
How do I make my Postfix server send mail only on port 587, and also enable TLS on port 587 with secure authentication (which uses system Linux users)?

First of all, this question might seem too broad, but I couldn't find a single solution for this on the internet. Many articles do give a solution, but they skip some parts.

I want to force authentication and force TLS connections.

I can post the config if anyone asks me.

Thanks in advance. I am new to postfix. Also, I could take a look at http://www.postfix.org/documentation.html, but before you tell me about it: I am unable to understand it properly, hence I am sure I would mess up a config and make my server unusable. Also, postfix here was installed using the apt package manager, but I'm sure this is not particularly related to Ubuntu. I was using Exim4 before postfix, but there is so little support for Exim, because people mostly have it in cPanel, so I don't get vanilla Exim support.

This needs urgent help because our server's security is in danger.

2 Answers


This will only allow secure connections:

smtpd_tls_auth_only = yes

Then you have the other needed options:

# note the smtpd_ prefix: these govern connections made TO your server;
# the smtp_ variants would configure Postfix's own outgoing deliveries instead
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes    # legacy alias for the security_level line above; harmless

To use 587, edit master.cf and uncomment the line:

submission inet n - n - - smtpd

Then restart postfix.

Overmind
  • Thanks for that. But does that also enable authentication, and if so, for what users? I want to use system users, with their system username and password. What about port 587 and stuff? I am a newbie. And just in case, my configuration is full default, with the Internet Site conf. –  Dec 17 '20 at 08:08
  • Mail users should not be Linux users. There is no reason for that. You have MariaDB or alternatives to handle e-mail client users. If your config is default there's a lot of work on multiple aspects; you can't just make a setting and call it all good. – Overmind Dec 17 '20 at 08:21
  • Help me with that. Maybe tell me how to use port 587 with virtual users, without a database. –  Dec 17 '20 at 09:08
  • I have added the 587 usage option to the answer. – Overmind Dec 18 '20 at 06:34
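A quick way to confirm that smtpd_tls_auth_only is actually in effect on the submission port, as an added example that is not part of Overmind's answer: connect with Python's smtplib, record which ESMTP extensions the server announces on the plaintext connection and again after STARTTLS, and flag AUTH showing up too early. The host name mail.example.test is a placeholder for a server you control; assess() works offline on captured feature dicts, probe() needs the live server.

```python
"""Probe a live Postfix submission port for the behaviour Overmind's answer
aims at: with smtpd_tls_auth_only = yes the server must not advertise AUTH
until STARTTLS has completed. Added example, not code from the answer; the
default host name is a placeholder for a server you control."""
import smtplib
import ssl


def assess(before_tls, after_tls):
    """Compare the ESMTP extensions seen on the plaintext connection with those
    seen after STARTTLS (dicts shaped like smtplib's esmtp_features: lowercase
    keyword -> parameter string; after_tls is None if STARTTLS never happened).
    Returns a list of problems; [] means the port behaves as intended."""
    problems = []
    if "starttls" not in before_tls:
        problems.append("STARTTLS not offered: TLS is off or the certificate did not load")
    if "auth" in before_tls:
        problems.append("AUTH advertised before STARTTLS: smtpd_tls_auth_only is not in effect")
    if after_tls is not None:
        if "auth" not in after_tls:
            problems.append("AUTH still not offered after STARTTLS: SASL is not enabled on this port")
        elif not set(after_tls["auth"].split()) & {"PLAIN", "LOGIN"}:
            problems.append("no PLAIN/LOGIN mechanism offered; common mail clients cannot log in")
    return problems


def probe(host="mail.example.test", port=587):
    """Connect, record the EHLO features before and after STARTTLS, and assess them."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        after = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())  # verifies the server cert
            s.ehlo()                     # extensions must be re-announced inside TLS
            after = dict(s.esmtp_features)
    return assess(before, after)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"
    for line in probe(target) or ["OK: AUTH is only offered inside TLS"]:
        print(line)
```

If the first check fires, the smtpd_tls_auth_only line never reached the submission service (typo, wrong file, or postfix not reloaded); if only the last one fires, TLS is fine but SASL is not wired up on that port yet.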

To enable port 587, edit the file /etc/postfix/master.cf

vi /etc/postfix/master.cf

and remove the # in front of the line (uncomment the line):

#submission inet n - n - - smtpd

so that it looks like this:

submission inet n - n - - smtpd

You may want to uncomment the additional lines enabling SASL authentication right after this line. Each such line must start with a space!

 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject

All the other settings are configured in /etc/postfix/main.cf based on your environment.

Additionally you may need to configure TLS settings:

# TLS parameters
# you need to specify a real certificate location
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert.key
smtpd_use_tls=yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_sasl_tls_security_options=noanonymous
smtpd_tls_auth_only=yes

Depending on whether you use dovecot to receive emails, you may need to add:

smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
broken_sasl_auth_clients=yes

Additional security restrictions:

smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_helo_hostname,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_non_fqdn_recipient,reject_unknown_recipient_domain

check and restart postfix:

postfix check
systemctl restart postfix

You can make sure that postfix is now listening on both ports 25 and 587:

netstat -na | grep LISTEN | grep -E ':(25|587)\s'
# or, where net-tools is not installed:
ss -ltn | grep -E ':(25|587)\s'

Don't forget to allow port 587 in your firewall.

Creation of postfix users is another story. As was mentioned in the comments, you should use SQL to store mailboxes (mail users). If you don't want to do so, you can use Linux users as described in detail here.

P.S. I don't think it's feasible to provide the complete config here because it is always very dependent on the specific requirements and your environment.

Hardoman
  • So, uhh... if dovecot uses Linux users, and I enable user auth in dovecot and connect postfix to it, will the auth start working? I will do those things myself unless I have a major issue. –  Dec 18 '20 at 04:56
  • Dovecot is used only to receive emails via IMAP or POP3; you may delegate postfix to do authentication instead of it when receiving emails. But postfix is able to do SASL auth itself without dovecot when using other protocols. – Hardoman Dec 18 '20 at 22:10
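Both answers hand out main.cf and master.cf fragments without a way to check the combined result. The following is an added example (my own code, not from either answer) that parses the two files the way Postfix reads them, applies the per-service -o overrides on top of main.cf, and reports deviations from the hardened port-587 setup described above: submission enabled, smtpd_tls_security_level=encrypt, SASL on, AUTH only inside TLS, unauthenticated clients rejected, relaying blocked, and a real certificate instead of Ubuntu's ssl-cert-snakeoil placeholder. The three sample configurations are constructed to mirror the thread (Ubuntu-style default, port 587 uncommented but without the -o lines, and the recommended result).

```python
"""Static audit of main.cf/master.cf against the port-587 settings recommended
in both answers above. Added example, not code from the answers; the sample
configs below are constructed (Ubuntu-style default, half-done, hardened)."""


def _tokens(value):                    # Postfix list values: comma and/or space separated
    return value.replace(",", " ").split()


def parse_main_cf(text):
    """'name = value'; indented lines continue the previous value; '#' lines are comments."""
    params, last = {}, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + body
        else:
            name, _, value = body.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_master_cf(text):
    """8 columns (service type private unpriv chroot wakeup maxproc command) + '-o' args."""
    services = []
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        cols = body.split()
        if raw[0].isspace() and services:      # indented: more arguments for the previous service
            services[-1]["args"].extend(cols)
        elif not raw[0].isspace() and len(cols) >= 8:
            services.append({"name": cols[0], "type": cols[1], "command": cols[7], "args": cols[8:]})
    return services


def service_overrides(svc):
    """The '-o name=value' arguments of one master.cf service as a dict."""
    args = svc["args"]
    pairs = (args[i + 1].partition("=") for i, t in enumerate(args[:-1]) if t == "-o")
    return {name: value for name, _, value in pairs}


def audit(main_text, master_text):
    """Findings for the submission service; [] means it matches the hardened setup."""
    subs = [s for s in parse_master_cf(master_text) if s["type"] == "inet"
            and s["command"] == "smtpd" and s["name"] in ("submission", "587")]
    if not subs:
        return ["submission service is missing or commented out in master.cf"]
    cfg = parse_main_cf(main_text)
    cfg.update(service_overrides(subs[0]))          # per-service -o settings win over main.cf
    f = []
    level = cfg.get("smtpd_tls_security_level", "none")
    if level != "encrypt":
        f.append("smtpd_tls_security_level=%s on 587; use encrypt (STARTTLS mandatory)" % level)
    if cfg.get("smtpd_sasl_auth_enable", "no") != "yes":
        f.append("smtpd_sasl_auth_enable is not yes on 587; nobody can authenticate")
    if level != "encrypt" and cfg.get("smtpd_tls_auth_only", "no") != "yes":
        f.append("AUTH offered on plaintext connections; set smtpd_tls_auth_only=yes")
    client = _tokens(cfg.get("smtpd_client_restrictions", ""))
    if not (client and "permit_sasl_authenticated" in client and client[-1] == "reject"):
        f.append("unauthenticated clients not rejected on 587; use permit_sasl_authenticated,reject")
    relay = _tokens(cfg.get("smtpd_relay_restrictions",   # built-in default since Postfix 2.10
                            "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"))
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(relay):
        f.append("smtpd_relay_restrictions never blocks relaying (open relay)")
    if "snakeoil" in cfg.get("smtpd_tls_cert_file", "snakeoil"):   # missing or Debian placeholder
        f.append("TLS certificate missing or still the Debian self-signed placeholder")
    return f


DEFAULT_MAIN = """\
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
"""
DEFAULT_MASTER = "smtp inet n - y - - smtpd\n#submission inet n - y - - smtpd\n"
BARE_MASTER = "submission inet n - y - - smtpd\n"      # enabled, but without the -o lines
HARDENED_MAIN = DEFAULT_MAIN.replace("ssl-cert-snakeoil", "ssl-cert") + """\
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
"""
HARDENED_MASTER = """\
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
```

Against a real host, call audit(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read()). The half-done sample (port 587 uncommented, no -o lines) is the state the question's default install would be in after only the first step, and it produces five findings; the hardened pair produces none. Values given with -o in master.cf may not contain unquoted whitespace, which is why the restriction lists there are comma-separated as in the answer and why the parser can split arguments on whitespace.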