If you use the SMTP port 25 for unauthenticated incoming mail and configure the submission port 587 separately for (outbound) authenticated mail, you could make it only listen on local loopback.
In the master.cf you have a separate section, another instance of smtpd for the submission:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
submission inet n       -       y       -       -       smtpd
You could modify this line into:
127.0.0.1:submission inet n - y - - smtpd
(According to master(5) it seems inet_interfaces = loopback-only is only available in the main.cf. This would mean you can only configure it globally and not per process with -o in master.cf.)
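To check the result of the change described above, the following added example (not part of the original answer) reads a master.cf and reports, for each inet service, whether it binds to loopback, to another explicit address, or to whatever inet_interfaces selects. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the bind address of every inet service in a
# Postfix master.cf, read from stdin or from the file given as argument.
audit_master_cf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment and blank lines
    /^[ \t]/                 { next }   # continuation lines such as "-o name=value"
    $2 == "inet" {
        # The service field is "port" or "host:port"; an IPv6 host is
        # bracketed, so the port is whatever follows the last colon.
        n = split($1, part, ":")
        port = part[n]
        host = (n > 1) ? substr($1, 1, length($1) - length(port) - 1) : ""
        if (host == "")
            print port, "*", "inet_interfaces"   # address set comes from main.cf
        else if (host ~ /^127\./ || host == "[::1]" || host == "localhost")
            print port, host, "loopback"
        else
            print port, host, "explicit"
    }' "$@"
}

# Constructed sample: port 25 left as is, submission restricted to loopback,
# the original submission line kept as a comment, one non-inet service.
sample_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
#submission inet n      -       y       -       -       smtpd
127.0.0.1:submission inet n -   y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
EOF
}

sample_master_cf | audit_master_cf
```

On a live system, pass the real file instead of the sample, for example `audit_master_cf /etc/postfix/master.cf` (the path is an assumption; it varies by distribution).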