
I would like to host mail services for some domains. I have successfully set up Postfix to consult SQL for those virtual domains. What I would like to do is:

  • For connections on 25:

    1. Deny relaying (only deliver to recipients of my virtual domains)
    2. Leave tls optional, but offer auth only if client does tls
    3. Accept only non-blacklisted clients (e.g. restrict XBL+SBL+PBL from Spamhaus) or clients that do TLS and auth ("friend mail servers" that are set up to authenticate with me with auth and TLS)
  • For connections on 587:

    1. Enforce tls and auth
    2. Permit relaying.
    3. Accept only non-blacklisted clients (blacklists like above but leave out PBL checking)

My Questions:

  • A. I know of the Postfix options for the above, but I can't find how to differentiate them based on the listening port.

  • B. Will I run into widely known problems with supposedly legit clients with the above policy?

I am new to mail server setup, sorry for any meaningless question/assumption (please point it out). Thanks.

PLNech
Paralife

2 Answers

That's easy,

  1. In /etc/postfix/main.cf you will add/change

    smtpd_tls_security_level=may

    so that by default TLS is available (but optional).

  2. Then, in your /etc/postfix/master.cf you will override it for port 587 (the submission port) by overriding the parameter:

    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_security_level=encrypt

    This requires TLS for all submission (port 587) connections.

As for denying relaying, this is the default; relaying is allowed only for authenticated users, and IP addresses you specify in mynetworks.

Finally you can add blacklists in main.cf by appending to smtpd_recipient_restrictions:

    reject_rbl_client zen.spamhaus.org,

or whatever blacklists you wish. These should appear near the end of the list, just before the final permit.
One last thing. For more ideas on how to prevent spam, see Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?

Michael Hampton
  • Thanks, only one blurry point: On port 25 I want to unconditionally deny relaying, no matter if client authenticated or not. – Paralife Feb 22 '13 at 13:04
  • Authentication on port 25 is disabled by default. But to check for sure, make sure that `smtpd_sasl_auth_enable` is NOT in your `main.cf` and also that it is NOT present in the `smtp` section of your `master.cf` (but it SHOULD be set to `yes` in the `submission` section). The `master.cf` should look much like [this](http://serverfault.com/a/389089/126632). – Michael Hampton Feb 22 '13 at 13:06
  • Correct, but I want to enable optional auth+TLS on 25. I just don't want to relay on 25. Essentially I want to be liberal about how someone connects but very strict on relaying (deny all relaying). No relaying should be permitted unless it comes on 587 and the client is authed via TLS. Any other combination should reject relaying. I'll probably just remove permit_sasl_authenticated from smtpd_relay_restrictions and put it only in overrides for 587 in master.cf. Thanks. – Paralife Feb 22 '13 at 15:06
  • People are not supposed to even attempt to auth on 25. You can enable it if you want, but you really should not. – Michael Hampton Feb 22 '13 at 15:10
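A worked configuration that puts the pieces of the accepted answer together for the two ports, as an added example and not code from the answers above. It follows the advice of not offering AUTH on port 25 at all; the mua_* names are user-defined parameters (the same convention the stock Postfix master.cf uses), and it assumes Postfix 2.10 or later for smtpd_relay_restrictions and 2.8 or later for the return-code range form of reject_rbl_client.

```conf
# --- /etc/postfix/main.cf ---
# Port 25 (MX) defaults: TLS offered but optional, AUTH never offered,
# and relaying only for mynetworks (which should not include the internet).
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    permit

# Submission (587) policy, kept here as user-defined parameters so that
# master.cf only has to reference them. Spamhaus PBL answers are
# 127.0.0.10 and 127.0.0.11, so the [2..7] range keeps SBL+XBL listings
# and ignores PBL, as wanted for the submission port.
mua_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..7], permit
mua_relay_restrictions = permit_sasl_authenticated, reject
mua_recipient_restrictions = permit_sasl_authenticated, reject

# --- /etc/postfix/master.cf ---
# service    type  private unpriv chroot wakeup maxproc command
smtp         inet  n       -       n      -      -       smtpd
submission   inet  n       -       n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
```

With this, a session on 25 is never offered AUTH and can only deliver to your own domains, while a session on 587 must complete STARTTLS before AUTH is offered and must authenticate before it may relay; check the effective per-service settings with `postconf -n` and `postconf -M submission/inet`.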

I don't know the answer to question B, but to A:

In Postfix you usually have a master.cf where you define every single running process, often in /etc/postfix. In that file you have one entry per running Postfix service, so there are two different ones for port 25 and port 587. For each of them you can also pass parameters to the smtpd to make them have different settings.

That's an example from my mailserver:

    4.3.2.1:25      inet  n       -       -       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
    4.3.2.1:10027   inet  n       -       -       -       -       smtpd
      -o mynetworks=91.190.245.4/32,127.0.0.0/8
      -o smtpd_client_restrictions=permit_mynetworks,reject

replay