
How can I configure Postfix and Dovecot to only bind to port 587 and 143 for unencrypted submission and imap, respectively, on localhost, but bind to port 465 and 993 for encrypted connections on all interfaces? I need to do this as Thunderbird defaults to the unencrypted ports when it sees that they are open.

Currently, this is what it looks like:

localhost
- 25 (smtp)
- 143 (imap)
- 465 (smtps)
- 587 (unencrypted smtp/submission)
- 993 (imaps)

eth0
- 25 (smtp)
- 143 (imap)
- 465 (smtps)
- 587 (unencrypted smtp/submission)
- 993 (imaps)

I need it to look like this:

localhost
- 25 (smtp)
- 143 (imap)
- 465 (smtps)
- 587 (unencrypted smtp/submission)
- 993 (imaps)

eth0
- 25 (smtp)
- 465 (smtps)
- 993 (imaps)
Billy
  • While this is possible, wouldn't it be better to either a) remove the `143`/`587` or b) configure them to only allow login after `STARTTLS`. Do you actually need unencrypted connections from the localhost? – Esa Jokinen Apr 29 '18 at 07:06
  • @EsaJokinen That would work, and I've been doing so with Postfix, but how can I configure Dovecot to not bind to 143? Setting ssl = required doesn't do the trick. – Billy Apr 29 '18 at 13:20

1 Answer

The fact that you listen on ports 143 and 587 doesn't necessarily mean the connection is unencrypted. It's common to use opportunistic TLS, i.e. STARTTLS, with these ports: the connection starts unencrypted but is soon upgraded to be encrypted. The only reason to avoid STARTTLS would be mitigating man-in-the-middle attacks (RFC 3207; STARTTLS is less secure than TLS).

In this case the target would be to make this STARTTLS mandatory, but disabling is also possible.

Postfix submission 587

In postfix/master.cf,

  • the submission service must have (among other settings):

     submission inet n - - - - smtpd
       -o smtpd_tls_security_level=encrypt
    
  • To disable port 587 entirely (answering your question), comment out the submission section.

  • To make submission only available on localhost (literal answer):

     127.0.0.1:587 inet n - - - - smtpd
    

Dovecot IMAP 143

  • In dovecot/conf.d/10-auth.conf you have this setting with the documentation in comments:

     # Disable LOGIN command and all other plaintext authentications unless
     # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
     # matches the local IP (ie. you're connecting from the same computer), the
     # connection is considered secure and plaintext authentication is allowed.
     # See also ssl=required setting.
     disable_plaintext_auth = yes
    
  • To disable the IMAP listener, change its port to 0 in dovecot/conf.d/10-master.conf:

     service imap-login {
       inet_listener imap {
         port = 0
       }
       ...
     }
    
  • To configure Dovecot to listen for IMAP on 143 only on localhost (literal answer):

     service imap-login {
       inet_listener imap {
         address = 127.0.0.1
       }
     }
    
Esa Jokinen
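After applying either the Postfix master.cf change or the Dovecot `address = 127.0.0.1` change, the thing a practitioner actually wants to confirm is the resulting listener table: no plaintext-capable port (143, 587) bound to anything other than loopback. The script below is an added example, not code from the question or the answer; it parses `ss -Hltn` style output (a constructed sample is embedded so it runs offline; in real use pipe `ss -Hltn` into `audit_listeners`) and prints every offending local address. The port list, the sample lines and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): audit the listener
# table after the Postfix/Dovecot changes. Feed `ss -Hltn` output to
# audit_listeners; it prints each plaintext-capable port (143 and 587 by
# default) that is bound to an address other than loopback.

# Constructed sample of `ss -Hltn` output: the desired end state from the
# question (143/587 only on loopback, 25/465/993 on all interfaces) plus one
# leftover wildcard 587 binding so the check has something to flag.
SAMPLE='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
LISTEN 0 100 127.0.0.1:587 0.0.0.0:*
LISTEN 0 100 0.0.0.0:587 0.0.0.0:*
LISTEN 0 100 [::]:993 [::]:*
LISTEN 0 100 [::1]:143 [::]:*'

# audit_listeners [port ...]: read ss lines on stdin, print "<addr>:<port>"
# for every listed port that is not bound to 127.0.0.1 or [::1].
# Column 4 of `ss -ltn` is "Local Address:Port"; IPv6 addresses are bracketed,
# so the port is taken as the text after the last colon.
audit_listeners() {
  awk -v plain="${*:-143 587}" '
    BEGIN { n = split(plain, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      la = $4
      k = split(la, f, ":")
      port = f[k]
      addr = substr(la, 1, length(la) - length(port) - 1)
      if (!(port in want)) next
      # Loopback bindings are exactly what the question asked for; skip them.
      if (addr == "127.0.0.1" || addr == "[::1]") next
      print la
    }'
}

# count_violations [port ...]: number of offending bindings in SAMPLE.
count_violations() {
  printf '%s\n' "$SAMPLE" | audit_listeners "$@" | wc -l | tr -d ' '
}

# Stand-alone run: lists the one stray binding in the constructed sample.
printf '%s\n' "$SAMPLE" | audit_listeners
```

On the sample this reports only `0.0.0.0:587`; once the `127.0.0.1:587` master.cf entry (or Dovecot's `address = 127.0.0.1`) is in place and the daemons are reloaded, a real `ss -Hltn | audit_listeners` should print nothing. Passing explicit ports (for example `audit_listeners 25`) lets you reuse the same check for any service you decide should stay loopback-only.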