Port 25 "relay send" and TLS

Problem:

I have a Postfix server with Dovecot running. The listening ports are 25, 465 and 993, where the last two have mandatory TLS. Other "email" ports are not listening.

This means that the client's MUA must use port 465 for email "submission" and port 993 for email "retrieval". This means one function per port (nice).

Port 25, on the other hand, has three functions, i.e. email "relay sending", email "relay receiving" and email "submitting" (a mess).

The other two ports already demand mandatory TLS, and now I have to configure port 25 to do that as well. I know that Postfix is used to configure this port, as it is the SMTP port. I also understand that in /etc/postfix/master.cf I can use -o parameters under the line below to configure port 25:

smtp      inet  n       -       y       -       -       smtpd

We have some embedded devices in the field that can't speak TLS and can only "submit" emails through port 25. This is why this port can use opportunistic TLS but not mandatory TLS.

I already set up opportunistic TLS for the inbound requests, i.e. email "submission" and email "relay receive", like this:

smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
#
  -o smtpd_use_tls=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
#
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

NOTE:
Parameters starting with -o smtpd_ configure only inbound requests, while parameters starting with -o smtp_ (currently I have none) configure outbound requests.

Question:

Now I am wondering...

  • Should I set mandatory TLS for outbound requests, i.e. "relay sending" on port 25? What problems could occur?
  • What happens if I set mandatory TLS for outbound requests, i.e. "relay sending" on port 25, and some destination server does not support mandatory TLS or opportunistic TLS on its "relay receiving" port 25?
  • Is opportunistic TLS what should be set for outbound requests, i.e. "relay sending" on port 25, to avoid problems?
  • I know that opportunistic TLS is not 100% safe and I know it can be protected using DANE, but who exactly does DANE protect? The "relay sender" or the "relay receiver"? So should DANE be set for inbound or outbound requests?

You don't need incoming port 25 for any purpose other than accepting email from the Internet: port 465 is for (implicit TLS) submission, and for outbound SMTP you use port 25 of the receiving server.

Also, it's not a good idea to make TLS mandatory on port 25, as it breaks backwards compatibility and, therefore, pretty much your whole email infrastructure. DANE (RFC 6698) is exactly for that: for letting the others know that you don't need that backwards compatibility, and being comfortable not to fall back to unencrypted connections even if someone (MitM) had removed the 250-STARTTLS extension (RFC 3207).
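To make the trade-off in the question's second and third bullets concrete (what a sending MTA does when the destination offers no STARTTLS, under opportunistic versus mandatory versus DANE policy), here is an added example that is not part of the original question or answer and not Postfix code. It models the documented behaviour of Postfix's outbound `smtp_tls_security_level` values (`none`, `may`, `encrypt`, `dane`, `dane-only`) as a small decision function and runs it against constructed EHLO replies and a constructed "TLSA record present / certificate matches" flag. Real DNSSEC lookups and X.509-vs-TLSA matching are replaced by those booleans, which is an assumption of the model; the `Destination` class, the decision strings and the sample MX names are all invented for illustration. Note that the receiving domain publishes the TLSA record, but it is the sending MTA (the "relay sender") that enforces it, so DANE is an outbound-side setting.

```python
"""Model of Postfix outbound TLS policy decisions (added example, not Postfix code).

Encodes the documented meaning of smtp_tls_security_level = none/may/encrypt/dane/dane-only
and applies it to constructed destinations, so the effect of each level on a legacy
(non-TLS) receiver and on a STARTTLS-stripping MitM can be seen without sending mail.
"""
from dataclasses import dataclass, field


@dataclass
class Destination:
    """Constructed view of a receiving MX: its EHLO reply plus DANE-related facts.

    tlsa_records: DNSSEC-validated TLSA records the sender found (modelled as strings).
    cert_matches_tlsa: assumed result of matching the server certificate against them.
    """
    name: str
    ehlo_lines: list[str]
    tlsa_records: list[str] = field(default_factory=list)
    cert_matches_tlsa: bool = False


def offers_starttls(ehlo_lines: list[str]) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension (RFC 3207).

    EHLO reply lines look like '250-STARTTLS' or '250 STARTTLS' (last line uses a space).
    """
    for line in ehlo_lines:
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def delivery_decision(level: str, dest: Destination) -> str:
    """Return what the sender does: 'plaintext', 'tls', 'tls-authenticated' or 'defer'.

    Mirrors the Postfix documentation for each smtp_tls_security_level value:
      none      - never use TLS
      may       - opportunistic: TLS if offered, otherwise plaintext
      encrypt   - mandatory: TLS if offered, otherwise the message is deferred
      dane      - if usable TLSA records exist, TLS is mandatory and the certificate must
                  match them; without TLSA records it degrades to 'may'
      dane-only - requires TLSA records; without them the message is deferred
    """
    starttls = offers_starttls(dest.ehlo_lines)
    tlsa = bool(dest.tlsa_records)

    if level == "none":
        return "plaintext"
    if level == "may":
        return "tls" if starttls else "plaintext"
    if level == "encrypt":
        return "tls" if starttls else "defer"
    if level in ("dane", "dane-only"):
        if not tlsa:
            # No TLSA: 'dane' behaves opportunistically, 'dane-only' refuses to deliver.
            if level == "dane-only":
                return "defer"
            return "tls" if starttls else "plaintext"
        # TLSA present: a missing STARTTLS (e.g. stripped by a MitM) is not a reason to
        # fall back to plaintext; the message is deferred instead.
        if not starttls:
            return "defer"
        return "tls-authenticated" if dest.cert_matches_tlsa else "defer"
    raise ValueError(f"unknown smtp_tls_security_level: {level}")


# Constructed sample destinations (names and EHLO replies are invented).
LEGACY_MX = Destination("legacy.example.net", ["250-legacy.example.net", "250 SIZE 10240000"])
MODERN_MX = Destination("mx.example.org", ["250-mx.example.org", "250-STARTTLS", "250 SIZE 10240000"])
DANE_MX = Destination("mx.example.com", ["250-mx.example.com", "250-STARTTLS", "250 8BITMIME"],
                      tlsa_records=["3 1 1 <constructed-sha256-of-spki>"], cert_matches_tlsa=True)
# Same DANE-publishing site, but the EHLO reply reached us with STARTTLS removed.
DANE_MX_STRIPPED = Destination("mx.example.com", ["250-mx.example.com", "250 8BITMIME"],
                               tlsa_records=["3 1 1 <constructed-sha256-of-spki>"], cert_matches_tlsa=True)


def decision_matrix() -> dict[tuple[str, str], str]:
    """Evaluate every level against every sample destination."""
    levels = ["none", "may", "encrypt", "dane", "dane-only"]
    dests = {"legacy": LEGACY_MX, "modern": MODERN_MX, "dane": DANE_MX, "dane-stripped": DANE_MX_STRIPPED}
    return {(lvl, name): delivery_decision(lvl, d) for lvl in levels for name, d in dests.items()}


if __name__ == "__main__":
    for (lvl, name), outcome in sorted(decision_matrix().items()):
        print(f"{lvl:9s} -> {name:13s}: {outcome}")
```

The matrix shows the answer's point in one screen: `encrypt` defers every message to the legacy receiver, `may` delivers to it in the clear but is silently downgraded when STARTTLS is stripped, and `dane` keeps opportunistic behaviour for domains without TLSA records while refusing the downgrade for domains that publish them. The corresponding Postfix settings for outbound mail would be `smtp_tls_security_level = dane` together with `smtp_dns_support_level = dnssec` in main.cf, which only have effect if the local resolver validates DNSSEC.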