Port 25 "relay send" and TLS
Problem:
I have a Postfix server with dovecot running. The ports that are listening are 25, 465 and 993, where the last two have mandatory TLS. Other "email" ports are not listening. This means that a client's MUA must use port 465 for email "submission" and port 993 for email "retrieval". This means one function per port (nice).
Port 25 on the other hand has three functions i.e. email "relay sending", email "relay receiving" and email "submitting" (a mess).
The other two ports are already demanding mandatory TLS and now I have to configure port 25 to do that as well. I know that Postfix is used to configure this port as it is the SMTP port. I also understand that in /etc/postfix/master.cf I can use -o parameters under the below line to configure port 25:
smtp inet n - y - - smtpd
We have some embedded devices in the field that can't speak TLS and can only "submit" emails through port 25. This is why this port can use opportunistic TLS but not mandatory TLS.
I already set up opportunistic TLS for the inbound requests i.e. email "submission" and email "relay receive" like this:
smtp inet n - y - - smtpd
  -o syslog_name=postfix/smtp
  #
  -o smtpd_use_tls=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  #
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
NOTE: Parameters starting with -o smtpd_ configure only inbound requests, while parameters starting with -o smtp_ (currently I have none) configure outbound requests.
Question:
Now I am wondering...
- Should I set mandatory TLS for outbound requests i.e. "relay sending" on port 25? What problems could occur?
- What happens if I set mandatory TLS for outbound requests i.e. "relay sending" on port 25 and some destination server does not support mandatory TLS or opportunistic TLS on its "relay receiving" port 25?
- Is opportunistic TLS what should be set for outbound requests i.e. "relay sending" on port 25 to avoid problems?
- I know that opportunistic TLS is not 100% safe and I know it can be protected using DANE, but who exactly does DANE protect? The "relay sender" or the "relay receiver"? So should DANE be set for inbound or outbound requests?
You don't need incoming port 25 for any other purposes than accepting email from the Internet: port 465 is for (implicit TLS) submission, and for outbound SMTP you use port 25 of the receiving server.
Also, it's not a good idea to make TLS mandatory on port 25, as it breaks backwards compatibility and, therefore, pretty much your whole email infrastructure. DANE (RFC 6698) is exactly for that: for letting the others know that you don't need that backwards compatibility, and being comfortable not to fall back to unencrypted connections even if someone (MitM) had removed the 250-STARTTLS extension (RFC 3207).
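An added configuration example (not from the question or the answer) of the outbound side the answer describes: the smtp_ (client) parameters in main.cf, with opportunistic DANE so that TLS stays opportunistic for destinations without TLSA records but becomes verified and mandatory for those that publish them, plus a per-destination policy map. The partner domain names and the trust-store path are assumptions.

```ini
# /etc/postfix/main.cf (added example, not the asker's config)
# Outbound "relay sending" is governed by smtp_ parameters; the inbound
# smtpd_ side on port 25 stays at "may" so legacy devices can still submit.

# Opportunistic DANE: behaves like "may" (STARTTLS if offered, cleartext
# otherwise) for destinations without TLSA records; for destinations that
# publish DNSSEC-signed TLSA records the certificate is verified against
# them and delivery fails rather than falling back to cleartext.
smtp_tls_security_level = dane

# DANE only works with DNSSEC-validated answers: /etc/resolv.conf must
# point at a validating resolver (e.g. unbound on 127.0.0.1).
smtp_dns_support_level = dnssec

# Same protocol floor on the client side as on the smtpd side.
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1

# CA bundle used when a policy entry below asks for PKI verification
# (path assumed; distribution-specific).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# One log line per outbound session, e.g. "Verified TLS connection
# established to ..." vs "Untrusted ..." vs none at all for cleartext.
smtp_tls_loglevel = 1

# Per-destination overrides, keyed by next-hop domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy (assumed partner domains; run
# --- "postmap /etc/postfix/tls_policy" after editing) ---
# Partner that publishes TLSA records: refuse to deliver without DANE.
# partner.example          dane-only
# Partner with a valid public CA certificate but no TLSA: require PKI match.
# billing.example          secure
# Known legacy relay that cannot do TLS: keep plain opportunistic behaviour.
# legacy-relay.example     may
```

With a resolver that does not validate DNSSEC no TLSA record is ever trusted, so the dane level quietly degrades to may for every destination; check the "Verified TLS connection" lines in the mail log to confirm DANE is actually in effect.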