Disable SMTP AUTH on Port 25
Yes, postfix is perfectly capable of this.
Take a look at the Postfix HOWTO:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
and particularly:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
(those two pages are linked from the fairly extensive official Postfix docs page http://www.postfix.org/docs.html)
For my server, the configuration in master.cf looks like:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
And main.cf has a line like:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
In this case, authentication is only turned on for the submission (587) and SMTPS (465) ports.
It seems that the Postfix’s option smtpd_tls_auth_only = yes is exactly what you search. It allows to use SMTP AUTH only when TLS is activated, which is only relevant on port 25 for your configuration.
http://www.postfix.org/SASL_README.html#id396969
http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only