Should I enable port 587 for mail relay access?

port email postfix email-server smtp

The submission port 587 is not directly used to reduce spam, but the need for another port do arise from fighting spam: the SMTP port 25 is typically closed by the ISP on every consumer grade internet connections and on all other networks that shouldn't have any email servers. This prevents infected computers from directly communicating with the receiving servers, but as a side effect prevents your authenticated users from using the relay, too. The answer to the question "should I" depends on whether your users faces these problems. That's probably yes.

Aside, there's other reasons why using a separate port for submission becomes handy. For this kind of setup, you don't use port 25 for outbound mail at all, which enables you to use separate settings (e.g. smtpd_sender_restrictions / smtpd_recipient_restrictions) for SMTP and submission.

  • For incoming mail on 25 you usually perform many checks like SPF, DMARC, DNS BL. These checks are not very useful on authenticated connections, are they? You can simply skip them on them on submission. 

    smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    . . .
    check_policy_service unix:private/policy-spf,
    reject_rbl_client sbl-xbl.spamhaus.org,
    . . .
    permit

    Recipient restrictions?! Most of these are actually restrictions for the sender, but I like to fire them only after SMTP command RCPT TO for more debug information e.g. on false positives.

  • For email submission on 587 you may want different kind of checks for authenticated users. (These settings goes to master.cf and overrides the settings in main.cf. First we enable SASL authentication; this configuration is unfinished as it depends on your SASL provider. Dovecot?)

    submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  . . .

    You don't want every user to be able to send mail on behalf of other users, do you? This is especially important if you DKIM sign the messages. It's possible to bind addresses to certain usersnames. In the following example these address/username pairs are already defined for virtual_alias_maps in a format we can also use here, but your setup most likely needs another mapping as you don't have local mailboxes.

      -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  . . .

    Then, you don't want to accept mail to domains that doesn't exist etc, just like you didn't want to receive mail from that kind of domains on the smtpd_recipient_restrictions for port 25. Only that now they actually test recipient addresses. On the same line (the line break is merely for formatting) you can enforce SASL authentication by rejecting everything non-authenticated.

      -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,
     reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  . . .

Related

SMTP service detection
Redirect wildcard subdomain to same subdomain on different domain
A local IP address (RFC 1918) on my network that is not … local
Can I restore a backup made with Windows Server 2008 R2 in Windows Server 2012 R2?
Ubuntu 13.04 lenovo m490 INFO @wl_cfg80211_attach : Registered CFG80211 phy [closed]
How do I get an Atheros AR9285 working?
Conky Widgets are Opening in their Own Windows
I want to copy the data folders from a previous ubuntu(14.04) partition
Why doesn't LD_PRELOAD "v4l1compat.so" work with 64-bit Skype? [duplicate]
Why does my optical drive not play commercial dvds?
Is there a way to use multiple instances of Chromium or Firefox?
`qdbus` returns an error. Ubuntu 18.04