Should I enable port 587 for mail relay access?

The submission port 587 is not directly used to reduce spam, but the need for another port does arise from fighting spam: the SMTP port 25 is typically closed by the ISP on every consumer-grade internet connection and on all other networks that shouldn't have any email servers. This prevents infected computers from directly communicating with the receiving servers, but as a side effect prevents your authenticated users from using the relay, too. The answer to the question "should I" depends on whether your users face these problems. That's probably yes.

Aside, there are other reasons why using a separate port for submission becomes handy. For this kind of setup, you don't use port 25 for outbound mail at all, which enables you to use separate settings (e.g. smtpd_sender_restrictions / smtpd_recipient_restrictions) for SMTP and submission.

  • For incoming mail on 25 you usually perform many checks like SPF, DMARC, DNS BL. These checks are not very useful on authenticated connections, are they? You can simply skip them on submission.

    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        . . .
        check_policy_service unix:private/policy-spf,
        reject_rbl_client sbl-xbl.spamhaus.org,
        . . .
        permit
    

    Recipient restrictions?! Most of these are actually restrictions for the sender, but I like to fire them only after SMTP command RCPT TO for more debug information e.g. on false positives.

  • For email submission on 587 you may want different kinds of checks for authenticated users. (These settings go to master.cf and override the settings in main.cf. First we enable SASL authentication; this configuration is unfinished as it depends on your SASL provider. Dovecot?)

    submission inet n - - - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      . . .
    

    You don't want every user to be able to send mail on behalf of other users, do you? This is especially important if you DKIM sign the messages. It's possible to bind addresses to certain usernames. In the following example these address/username pairs are already defined for virtual_alias_maps in a format we can also use here, but your setup most likely needs another mapping as you don't have local mailboxes.

      -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
      -o smtpd_sender_restrictions=reject_sender_login_mismatch
      . . .
    

    Then, you don't want to accept mail to domains that don't exist etc., just like you didn't want to receive mail from that kind of domain in the smtpd_recipient_restrictions for port 25. Only now they actually test recipient addresses. On the same line (the line break is merely for formatting) you can enforce SASL authentication by rejecting everything non-authenticated.

      -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,
         reject_unknown_recipient_domain,permit_sasl_authenticated,reject
      . . .
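The answer above relies on two things that are easy to get wrong: restriction lists are evaluated in order and stop at the first permit or reject, and an exhausted list permits by default (which is why the submission list ends in an explicit `reject`). The following Python simulation is an added example, not part of the answer and not Postfix code; it models a subset of the restrictions the answer uses (`reject_sender_login_mismatch`, `permit_sasl_authenticated`, `reject_unauth_destination`, the FQDN and unknown-domain checks) so you can see how the port 25 and port 587 lists treat the same session differently. The address-to-login table, the set of "resolvable" domains standing in for DNS, and the `mynetworks`/`mydestination` values are all constructed for the example.

```python
"""Simulate ordered evaluation of Postfix smtpd restriction lists (example only, not Postfix code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for smtpd_sender_login_maps: address -> SASL login names that own it
SENDER_LOGIN_MAPS = {
    "alice@example.com": {"alice"},
    "sales@example.com": {"alice", "bob"},
}
# Constructed stand-in for DNS (real Postfix looks up MX/A records for the domain)
RESOLVABLE_DOMAINS = {"example.com", "example.net"}
# Constructed mydestination and mynetworks
MY_DESTINATIONS = {"example.com"}
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Session:
    client_ip: str
    sasl_user: Optional[str]  # None when the client did not authenticate
    mail_from: str
    rcpt_to: str


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _is_fqdn(addr: str) -> bool:
    d = _domain(addr)
    return "." in d and not d.startswith(".") and not d.endswith(".")


def _sender_login_mismatch(s: Session) -> str:
    """reject_sender_login_mismatch: an authenticated login must own the MAIL FROM address,
    and an unauthenticated client may not use an address that has an owner."""
    owners = SENDER_LOGIN_MAPS.get(s.mail_from.lower())
    if s.sasl_user:
        return "DUNNO" if owners and s.sasl_user in owners else "REJECT"
    return "REJECT" if owners else "DUNNO"


# Each restriction yields "OK" (permit, stop), "REJECT" (stop) or "DUNNO" (continue with the next one)
RESTRICTIONS: Dict[str, Callable[[Session], str]] = {
    "permit": lambda s: "OK",
    "reject": lambda s: "REJECT",
    "permit_mynetworks": lambda s: "OK" if any(
        ipaddress.ip_address(s.client_ip) in n for n in MY_NETWORKS) else "DUNNO",
    "permit_sasl_authenticated": lambda s: "OK" if s.sasl_user else "DUNNO",
    "reject_unauth_destination": lambda s: "DUNNO" if _domain(s.rcpt_to) in MY_DESTINATIONS else "REJECT",
    "reject_non_fqdn_sender": lambda s: "DUNNO" if _is_fqdn(s.mail_from) else "REJECT",
    "reject_non_fqdn_recipient": lambda s: "DUNNO" if _is_fqdn(s.rcpt_to) else "REJECT",
    "reject_unknown_sender_domain": lambda s: "DUNNO" if _domain(s.mail_from) in RESOLVABLE_DOMAINS else "REJECT",
    "reject_unknown_recipient_domain": lambda s: "DUNNO" if _domain(s.rcpt_to) in RESOLVABLE_DOMAINS else "REJECT",
    "reject_sender_login_mismatch": _sender_login_mismatch,
}


def evaluate(restriction_list: List[str], session: Session) -> Tuple[str, str]:
    """Walk the list in order; the first OK/REJECT wins. Running off the end is an implicit permit."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end-of-list"


# Port 25 list modelled on the answer's smtpd_recipient_restrictions (only the rules simulated here)
PORT25_RECIPIENT = [
    "permit_mynetworks", "reject_unauth_destination",
    "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "permit",
]
# Port 587 overrides from the answer's master.cf submission entry
SUBMISSION_SENDER = ["reject_sender_login_mismatch"]
SUBMISSION_RECIPIENT = [
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "permit_sasl_authenticated", "reject",
]


def check_port25(session: Session) -> Tuple[str, str]:
    return evaluate(PORT25_RECIPIENT, session)


def check_submission(session: Session) -> Tuple[str, str]:
    # With the default smtpd_delay_reject=yes both lists run at RCPT TO, sender list first;
    # a permit in the sender list does not skip the recipient list, only a reject ends the session.
    verdict, rule = evaluate(SUBMISSION_SENDER, session)
    if verdict == "REJECT":
        return verdict, rule
    return evaluate(SUBMISSION_RECIPIENT, session)


if __name__ == "__main__":
    # Constructed sessions: an unauthenticated outside client trying to use alice's address on 587
    print(check_submission(Session("203.0.113.5", None, "alice@example.com", "bob@example.com")))
    # ...and the same outside client delivering to a local mailbox on port 25
    print(check_port25(Session("203.0.113.5", None, "ann@example.net", "bob@example.com")))
```

Two things the run makes visible: on 587 an unauthenticated client is rejected by `reject_sender_login_mismatch` when it claims an owned address and by the final `reject` otherwise, while on 25 the same client is accepted for local domains and stopped by `reject_unauth_destination` for everything else, which is the open-relay check that must stay on the inbound side.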