How can I configure Postfix and Dovecot to only bind to ports 587 and 143 for unencrypted submission and IMAP, respectively, on localhost, but bind to ports 465 and 993 for encrypted connections on all interfaces? I need to do this as Thunderbird defaults to the unencrypted ports when it sees that they are open.
Currently, this is what it looks like:
localhost
- 25 (smtp)
- 143 (imap)
- 465 (smtps)
- 587 (unencrypted smtp/submission)
- 993 (imaps)
eth0
- 25 (smtp)
- 143 (imap)
- 465 (smtps)
- 587 (unencrypted smtp/submission)
- 993 (imaps)
I need it to look like this:
localhost
- 25 (smtp)
- 143 (imap)
- 465 (smtps)
- 587 (unencrypted smtp/submission)
- 993 (imaps)
eth0
- 25 (smtp)
- 465 (smtps)
- 993 (imaps)
Best Answer
The fact that you listen on ports 143 and 587 doesn't necessarily mean the connection is unencrypted. It's common to use opportunistic TLS, i.e. STARTTLS, with these ports: the connection starts as unencrypted, but is soon upgraded to be encrypted. The only reason to avoid STARTTLS would be mitigating man-in-the-middle attacks (RFC 3207; STARTTLS is less secure than TLS).
In this case the target would be to make this STARTTLS mandatory, but disabling is also possible.
Postfix submission 587
In postfix/master.cf, the submission service must have (among other settings):
To disable the port 587 entirely (answering your question), comment out the submission section.
To make submission only available on localhost (literal answer):
Dovecot IMAP 143
In dovecot/conf.d/10-auth.conf you have this setting with the documentation in comments:
To disable the IMAP listener change its port to 0 in dovecot/conf.d/10-master.conf:
To configure Dovecot to listen IMAP 143 only on localhost (literal answer):
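Once the listeners have been changed, the layout the question asks for can be checked from the socket table. The script below is an added example, not part of the original answer: it parses `ss -H -tln` output and reports any listener on ports 143 or 587 that is bound to a non-loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Ports the question wants reachable on loopback only.
LOCAL_ONLY_PORTS = {143, 587}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 127.0.0.1:587 0.0.0.0:*
LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 100 [::1]:143 [::]:*
LISTEN 0 100 *:993 *:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        addr = addr.strip("[]").split("%")[0]
        if port.isdigit():
            yield addr, int(port)


def is_loopback(addr):
    """True only for literal loopback addresses; wildcards count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or anything unparseable is treated as exposed


def exposed_listeners(ss_output, local_only=LOCAL_ONLY_PORTS):
    """Return sorted (address, port) pairs that violate the loopback-only rule."""
    return sorted(
        {(a, p) for a, p in parse_listeners(ss_output)
         if p in local_only and not is_loopback(a)}
    )


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"port {port} is listening on {addr}, expected loopback only")
```

On a live host, feed it the real table, for example by passing the output of `ss -H -tln` to `exposed_listeners()`.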