Disable SMTP AUTH on Port 25

Tags: pci-dss, smtp, tls

Due to PCI-DSS, we are required to disable plaintext authentication. We've achieved this by encapsulating communications between our mail server and clients with TLS on port 465.

The problem lies in that port 25 must remain open and unencrypted for us to receive email from the internet, but should not allow authentication.

I've tried disabling the AUTH command, but that breaks authentication on port 465, too.

Is there a mail server or proxy that will allow separate configuration for port 25 and 465, such that authentication is only available over a secure channel?

Also noteworthy: we are using MailEnable with stunnel in FIPS mode.

Update:

MailEnable supplied a patched SMTP executable that allowed me to configure via Windows' registry whether authorization is offered on each listening port. This solved my problem—hopefully, they will publish the patch as a hotfix.

Best Answer

Yes, postfix is perfectly capable of this.

Take a look at the Postfix HOWTO:

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

and particularly:

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

(those two pages are linked from the fairly extensive official Postfix docs page http://www.postfix.org/docs.html)

For my server, the configuration in master.cf looks like:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

And main.cf has a line like:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

In this case, authentication is only turned on for the submission (587) and SMTPS (465) ports.
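As an added check, not part of the answer above or of Postfix itself: a small Python audit that parses a master.cf fragment and flags any smtpd service that enables SASL AUTH without also requiring TLS (either `smtpd_tls_security_level=encrypt` or `smtpd_tls_wrappermode=yes`). The sample is constructed from the answer's master.cf plus a hypothetical, deliberately misconfigured `relay2525` service, and it assumes main.cf keeps the Postfix default of `smtpd_sasl_auth_enable = no`.

```python
"""Audit a Postfix master.cf fragment: which smtpd services offer SASL AUTH,
and is each of those protected by mandatory TLS (STARTTLS-required or wrapper mode)?"""
import re

# Constructed sample: the master.cf from the answer above plus one hypothetical,
# deliberately misconfigured "relay2525" service so the audit has something to flag.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
relay2525 inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Return {service: {option: value}} for every smtpd service. A service line
    starts in column 1; indented '-o name=value' lines override main.cf for it."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                      # blank or comment-only line
        if not raw[0].isspace():          # new service definition
            fields = line.split()
            current = fields[0] if len(fields) >= 8 and fields[7] == "smtpd" else None
            if current:
                services[current] = {}
        elif current:                     # continuation: per-service override
            m = re.match(r"\s*-o\s+(\w+)=(\S*)", line)
            if m:
                services[current][m.group(1)] = m.group(2)
    return services

def audit(text):
    """List (service, issue) pairs where AUTH could be offered over plaintext.
    Assumes main.cf keeps the Postfix defaults (smtpd_sasl_auth_enable = no)."""
    findings = []
    for name, opts in parse_master_cf(text).items():
        auth_on = opts.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
        tls_required = (opts.get("smtpd_tls_wrappermode", "no").lower() == "yes"
                        or opts.get("smtpd_tls_security_level", "") == "encrypt")
        if auth_on and not tls_required:
            findings.append((name, "SASL AUTH enabled without mandatory TLS"))
    return findings
```

Running `audit(SAMPLE_MASTER_CF)` reports only `relay2525`; the port 25 `smtp` service passes because it never enables SASL, and `submission`/`smtps` pass because they require TLS before AUTH.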