Postfix – SMTPS and Submission Confusion Explained

postfixsmtps

I've setup postfix so that email clients use port 465 (smtps) for outbound mail. I'm not really understanding the difference between smtps (port 465) and submission (port 587)

What's the 'best practice' when configuring postfix for clients to securely send mail? Just use smtps? Or use both submission and smtps?

Best Answer

edit: This answer is based on RFC-6409 and is no longer correct, see the newer RFC-8314

Port 465 was used for SMTP connections secured by SSL. However, using that port for SMTP has been deprecated with the availability of STARTTLS: "Revoking the smtps TCP port" These days you should no longer use Port 465 for SMTPS. Instead, use Port 25 for receiving mails for your domain from other servers, or port 587 to receive e-mails from clients, which need to send mails through your server to other domains and thus other servers.

As an additional note, port 587 however is dedicated to mail submission - and mail submission is designed to alter the message and/or provide authentication:

offering and requiring authentication for clients which try to submit mails
providing security mechanisms to prevent submission of unsolicited bulk mail (spam) or infected mails (viruses, etc.)
modify the mail to the needs of an organisation (rewriting the from part, etc.)

Submission to port 587 is supposed to support STARTTLS, and thus can be encrypted. See also RFC#6409.

Related Solutions

Postfix – problem connecting to smtpd through port 465 (smtps)

You need to uncomment the smtps line in your /etc/postfix/master.cf

What you've current got looks like the following. Try uncommenting the first two lines and restarting Postfix. You should see that Postfix is now listening on port 465. You may also need to open that port on your firewall.

#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Postfix permit_sasl_authenticated in smtpd_client_restrictions for submission on 587

It's simply a clean way of overriding main.cf since usually smtpd_client_restrictions in main.cf isn't used, which is the same as saying by default it is set to smtpd_client_restrictions = permit.

You could achieve the same result by overriding smtpd_recipient_restrictions as you say in your question, in which case you wouldn't need the smtpd_client_restrictions statement, perhaps that might have an unnoticeable performance benefit but if there were other restrictions present in smtpd_recipient_restrictions in main.cf relevant to authenticated clients you would also have to add them to master.cf too and remember to keep them in sync with future edits.

Also from the debian packagers point of view, overriding smtpd_client_restrictions is a safer bet since it's much less likely it was doing anything in main.cf compared with smtpd_recipient_restrictions.

Best Answer

Related Solutions

Postfix – problem connecting to smtpd through port 465 (smtps)

Postfix permit_sasl_authenticated in smtpd_client_restrictions for submission on 587

Related Topic