SMTP Auth
By default Postfix relays (sends out) mail only for clients in $mynetworks, i.e. the localhost (e.g., a cron job). An authentication mechanism is therefore required before mailbox users connecting from elsewhere can send out their emails.
- For this purpose, port 465 (submissions, formerly SMTPS) is used.
- Outbound port 25 (SMTP) is often blocked by Internet Service Providers (ISPs) via Outbound Port 25 Blocking (OP25B), which prevents users on such networks from reaching a mail server on that port.
- Port 587 (submission, with STARTTLS) has been used since RFC 6409 was released in 2011, but RFC 8314, released in 2018, recommends implicit TLS on port 465 (submissions) for mail submission.
SMTP TLS
Let Postfix use the proper server certificate to encrypt the connection. Replace the self-signed test certificate configured in /etc/postfix/main.cf with the Let’s Encrypt ones.
# SMTP server RSA key and certificate in PEM format
# Postfix loads these as root at startup, before it drops privileges, so privkey.pem can stay root-only
smtpd_tls_key_file = /etc/letsencrypt/live/example.jp/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.jp/fullchain.pem
# SMTP Server security level: none|may|encrypt
# "may" = opportunistic STARTTLS on port 25, because not every sending MTA supports TLS;
# the submissions port enforces TLS separately via smtpd_tls_wrappermode in master.cf
smtpd_tls_security_level = may
Certificate rotation
As explained in Let’s Encrypt certificate rotation, Let’s Encrypt can reload applications after the certificate is renewed.
Add the following line to /etc/letsencrypt/renewal-hooks/deploy/reload_services.sh.
systemctl reload postfix
SMTP Auth configuration
Dovecot side
Uncomment the “# Postfix smtp-auth” section in /etc/dovecot/conf.d/10-master.conf. It makes Dovecot create its SASL authentication socket inside the Postfix queue directory (the Postfix chroot), owned by the postfix user so that only Postfix’s smtpd can use it.
service auth {
(snip)
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0600
user = postfix
group = postfix
}
# Auth process is run as this user.
#user = $SET:default_internal_user
}
Reload Dovecot.
sudo systemctl reload dovecot
Postfix SASL
- Postfix SASL Howto explains the basics and provides configuration examples.
Update /etc/postfix/main.cf.
- Comment out Cyrus SASL configurations
- Add Dovecot SASL configurations
# Comment out Cyrus SASL configurations
#cyrus_sasl_config_path = /etc/postfix/sasl
# Add Dovecot SASL configurations (the socket path is relative to $queue_directory)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Offer AUTH only inside a TLS session, so passwords are never sent in clear text.
# Note: with smtpd_sasl_auth_enable = yes here, port 25 also offers AUTH after STARTTLS;
# set it to no in main.cf and rely on the master.cf override if AUTH should be limited to the submissions port.
smtpd_tls_auth_only = yes
Reload Postfix
sudo systemctl reload postfix
Submission port
Enable the submissions section (NOT submission: note the trailing “s”) in /etc/postfix/master.cf by uncommenting it. The continuation lines starting with -o must be indented.
submissions inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_forbid_unauth_pipelining=no
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o local_header_rewrite_clients=static:all
  -o smtpd_hide_client_session=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
- The submissions port is not for normal mail transfer from other servers, so:
  - the connection is TLS from the first byte (smtpd_tls_wrappermode=yes) and AUTH is offered only inside it;
  - no relaying is permitted unless the client has authenticated (smtpd_recipient_restrictions=permit_sasl_authenticated,reject).
- $mua_..._restrictions will be defined later. Until then Postfix warns about the undefined parameters and treats them as empty, which is still safe here because smtpd_recipient_restrictions rejects every unauthenticated client.
Reload Postfix
sudo systemctl reload postfix
Now, you should be able to connect to the server from your mailer (port 465, SSL/TLS, normal password authentication).
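Before pointing a mail client at the server, it is worth verifying the security properties of the configuration above from the command line. The following Python script is an added example, not code from the original page: it parses EHLO capability lists (two constructed samples, modelled on what Postfix advertises on port 25 before STARTTLS and on port 465 inside TLS), builds the SASL PLAIN initial response a client sends after AUTH PLAIN, and, when given a hostname, performs the same checks live against your own server, including an unauthenticated relay probe on port 25. The hostname mail.example.jp and the probe addresses are placeholders.

```python
"""Sanity checks for Postfix SMTP AUTH over TLS (added example, not from the page)."""
import base64
import smtplib
import ssl
import sys
from typing import Dict, List

# Constructed EHLO replies, modelled on what Postfix advertises.
# Port 465 (submissions): TLS from the first byte, so AUTH is offered.
SAMPLE_EHLO_SUBMISSIONS = [
    "mail.example.jp",          # placeholder server name
    "PIPELINING",
    "SIZE 10240000",
    "AUTH PLAIN LOGIN",
    "ENHANCEDSTATUSCODES",
    "8BITMIME",
]
# Port 25 before STARTTLS with smtpd_tls_auth_only = yes: STARTTLS offered, AUTH withheld.
SAMPLE_EHLO_PORT25_CLEARTEXT = [
    "mail.example.jp",
    "PIPELINING",
    "SIZE 10240000",
    "STARTTLS",
    "ENHANCEDSTATUSCODES",
    "8BITMIME",
]


def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Map EHLO keyword lines to {KEYWORD: [params]}; the first line is the server name."""
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL password, base64-encoded."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def assess(caps_port25_cleartext: Dict[str, List[str]],
           caps_port465: Dict[str, List[str]]) -> List[str]:
    """Compare advertised capabilities with the intended configuration; return a list of problems."""
    problems = []
    if "AUTH" in caps_port25_cleartext:
        problems.append("port 25 offers AUTH before STARTTLS: set smtpd_tls_auth_only = yes")
    if "STARTTLS" not in caps_port25_cleartext:
        problems.append("port 25 does not offer STARTTLS: check smtpd_tls_security_level = may")
    mechs = caps_port465.get("AUTH")
    if mechs is None:
        problems.append("port 465 does not offer AUTH: check smtpd_sasl_auth_enable and the Dovecot socket")
    elif not {"PLAIN", "LOGIN"} & set(mechs):
        problems.append("port 465 offers AUTH but neither PLAIN nor LOGIN; mail clients will fail to log in")
    return problems


def check_live(host: str, username: str = "", password: str = "") -> List[str]:
    """Run the same checks against a real server (your own), plus an unauthenticated relay probe."""
    ctx = ssl.create_default_context()  # verifies the Let's Encrypt chain against the system CA store
    problems = []
    with smtplib.SMTP_SSL(host, 465, context=ctx, timeout=10) as s:
        s.ehlo()
        caps465 = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        if username:
            code, _ = s.docmd("AUTH PLAIN " + auth_plain_token(username, password))
            if code != 235:
                problems.append(f"AUTH PLAIN on port 465 failed with reply code {code}")
    with smtplib.SMTP(host, 25, timeout=10) as s:
        s.ehlo()
        caps25 = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        # Relay probe: a recipient in a foreign domain must be refused without authentication.
        s.mail("probe@example.net")          # placeholder sender
        code, _ = s.rcpt("relay-probe@example.org")  # placeholder foreign recipient
        if code in (250, 251):
            problems.append("port 25 accepted an unauthenticated relay recipient (open relay)")
        s.rset()
    return assess(caps25, caps465) + problems


if __name__ == "__main__":
    # Usage: python3 check_smtp_auth.py [host [username password]]
    if len(sys.argv) > 1:
        found = check_live(sys.argv[1], *sys.argv[2:4])
    else:
        found = assess(parse_ehlo(SAMPLE_EHLO_PORT25_CLEARTEXT),
                       parse_ehlo(SAMPLE_EHLO_SUBMISSIONS))
    print("OK" if not found else "\n".join(found))
```

Run it without arguments to see the checks applied to the constructed samples, or with your hostname (and optionally a mailbox user and password) to test the live server. Only probe servers you operate: the relay test sends a real RCPT command.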
Go to the next step to reject malicious connection attempts.