disable SMTP AUTH on port 25 to stop it accidentally being used for submission

fixes #830
2018-11-30 09:49:00 -05:00 · 2018-11-30 09:49:00 -05:00 · aa52f52d02
commit aa52f52d02
parent b05b06c74a
2 changed files with 9 additions and 2 deletions
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -73,6 +73,8 @@ tools/editconf.py /etc/postfix/main.cf \

 # Enable the 'submission' port 587 smtpd server and tweak its settings.
 #
+# * Enable authentication. It's disabled globally so that it is disabled on port 25,
+#   so we need to explicitly enable it here.
 # * Do not add the OpenDMAC Authentication-Results header. That should only be added
 #   on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
 #   OpenDKIM milter only. See dkim.sh.
@ -87,6 +89,7 @@ tools/editconf.py /etc/postfix/main.cf \
 #   emails but we turn this off by setting nested_header_checks empty.
 tools/editconf.py /etc/postfix/master.cf -s -w \
 	"submission=inet n       -       -       -       -       smtpd
+	  -o smtpd_sasl_auth_enable=yes
 	  -o syslog_name=postfix/submission
 	  -o smtpd_milters=inet:127.0.0.1:8891
 	  -o smtpd_tls_security_level=encrypt
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@ -65,11 +65,15 @@ service auth {
 }
 EOF

-# And have Postfix use that service.
+# And have Postfix use that service. We *disable* it here
+# so that authentication is not permitted on port 25 (which
+# does not run DKIM on relayed mail, so outbound mail isn't
+# correct, see #830), but we enable it specifically for the
+# submission port.
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_sasl_type=dovecot \
 	smtpd_sasl_path=private/auth \
-	smtpd_sasl_auth_enable=yes
+	smtpd_sasl_auth_enable=no

 # ### Sender Validation