
I'm trying my best to configure Postfix with STARTTLS using port 25. Now the problem is STARTTLS is not working on port 25.

250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 xxxxxxxxxx
334 xxxxxxxxxxxxx
235 2.7.0 Authentication successful
RSET
250 2.0.0 Ok
MAIL FROM: <user1@domain.com>
250 2.1.0 Ok
RCPT TO: <user2@domain.com>

When using port 587, there is a STARTTLS feature, but I don't see "220 2.0.0 Ready to start TLS".

STARTTLS should start before authentication. If the device/client doesn't support STARTTLS, auth should be rejected automatically.

It should be like this with port 25.

250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
220 2.0.0 Ready to start TLS
250-AUTH PLAIN LOGIN
AUTH PLAIN am9obkBleGFtcGxlLm9yZwBqb2huQGV4YW1wbGUub3JnAHN1bW1lcnN1bg==

Please advise where the mistake is. Did I miss something?

Is it possible to use STARTTLS with port 25?

main.cf

smtp_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/key.key
smtpd_tls_cert_file = /etc/postfix/certs/crt.crt
smtpd_tls_CAfile = /etc/postfix/certs/mcabundle.ca-bundle
smtp_tls_key_file = /etc/postfix/certs/key.key
smtp_tls_cert_file = /etc/postfix/certs/crt.crt
smtp_tls_CAfile = /etc/postfix/certs/ca-bundle
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtpd_delay_reject = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject

master.cf

smtp      inet  n       -       n     -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
Michael Hampton
David A

1 Answer

To get TLS on port 25, place smtpd_tls_security_level = may in main.cf.
You should also place smtpd_tls_auth_only = yes in main.cf, so that it is not possible to authenticate without first encrypting connections.
Additionally, I recommend adjusting your master.cf to:

smtp      inet  n       -       n     -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

After this change the submission port (587/tcp) will be active and require encryption. It will also be easier to distinguish in the logs.

84104
  • I have changed main.cf and master.cf accordingly, now it shows error "Error: SMTP protocol error. 503 5.5.1 Error: authentication not enabled. Failed to send message" when using port 25. When using port 587, shows "Error: SMTP protocol error. 530 5.7.0 Must issue a STARTTLS command first. Failed to send message" – David A Apr 30 '18 at 02:00
  • That's what it should do. Simply connecting on 587 doesn't cause encryption. You need to issue STARTTLS. 465/tcp aka smtps is a TLS wrapped port, but your (telnet?) test isn't going to work with that either. The typical commandline test is `openssl s_client -connect server.example.com:$port -starttls smtp`. – 84104 Apr 30 '18 at 06:49
  • My bad. Tested with outlook, working great with port 587 now. Need to issue STARTTLS first. That's what I want. One more question, is it possible with port 25 instead? Can we force issue STARTTLS first before authentication, like 587? For example, in smtp.gmail.com, both 25 and 587 will enforce STARTTLS before authentication. Thanks much :) – David A Apr 30 '18 at 14:24
  • Had a typo in my answer. It should have been "`smtpd_tls_security_level = may` in `main.cf`" rather than "`smtp_tls_security_level = may` in `main.cf`". Leave the latter though, it opportunistically encrypts outgoing mail. – 84104 Apr 30 '18 at 15:21
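An added checker, not part of the question or the answer, that applies the answer's criterion: it parses EHLO replies and reports when STARTTLS is missing from the cleartext session or AUTH is advertised before TLS, and it includes a live probe built on Python's smtplib that performs the same EHLO / STARTTLS / EHLO sequence as the openssl s_client test from the comments. The transcripts at the bottom are constructed from the question's own EHLO output; the host name passed to probe() is an assumption you supply.

```python
"""Check STARTTLS/AUTH ordering on an SMTP server: STARTTLS must be in the
cleartext EHLO reply and AUTH only in the EHLO reply sent after the handshake
(Postfix: smtpd_tls_security_level = may plus smtpd_tls_auth_only = yes)."""
import smtplib
import ssl

def parse_ehlo(lines):
    """Turn raw EHLO reply lines ('250-KEYWORD args' / '250 KEYWORD') into a dict."""
    caps = {}
    for line in lines:
        line = line.strip()
        if len(line) < 5 or not line.startswith("250"):
            continue
        keyword, _, args = line[4:].partition(" ")
        caps[keyword.upper()] = args
    return caps

def assess(pre_tls, post_tls=None):
    """Return a list of findings; an empty list means the ordering is correct."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not offered on the cleartext session")
    if "AUTH" in pre_tls:
        findings.append("AUTH offered before TLS (set smtpd_tls_auth_only = yes)")
    if post_tls is not None and "AUTH" not in post_tls:
        findings.append("AUTH not offered after TLS (check smtpd_sasl_auth_enable)")
    return findings

def probe(host, port=25, timeout=10):
    """Live check: EHLO, STARTTLS, EHLO again, then assess both capability sets."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        pre = {k.upper(): v for k, v in conn.esmtp_features.items()}
        post = None
        if conn.has_extn("starttls"):
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()  # capabilities must be re-read after the handshake
            post = {k.upper(): v for k, v in conn.esmtp_features.items()}
    return assess(pre, post)

# Constructed transcripts copied from the question: the broken port-25 reply
# and the desired cleartext / post-TLS pair.
BROKEN_PORT25 = ["250-VRFY", "250-ETRN", "250-AUTH PLAIN LOGIN", "250 DSN"]
WANTED_CLEAR = ["250-VRFY", "250-ETRN", "250-STARTTLS", "250 DSN"]
WANTED_TLS = ["250-VRFY", "250-ETRN", "250-AUTH PLAIN LOGIN", "250 DSN"]

if __name__ == "__main__":
    print(assess(parse_ehlo(BROKEN_PORT25)))
    print(assess(parse_ehlo(WANTED_CLEAR), parse_ehlo(WANTED_TLS)))
```

Run probe("mail.example.com", 25) against your own server to confirm the first list is empty after the answer's main.cf changes; the default SSL context verifies the certificate against the host name, so use the name the certificate was issued for.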