Based on a Debian 11 "Bullseye" environment.

SMTP Auth

At this point Postfix accepts relaying (sending out) mail only from localhost (e.g. cron jobs). Set up an authentication mechanism so that mailbox users can send out email through this server.

Here I use Dovecot as the SASL backend for SMTP Auth and integrate it with Postfix.
Because outbound port 25 is often blocked by internet providers, port 587 (the submission port) is used for connections from the MUA to the server.

SMTP TLS

Before setting up authentication, give Postfix a proper server certificate so that the connection between the MUA and Postfix is encrypted.
A self-signed test certificate is configured in /etc/postfix/main.cf by default, so change these lines to a valid certificate from Let's Encrypt (or any other certificate you have).

# TLS parameters
# Change the next two lines to your valid certificate chain and private key file.
# Keep comments on their own lines: Postfix does not support comments at the end of a setting.
smtpd_tls_cert_file=/etc/letsencrypt/live/example.jp/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.jp/privkey.pem
smtpd_tls_security_level=may


SMTP Auth Configuration

Dovecot

Uncomment the following listener in /etc/dovecot/conf.d/10-master.conf to enable SMTP Auth for Postfix.

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user = 
    #group = 
  }

  # Postfix smtp-auth (uncomment the following lines)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

Comment out the normal PAM authentication (Linux system users, auth-system.conf.ext) from the include list in /etc/dovecot/conf.d/10-auth.conf unless you need it.

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Restart Dovecot.

# systemctl restart dovecot

Postfix

Add the SASL configuration to /etc/postfix/main.cf.

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
  • With smtpd_tls_auth_only = yes, authentication is offered only over a TLS-encrypted connection, so credentials never cross the wire in plain text.

Reload Postfix.

# systemctl reload postfix

Test

If your provider does not block outbound port 25, you can test by sending a mail from your MUA through this server.
If it succeeds, the mail reaches its destination and a log line like the following appears in /var/log/mail.log.

postfix/smtpd[xxxx]: AFXXXXXXXX: client=xxx.ne.jp[000.000.000.000], sasl_method=PLAIN, sasl_username=info@mail.example.jp

Submission Port

For mailbox users, port 587 is the normal port to connect to from the MUA.
Enable the submission section in /etc/postfix/master.cf.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  • Because the submission port is not used for normal server-to-server mail transfer, it is restricted more tightly than port 25:
    • connections must use TLS (smtpd_tls_security_level=encrypt).
    • no relaying is permitted unless the client has authenticated (permit_sasl_authenticated,reject).
  • The $mua_client_restrictions, $mua_helo_restrictions and $mua_sender_restrictions parameters referenced here are not defined anywhere yet (an undefined parameter expands to an empty value). These will be defined later.

Reload Postfix.

# systemctl reload postfix

Test

As in the port 25 case above, a successful login is logged in /var/log/mail.log. The difference is that the syslog name (postfix/submission/smtpd) shows the connection came in via the submission port.

postfix/submission/smtpd[xxxx]: AFXXXXXXXX: client=xxx.ne.jp[000.000.000.000], sasl_method=PLAIN, sasl_username=info@mail.example.jp

fail2ban

After opening the submission port, you will see continuous login attempts from the internet. Fail2ban ships with a Postfix preset to shut them out.
Here I tweaked it (using options included in the latest version) to take countermeasures against brute-force attacks.

Enable the postfix preset

Create /etc/fail2ban/jail.d/postfix.conf with the contents below.

[postfix]
enabled = true
mode = aggressive
findtime = 60m
  • The "aggressive" mode enables all of the postfix filter's rule sets. If you need a softer version, set this to "more" or to one of the specific modes described in the filter.
  • The default findtime is 10 minutes, which may be too short to catch the slow, spread-out login attempts typically seen against Postfix.

Enable this configuration.

# systemctl restart fail2ban

You can check the result in the fail2ban logs: /var/log/fail2ban.log
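The following is an added example, not part of the original post and not fail2ban's own code: a small Python script that scans constructed mail.log lines in the format shown in the Test sections above, lists the successful SASL logins, and replays fail2ban's findtime/maxretry test over the failed ones, so you can see why the default 10-minute findtime misses a slow brute-force that a 60-minute window catches. The log lines, the RFC 5737 test addresses and the year 2022 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/mail.log sample (RFC 5737 test addresses); "UGFzc3dvcmQ6" is the
# base64 "Password:" prompt Postfix logs on a failed LOGIN attempt.
SAMPLE_LOG = """\
Sep 14 10:00:01 mail postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 10:12:40 mail postfix/submission/smtpd[2107]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 10:25:13 mail postfix/submission/smtpd[2113]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Sep 14 10:31:02 mail postfix/submission/smtpd[2120]: AF1234567B: client=xxx.ne.jp[203.0.113.5], sasl_method=PLAIN, sasl_username=info@mail.example.jp
Sep 14 10:40:55 mail postfix/submission/smtpd[2125]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 10:41:10 mail postfix/submission/smtpd[2126]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 10:52:30 mail postfix/submission/smtpd[2131]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/"
FAILED_RE = re.compile(TS + r"(?:submission/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
                       r"SASL \w+ authentication failed")
SUCCESS_RE = re.compile(TS + r"(?P<svc>(?:submission/)?smtpd)\[\d+\]: \w+: client=\S+\[(?P<ip>[\d.]+)\], "
                        r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)")

def parse_ts(text, year=2022):
    # Syslog timestamps carry no year; the caller supplies one (2022 for the constructed sample).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def successful_logins(log_text):
    """(service, client ip, sasl method, user) per successful login; 'submission/smtpd' = port 587."""
    return [(m["svc"], m["ip"], m["method"], m["user"])
            for m in map(SUCCESS_RE.match, log_text.splitlines()) if m]

def sliding_window_offenders(log_text, findtime_min=60, maxretry=5):
    """fail2ban-style test: {ip: hits} for clients with maxretry SASL failures inside findtime_min minutes."""
    window = timedelta(minutes=findtime_min)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide: drop hits older than findtime
                start += 1
            if end - start + 1 >= maxretry:    # enough hits in one window -> would be banned
                offenders[ip] = end - start + 1
                break
    return offenders
```

With the sample, sliding_window_offenders(SAMPLE_LOG, findtime_min=10) finds nobody, while the 60-minute window from the jail above flags 198.51.100.7 after its fifth failure.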


Update History

2020-03-28

  • Add fail2ban configuration

2021-09-08

  • Correct configurations according to Debian 11

2022-09-14

  • Add configuration to disable PAM authentication