I am in the process of implementing a new Postfix implementation on an existing environment which is extremely old. While doing so I am requiring all clients to connect securely on either 465 or 587 for relay access.
The existing postfix environment that I inherited has the following setting:
smtpd_tls_security_level = may
According to Postfix documentation, which cites RFC 2487:
A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure. A publicly-referenced SMTP server is an SMTP server which runs on port 25 of an Internet host listed in the MX record (or A record if an MX record is not present) for the domain name on the right hand side of an Internet mail address.
Given that I want outbound SMTP relay access to be exclusively performed on 465/587, my question is simply this:
Is there any circumstance that TLS is used for local mail delivery for an MX host? (I have the required overrides in master.cf to enable ssl/tls, startls).
I can't find a definitive answer if other MTA's establish secure connections to MX hosts in order to deliver locally.
My goal is to prevent any relay access (Authenticated or otherwise) on port 25, however I do not want to disable tls security on 25 if it will interfere with local delivery from the internet.
Thanks in advance.
main.cf
#
# Postscreen
#
#postscreen_dnsbl_whitelist_threshold = -1 # Pending Postfix 2.11
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen/access.cidr
postscreen_greet_banner = $myhostname [POSTSCREEN] ESMTP
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen/dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3
b.barracudacentral.org*2
bl.spameatingmonkey.net*2
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net
#swl.spamhaus.org*-4
postscreen_whitelist_interfaces = static:all
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
#
# Server
#
myhostname = relay1.sanitized.fqdn
mydomain = sanitized.fqdn
myorigin = $myhostname
mynetworks = 127.0.0.0/8, 192.168.0.0/24
mydestination = $myhostname, localhost.$mydomain, localhost
sendmail_path = /usr/sbin/sendmail.postfix
relay_domains =
local_recipient_maps =
inet_interfaces = localhost, 192.168.0.12
inet_protocols = ipv4
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
local_recipient_maps =
#
# SMTPD
#
append_dot_mydomain = no
biff = no
relayhost =
smtpd_banner = $myhostname ESMTP
#smtpd_client_restrictions = sleep 5
smtpd_delay_reject = no
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_error_sleep_time = 30
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
smtp_helo_timeout = 5
#smtp_connect_timeout = 5
smtp_host_lookup = native
#
# SMTP-AUTH configuration
#
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql/mailboxes.cf
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = no
#smtp_sasl_mechanism_filter = plain, login
#
# TLS configuration
#
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/godaddy.crt
smtpd_tls_key_file = /etc/pki/tls/private/godaddy.key
smtpd_tls_CAfile = /etc/pki/tls/certs/gd_bundle-g2-g1.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10800s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
tls_random_source = dev:/dev/urandom
tls_random_exchange_name = /var/lib/postfix/prng_exch
smtpd_tls_auth_only = yes
#
# Virtual configuration
#
virtual_alias_domains =
virtual_mailbox_base = /
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/mailboxes.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/autoreply.cf, proxy:mysql:/etc/postfix/mysql/aliases.cf, proxy:mysql:/etc/postfix/mysql/groups.cf
virtual_minimum_uid = 110532
virtual_uid_maps = static:110532
virtual_gid_maps = static:101
proxy_read_maps = $virtual_mailbox_maps $virtual_alias_maps $virtual_mailbox_domains $smtp_sasl_password_maps
master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#smtp inet n - n - 1 smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd -v
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#-o smtpd_sender_restrictions=reject_sender_login_mismatch
#-o smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject
#-o smtpd_client_restrictions=$mua_client_restrictions
#-o smtpd_helo_restrictions=$mua_helo_restrictions
#-o smtpd_sender_restrictions=$mua_sender_restrictions
#-o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_login_maps.cf
#-o smtpd_sender_sasl_password_maps=proxy:mysql:/etc/postfix/mysql_login_maps.cf
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#-o smtpd_client_restrictions=$mua_client_restrictions
#-o smtpd_helo_restrictions=$mua_helo_restrictions
#-o smtpd_sender_restrictions=$mua_sender_restrictions
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
policy unix - n n - 0 spawn user=nobody
argv=/bin/python /usr/libexec/postfix/policyd-spf
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
mayis the safe and preferred option, I would be more inclined to suggest signed certificates. If both endpoints support TLS, it will be used.Many email providers run opportunistic TLS (Gmail even added visual indicators to email sent without tls).
Your config description doesn't make sense. If you want mail to flow you need port 25 open. You cannot presume that all mail will come in via 587 or with TLS. Relaying however, shouldn't be possible from the outside and there are several setting that allow you to only allow relaying from inside and optionally require tls.