After Postfix and Dovecot were installed, there are 4 ports open by default.

  • port 25 - for MX accepting messages
  • port 587 - for clients submission
  • port 143 - plain text IMAP
  • port 993 - ssl encrypted IMAP

For security issue, the first thing is to close the public port 143, which you can set in `10-master.conf` for dovecot.

 service imap-login {
   inet_listener imap {
     address = 127.0.0.1
     port = 143
   }
   ...
 }

This setting above let port 143 listen on local address only.

The second thing we should improve is to disable sasl login on port 25, which would accept incoming messages only.

how to disable sasl auth on postfix port 25

The third, we should improve the security of port 587, which would accept the submission requests via TLS only.

In postfix's master.cf, add the following section for submission entry.

     -o { smtpd_tls_security_level = encrypt }
     -o { smtpd_tls_auth_only = yes }
     -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
     -o { smtpd_sasl_tls_security_options = noanonymous }

The above settings are belt and suspenders (the first setting implies the second, and the third should then never be used).

Now you have a more secure email system.