For security reasons, it is better to disable SASL auth on SMTP port 25.

This is because port 25 is mainly used for communication between MX servers, not for mail submission sessions.

To disable SASL auth on port 25, make the following changes.

Edit main.cf and comment out this line:

    #smtpd_sasl_auth_enable = yes

This is a global setting that turns on SASL auth for every smtpd service, port 25 included, which is bad.

Edit master.cf and update the following section:

    submission inet n       -       y       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes

That means SASL auth is enabled explicitly for the submission service (port 587).

If you are using port 465 for SSL connections, enable SASL auth for smtps as well.

In master.cf:

    smtps     inet  n       -       y       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes

Then restart Postfix.

Please note that, for security, we should enable all of the default options that master.cf lists for submission/smtps.

For instance, the default entries for smtps are:

    #smtps     inet  n       -       y       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

I will uncomment all the options, so they become:

    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

To test it, just telnet to the mail server's port 25 and issue an EHLO command.

If the server's answer does not list AUTH, that should be OK.

    ehlo localhost.localdomain
    250-mx.domain.xyz
    250-PIPELINING
    250-SIZE
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
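
To check the files themselves as well as the EHLO reply, the following added example (not part of the original post and not Postfix code) computes the effective smtpd_sasl_auth_enable for each smtpd service from main.cf and master.cf text. The function names, the simplified parsing and the sample MASTER_CF, including its port 25 smtp entry, are assumptions made for illustration.

```python
# Added example: a simplified reader for main.cf/master.cf, not Postfix's parser.
# MASTER_CF is constructed sample data modelled on the entries on this page.
MASTER_CF = """\
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

def logical_lines(text):
    """Drop comments and blank lines; a line that starts with whitespace
    continues the previous logical line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def global_sasl(main_cf):
    """smtpd_sasl_auth_enable from main.cf; the Postfix default is "no"."""
    value = "no"
    for line in logical_lines(main_cf):
        name, _, val = line.partition("=")
        if name.strip() == "smtpd_sasl_auth_enable":
            value = val.strip()  # a later definition overrides an earlier one
    return value

def sasl_by_service(main_cf, master_cf):
    """Map each inet smtpd service name to whether SASL auth is enabled."""
    result = {}
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        value = global_sasl(main_cf)
        for flag, arg in zip(f[8:], f[9:]):  # only the "-o name=value" form
            if flag == "-o" and arg.startswith("smtpd_sasl_auth_enable="):
                value = arg.split("=", 1)[1]
        result[f[0]] = value.lower() == "yes"
    return result

if __name__ == "__main__":
    for name, on in sasl_by_service("#smtpd_sasl_auth_enable = yes\n", MASTER_CF).items():
        print(f"{name}: SASL auth {'enabled' if on else 'disabled'}")
```
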

Everything is done now.