how to disable sasl auth on postfix port 25

For security issue, we'd better disable sasl auth on smtp port 25.

This is because port 25 is mainly used for communication between MX, not for a submission session.

To disable sasl auth on port 25, we could have the following changes.

Edit main.cf, comment out this line:

 #smtpd_sasl_auth_enable = yes 
 

This is a global argument for turning on sasl auth, which is bad.

Edit master.cf, update the following section:

 submission inet n       -       y       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
 

That means for submission service (port 587) the sasl auth should be open explicitly.

And, if you were using port 465 for SSL connection, then enable sasl auth for smtps as well.

In master.cf:

 smtps     inet  n       -       y       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
 

Then restart postfix.

Please note, for security stuff we should enable all default options in master.cf for submission/smtps.

For instance, the default entries for smtps are:

 #smtps     inet  n       -       y       -       -       smtpd
 #  -o syslog_name=postfix/smtps
 #  -o smtpd_tls_wrappermode=yes
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
 #  -o smtpd_recipient_restrictions=
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 

I will uncomment out all the options then they become,

 smtps     inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_client_restrictions=$mua_client_restrictions
   -o smtpd_helo_restrictions=$mua_helo_restrictions
   -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
 

To test it, just telnet to the mailserver's port 25, and issue a EHLO command.

If the server answers without AUTH command, that should be OK.

 ehlo localhost.localdomain
 250-mx.domain.xyz
 250-PIPELINING
 250-SIZE
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250-DSN
 250 CHUNKING 
 

All are done well now.