SMTP Submission Service on Port 587 in Postfix

This section provides a tutorial example on how to turn on the dedicated Postfix 'SMTP Submission' service on port 587. This allows port 25 to be used for email relay only.

By default, Postfix only provides SMTP service on port 25, offering both email relay and email submission functionalities with Opportunistic TLS connections.

In certain situations, we may want to offer email relay and email submission functionalities on separate ports to apply different security policies. This can be done by turning on SMTP Submission service on port 587 in Postfix configuration.

1. Enable the SMTP Submission service in the master.cf configuration file.

herong$ sudo vi /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
...

2. Restart the Postfix server.

herong$ sudo systemctl restart postfix

herong$ sudo systemctl status postfix
* postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; ...
   Active: active (running) since 2023-11-15 03:13:22 EST; 18s ago

3. Verify network ports.

herong$ nmap localhost
  PORT     STATE SERVICE
  25/tcp   open  smtp
  587/tcp  open  submission
  ...

herong$ sudo netstat -lpt
  Proto Local Address  Foreign Address  State       PID/Program name
  tcp   0.0.0.0:25     0.0.0.0:*        LISTEN      31224/master
  tcp   0.0.0.0:587    0.0.0.0:*        LISTEN      31224/master

4. Open the firewall for port 587.

herong$ sudo firewall-cmd --zone=public --add-port=587/tcp
herong$ sudo firewall-cmd --runtime-to-permanent

5. Test it from a remote computer with the "telnet" command, in a plain text session.

herong$ telnet 192.168.1.100 587
  Trying 192.168.1.100...
  Connected to 192.168.1.100.
  Escape character is '^]'.
  220 mail.herongyang.com ESMTP Postfix
ehlo 192.168.1.11
  250-mail.herongyang.com
  ...
  250-STARTTLS
  250 SMTPUTF8

mail from: herong
  250 2.1.0 Ok
rcpt to: herong
  250 2.1.5 Ok
data
  354 End data with <CR><LF>.<CR><LF>
Hello world - from port 587!
.
  250 2.0.0 Ok: queued as D86E9266002D
quit
  221 2.0.0 Bye
  Connection closed by foreign host.

6. Test it from a remote computer with the "telnet" command, in a TLS encrypted session created by calling "STARTTLS".

herong$ telnet 192.168.1.100 587
  Trying 192.168.1.100...
  Connected to 192.168.1.100.
  Escape character is '^]'.
  220 mail.herongyang.com ESMTP Postfix
ehlo 192.168.1.11
  250-mail.herongyang.com
  ...
  250-STARTTLS
  250 SMTPUTF8

starttls
  220 2.0.0 Ready to start TLS
...

7. Double check Opportunistic TLS from a remote computer with "openssl s_client".

herong$ openssl s_client -connect 192.168.1.100:587 -starttls smtp

CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, ...
verify error:num=18:self signed certificate
verify return:1
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2649 bytes and written 412 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
250 SMTPUTF8
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Start Time: 1605846117
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    ...
read R BLOCK

mail from: herong
  250 2.1.0 Ok
rcpt to: herong
  250 2.1.5 Ok
data
  354 End data with <CR><LF>.<CR><LF>
Hello World! - from port 587 STARTTLS
.
  250 2.0.0 Ok: queued as A20D3266002F
quit
  221 2.0.0 Bye
  closed

Cool. I can give out two SMTP ports for 2 different functionalities now: 25 for email relay, and 587 for email submission.

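Note that both ports support Opportunistic TLS (calling STARTTLS explicitly). Because smtpd_tls_security_level is set to "may" on port 587, encryption is optional: a client that never issues STARTTLS, as in step 5, still submits mail in plain text.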
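
The following Python script is an added example, not part of the original tutorial or of Postfix. It parses master.cf entries like the one in step 1 and reports where the submission entry's "-o" overrides differ from a stricter policy. The sample file content is constructed, and the EXPECTED policy (mandatory TLS and SASL authentication on port 587) is an assumption, not something this tutorial configures.

```python
# Added example: audit the "-o" overrides of the submission entry in master.cf.
# SAMPLE_MASTER_CF is constructed from the tutorial's step 1, not a real server file.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
#smtps    inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
"""

# Assumed stricter policy for port 587 (not set by the tutorial).
EXPECTED = {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes"}

def parse_master_cf(text):
    """Return {(service, type): {param: value}} holding each entry's -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete 8-column service entry
        args = fields[8:]  # arguments that follow the command name
        overrides = {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and "=" in setting:
                name, value = setting.split("=", 1)
                overrides[name] = value  # a later -o for the same name wins here
        entries[(fields[0], fields[1])] = overrides
    return entries

def audit_submission(text, expected=EXPECTED):
    """List expected overrides that the submission entry lacks or sets differently."""
    entries = parse_master_cf(text)
    if ("submission", "inet") not in entries:
        return ["no active submission entry (still commented out?)"]
    found = entries[("submission", "inet")]
    return [f"{k}: master.cf has {found.get(k, 'no override (main.cf applies)')}, expected {v}"
            for k, v in expected.items() if found.get(k) != v]

if __name__ == "__main__":
    print("\n".join(audit_submission(SAMPLE_MASTER_CF)))
```

The script only reads overrides in master.cf, so a parameter reported as "no override" takes whatever value main.cf gives it. It does not handle the "{ }" quoting form of "-o" arguments.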
