assuming you got postfix up and running already
see the Dovecot guide -> SASL socket section
make sure you’ve enabled a valid certificate and a decent TLS setup already
then enable submissions with implicit ssl/tls (not starttls). it's better to hard-code the port number here, as slackware still has not switched from smtps to submissions
vi /etc/postfix/master.cf

    465 inet n - n - - smtpd
      -o syslog_name=sasl
      -o smtpd_tls_auth_only=yes
      -o smtpd_tls_wrappermode=yes
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o cleanup_service_name=ascleanup
      #-o broken_sasl_auth_clients=yes
    ascleanup unix n - y - 0 cleanup
      -o mime_header_checks=regexp:/etc/postfix/header_checks.regexp
      -o header_checks=regexp:/etc/postfix/header_checks.regexp
there is NO NEED to add permit_sasl_authenticated in main.cf
apparently you need both cleanup AND ascleanup, otherwise you get some of those

    postfix/smtpd[797]: warning: connect #5 to subsystem public/cleanup: Connection refused
alternatively, in case you want to dedicate a host for that, you could simply define those options in the main configuration
vi /etc/postfix/main.cf

    #
    # SASL DEDICATED HOST
    #
    syslog_name = postfix/submissions
    smtpd_tls_auth_only = yes
    smtpd_tls_wrappermode = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    #broken_sasl_auth_clients = yes
keep your SASL users' IPs hidden
vi /etc/postfix/header_checks.regexp

    /^Received:.*with SMTP/ IGNORE
    /^Received:.*with ESMTP/ IGNORE
    /^Received:.*with ESMTPS/ IGNORE
    /^Received:.*with ESMTPSA/ IGNORE
    /^X-Originating-IP:/ IGNORE
    /^X-Mailer:/ IGNORE
    /^Mime-Version:/ IGNORE
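what these rules do to a submitted message, as an added example that is not part of the original page: a Python approximation of how Postfix matches the regexp table against each logical (unfolded) header, run over constructed sample headers. the function names and sample addresses are assumptions; on a real host, `postmap -q "<header>" regexp:/etc/postfix/header_checks.regexp` performs the actual lookup.

```python
import re

# Rules copied from the page's /etc/postfix/header_checks.regexp
RULES = r"""
/^Received:.*with SMTP/ IGNORE
/^Received:.*with ESMTP/ IGNORE
/^Received:.*with ESMTPS/ IGNORE
/^Received:.*with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^Mime-Version:/ IGNORE
"""

# Constructed sample headers (documentation addresses, not real traffic)
SAMPLE = (
    "Received: from laptop.example (unknown [203.0.113.45])\n"
    "\tby mx.example.org (Postfix) with ESMTPSA id 4F00D1234\n"
    "\tfor <bob@example.net>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "X-Mailer: ExampleMail 1.0\n"
    "MIME-Version: 1.0\n"
    "From: alice@example.org\n"
    "Subject: test\n"
)

def parse_rules(text):
    # Postfix regexp tables are case-insensitive by default, and "." also
    # matches the newlines inside a folded header: hence re.I | re.S.
    found = re.findall(r"^/(.+)/\s+(\S+)", text, re.M)
    return [(re.compile(p, re.I | re.S), action) for p, action in found]

def logical_headers(raw):
    # Join folded continuation lines so each header is matched as one unit.
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def surviving_headers(raw, rules):
    # First matching rule wins; IGNORE deletes the header from the message.
    def action(h):
        return next((a for rx, a in rules if rx.search(h)), None)
    return [h for h in logical_headers(raw) if action(h) != "IGNORE"]

if __name__ == "__main__":
    print("\n".join(surviving_headers(SAMPLE, parse_rules(RULES))))
```

the folded Received header only matches because it is treated as one logical header: the "with ESMTPSA" part sits on its second line.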
apply and check
postfix reload
netstat -an -f inet | grep LISTEN
and remotely
openssl s_client -connect xc.nethence.com:465
TODO try to validate auth with an s_client telnet session with a base64 password.