Email Tutorials - Herong's Tutorial Examples - v1.04, by Herong Yang
SMTP Submission Service on Port 587 in Postfix
This section provides a tutorial example on how to turn on the dedicated Postfix 'SMTP Submission' service on port 587. This allows port 25 to be used for email relay only.
By default, Postfix only provides SMTP service on port 25 offering both email relay and email submission functionalities with Opportunistic TLS connection.
In certain situations, we may want to offer email relay and email submission functionalities on separate ports to apply different security policies. This can be done by turning on SMTP Submission service on port 587 in Postfix configuration.
1. Open SMTP Submission service in master.cf configuration file.
    herong$ sudo vi /etc/postfix/master.cf

    submission inet n       -       n       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=may
    ...
2. Restart Postfix server.
    herong$ sudo systemctl restart postfix

    herong$ sudo systemctl status postfix
    * postfix.service - Postfix Mail Transport Agent
       Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; ...
       Active: active (running) since 2023-11-15 03:13:22 EST; 18s ago
3. Verify network ports.
    herong$ nmap localhost
    PORT    STATE SERVICE
    25/tcp  open  smtp
    587/tcp open  submission
    ...

    herong$ sudo netstat -lpt
    Proto Local Address  Foreign Address  State   PID/Program name
    tcp   0.0.0.0:25     0.0.0.0:*        LISTEN  31224/master
    tcp   0.0.0.0:587    0.0.0.0:*        LISTEN  31224/master
4. Open the firewall for port 587.

    herong$ sudo firewall-cmd --zone=public --add-port=587/tcp
    herong$ sudo firewall-cmd --runtime-to-permanent
5. Test it from a remote computer with the "telnet" command, in a plain text session.

    herong$ telnet 192.168.1.100 587
    Trying 192.168.1.100...
    Connected to 192.168.1.100.
    Escape character is '^]'.
    220 mail.herongyang.com ESMTP Postfix
    ehlo 192.168.1.11
    250-mail.herongyang.com
    ...
    250-STARTTLS
    250 SMTPUTF8
    mail from: herong
    250 2.1.0 Ok
    rcpt to: herong
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Hello world - from port 587!
    .
    250 2.0.0 Ok: queued as D86E9266002D
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
6. Test it from a remote computer with the "telnet" command, in a TLS encrypted session created by calling "STARTTLS".

    herong$ telnet 192.168.1.100 587
    Trying 192.168.1.100...
    Connected to 192.168.1.100.
    Escape character is '^]'.
    220 mail.herongyang.com ESMTP Postfix
    ehlo 192.168.1.11
    250-mail.herongyang.com
    ...
    250-STARTTLS
    250 SMTPUTF8
    starttls
    220 2.0.0 Ready to start TLS
    ...
7. Double check Opportunistic TLS from a remote computer with "openssl s_client".
    herong$ openssl s_client -connect 192.168.1.100:587 -starttls smtp
    CONNECTED(00000003)
    depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, ...
    verify error:num=18:self signed certificate
    verify return:1
    ...
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2649 bytes and written 412 bytes
    Verification error: self signed certificate
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 18 (self signed certificate)
    ---
    250 SMTPUTF8
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Start Time: 1605846117
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ...
    read R BLOCK
    mail from: herong
    250 2.1.0 Ok
    rcpt to: herong
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Hello World! - from port 587 STARTTLS
    .
    250 2.0.0 Ok: queued as A20D3266002F
    quit
    221 2.0.0 Bye
    closed
Cool. I can give out two SMTP ports for 2 different functionalities now: 25 for email relay, and 587 for email submission.
Note that both ports support Opportunistic TLS (calling STARTTLS explicitly).
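An added example, not part of the original tutorial: a small Python check that reads master.cf the way Postfix does (a line starting with whitespace continues the previous entry), collects each service's "-o" overrides, and compares the submission entry with a policy. The sample file is constructed from step 1, and the stricter policy values (smtpd_tls_security_level=encrypt, smtpd_sasl_auth_enable=yes) are an assumption about what a site may want on port 587, not the tutorial's configuration.

```python
import shlex

# Constructed sample: the default smtp entry plus the submission entry from step 1.
SAMPLE_MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -      n      -      -       smtpd
submission inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
"""

# Assumed policy for port 587 (not the tutorial's settings).
SUBMISSION_POLICY = {"smtpd_tls_security_level": "encrypt",
                     "smtpd_sasl_auth_enable": "yes"}

def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": dict}}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()    # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        if len(fields) < 8:
            continue                            # not a complete service entry
        overrides, args = {}, fields[8:]
        # Only the "-o name=value" form is handled, not "-o { name = value }".
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                key, val = value.split("=", 1)
                overrides[key] = val
        services[(fields[0], fields[1])] = {"command": fields[7], "overrides": overrides}
    return services

def audit(text, service, policy):
    """List settings where the service's -o overrides differ from the policy."""
    entry = parse_master_cf(text).get((service, "inet"))
    if entry is None:
        return [f"{service}: no inet entry in master.cf"]
    got = entry["overrides"]
    return [f"{service}: {k}={got.get(k, '(inherited from main.cf)')}, policy wants {v}"
            for k, v in policy.items() if got.get(k) != v]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MASTER_CF, "submission", SUBMISSION_POLICY)))
```

To check a live server, pass the contents of /etc/postfix/master.cf as the first argument to audit(); an empty list means every policy setting is overridden as required.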