End users should not use port 25 but rather the submission service on TCP port 587 (described in RFC 4409, now superseded by RFC 6409). The idea is to use port 25 to transport email from one Mail Transfer Agent (MTA) to another, server to server, and port 587 to submit email from a user's mail client to the Mail Submission Agent (MSA). Keeping the two apart lets you enforce TLS and authentication on 587 without affecting the server-to-server traffic on 25.
In order to enable the submission port, we need to edit the file /etc/postfix/master.cf where all Postfix services are declared. Edit this file and find the submission section, which is commented out by default. Transform this section into the following. Basically, I removed the # character on all lines in this section and removed the lines with the mua_* variables:
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
CAREFUL: Make sure the first line (submission ...) starts in the first column and that all following -o lines are indented. Postfix treats any line that starts with whitespace as a continuation of the service declared above it, so an indented submission line would silently become part of the previous service, and an unindented -o line would be read as a new, broken service entry.
smtpd: This service uses the smtpd daemon, the same program that answers SMTP connections on TCP port 25. Here it is started a second time, on port 587, with the options below overriding the main.cf settings for this listener only.
syslog_name: In the /var/log/mail.log log file the connections to the submission port are logged as postfix/submission rather than postfix/smtpd, so you can tell the two listeners apart.
smtpd_tls_security_level: Enforce encryption on port 587. With encrypt, the client must issue STARTTLS before the server accepts MAIL FROM; plaintext attempts get a 530 "Must issue a STARTTLS command first" reply.
smtpd_sasl_auth_enable: Enable SASL authentication (AUTH) on this port.
smtpd_tls_auth_only: Only offer AUTH after STARTTLS has completed, so passwords are never transmitted in the clear.
smtpd_reject_unlisted_recipient: Disable the check that rejects mail to unknown users in the domains this server handles. The default master.cf sets this for submission because authenticated users do not need that check; whether mail may be relayed to other domains is decided by the restrictions below, not by this setting.
smtpd_*_restrictions: Clear the client, HELO, sender and relay restrictions inherited from main.cf (those are tuned for incoming mail on port 25), so that the only policy applied on this port is the recipient restriction below.
smtpd_recipient_restrictions: Allow relaying only if the sender has authenticated (permit_sasl_authenticated) and reject everyone else (reject). The trailing reject is what keeps port 587 from becoming an open relay.
milter_macro_daemon_name: Assigns a macro value (in this case, ORIGINATING) that is passed to Milter applications (e.g. for spam and virus filtering or DKIM signing) to indicate the context of the message. ORIGINATING identifies the email as submitted by an authenticated or otherwise authorized sender inside your system rather than received from the internet. Milters can use this to treat the mail as outgoing, for example to DKIM-sign it or to skip inbound spam checks that make no sense for your own users.
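The settings above are easy to get subtly wrong (a missing trailing reject, an indented service line, a restriction list left to inherit the port 25 policy from main.cf). The following script is an added example, not code from the original article or from Postfix: it parses a master.cf service table, honouring the column-1 / indented-continuation rule, and lints the submission stanza for exactly the settings explained above. The embedded master.cf excerpt is constructed sample data; the file path and the script name lint_submission.py are assumptions.

```python
# Added example (not from the original article): parse a Postfix master.cf,
# including the indented "-o name=value" continuation lines, and lint the
# submission stanza for the settings discussed above.
# Usage on a real server:  python3 lint_submission.py /etc/postfix/master.cf
import re
import sys

# Constructed sample: the submission stanza as configured above, plus two
# unrelated services, to show that the parser keeps stanzas apart.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       y       60      1       pickup
"""

# Settings the stanza must set itself; whatever it leaves out is inherited
# from main.cf, whose values are meant for port 25, not for submission.
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",  # STARTTLS is mandatory
    "smtpd_sasl_auth_enable": "yes",        # offer AUTH ...
    "smtpd_tls_auth_only": "yes",           # ... but only after STARTTLS
}
RESTRICTION_LISTS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")


def parse_master_cf(text):
    """Return {"name/type": {"fields": [...], "options": {name: value}}}.
    A service line starts in column 1; a line starting with whitespace
    continues the service above it. Keyed by name/type because master.cf
    has both 'smtp inet' (the listener) and 'smtp unix' (the client)."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            m = re.match(r"\s*-o\s+(\w+)=(.*?)\s*$", raw)
            if current is None or not m:
                raise ValueError("bad continuation line: %r" % raw)
            services[current]["options"][m.group(1)] = m.group(2)
        else:
            fields = raw.split()
            if len(fields) < 8:
                raise ValueError("bad service line: %r" % raw)
            current = "%s/%s" % (fields[0], fields[1])
            services[current] = {"fields": fields, "options": {}}
    return services


def _auth_only(value):
    """True for e.g. 'permit_sasl_authenticated,reject': SASL users pass,
    everyone else is rejected, and no permit_mynetworks sneaks in."""
    items = [x for x in value.split(",") if x]
    return ("permit_sasl_authenticated" in items and items[-1] == "reject"
            and "permit_mynetworks" not in items)


def lint_submission(services):
    """Findings for the 'submission inet' stanza; [] means it is hardened."""
    svc = services.get("submission/inet")
    if svc is None:
        return ["no 'submission inet' service defined (port 587 is closed)"]
    findings, opts = [], svc["options"]
    for name, want in REQUIRED.items():
        if opts.get(name) != want:
            findings.append("%s should be %s, is %s" % (name, want, opts.get(name)))
    for name in RESTRICTION_LISTS:
        if name not in opts:
            findings.append("%s not set, inherits main.cf (port 25 policy)" % name)
    if not any(_auth_only(opts.get(n, "")) for n in RESTRICTION_LISTS):
        findings.append("no restriction list is permit_sasl_authenticated,reject"
                        " (unauthenticated relaying may be possible)")
    return findings


def lint_text(text):
    """Parse and lint; an indented service line becomes a finding, not a crash."""
    try:
        return lint_submission(parse_master_cf(text))
    except ValueError as exc:
        return ["parse error: %s" % exc]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_CF
    problems = lint_text(text)
    print("\n".join(problems) or "submission stanza OK")
    sys.exit(1 if problems else 0)
```

Run it without arguments and it checks the embedded sample; pass /etc/postfix/master.cf to check your own server, and run it again after every edit so a mistyped restriction list is caught before the restart rather than by a spammer.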
Restart the Postfix server:
systemctl restart postfix
Test Submission Service
Your users can now use the submission port to send email. They just use port 587 in their mail clients instead of port 25. You will need to install the libnet-ssleay-perl package first to use TLS encryption in SWAKS:
sudo apt install -y libnet-ssleay-perl
Send a mail on submission port 587:
swaks --server localhost --to user1@example1.com --port 587 --tls --auth-user user1@example1.com --auth-password SecurePass
If you leave the value off --auth-password, swaks prompts for it, which keeps the password out of your shell history and out of the process list. Expect the STARTTLS exchange and a 235 "Authentication successful" reply in the swaks output; repeat the command without --auth-user and --auth-password to confirm that an unauthenticated RCPT TO is rejected.
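swaks shows you one successful submission, but it does not check the negative properties the stanza is meant to enforce. The script below is an added example, not part of the original article or of swaks: it drives port 587 the way a mail client would and checks that AUTH is hidden until STARTTLS, that plaintext MAIL FROM is refused, that an unauthenticated relay attempt is rejected, and that authenticated submission is accepted. The host name, the tutorial's user1@example1.com / SecurePass credentials, the script name probe587.py and the example.invalid / example.net test addresses are assumptions; nothing is delivered, because every transaction is aborted with RSET after the server's RCPT TO reply.

```python
# Added example (not from the original article): probe a live submission
# port the way a mail client would and check the properties the stanza
# above is meant to enforce. Assumptions: host, port and the tutorial's
# test credentials are passed on the command line; the TLS certificate on a
# fresh install is often self-signed, so verification is off unless
# --verify is given. Nothing is delivered: every transaction is aborted
# with RSET after the server has answered RCPT TO.
# Usage:  python3 probe587.py mail.example1.com user1@example1.com SecurePass
import smtplib
import ssl
import sys


def evaluate(auth_before, mail_before_code, auth_after, relay_code, auth_ok):
    """Decision logic kept free of network I/O so it can be unit-tested.
    Returns the list of failed checks; [] means the port behaves as intended."""
    failed = []
    if auth_before:                       # smtpd_tls_auth_only=yes
        failed.append("AUTH offered before STARTTLS")
    if mail_before_code is None or mail_before_code // 100 != 5:
        failed.append("MAIL FROM accepted without TLS "  # tls_security_level=encrypt
                      "(expected 530 Must issue a STARTTLS command first)")
    if not auth_after:                    # smtpd_sasl_auth_enable=yes
        failed.append("AUTH not offered after STARTTLS")
    if relay_code is None or relay_code // 100 != 5:
        failed.append("unauthenticated RCPT TO external domain not rejected "
                      "(permit_sasl_authenticated,reject not in effect)")
    if auth_ok is False:                  # None = no credentials supplied
        failed.append("authenticated submission refused")
    return failed


def probe(host, port=587, user=None, password=None, verify=False, timeout=15):
    """Run the exchange against a real server and return evaluate()'s findings."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.example.invalid")
        auth_before = s.has_extn("auth")
        mail_before_code, _ = s.docmd("MAIL", "FROM:<probe@example.invalid>")
        if mail_before_code == 250:       # misconfigured: clean up the open
            s.rset()                      # transaction before continuing
        s.starttls(context=ctx)
        s.ehlo("probe.example.invalid")   # features are re-announced after TLS
        auth_after = s.has_extn("auth")
        s.docmd("MAIL", "FROM:<probe@example.invalid>")
        relay_code, _ = s.docmd("RCPT", "TO:<someone@example.net>")
        s.rset()
        auth_ok = None
        if user and password:
            try:
                s.login(user, password)
                s.docmd("MAIL", "FROM:<%s>" % user)
                code, _ = s.docmd("RCPT", "TO:<someone@example.net>")
                auth_ok = code == 250
                s.rset()                  # abort: no message is sent
            except smtplib.SMTPAuthenticationError:
                auth_ok = False
    return evaluate(auth_before, mail_before_code, auth_after, relay_code, auth_ok)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe587.py HOST [USER PASSWORD] [--verify]")
    args = [a for a in sys.argv[1:] if a != "--verify"]
    user, password = (args[1], args[2]) if len(args) >= 3 else (None, None)
    problems = probe(args[0], user=user, password=password,
                     verify="--verify" in sys.argv)
    print("\n".join(problems) or "submission port OK")
    sys.exit(1 if problems else 0)
```

The network exchange and the pass/fail decision are separated on purpose: evaluate() can be exercised with canned reply codes, while probe() is what you run from another machine after the restart (and again after any change to master.cf or main.cf) to make sure the hardening is still in effect.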
NOTE: What is port 465? This TCP port belongs to the "submission over TLS" service (now called "submissions"). It is used for the same submission purpose but expects an encrypted connection from the first byte (implicit TLS) instead of switching to TLS with STARTTLS after the server greeting. It was deprecated for years and rarely used, but RFC 8314 has since re-instated it and recommends implicit TLS on 465 over STARTTLS on 587, and current mail clients support both. If you want to offer it, Postfix serves it as a second smtpd listener with smtpd_tls_wrappermode=yes; for this guide, the STARTTLS-based submission service on port 587 you just configured is sufficient.