On 15 Mar 2021, at 12:17, Viktor Dukhovni wrote:
> You've enabled SASL with dovecot as a backend. You could limit this
> to port 587 (enable SASL via master.cf only for the submission service),
> and require TLS there. It'll probably still get probed. That's life
> on the public Internet.
Not only "could" but for most systems, SHOULD. The primary purpose would
be to reduce your attack surface. You will still get some auth attempts
on the port 25 service, but far less than with SASL enabled and of
course there is zero potential for those attacks ever working. Since
auth attacks have mostly graduated from "brute force" (i.e. random-ish
guessing) to "credential stuffing" (trying user+password pairs known to
work somewhere else) it has become important to limit the ways
successful authentication can work to only what is necessary. In 2021,
no one should need to do authenticated mail submission on port 25. You
also can gain simpler and clearer configuration for other sorts of
policy enforcement (e.g. spam control) by not having any need to make
exceptions for submission on port 25 (e.g. exemptions from DNSBL and/or
spam filters for trusted networks).
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
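The split Viktor and Bill describe, written out as an added example (main.cf and master.cf fragments that are mine, not anything posted in the thread); the Dovecot socket path and the certificate paths are assumptions for your own install.

```conf
# Added example, not from the thread. Assumes Dovecot listens on
# $queue_directory/private/auth and that cert/key paths are your own.

# --- BEFORE: SASL switched on globally in main.cf ---
# Every smtpd instance, the port 25 one included, advertises AUTH,
# and with security_level "may" it may do so before STARTTLS.
#
#   smtpd_sasl_auth_enable = yes
#   smtpd_tls_security_level = may

# --- AFTER, main.cf: SASL stays off for every smtpd by default ---
# Port 25 never offers AUTH, so credential stuffing there cannot succeed.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem

# --- AFTER, master.cf: SASL only on the submission service (port 587) ---
# "encrypt" refuses plaintext sessions on 587; "smtpd_tls_auth_only"
# keeps AUTH out of the EHLO response until STARTTLS has completed.
# Comments must stay on their own lines here: anything after "-o" is
# passed to smtpd as a command-line option.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After a reload, `postconf -n smtpd_sasl_auth_enable` should print `no` and `postconf -M submission/inet` should list the overrides above; an EHLO on port 25 should no longer advertise AUTH, while the `postfix/submission` syslog name makes the 587 auth attempts easy to tell apart in the logs.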