Bill Cole:
> On 15 Mar 2021, at 12:17, Viktor Dukhovni wrote:
>
> > You've enabled SASL with dovecot as a backend. You could limit this to
> > port 587 (enable SASL via master.cf only for the submission service),
> > and require TLS there. It'll probably still get probed. That's life
> > on the public Internet.
>
> Not only "could" but for most systems, SHOULD. The primary purpose would
> be to reduce your attack surface. You will still get some auth attempts
> on the port 25 service, but far less than with SASL enabled and of
> course there is zero potential for those attacks ever working. Since
> auth attacks have mostly graduated from "brute force" (i.e. random-ish
> guessing) to "credential stuffing" (trying user+password pairs known to
> work somewhere else) it has become important to limit the ways
> successful authentication can work to only what is necessary. In 2021,
> no one should need to do authenticated mail submission on port 25. You
> also can gain simpler and clearer configuration for other sorts of
> policy enforcement (e.g. spam control) by not having any need to make
> exceptions for submission on port 25 (e.g. exemptions from DNSBL and/or
> spam filters for trusted networks.)
I agree. Don't enable SASL AUTH (or any MUA-specific features) on
the MTA service (port 25), and do give the Postfix submission and
smtps services their own set of smtpd_mumble_restrictions.
Wietse
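The split Viktor, Bill and Wietse describe, written out as a Postfix main.cf/master.cf fragment (an added example, not configuration posted in the thread): SASL is off globally, so the port 25 smtpd never offers AUTH and needs no MUA exceptions in its spam policy, while submission and smtps switch SASL on behind mandatory TLS and carry their own smtpd_*_restrictions. The Dovecot auth socket path private/auth and the placeholder DNSBL name dnsbl.example are assumptions.

```conf
# ---- main.cf (added example) ----
# Global values apply to the port 25 MTA service. SASL stays off here;
# it is enabled per service in master.cf below.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
# Assumed Dovecot auth socket, relative to queue_directory.
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# No permit_sasl_authenticated here: nothing on port 25 is a trusted MUA,
# so the DNSBL check needs no exemptions. dnsbl.example is a placeholder.
smtpd_recipient_restrictions =
    reject_unknown_reverse_client_hostname,
    reject_rbl_client dnsbl.example

# ---- master.cf (added example) ----
# service type  private unpriv  chroot  wakeup  maxproc command + args
# Port 25: plain MTA, inherits the main.cf values above (AUTH not offered).
smtp       inet  n       -       n       -       -       smtpd

# Port 587: STARTTLS required before AUTH is offered; only authenticated
# clients may relay, and the MTA-oriented checks are cleared for this service.
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Port 465: implicit TLS (wrapper mode), otherwise the same policy as 587.
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After reloading, `postconf -P` prints the per-service overrides and `postconf -h smtpd_sasl_auth_enable` should still print `no`, confirming the port 25 service never advertises AUTH.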