Bill Cole:

> On 15 Mar 2021, at 12:17, Viktor Dukhovni wrote:
>
> > You've enabled SASL with dovecot as a backend. You could limit this
> > to port 587 (enable SASL via master.cf only for the submission service),
> > and require TLS there. It'll probably still get probed. That's life
> > on the public Internet.
>
> Not only "could" but for most systems, SHOULD. The primary purpose would
> be to reduce your attack surface. You will still get some auth attempts
> on the port 25 service, but far less than with SASL enabled and of
> course there is zero potential for those attacks ever working. Since
> auth attacks have mostly graduated from "brute force" (i.e. random-ish
> guessing) to "credential stuffing" (trying user+password pairs known to
> work somewhere else) it has become important to limit the ways
> successful authentication can work to only what is necessary. In 2021,
> no one should need to do authenticated mail submission on port 25. You
> also can gain simpler and clearer configuration for other sorts of
> policy enforcement (e.g. spam control) by not having any need to make
> exceptions for submission on port 25 (e.g. exemptions from DNSBL and/or
> spam filters for trusted networks).
I agree. Don't enable SASL AUTH (or any MUA-specific features) on the MTA service (port 25), and do give the Postfix submission and smtps services their own set of smtpd_mumble_restrictions.

Wietse
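The configuration the thread is recommending, written out as an added example (not taken from the thread, the Postfix distribution, or any poster's setup): SASL stays off for the port-25 smtpd, and is switched on only for the submission and smtps services, which require TLS and carry their own restriction lists so the port-25 policy needs no exceptions. The Dovecot socket path private/auth and the smtps (465) entry are assumptions.

```conf
# main.cf fragment (example): the default smtpd instance that listens on
# port 25 never offers AUTH. The Dovecot socket path is an assumption and
# must match the "unix_listener" in Dovecot's auth service configuration.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
# Port-25 policy (DNSBLs, spam filters) can now stay strict: no exemptions
# are needed for authenticated clients, because none exist on this port.

# master.cf fragment (example): per-service overrides enable AUTH only
# where MUAs connect. "-o" values must not contain spaces.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o milter_macro_daemon_name=ORIGINATING
```

After reloading, `postconf -P submission/inet/smtpd_sasl_auth_enable` shows the per-service override, while `postconf smtpd_sasl_auth_enable` should still print `no` for the port-25 service; the distinct syslog_name values let the submission and smtps logs be monitored for credential-stuffing attempts separately from port-25 traffic.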