Due to PCI-DSS, we are required to disable plaintext authentication. We’ve achieved this by encapsulating communications between our mail server and clients with TLS on port 465.
The problem lies in that port 25 must remain open and unencrypted for us to receive email from the internet, but should not allow authentication.
I’ve tried disabling the AUTH command, but that breaks authentication on port 465, too.
Is there a mail server or proxy that will allow separate configuration for port 25 and 465, such that authentication is only available over a secure channel?
Also noteworthy: we are using MailEnable with stunnel in FIPS mode.
Yes, postfix is perfectly capable of this.
Take a look at the Postfix HOWTO:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
and particularly:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
(those two pages are linked from the fairly extensive official Postfix docs page http://www.postfix.org/docs.html)
For my server, the configuration in master.cf looks like:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
And main.cf has a line like:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
In this case, authentication is only turned on for the submission (587) and SMTPS (465) ports.
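As an added audit script (not part of the answer above, and not Postfix's own tooling), the following parses a master.cf fragment modelled on that configuration and flags any smtpd listener that enables SASL AUTH without forcing TLS, which is exactly the port-25 situation the question describes. It assumes the global smtpd_sasl_auth_enable value from main.cf is passed in as main_cf_sasl_default.

```python
"""Audit a Postfix master.cf: flag smtpd services that enable SASL AUTH
without forcing TLS (wrapper mode or smtpd_tls_security_level=encrypt)."""
import re

# Constructed master.cf fragment based on the answer above. The "-o"
# continuation lines must be indented, as Postfix requires.
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Return {service_name: {param: value}} for every smtpd service.
    Continuation lines start with whitespace and carry '-o key=value'."""
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():              # continuation of the current service
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            current = fields[0]
            services[current] = {}
        else:
            current = None                 # not an smtpd listener; skip its -o lines
    return services

def tls_enforced(opts):
    """True if the service only talks SMTP inside TLS (465-style) or
    refuses to proceed without STARTTLS (smtpd_tls_security_level=encrypt)."""
    return (opts.get("smtpd_tls_wrappermode") == "yes"
            or opts.get("smtpd_tls_security_level") == "encrypt")

def audit(text, main_cf_sasl_default="no"):
    """Names of services that offer AUTH on a channel not forced to TLS.
    main_cf_sasl_default is the global smtpd_sasl_auth_enable from main.cf
    (assumed input); a per-service -o override takes precedence over it."""
    findings = []
    for name, opts in parse_master_cf(text).items():
        sasl = opts.get("smtpd_sasl_auth_enable", main_cf_sasl_default)
        if sasl == "yes" and not tls_enforced(opts):
            findings.append(name)
    return findings
```

Running audit(MASTER_CF, "yes") shows why a global smtpd_sasl_auth_enable=yes in main.cf reproduces the questioner's problem: the plain smtp service on port 25 inherits AUTH, while the per-service -o lines keep submission and smtps compliant.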