postfix の安全な接続と安全でない接続

tag-icon tag-icon postfix sasl saslauthd
postfix の安全な接続と安全でない接続

私は以下の設定でメール送信専用に postfix SMTP サーバーを設定しました。openLDAP で認証するために cyrus-sasl を使用しました。SMTP ポート 25 で安全でない接続を使用し、ポート 587 で安全な TLS 接続を確立したいと考えています。

これが私のmaster.cfファイルの一部です

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd -v
587        inet  n       -       n       -       -       smtpd -v
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes

main.cf の抜粋は次のとおりです:

# USER SPECIFIC SETTINGS - 

transport_maps = hash:/etc/postfix/transport

# STMP FOR SENDING
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /certs/private/server.key
smtp_tls_cert_file = /certs/server.cer
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_ciphers = high

smtp_tls_security_level = encrypt
smtp_sasl_path = /etc/sasl2/smtpd.conf
smtp_sasl_type = cyrus
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login


# SMTPD FOR RECEIVING
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /certs/private/server.key
smtpd_tls_cert_file = /certs/server.cer
smtpd_tls_CAfile = /certs/local-ca.cer
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_ciphers = high
tls_random_source = dev:/dev/urandom
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
cyrus_sasl_config_path = /etc/sasl2/
broken_sasl_auth_clients = yes
smtpd_tls_security_level = encrypt
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

main.cf を変更するとサーバー全体に影響が及びますが、上記のシナリオを実現するにはどうすればよいか教えていただけませんか。

関連情報