conexiones postfix seguras e inseguras

tag-icon tag-icon postfix sasl saslauthd
conexiones postfix seguras e inseguras

He configurado el servidor SMTP postfix para el envío de correo solo con las siguientes configuraciones, he usado cyrus-sasl para autenticarme con openLDAP, quiero lograr el puerto SMTP 25 para usar conexiones inseguras mientras estoy en el puerto 587 para realizar conexiones TLS seguras

aquí está mi fragmento de archivo master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd -v
587        inet  n       -       n       -       -       smtpd -v
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes

aquí está el fragmento de main.cf:

# USER SPECIFIC SETTINGS - 

transport_maps = hash:/etc/postfix/transport

# STMP FOR SENDING
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /certs/private/server.key
smtp_tls_cert_file = /certs/server.cer
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_ciphers = high

smtp_tls_security_level = encrypt
smtp_sasl_path = /etc/sasl2/smtpd.conf
smtp_sasl_type = cyrus
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login


# SMTPD FOR RECEIVING
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /certs/private/server.key
smtpd_tls_cert_file = /certs/server.cer
smtpd_tls_CAfile = /certs/local-ca.cer
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_ciphers = high
tls_random_source = dev:/dev/urandom
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
cyrus_sasl_config_path = /etc/sasl2/
broken_sasl_auth_clients = yes
smtpd_tls_security_level = encrypt
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

Si cambio main.cf, afectará a todo el servidor. ¿Alguien puede orientarme sobre cómo puedo lograr el escenario anterior?

información relacionada