Question on setting up postfix with tls

I’ve been trying for some time now to get postfix running as i want to but that just won’t happen. The problem I have is that I don;t want nobody sending mail without signing in (using TLS) but I want to receive mail from smtp servers like and others. Could somebody give me the key setting that I have to use and the files that they are in.
Thx. help would be much apreciated

Set it up so that port 25 is blocked to local users and they have to use port 465 (secure smtp) to send email.

That sound like a good ideea but how do I do it? :slight_smile:

By the way here is my current configuration
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $mydomain, $myhostname, localhost.$mydomain
mydomain =
myhostname = mailserver.$mydomain
mynetworks =,
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check _relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

There is a whole raft of settings involved. Best to get the info from the horse’s mouth:

Postfix TLS Support

also various tutes can be found by searching on “postfix tls”.

If you are running dovecot you can chain onto dovecot for authentication instead of having to set up cyrus-sasl.

The thing is postfix is now currently running ok with tls. My problem is that if I force tls and the clients to use their credentials to send mail I can’t receive mail from popular smtp servers otherwise everything is ok. But the fact that anybody could send mail through my smtp server annoys me. By the way I have searched the net for answers but I couldn;t find what I needed (maybe becuse I am noob). By the way somelinks would be apreciated

What you have to do is edit (not to tell postfix to listen on both 25 and 465 (the smtp and smtps lines), if you haven’t already. Then use the firewall to block access to port 25 from the inside. Or alternatively require authentication for relaying, which is what local users need to do to be able to send mail outside the domain. Incoming mail does not (and should not be allowed) to relay. Those restrictions are set in something like this. In your case you have to remove the permit_mynetworks.

smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_sender,pe
ent_access pcre:/etc/postfix/recipient_checks.pcre,check_helo_access hash:/etc/p
ostfix/helo_checks,reject_rbl_client,reject_rbl_client sbl.spamhau,reject_rbl_client,reject_rbl_client,pe