Submission postfix port 587 with optional TLS
The installation documentation of ISPConfig - postfix has this line:
#/etc/postfix/master.cf
#submission ....
  -o smtpd_tls_security_level=encrypt
However, I believe that SSL/TLS encryption for port 587 should be optional, since the STARTTLS command is for upgrading an insecure communication into a secure communication.
There are ISPs blocking outgoing traffic to port 25. Then clients have to use port 587 or 465.
Postfix accepts all emails coming from localhost, even if they are not SASL authenticated (username, password authentication). This makes it relatively easy to use an ISPConfig / Postfix / web server for sending spam. However, one can block all traffic to port 25, except for the root and postfix users. Then any website that would like to send mail using the SMTP protocol can use port 587 with SASL authentication, with or without SSL/TLS encryption (since encryption for localhost is not necessary), or the sendmail command.
Is there any RFC about mandatory STARTTLS on port 587?
And what is your opinion about making STARTTLS optional on port 587?
#/etc/postfix/master.cf
#submission ....
  -o smtpd_tls_security_level=may
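
As an added example (not part of the original post or the ISPConfig documentation): a small Python check that reads the `-o` overrides of the submission service in master.cf and reports when TLS is optional and SASL AUTH would be offered before STARTTLS. The sample master.cf text is constructed, the function names are hypothetical, and settings inherited from main.cf are assumed not to change the result.

```python
# Constructed sample master.cf (not from the page).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
# comment lines inside an entry are ignored
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) into entries."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are skipped
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def service_overrides(text, service):
    """Return the '-o name=value' overrides of one service as a dict."""
    for entry in logical_lines(text):
        fields = entry.split()
        # Eight fixed columns, then the command arguments.
        if len(fields) >= 8 and fields[0] == service:
            args = fields[8:]
            return dict(b.split("=", 1) for a, b in zip(args, args[1:])
                        if a == "-o" and "=" in b)
    return {}

def audit_submission(text, service="submission"):
    """List findings for a submission service that does not enforce TLS."""
    opts = service_overrides(text, service)
    findings = []
    level = opts.get("smtpd_tls_security_level")  # None: inherited from main.cf
    if level != "encrypt":
        findings.append(f"TLS not enforced in master.cf (level={level})")
        # With optional TLS, AUTH is advertised on the cleartext session
        # unless smtpd_tls_auth_only=yes restricts it to TLS sessions.
        if (opts.get("smtpd_sasl_auth_enable") == "yes"
                and opts.get("smtpd_tls_auth_only") != "yes"):
            findings.append("SASL AUTH offered before STARTTLS (plaintext credentials)")
    return findings

if __name__ == "__main__":
    for finding in audit_submission(SAMPLE_MASTER_CF):
        print("submission:", finding)
```
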