Making Postfix listen to a secondary port
Some ISPs that I use block outgoing SMTP traffic on port 25. As an example, my mobile operator Telenor blocks outgoing traffic from my phone on TCP port 25 which means that I couldn’t connect my laptop through their network to send email using SSL-encrypted SMTP via my company’s SMTP server. I can understand their intention but they make it very difficult for people like myself to use external mail servers for outgoing mail. The standard solution to this is to use the submission port (TCP 587) and if there is a fully configurable firewall in front of the mail server it is normally straightforward to make the firewall send traffic on two external ports (25 & 587) to the same internal port.
However, in my case it wasn’t so easy. The firewall could route traffic to internal IP addresses but it couldn’t change the destination port.
After briefly consulting Google, I found that many people talked about having Postfix listen on multiple ports, but others warned about the risk of ending up with an open relay. Naturally I didn’t want that, so I looked for an easier solution, and there is one. Just use iptables to rewrite the destination port on incoming packets:
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25
To make this stick when the server is rebooted, save the rules with iptables-save or similar and restore them when the network is activated. The nice thing with this setup is that Postfix is not touched and still only listens on port 25, so its relay restrictions stay exactly as they were.
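An added example, not part of the original post: since -A appends a duplicate every time an apply script runs, the first function checks with -C before adding, and the second audits iptables-save output for the redirect. The function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent apply plus an offline audit of iptables-save text.

# Append the post's rule only if an identical one is not already present
# (iptables -C exits 0 when the rule exists). Needs root; not called here.
ensure_submission_redirect() {
    iptables -t nat -C PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25 2>/dev/null ||
        iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25
}

# Read iptables-save output on stdin; return 0 only if the nat table's
# PREROUTING chain redirects tcp/587 to port 25.
# Live use: iptables-save | has_submission_redirect
has_submission_redirect() {
    awk '
        /^\*/ { table = substr($0, 2) }      # table header: *nat, *filter, ...
        table == "nat" && /^-A PREROUTING / {
            proto = dport = target = to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p")         proto  = $(i + 1)
                if ($i == "--dport")    dport  = $(i + 1)
                if ($i == "-j")         target = $(i + 1)
                if ($i == "--to-ports") to     = $(i + 1)
            }
            if (proto == "tcp" && dport == "587" && target == "REDIRECT" && to == "25")
                found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: ruleset as iptables-save prints it with the rule loaded.
SAMPLE_WITH_RULE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 587 -j REDIRECT --to-ports 25
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# Constructed sample: port 587 is only accepted in filter, never redirected.
SAMPLE_WITHOUT_RULE='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
COMMIT'
```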
Corey J. Anderson
Thanks for this tidbit! I was already ready to dive into my server and bring up another IP address on which to run postfix on port 587. This was a much more elegant solution.
Gerard
Thanks for this! It’s a lot better than configuring postfix on 2 ports. Very elegant, very nice
MarkM
Thanks Martin. Looks like Comcast blocked outbound connections to port 25 this evening, and this was a simple cut and paste to implement.
Miles
Yes, this was fantastic! Now I can send through my own hosted server.