Making Postfix listen to a secondary port

Some ISPs that I use block outgoing SMTP traffic on port 25. As an example, my mobile operator Telenor blocks outgoing traffic from my phone on TCP port 25 which means that I couldn’t connect my laptop through their network to send email using SSL-encrypted SMTP via my company’s SMTP server. I can understand their intention but they make it very difficult for people like myself to use external mail servers for outgoing mail. The standard solution to this is to use the submission port (TCP 587) and if there is a fully configurable firewall in front of the mail server it is normally straightforward to make the firewall send traffic on two external ports (25 & 587) to the same internal port.

However, in my case it wasn’t so easy. The firewall could route traffic to internal IP addresses but it couldn’t change the destination port.

When I briefly consulted Google, many people talked about having Postfix listen to multiple ports, but others warned about the risk of ending up with an open relay. Naturally I didn’t want that, so I looked for an easier solution. And there is one. Just use iptables to rewrite the port on incoming packets:

iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25

To make this stick when the server is rebooted, use iptables-save or similar and apply the rules when the network is activated. The nice thing with this setup is that Postfix is not touched and still only listens to port 25.
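
One way to apply the rule above without stacking duplicates at each boot, and to check a saved ruleset for it. This is an added example, not part of the original post; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# dump are constructed for illustration.

# Rule from the post, split into words when passed to iptables.
RULE='PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25'

# Add the rule only if it is missing. "iptables -C" checks for an existing
# rule, so running this at every boot does not stack duplicates.
ensure_redirect() {
    # $RULE is intentionally unquoted so it splits into arguments.
    iptables -t nat -C $RULE 2>/dev/null || iptables -t nat -A $RULE
}

# Read an iptables-save dump on stdin; succeed only if the nat table has a
# PREROUTING rule redirecting TCP 587 to 25.
has_redirect() {
    awk '
        /^\*/ { table = substr($0, 2) }   # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            proto = ""; dport = ""; target = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")         proto  = $(i + 1)
                if ($i == "--dport")    dport  = $(i + 1)
                if ($i == "-j")         target = $(i + 1)
                if ($i == "--to-ports") to     = $(i + 1)
            }
            if (proto == "tcp" && dport == "587" &&
                target == "REDIRECT" && to == "25") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in the format iptables-save prints.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 587 -j REDIRECT --to-ports 25
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
EOF
}
```

After a reboot, `iptables-save | has_redirect` confirms the saved rules were restored. Because the rewrite happens in PREROUTING, the filter table and Postfix see these connections as port 25, so they get exactly the port-25 policy.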