Splitting incoming SMTP and outgoing (submission) to 2 different entities #1517
dragoangel
started this conversation in
Development discussions
Replies: 1 comment
-
Also, in this global, basically breaking change, it would be good to rework IP binding to support a list of IPs to bind to. The default binding could be '0.0.0.0,::' for smtp_server and for submission_server.
-
I spoke about this on Slack already, so I will just copy it:
One good idea to change: leave port 25 only for incoming mail and reject any authorization on it, including SMTP auth and IP trust, but add an additional entity: trusted relay or forwarding hosts.
Add port 587 that will accept only authorized mail, either via auth or via IP trust.
This will remove bruteforce noise from the web; system administrators will have a choice to restrict access based on their needs over the firewall, e.g. not opening sending to the public web.
Also there should be independent TLS settings for the incoming and submission ports.
E.g. on port 25 encryption could be opportunistic, and on port 587 it could be set via settings to be mandatory.
Anyway, port 25 on the web should be used only for MTA to MTA, which is why it is blocked by default by many ISPs.
Now people need to create a local NAT from port 587 to 25 to get things working, which is not the best solution.
Recommending 2525 is not standard at all and does not feel right; better to remove it from any docs and helping notes.
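For comparison, this is how the same split (port 25 for MTA-to-MTA with no AUTH and opportunistic TLS; port 587 with mandatory TLS and auth or IP trust only) is expressed in Postfix. This is an added example in Postfix main.cf/master.cf syntax, not the configuration of the project discussed in this thread, and the relay table path is a hypothetical placeholder:

```conf
# main.cf (hypothetical values): bind on all IPv4/IPv6 addresses, keep the
# IP-trust list small; relay hosts are granted by an explicit table instead.
inet_interfaces = all
inet_protocols = all
mynetworks = 127.0.0.0/8 [::1]/128

# master.cf, port 25: incoming mail only. AUTH is not offered, TLS is
# opportunistic, and relaying is allowed only for hosts listed in the
# trusted-relay table (hypothetical path).
smtp       inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=may
  -o smtpd_relay_restrictions=check_client_access,hash:/etc/postfix/trusted_relays,defer_unauth_destination

# master.cf, port 587: submission only. TLS is mandatory before AUTH, and
# only authenticated clients or IP-trusted networks may connect or relay.
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
```

With this layout port 587 can be firewalled to internal networks while port 25 stays reachable from the Internet, and failed AUTH attempts on port 25 never occur because AUTH is not advertised there.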