Re: Postfix Config -- Need assistance

  • Percy Kwong
    Message 1 of 3 , Mar 14, 2013
      Vijay,

      I would have smtpd listen on an additional port. (You'll need this for some circumstances).  In addition, I would also tighten up your iptables rules and make sure nobody can get to your mysql server socket/port. 


      In master.cf, add the following line:

      # Have SMTPD listen on port 825 as well for remote users that have port 25 blocked.  This will allow authentication and connectivity on the server from some remote users.
      825 inet n - n - - smtpd -v

      Cheers.

      -Percy


      On 3/14/2013 9:25 AM, Vijay Rajah wrote:
      Hi,

      I'm a Postfix newbie... I'm trying to set up my personal email server. I have been able to set up Postfix+dovecot+roundcube+Imapproxy. Basically I have a server with 2 IPv4 addresses, and the mails are stored locally by dovecot.

      I'm able to accept inbound and able to send emails. I'm planning to add spam filters etc... Before that I want to make sure that my config is decently secure.

      Please help evaluate my config, let me know what changes are needed to help improve security. (PS: I have not yet implemented chroot; planning on implementing it as well.) There are many parameters, and I'm not sure if I missed/mis-configured anything.


      Here is my config

      ###Postconf -n
      # postconf -n
      command_directory = /mail/postfix/sbin
      config_directory = /etc/postfix
      daemon_directory = /mail/postfix/libexec
      data_directory = /mail/postfix/var/lib
      debug_peer_level = 2
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
      disable_vrfy_command = yes
      dovecot_destination_recipient_limit = 1
      html_directory = no
      inet_protocols = ipv4
      invalid_hostname_reject_code = 554
      mail_owner = postfix
      mailq_path = /usr/bin/mailq
      manpage_directory = /mail/postfix/man
      message_size_limit = 52428800
      multi_recipient_bounce_reject_code = 554
      mydestination = localhost, localhost.localdomain
      newaliases_path = /usr/bin/newaliases
      non_fqdn_reject_code = 554
      queue_directory = /mail/postfix/var/spool
      readme_directory = no
      relay_domains_reject_code = 554
      sample_directory = /etc/postfix
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      smtp_generic_maps = hash:/mail/postfix/etc/generic
      smtp_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
      smtp_tls_security_level = may
      smtp_tls_session_cache_database = btree:/mail/postfix/var/lib/smtp_tls_session_cache
      smtpd_helo_required = yes
      smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client truncate.gbudb.net, permit
      smtpd_reject_unlisted_sender = yes
      smtpd_sasl_auth_enable = no
      smtpd_sasl_path = /mail/postfix/var/spool/postfix/private/dovecot-auth
      smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/mail/postfix/etc/sender_restrictions
      smtpd_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
      smtpd_tls_ciphers = high
      smtpd_tls_exclude_ciphers = aNULL, MD5, DES
      smtpd_tls_mandatory_ciphers = high
      smtpd_tls_protocols = TLSv1
      smtpd_tls_received_header = yes
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:/mail/postfix/var/lib/smtpd_tls_session_cache
      strict_rfc821_envelopes = yes
      tls_random_source = dev:/dev/urandom
      unknown_address_reject_code = 554
      unknown_client_reject_code = 554
      unknown_hostname_reject_code = 554
      unknown_local_recipient_reject_code = 554
      unknown_relay_recipient_reject_code = 554
      unknown_virtual_alias_reject_code = 554
      unknown_virtual_mailbox_reject_code = 554
      unverified_recipient_reject_code = 554
      unverified_sender_reject_code = 554
      virtual_alias_domains =
      virtual_alias_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-alias-maps.cf
      virtual_gid_maps = static:5000
      virtual_mailbox_base = /mail/mailbox/vmail
      virtual_mailbox_domains = proxy:mysql:/mail/postfix/etc/mysql/virtual-domain.cf
      virtual_mailbox_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-mailbox-maps.cf
      virtual_minimum_uid = 1000
      virtual_transport = lmtp:unix:/mail/postfix/var/spool/postfix/private/dovecot-lmtp
      virtual_uid_maps = static:5000


      ###master.cf
      # ==========================================================================
      # service type  private unpriv  chroot  wakeup  maxproc command + args
      #               (yes)   (yes)   (yes)   (never) (100)
      # ==========================================================================

      ##We will listen on specific ports so we can change our hostname and SSL certs

      <IP_ADDR>.6:smtp      inet  n       -       n       -       -       smtpd
              -o myhostname=mail1.mydomain.tld
              -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
              -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem

      <IP_ADDR>.7:smtp      inet  n       -       n       -       -       smtpd
              -o myhostname=mail2.mydomain.tld
              -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
              -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem

      #smtp      inet  n       -       n       -       1       postscreen
      #smtpd     pass  -       -       n       -       -       smtpd
      #dnsblog   unix  -       -       n       -       0       dnsblog
      #tlsproxy  unix  -       -       n       -       0       tlsproxy

      <IP_ADDR>.6:submission inet n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        -o myhostname=mail1.mydomain.tld
        -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
        -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem
        -o smtpd_tls_auth_only=yes

      <IP_ADDR>.7:submission inet n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        -o myhostname=mail2.mydomain.tld
        -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
        -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem
        -o smtpd_tls_auth_only=yes

      127.0.0.1:submission inet n       -       n       -       -       smtpd
        -o syslog_name=postfix/submission
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        -o myhostname=mail2.mydomain.tld
      .
      .
      .
      <truncated>



      PS: I hope this sort of question is acceptable on this mailing list.

      Thanks in advance,
      Any help is greatly appreciated.

      Vijay

    • Ansgar Wiechers
      Message 2 of 3 , Mar 14, 2013
        On 2013-03-14 Percy Kwong wrote:
        > I would have smtpd listen on an additional port. (You'll need this
        > for some circumstances). In addition, I would also tighten up your
        > iptables rules and make sure nobody can get to your mysql server
        > socket/port.
        >
        >
        > In master.cf, add the following line:
        >
        > # Have SMTPD listen on port 825 as well for remote users that have
        > port 25 blocked. This will allow authentication and connectivity on
        > the server from some remote users.
        > 825 inet n - n - - smtpd -v

        The canonical port for message submission in this scenario is 587 (see
        RFC 6409). As required per that RFC you must enable authentication on
        that port.

        Also, do *not* enable verbose logging (-v) unless specifically asked to
        do so.

        Regards
        Ansgar Wiechers
        --
        "Abstractions save us time working, but they don't save us time learning."
        --Joel Spolsky
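A check for the points made in this reply and in the earlier one (submission belongs on port 587 with authentication required, client-facing ports should require TLS, and no smtpd service should run with -v), as an added example that is not part of the thread and not a Postfix tool: a small Python lint that parses master.cf and `postconf -n` output and reports listeners that fall short. The master.cf excerpt, the 192.0.2.x addresses and the example.test hostname are constructed placeholders modelled on the thread, not the original poster's configuration.

```python
"""Lint a Postfix master.cf for submission-port hygiene (added example, not from the thread).
Every inet smtpd listener other than the MX port (smtp/25) must require SASL auth and
TLS, submission should use the RFC 6409 port 587, and no smtpd service may carry -v.
Values not overridden with -o are taken from `postconf -n` output."""
from __future__ import annotations
from dataclasses import dataclass, field

SUBMISSION_PORTS = {"submission", "587"}   # /etc/services name or numeric port
MX_PORTS = {"smtp", "25"}


@dataclass
class Service:
    name: str                                # e.g. "192.0.2.6:submission" or "825"
    type: str                                # inet, unix, fifo, pass
    command: str                             # e.g. "smtpd"
    args: list[str] = field(default_factory=list)          # flags such as -v
    options: dict[str, str] = field(default_factory=dict)  # from "-o key=value"


def _build(tokens: list[str]) -> Service:
    # field order: service type private unpriv chroot wakeup maxproc command [args...]
    if len(tokens) < 8:
        raise ValueError("malformed master.cf entry: " + " ".join(tokens))
    svc = Service(name=tokens[0], type=tokens[1], command=tokens[7])
    rest, i = tokens[8:], 0
    while i < len(rest):
        if rest[i] == "-o" and i + 1 < len(rest):
            key, _, value = rest[i + 1].partition("=")
            svc.options[key] = value
            i += 2
        else:
            svc.args.append(rest[i])
            i += 1
    return svc


def parse_master_cf(text: str) -> list[Service]:
    """Lines starting with whitespace continue the previous entry; '#' lines are comments."""
    services: list[Service] = []
    current: list[str] | None = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current.extend(stripped.split())
            continue
        if current is not None:
            services.append(_build(current))
        current = stripped.split()
    if current is not None:
        services.append(_build(current))
    return services


def parse_postconf(text: str) -> dict[str, str]:
    """Parse `postconf -n` output ("name = value" per line) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def lint(services: list[Service], main_cf: dict[str, str]) -> list[tuple[str, str]]:
    findings = []
    for svc in services:
        if svc.type != "inet" or svc.command != "smtpd":
            continue
        effective = {**main_cf, **svc.options}     # -o overrides win over main.cf
        port = svc.name.rsplit(":", 1)[-1]         # strip an optional "host:" prefix
        if any(a.startswith("-v") for a in svc.args):
            findings.append((svc.name, "verbose logging (-v) enabled; remove unless debugging"))
        if port in MX_PORTS:
            continue   # the MX port relies on reject_unauth_destination, not on auth
        if port not in SUBMISSION_PORTS:
            findings.append((svc.name, "non-standard listener; RFC 6409 submission port is 587"))
        if effective.get("smtpd_sasl_auth_enable") != "yes":
            findings.append((svc.name, "client port without smtpd_sasl_auth_enable=yes"))
        if effective.get("smtpd_tls_security_level") != "encrypt":
            findings.append((svc.name, "client port without smtpd_tls_security_level=encrypt"))
    return findings


# Constructed sample modelled on the thread; 192.0.2.x and example.test are placeholders.
MASTER_CF = """\
192.0.2.6:smtp       inet  n  -  n  -  -  smtpd
        -o myhostname=mail1.example.test
192.0.2.6:submission inet  n  -  n  -  -  smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
127.0.0.1:submission inet  n  -  n  -  -  smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# the extra listener suggested earlier in the thread, verbatim
825 inet n - n - - smtpd -v
"""
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
"""


def run_example() -> list[tuple[str, str]]:
    return lint(parse_master_cf(MASTER_CF), parse_postconf(MAIN_CF))


if __name__ == "__main__":
    for name, problem in run_example():
        print(f"{name}: {problem}")
```

On the sample, the 587 listener on the public address passes, the loopback submission listener is reported for not requiring TLS (a webmail relay on the same host may accept that, but the lint makes it a conscious decision), and the extra port 825 listener collects four findings: the -v flag, the non-standard port, and the SASL and TLS settings it inherits from main.cf because it sets no -o overrides.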