I'm a Postfix newbie... I'm trying to setup my personal Email server. I have been able to setup Postfix+dovecot+roundcube+Imapproxy. Basically I have a server with 2 IPv4 addresses, and the mails are stored locally by dovecot.
I'm able to accept inbound and able to send emails. I'm planning to add
spam filters etc... Before that I want to make sure that my config is decently
secure.
Please help me evaluate my config and let me know what changes are needed to
improve its security. (PS: I have not yet implemented chroot; I'm planning to
implement it as well.) There are many parameters, and I'm not sure whether I
missed or mis-configured anything.
Here is my config
### postconf -n
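# postconf -n
#
# Review notes are added as "#" comments; every directive value below is the
# one from the post, only lines that had been wrapped by the paste are re-joined.
# "postconf -n" prints non-default settings only, so anything not listed here
# (mynetworks, smtpd_relay_restrictions, smtpd_tls_mandatory_protocols, ...)
# is at its compiled-in default for this Postfix version.
command_directory = /mail/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /mail/postfix/libexec
data_directory = /mail/postfix/var/lib
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
# VRFY is disabled, so the SMTP service cannot be used to enumerate mailboxes.
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_protocols = ipv4
invalid_hostname_reject_code = 554
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /mail/postfix/man
# 50 MiB per message (including attachments); size limits on Dovecot/LMTP
# should be at least this large or deliveries will fail after acceptance.
message_size_limit = 52428800
multi_recipient_bounce_reject_code = 554
# Only loopback names are "local"; all real domains are handled as virtual
# (see virtual_mailbox_domains below), which is the usual layout for Dovecot.
mydestination = localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 554
queue_directory = /mail/postfix/var/spool
readme_directory = no
relay_domains_reject_code = 554
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_generic_maps = hash:/mail/postfix/etc/generic
# Outbound TLS is opportunistic ("may"): Postfix encrypts when the remote MTA
# offers STARTTLS and otherwise delivers in plaintext. At this level the peer
# certificate is not verified, so the CA file below is not enforcing anything.
smtp_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/mail/postfix/var/lib/smtp_tls_session_cache
smtpd_helo_required = yes
# Relay control: reject_unauth_destination comes after permit_mynetworks and
# permit_sasl_authenticated and before the DNSBL checks, so this is not an open
# relay and RBL lookups are not spent on mail that would be rejected anyway.
# mynetworks is not set, so its default applies - confirm with
# "postconf mynetworks" that it is no wider than this host. On Postfix 2.10+
# smtpd_relay_restrictions (default: permit_mynetworks,
# permit_sasl_authenticated, defer_unauth_destination) is evaluated as well;
# it is not listed here, so the default is in force.
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client truncate.gbudb.net, permit
# Rejects envelope senders in your own (virtual) domains that do not exist as a
# mailbox or alias; useful against forged "from yourself" spam.
smtpd_reject_unlisted_sender = yes
# SASL is off globally and enabled only on the submission services in
# master.cf, so port 25 does not advertise AUTH.
smtpd_sasl_auth_enable = no
# Absolute path to the Dovecot auth socket. Postfix resolves a *relative*
# smtpd_sasl_path against $queue_directory; once smtpd is chrooted (planned,
# per the post) an absolute path outside the jail will not resolve - check the
# socket location relative to queue_directory before enabling chroot.
smtpd_sasl_path = /mail/postfix/var/spool/postfix/private/dovecot-auth
# check_sender_access is a local allow/deny map; keep it after
# reject_unknown_sender_domain so lookups are not done for junk domains.
smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/mail/postfix/etc/sender_restrictions
smtpd_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
# "high" applies to *opportunistic* TLS on port 25. A remote client that only
# offers weaker suites then falls back to plaintext rather than failing, which
# is usually worse than a medium-grade cipher; Postfix documents "medium" as
# the opportunistic default for that reason. Keep "high" for the mandatory
# (submission) side, which is what smtpd_tls_mandatory_ciphers covers.
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, DES
smtpd_tls_mandatory_ciphers = high
# This is an inclusion list: "TLSv1" alone permits only TLS 1.0 and disables
# TLS 1.1/1.2 (and later) for opportunistic TLS on port 25. The usual form is
# an exclusion list, e.g. "!SSLv2, !SSLv3". Note this parameter does not apply
# to the submission services, which run at level "encrypt" and therefore use
# smtpd_tls_mandatory_protocols (not listed here, so at its default).
smtpd_tls_protocols = TLSv1
smtpd_tls_received_header = yes
# Inbound STARTTLS is offered but not required on port 25 - correct for MX
# traffic; the submission services override this to "encrypt" in master.cf.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/mail/postfix/var/lib/smtpd_tls_session_cache
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
# The *_reject_code defaults (mostly 450, a temporary failure) have been raised
# to 554 (permanent). That is fine for definite rejections, but verify that
# transient DNS failures during the reject_unknown_*_domain checks still defer
# (the unknown_*_tempfail_action parameters) rather than bounce legitimate mail.
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains =
# Domain/alias/mailbox lookups go through proxymap to MySQL, which keeps a
# single DB connection per proxymap process instead of one per smtpd.
virtual_alias_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-alias-maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /mail/mailbox/vmail
virtual_mailbox_domains = proxy:mysql:/mail/postfix/etc/mysql/virtual-domain.cf
virtual_mailbox_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-mailbox-maps.cf
# All virtual mail is owned by one uid/gid (5000); virtual_minimum_uid keeps
# a bad map entry from ever delivering as a system account (uid < 1000).
virtual_minimum_uid = 1000
# Final delivery is handed to Dovecot over a unix LMTP socket under the spool;
# the same chroot caveat as for smtpd_sasl_path applies to this path.
virtual_transport = lmtp:unix:/mail/postfix/var/spool/postfix/private/dovecot-lmtp
virtual_uid_maps = static:5000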
### master.cf
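# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Review notes are added as "#" comments; the service definitions and their
# -o overrides are those from the post. Every service below runs with
# chroot = n (the post says chroot is not implemented yet). In master.cf a
# "-o" continuation line must begin with whitespace, otherwise it is parsed as
# the start of a new service entry - the indentation below is restored.
#
# We listen on specific addresses so that each one can present its own
# hostname and TLS certificate.
<IP_ADDR>.6:smtp       inet  n       -       n       -       -       smtpd
  -o myhostname=mail1.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem
<IP_ADDR>.7:smtp       inet  n       -       n       -       -       smtpd
  -o myhostname=mail2.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem
# postscreen and its helpers are commented out, so port 25 clients reach smtpd
# directly and the main.cf DNSBL checks are the only pre-acceptance filter.
# If postscreen is enabled later, re-check these per-address smtp entries:
# postscreen takes over the listening socket and smtpd becomes a "pass" service.
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
# Submission on the public addresses: TLS is mandatory (encrypt), AUTH is only
# offered after STARTTLS (smtpd_tls_auth_only), and unauthenticated clients are
# rejected by smtpd_client_restrictions. Note main.cf's
# smtpd_recipient_restrictions (with its DNSBL lookups) still applies here; a
# common tightening is "-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject".
<IP_ADDR>.6:submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail1.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem
  -o smtpd_tls_auth_only=yes
<IP_ADDR>.7:submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail2.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem
  -o smtpd_tls_auth_only=yes
# Loopback submission: as shown, this entry has no
# smtpd_tls_security_level=encrypt and no smtpd_tls_auth_only=yes override, so
# it inherits "may" from main.cf and accepts plaintext AUTH. That is acceptable
# only if every client is on this host (e.g. the webmail); since the listing is
# truncated ("...") further -o lines may exist - confirm which apply.
127.0.0.1:submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail2.mydomain.tld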
.
.
.