Hi,
I write the mail with a quasi throw-away mail, because I don't want to reveal
my configuration to everyone.
I am the only user of my setup on my debian 12 server. I am convinced that
minimalism is the best security. I mention this because it hopefully explains
some of the decisions I have made.
I read and write my mails by connecting to my sever via ssh and using mutt. I
don't use dovecot, the only ports that are opened are my ssh port and port 25.
I didn't get any spam mails (yet), as long as this does not change, I will not
set up things like rspamd to keep the complexity low.
LANG=C comm -23 <(postconf -n) <(postconf -d) returns this:
append_dot_domain = no
compatibility_level = 3.6
delay_warning_time = 4h
disable_vrfy_command = yes
home_mailbox = Maildir/
mailbox_size_limit = 0
milter_default_action = accept
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [:ffff:127.0.0.0]/104 [::1]/128
non_smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
recipient_delimiter = +
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = <mydomain.tld> ESMTP
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unknown_helo_hostname,
reject_unknown_client_hostname, reject_plaintext_session
smtpd_tls_cert_file = /etc/letsencrypt/live/<mydomain.tld>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/<mydomain.tld>/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.3
smtpd_tls_security_level = encrypt
virtual_alias_maps = hash:/etc/postfix/virtual
For various reasons I'm typing this by hand, I hope I haven't made any spelling
mistakes ;)
The only thing I'm currently still evaluating is whether I should set
smtp_tls_security_level higher. And now as I write this I realize that I will
also set smtp_tls_mandatory_protocols to >=TLSv1.3.
But apart from that, I wonder what other settings I can make to make my system
even more secure and minimalistic? Compatibility with old systems is currently
not a priority (which is for example why >= TLSv1.3), and I don't care about
optimal performance at the moment.
My request does not refer to general things like ssh or fail2ban, only to
Postfix. Do you have any ideas?_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
