Hi, I'm a Postfix newbie... I'm trying to set up my personal email server. I have been able to set up Postfix+dovecot+roundcube+Imapproxy. Basically I have a server with 2 IPv4 addresses, and the mails are stored locally by dovecot.
I'm able to accept inbound and able to send emails. I'm planning to add spam filters etc... Before that I want to make sure that my config is decently secure. Please help evaluate my config, let me know what changes are needed to help improve security. (PS: I have not yet implemented chroot.. Planning on implementing it as well.) There are many parameters, and I'm not sure if I missed/misconfigured anything. Here is my config:

###Postconf -n
# postconf -n
command_directory = /mail/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /mail/postfix/libexec
data_directory = /mail/postfix/var/lib
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_protocols = ipv4
invalid_hostname_reject_code = 554
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /mail/postfix/man
message_size_limit = 52428800
multi_recipient_bounce_reject_code = 554
mydestination = localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 554
queue_directory = /mail/postfix/var/spool
readme_directory = no
relay_domains_reject_code = 554
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_generic_maps = hash:/mail/postfix/etc/generic
smtp_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/mail/postfix/var/lib/smtp_tls_session_cache
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client truncate.gbudb.net, permit
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_path = /mail/postfix/var/spool/postfix/private/dovecot-auth
smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/mail/postfix/etc/sender_restrictions
smtpd_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, DES
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/mail/postfix/var/lib/smtpd_tls_session_cache
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-alias-maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /mail/mailbox/vmail
virtual_mailbox_domains = proxy:mysql:/mail/postfix/etc/mysql/virtual-domain.cf
virtual_mailbox_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-mailbox-maps.cf
virtual_minimum_uid = 1000
virtual_transport = lmtp:unix:/mail/postfix/var/spool/postfix/private/dovecot-lmtp
virtual_uid_maps = static:5000

###master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
## We will listen on specific ports so we can change our hostname and SSL certs
<IP_ADDR>.6:smtp inet n - n - - smtpd
  -o myhostname=mail1.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem
<IP_ADDR>.7:smtp inet n - n - - smtpd
  -o myhostname=mail2.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
<IP_ADDR>.6:submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail1.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem
  -o smtpd_tls_auth_only=yes
<IP_ADDR>.7:submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail2.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem
  -o smtpd_tls_auth_only=yes
127.0.0.1:submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail2.mydomain.tld
  .
  .
  .
<truncated>

PS: I hope this sort of question is acceptable on this mailing list. Thanks in advance, any help is greatly appreciated.

Vijay
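The review the poster asks for can be partly automated. The script below is an added example written for this page, not part of Vijay's post or of Postfix itself: it parses a `postconf -n` dump and flags the settings a reviewer checks first on a public port-25 smtpd. The relay check confirms that `reject_unauth_destination` (or `defer_unauth_destination`) is present in `smtpd_recipient_restrictions` and comes before any unconditional `permit`; the TLS check relies on the documented Postfix rule that a `smtpd_tls_protocols` list written without `!` names the only protocol versions the server will offer, so `TLSv1` on its own means TLS 1.0 and nothing newer. The embedded sample is constructed from the main.cf values quoted above; the expected-value table and the restriction-list parsing (comma-separated entries, as the poster writes them) are this example's assumptions.

```python
"""Audit a `postconf -n` dump for relay and TLS settings that are easy to get wrong.

Usage:  postconf -n | python3 postconf_audit.py    (or pass the dump as a file argument;
        with no input at all the constructed sample below is audited)
"""
import sys
from typing import Dict, List

# Constructed sample: the main.cf values quoted in the post, in postconf -n form.
# Indented continuation lines, as found in a hand-written main.cf, are folded too.
SAMPLE_POSTCONF = """\
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain,
    reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = no
smtpd_tls_protocols = TLSv1
smtpd_tls_security_level = may
"""

# Settings whose value on the public port-25 smtpd should be unambiguous.
# Postfix's built-in default for all three is "no", which is what an unset name means.
EXPECTED = {
    "disable_vrfy_command": "yes",   # VRFY lets a remote client enumerate valid mailboxes
    "smtpd_helo_required": "yes",
    "smtpd_sasl_auth_enable": "no",  # AUTH belongs on submission (master.cf -o), not port 25
}


def parse_postconf(text: str) -> Dict[str, str]:
    """Turn 'name = value' lines (plus indented continuations) into a dict."""
    params: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()  # continuation of the previous value
            continue
        name, sep, value = line.partition("=")  # first '=' only: values may contain '='
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value: str) -> List[str]:
    """Split a comma-separated Postfix list, keeping 'restriction argument' pairs intact."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_relay(restrictions: List[str]) -> List[str]:
    """reject_unauth_destination must exist and precede any unconditional 'permit'."""
    names = [item.split()[0] for item in restrictions]
    guards = ("reject_unauth_destination", "defer_unauth_destination")
    if not any(name in guards for name in names):
        return ["smtpd_recipient_restrictions: no reject_unauth_destination -> open relay"]
    first_guard = min(names.index(g) for g in guards if g in names)
    if "permit" in names[:first_guard]:
        return ["smtpd_recipient_restrictions: 'permit' before reject_unauth_destination -> open relay"]
    return []


def check_tls_protocols(value: str) -> List[str]:
    """Postfix treats a list without '!' as the ONLY protocol versions to offer."""
    protos = split_list(value)
    if not protos:
        return []
    if all(p.startswith("!") for p in protos):  # exclusion form: newer versions stay enabled
        missing = [p for p in ("!SSLv2", "!SSLv3") if p not in protos]
        return [f"smtpd_tls_protocols: also exclude {', '.join(missing)}"] if missing else []
    if not any(p in ("TLSv1.2", "TLSv1.3") for p in protos):
        return [f"smtpd_tls_protocols = {value}: pins the server to old TLS versions; "
                "use the exclusion form '!SSLv2, !SSLv3' so newer versions stay enabled"]
    return []


def audit(text: str) -> List[str]:
    """Return one finding string per problem; an empty list means nothing flagged."""
    params = parse_postconf(text)
    findings: List[str] = []
    for name, wanted in EXPECTED.items():
        actual = params.get(name, "no")
        if actual != wanted:
            findings.append(f"{name} = {actual}: expected {wanted}")
    findings += check_relay(split_list(params.get("smtpd_recipient_restrictions", "")))
    findings += check_tls_protocols(params.get("smtpd_tls_protocols", ""))
    if params.get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd_tls_security_level: STARTTLS not offered on port 25")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        source = open(sys.argv[1]).read()
    elif not sys.stdin.isatty():
        source = sys.stdin.read()
    else:
        source = SAMPLE_POSTCONF
    for finding in audit(source) or ["no findings"]:
        print(finding)
```

Run against the quoted configuration the script reports a single finding, the `smtpd_tls_protocols = TLSv1` line; the relay ordering and the port-25 AUTH/VRFY settings come out clean. The per-service `-o` overrides in master.cf (the submission listeners) are outside what `postconf -n` shows and need to be read separately.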