Vijay,

I would have smtpd listen on an additional port. (You'll need this for some circumstances). In addition, I would also tighten up your iptables rules and make sure nobody can get to your mysql server socket/port.


In master.cf, add the following line:

# Have SMTPD listen on port 825 as well for remote users that have port 25 blocked. This will allow authentication and connectivity on the server from some remote users.
825 inet n - n - - smtpd -v

Cheers.

-Percy
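A concrete form of Percy's two firewall points (added here as an editorial example; it is not part of either message in the thread). It parses an `ss -ltn` style listing, flags every listener that is reachable from other hosts but is not one of the ports the mail host is meant to serve, and builds the iptables commands that accept those ports and drop the rest. The sample listing is constructed, the 192.0.2.x addresses are documentation addresses standing in for the two real IPs, and the set of intended ports (ssh, smtp, submission, plus Percy's 825) is an assumption for the example.

```python
import ipaddress

# Constructed `ss -ltn` listing (no host was queried): a MySQL server bound
# to every interface beside the smtp/submission listeners from master.cf.
# 192.0.2.x are documentation addresses standing in for the two real IPs.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      100    192.0.2.6:25        0.0.0.0:*
LISTEN 0      100    192.0.2.7:25        0.0.0.0:*
LISTEN 0      100    192.0.2.6:587       0.0.0.0:*
LISTEN 0      100    127.0.0.1:587       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

# Assumed set of TCP ports this host is meant to serve to the world:
# ssh, smtp, submission and Percy's extra smtpd port.
INTENDED_PORTS = {22, 25, 587, 825}


def parse_listeners(ss_output):
    """Yield (host, port) from the Local Address:Port column of `ss -ltn`."""
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]")                      # IPv6 is printed as [addr]
        yield host, int(port)


def exposed_ports(ss_output, intended=INTENDED_PORTS):
    """Listeners reachable from other hosts that are not on the intended list."""
    exposed = []
    for host, port in parse_listeners(ss_output):
        if host == "*":                              # older ss prints * for any
            host = "0.0.0.0"
        if ipaddress.ip_address(host).is_loopback:   # 127.0.0.1 / ::1 are fine
            continue
        if port not in intended:
            exposed.append((host, port))
    return exposed


def iptables_rules(exposed, intended=INTENDED_PORTS):
    """argv lists for the INPUT chain: loopback and established traffic
    pass, the intended ports are accepted, the exposed ones are dropped."""
    rules = [["iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
             ["iptables", "-A", "INPUT", "-m", "conntrack",
              "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"]]
    for port in sorted(intended):
        rules.append(["iptables", "-A", "INPUT", "-p", "tcp",
                      "--dport", str(port), "-j", "ACCEPT"])
    for _, port in exposed:
        # the loopback ACCEPT above comes first, so local clients still
        # reach MySQL; only remote connections hit this DROP
        rules.append(["iptables", "-A", "INPUT", "-p", "tcp",
                      "--dport", str(port), "-j", "DROP"])
    return rules


if __name__ == "__main__":
    found = exposed_ports(SAMPLE_SS)
    print("exposed:", found)
    for rule in iptables_rules(found):
        print(" ".join(rule))
```

The firewall rule is the backstop, not the fix: the listener itself should be bound to loopback (`bind-address = 127.0.0.1` in my.cnf), and the Unix socket Percy also mentions is not covered by iptables at all, only by the permissions on the socket file.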


On 3/14/2013 9:25 AM, Vijay Rajah wrote:
Hi,

I'm a Postfix newbie... I'm trying to set up my personal Email server. I have been able to set up Postfix+dovecot+roundcube+Imapproxy. Basically I have a server with 2 IPv4 addresses, and the mails are stored locally by dovecot.

I'm able to accept inbound and able to send emails. I'm planning to add spam filters etc... Before that I want to make sure that my config is decently secure.

Please help evaluate my config, let me know what changes are needed to help improve security. (PS I have not yet implemented chroot. Planning on implementing it as well.) There are many parameters, and I'm not sure if I missed/misconfigured anything.


Here is my config

###Postconf -n
# postconf -n
command_directory = /mail/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /mail/postfix/libexec
data_directory = /mail/postfix/var/lib
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_protocols = ipv4
invalid_hostname_reject_code = 554
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /mail/postfix/man
message_size_limit = 52428800
multi_recipient_bounce_reject_code = 554
mydestination = localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 554
queue_directory = /mail/postfix/var/spool
readme_directory = no
relay_domains_reject_code = 554
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_generic_maps = hash:/mail/postfix/etc/generic
smtp_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/mail/postfix/var/lib/smtp_tls_session_cache
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client truncate.gbudb.net, permit
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_path = /mail/postfix/var/spool/postfix/private/dovecot-auth
smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/mail/postfix/etc/sender_restrictions
smtpd_tls_CAfile = /mail/postfix/etc/ssl/myca.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, DES
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/mail/postfix/var/lib/smtpd_tls_session_cache
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-alias-maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /mail/mailbox/vmail
virtual_mailbox_domains = proxy:mysql:/mail/postfix/etc/mysql/virtual-domain.cf
virtual_mailbox_maps = proxy:mysql:/mail/postfix/etc/mysql/virtual-mailbox-maps.cf
virtual_minimum_uid = 1000
virtual_transport = lmtp:unix:/mail/postfix/var/spool/postfix/private/dovecot-lmtp
virtual_uid_maps = static:5000


###master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

##We will listen on specific ports so we can change our hostname and SSL certs

<IP_ADDR>.6:smtp      inet  n       -       n       -     -       smtpd
        -o myhostname=mail1.mydomain.tld
        -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
        -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem

<IP_ADDR>.7:smtp      inet  n       -       n       -     -       smtpd
        -o myhostname=mail2.mydomain.tld
        -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
        -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem

#smtp      inet  n       -       n       -       1 postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0 dnsblog
#tlsproxy  unix  -       -       n       -       0 tlsproxy

<IP_ADDR>.6:submission inet n       -       n       -     -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail1.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail1-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail1-key.pem
  -o smtpd_tls_auth_only=yes

<IP_ADDR>.7:submission inet n       -       n       -     -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail2.mydomain.tld
  -o smtpd_tls_cert_file=/mail/postfix/etc/ssl/mail2-cert.pem
  -o smtpd_tls_key_file=/mail/postfix/etc/ssl/mail2-key.pem
  -o smtpd_tls_auth_only=yes

127.0.0.1:submission inet n       -       n       -       -     smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o myhostname=mail2.mydomain.tld
.
.
.
<truncated>



PS: I hope this sort of question is acceptable on this mailing list.

Thanks in advance,
Any help is greatly appreciated.

Vijay
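Since the question is "please evaluate my config", here is a small audit of a `postconf -n` dump for the settings that matter most in the posted configuration: relay control ordering, the TLS protocol list, VRFY/HELO hardening, and whether MySQL maps go through proxymap(8). This is an added editorial example, not code from the thread or from the Postfix project. The sample dump is constructed from a subset of the values Vijay posted, with the map paths shortened and `virtual_mailbox_domains` deliberately left without the `proxy:` prefix so that check fires.

```python
import re

# Constructed sample: a subset of the `postconf -n` values posted above,
# map paths shortened, and virtual_mailbox_domains deliberately left
# without the proxy: prefix so that check fires. Not a live dump.
SAMPLE_POSTCONF = """\
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit
smtpd_tls_protocols = TLSv1
smtpd_tls_security_level = may
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual-domain.cf
"""

# permit_* restrictions that may safely precede reject_unauth_destination
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                "permit_auth_destination"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_postconf(text):
    """Map the `name = value` lines of `postconf -n` output to a dict."""
    params = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list syntax: items separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def relay_problems(restrictions):
    """Return (bad_permits, guarded): permit tokens evaluated before the
    first *_unauth_destination guard, and whether such a guard exists."""
    bad = []
    for tok in split_list(restrictions):
        if tok in RELAY_GUARDS:
            return bad, True
        if tok == "permit" or (tok.startswith("permit_") and tok not in SAFE_PERMITS):
            bad.append(tok)
    return bad, False


def audit(params):
    """Return (severity, parameter, message) findings for the dump."""
    findings = []

    # Relay control: permit/permit_* before reject_unauth_destination lets
    # anyone relay through the server. Postfix >= 2.10 also evaluates
    # smtpd_relay_restrictions; check whichever lists the dump sets.
    guarded = False
    for name in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"):
        if name in params:
            bad, has_guard = relay_problems(params[name])
            guarded = guarded or has_guard
            for tok in bad:
                findings.append(("HIGH", name,
                                 f"{tok} is evaluated before reject_unauth_destination (open relay)"))
    if not guarded:
        findings.append(("HIGH", "smtpd_recipient_restrictions",
                         "no *_unauth_destination set explicitly; "
                         "check `postconf smtpd_relay_restrictions`"))

    # TLS: naming versions to include pins the server to exactly those
    # versions; the documented idiom is to exclude the old ones instead.
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if name in params:
            included = [t for t in split_list(params[name]) if not t.startswith("!")]
            if included:
                findings.append(("MEDIUM", name,
                                 f"inclusion list {included} disables newer TLS versions; "
                                 "prefer exclusions such as !SSLv2, !SSLv3"))
    if (params.get("smtpd_tls_security_level", "none") == "none"
            and params.get("smtpd_use_tls") != "yes"):
        findings.append(("MEDIUM", "smtpd_tls_security_level",
                         "STARTTLS is not offered; set may (or encrypt on submission)"))

    # Reconnaissance hardening; both default to no when absent from the dump.
    if params.get("disable_vrfy_command") != "yes":
        findings.append(("LOW", "disable_vrfy_command",
                         "VRFY lets clients enumerate mailboxes; set yes"))
    if params.get("smtpd_helo_required") != "yes":
        findings.append(("LOW", "smtpd_helo_required",
                         "HELO restrictions only apply when HELO is required; set yes"))

    # MySQL maps: route them through proxymap(8) so one connection is shared
    # and lookups keep working once smtpd runs chrooted.
    for name, value in params.items():
        for source in split_list(value):
            if source.startswith("mysql:"):
                findings.append(("MEDIUM", name,
                                 f"{source} is opened by every daemon that needs it; use proxy:{source}"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit(parse_postconf(SAMPLE_POSTCONF)):
        print(f"{severity:6} {name}: {message}")
```

Run against the posted dump it reports only the `smtpd_tls_protocols = TLSv1` inclusion list; note that this parameter governs opportunistic TLS on port 25, while the submission listeners with `smtpd_tls_security_level=encrypt` use `smtpd_tls_mandatory_protocols`, which is not in the dump and therefore still at its default.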
