My 1 cent, privacy-wise (assuming you're hosting on a VPS and not at
home):
Remove headers and your home IP with postfix.

master.cf, under submission:
    -o cleanup_service_name=auth-cleanup

and then a dedicated cleanup service (the -o lines must be indented as
continuation lines):
auth-cleanup unix n - n - 0 cleanup
    -o syslog_name=postfix/auth-cleanup
    -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre
# cat auth_header_checks.pcre
/^\s*(Received: from)[^\n]*(.*for <.*@(?!YOURDOMAIN.COM).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
#/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
/^\s*Mime-Version:*/ HOLD
This makes it look like all mail is sent from the email server itself
and hides your client. I can't remember where I got the above from but I
found it somewhere, possibly even from this list.
My other cent, for security:
I am also in the position to firewall off my machine to everything but
my home IP and, just to be a dick, all login attempts on client ports
from any other IPs get routed to a honeypot.
To use things on the road I can VPN to my home and then get at my email.
Login attempts on port 25 still get nailed by fail2ban and I think I
just disabled the ability to log in at all on 25 but it's been a while
since I set this up.
If you wanted to be an even bigger jerk you could probably get fail2ban
to reroute bans to the honeypot instead of just blocking. It is kinda
entertaining to watch someone get a successful login on the honeypot
followed by a new account authorization request getting bounced from
some webshop a few minutes later.
Like someone else said, reducing the attack surface is the first line of
defense. Don't use default URLs for any web stuff and try to restrict
on an IP basis as much as you can.
I considered looking into the ancient art of port knocking but a VPN to
a fixed IP was just easier.
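To see what the posted auth_header_checks.pcre actually does to a submission, here is a small simulator (added example code, not from the post above and not Postfix's own code) that applies those rules to constructed headers the way header_checks(5) processes them: first matching rule per logical header, REPLACE rewrites, IGNORE drops, HOLD keeps the header but parks the whole message in the hold queue. It assumes "example.com" in place of YOURDOMAIN.COM and that the headers look like what Postfix adds for an authenticated client.

```python
import re

# The posted auth_header_checks.pcre as (pattern, action, replacement) in
# Postfix pcre_table(5) syntax ($N = captured group); "example.com" stands
# in for YOURDOMAIN.COM.
RULES = [
    (r"^\s*(Received: from)[^\n]*(.*for <.*@(?!example\.com).*)",
     "REPLACE", "$1 [127.0.0.1] (localhost [127.0.0.1])$2"),
    (r"^\s*User-Agent", "IGNORE", ""),
    (r"^\s*X-Enigmail", "IGNORE", ""),
    (r"^\s*X-Mailer", "IGNORE", ""),
    (r"^\s*X-Originating-IP", "IGNORE", ""),
    (r"^\s*Mime-Version:*", "HOLD", ""),
]
# Postfix pcre tables default to case-insensitive matching with '.' also
# matching newline (flags i and s), so a folded header is matched as a whole.
COMPILED = [(re.compile(p, re.IGNORECASE | re.DOTALL), a, r) for p, a, r in RULES]


def apply_header_checks(headers):
    """Apply the first matching rule to each logical header, as header_checks(5)
    does: REPLACE rewrites it, IGNORE drops it silently, HOLD keeps it but flags
    the whole message for the hold queue. Returns (surviving headers, held)."""
    kept, held = [], False
    for header in headers:
        for regex, action, repl in COMPILED:
            m = regex.search(header)
            if not m:
                continue
            if action == "REPLACE":           # translate $N to Python's \N
                kept.append(m.expand(re.sub(r"\$(\d+)", r"\\\1", repl)))
            elif action == "HOLD":
                kept.append(header)
                held = True
            break                             # IGNORE: header is dropped
        else:
            kept.append(header)
    return kept, held

# Constructed sample: a submission from a home client to an outside domain,
# with the folded Received header as Postfix itself would have added it.
SAMPLE = [
    "Received: from laptop.home (cust-203-0-113-7.isp.example [203.0.113.7])\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 4AbCdE\n"
    "\tfor <bob@other.example>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)",
    "From: alice@example.com",
    "User-Agent: Mozilla Thunderbird",
    "X-Originating-IP: 203.0.113.7",
    "Mime-Version: 1.0",
]
```

Running apply_header_checks(SAMPLE) rewrites the Received line to localhost, drops User-Agent and X-Originating-IP, and returns held=True because the last rule matches "Mime-Version: 1.0"; mail addressed to the server's own domain leaves the Received header untouched.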