How-to: Run PostFix Securely on the Internet

Today’s how-to is all about our favorite MTA, Postfix.

For those of you who are not familiar with Postfix, it's one of the most popular mail transport agents available on Linux. Most of the time Postfix can run with no configuration at all, however there are times when you want to reach Postfix from the internet securely. If you follow this guide correctly you will secure your client connections with TLS and ensure it's not an open relay for spammers.

This guide is for CentOS; if you are using a different distro, your configuration files may be in different locations, but the configuration should be the same.

The two main files you will need to edit are /etc/postfix/main.cf and /etc/postfix/master.cf.

Let's start with main.cf. Add the following lines to your main.cf file:

## Domains this server accepts mail for; anything else is treated as a relay request
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain

## Reject incoming mail for unknown local email addresses
unknown_local_recipient_reject_code = 550

## Leave relay_domains blank: no domain is relayed for unauthenticated clients, while authenticated clients can still send anywhere
relay_domains =

## Tell Postfix where your domain aliases are if you are hosting multiple domains from one server
virtual_alias_maps = hash:/etc/postfix/virtual

## Mailbox command if using domains
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME

## Tell Postfix where to store user mail
home_mailbox = Maildir/

## Important: enable SASL authentication so clients must log in before they can relay
smtpd_sasl_auth_enable = yes

## No anonymous logins allowed, sorry, we don't like open relays
smtpd_sasl_security_options = noanonymous

## Allow some non-standard SASL clients to work (optional)
broken_sasl_auth_clients = yes

## IMPORTANT: relay only for authenticated clients; reject_unauth_destination turns everyone else away.
## The line must start in column one, a leading space would make it a continuation of the previous setting.
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

## Tell Postfix what TLS certificate to use. Make sure you copy the certificate there.
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem

## Same thing with the private key
smtpd_tls_key_file = /etc/postfix/postfix.key.pem

## And the CA bundle to chain to
smtpd_tls_CAfile = /etc/postfix/CAcert.pem

## Enable opportunistic TLS: STARTTLS is offered, but a client that does not use it still talks in the clear
smtpd_tls_security_level = may

## Set TLS ciphers to high security. This parameter governs mandatory TLS only, which the smtps
## wrapper-mode service in master.cf implies; opportunistic TLS on port 25 is governed by smtpd_tls_ciphers.
smtpd_tls_mandatory_ciphers = high

## Limit how many recipients one outbound delivery to a single destination may carry, just in case
smtp_destination_recipient_limit = 50

And in master.cf add the following (one logical entry; the indented -o lines continue it):

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
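To check that a running server really carries the relay and TLS settings above, here is an added Python audit script (not from the original post) that parses `postconf -n` output and reports anything that would leave the box an open relay or without STARTTLS. The sample dump is constructed; the parameter names are the ones used in this guide, and the script also accepts the newer smtpd_relay_restrictions list, which this guide does not use.

```python
import re
# Constructed sample of `postconf -n` output carrying the settings from this guide
SAMPLE = """\
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_security_level = may
"""

def parse_postconf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    conf, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last is not None:
            conf[last] += " " + line.strip()
        elif "=" in line and not line.startswith("#"):
            name, _, value = line.partition("=")
            last = name.strip()
            conf[last] = value.strip()
    return conf

def split_list(value):  # Postfix separates list items with commas and/or whitespace
    return [item for item in re.split(r"[,\s]+", value) if item]

def relay_closed(rules):
    """True if unauthenticated relaying is rejected before any blanket 'permit' rule."""
    for rule in rules:
        if rule in ("reject_unauth_destination", "defer_unauth_destination"):
            return True
        if rule == "permit":  # nothing after a bare permit is ever evaluated
            return False
    return False

def audit(conf):
    """Return a list of findings; an empty list means the checked settings look sane."""
    findings = []
    if conf.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: clients cannot authenticate to relay")
    if "noanonymous" not in split_list(conf.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    # postconf -n shows only explicit settings; on Postfix 2.10+ smtpd_relay_restrictions may close the relay instead
    lists = [conf.get(k, "") for k in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")]
    if not any(relay_closed(split_list(v)) for v in lists):
        findings.append("no reject_unauth_destination before a blanket permit: open relay")
    if conf.get("smtpd_tls_security_level") in (None, "", "none"):
        findings.append("smtpd_tls_security_level is unset or none: STARTTLS is not offered")
    return findings
```

On a real server, run `postconf -n > conf.txt` and call `audit(parse_postconf(open("conf.txt").read()))`; an empty list means the settings checked here are in place.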

And that's it: your Postfix should only allow authenticated clients to relay and will not be an open relay. Lastly, make sure your reverse DNS resolves to the same hostname as your mail server. Many internet MTAs will reject your mail if it does not resolve or resolves incorrectly.

Hope this helps you!

-Joe

2 responses to “How-to: Run PostFix Securely on the Internet”

  1. Amedar Consulting Avatar

    We absolutely love your blog and find nearly all of your posts to be what precisely I’m looking for. Does one offer guest writers to write content for yourself? I wouldn’t mind creating a post or elaborating on a lot of the subjects you write with regards to here. Again, awesome weblog!

    1. joe Avatar

      Thanks Amedar, you can email me offline at [email protected]. Attach an article; I will review it and, if it meets our review criteria, post it giving you full credit for your post with a link to your site. Appreciate the comments.

      Thanks,

      Joe