On Mon, Jul 13, 2015 at 12:35:33PM +0200, Martin S wrote:

> I've googled this subject a bit and found a few suggested settings for
> main.cf that are already in my configuration. Does anyone have a nice
> guide on how to harden a postfix installation (you should probably do it
> right and consider it from the beginning, but anyway)?

What does "hardening" mean to you?  My main recommendation
for main.cf is to delete all the stock comments (no longer
needed now that the parameters are documented at:

    http://www.postfix.org/postconf.5.html#<insert-parameter-name>

and to group the parameters by function:

        # Global parameters
        ...
        # Address rewriting
        ...
        # Routing (address class and transport configuration)
        ...
        # SMTP access control
        ...
        # TLS
        ...
        # SASL
        ...

Basically, make main.cf easy to maintain, so you can see what's
going on at a glance.  Then you're less likely to make silly
mistakes.

An outline of my main.cf file is below.

-- 
        Viktor.

# -- Personality
#
mydomain = ...
myorigin = $mydomain
inet_protocols = ipv4

# -- Convenience
#
default_database_type = cdb
indexed = ${default_database_type}:${config_directory}/
cidr = cidr:${config_directory}/
pcre = pcre:${config_directory}/

# -- Trusted clients
#
mynetworks = 127.0.0.1

# -- Limits
#
message_size_limit = 26214400

# -- Routing
#
mydestination = ...
virtual_alias_domains = ...
virtual_mailbox_domains = virtual.invalid

# Virtual mailbox (Dovecot) domains
#
virtual_mailbox_base = /var/spool/virtual
virtual_mailbox_maps = ${indexed}vmbox
virtual_uid_maps = static:504
virtual_gid_maps = static:504

sender_dependent_default_transport_maps =
        texthash:${config_directory}/sd-def-transp

# -- Rewriting
#
alias_maps = ${indexed}aliases
alias_database = ${indexed}aliases

canonical_maps = ${indexed}canonical
virtual_alias_maps = ${indexed}valias

# Subdomain matching always requires an explicit ".domain" key.
parent_domain_matches_subdomains =

recipient_delimiter = ...

# -- Access control
#
smtpd_helo_required = yes
smtpd_error_sleep_time = ...
smtpd_restriction_classes = ...
smtpd_client_restrictions = ...
smtpd_helo_restrictions = ...
smtpd_sender_restrictions = ...
smtpd_relay_restrictions = ...
smtpd_recipient_restrictions = ...
smtpd_data_restrictions = ...

header_checks = ${pcre}headerchecks
body_checks = ${pcre}body_checks

# -- TLS
#
# Incoming mail:
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_cert_file = /usr/pkg/etc/mail-cert.pem
smtpd_tls_key_file = /usr/pkg/etc/mail-key.pem
# MTA SMTP clients are expected to cope with 2048-bit EDH.
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_exclude_ciphers = EXPORT, LOW

# Outgoing mail:
# Dogfood!  Enable DANE support.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_exclude_ciphers = EXPORT, LOW, aDSS, kECDHe, kECDHr, PSK, SRP
smtp_tls_policy_maps = ${indexed}tls-policy

# -- SASL
#
#cyrus_sasl_config_path = ${config_directory}
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = ...

# -- Reject codes.
# Use 5XX for long-term settings.
# Use 4XX briefly when testing new features (or use soft_bounce = yes).
# The settings below, default to 4XX, explicitly set to 5XX.
# To search for any settings that fell through the cracks:
#
#    $ postconf | grep ' = 450' | egrep -v 'defer_code'
#
# Note, I leave 'plaintext_reject_code = 450' as-is.
#
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_sender_reject_code = 550
unverified_recipient_reject_code = 550

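The reject-code check in the outline above is a one-line grep over live `postconf` output. The following is an added example, not part of the original post and not Postfix's own tooling: a small offline audit in Python that parses a main.cf fragment (logical lines with whitespace continuation, `$name` / `${name}` references expanded the way `postconf -x` does, comment lines skipped), then reports reject-code parameters still at their 450 default, including ones simply left unset, and `smtpd_tls_auth_only` not set to `yes`. The main.cf fragment is constructed for the example; the five reject-code parameter names and their 450 defaults are real Postfix parameters, everything else (function names, the exact findings text) is this example's own choice. Only the two reference syntaxes above are expanded; `${name?value}`-style conditionals are not handled here.

```python
"""Offline audit of a Postfix main.cf fragment (added example, not from the
original post).  Mirrors the post's 'postconf | grep " = 450"' check without
needing a Postfix installation."""
import re

# Constructed sample main.cf.  Deliberate defects: one reject code left at
# 450, one reject code not set at all (so it keeps its 450 default).
SAMPLE_MAIN_CF = """\
# -- Personality
config_directory = /etc/postfix
mydomain = example.invalid
myorigin = $mydomain
indexed = cdb:${config_directory}/
alias_maps = ${indexed}aliases
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination
unknown_address_reject_code = 550
unknown_client_reject_code = 450
unknown_hostname_reject_code = 550
unverified_sender_reject_code = 550
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""

# Postfix parameters whose built-in default is the temporary code 450.
REJECT_CODES_DEFAULT_450 = (
    'unknown_address_reject_code',
    'unknown_client_reject_code',
    'unknown_hostname_reject_code',
    'unverified_sender_reject_code',
    'unverified_recipient_reject_code',
)

_REF = re.compile(r'\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))')


def parse_main_cf(text):
    """Parse main.cf syntax into a dict.  A line starting with whitespace
    continues the previous logical line; comment lines ('#') are skipped
    (simplification: also when indented)."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and last is not None:
            params[last] = (params[last] + ' ' + raw.strip()).strip()
            continue
        name, sep, value = raw.partition('=')
        if not sep:
            continue  # not a parameter assignment
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(params, value, depth=0):
    """Expand $name and ${name} references recursively; an undefined
    parameter expands to the empty string."""
    if depth > 10:
        raise ValueError('reference loop while expanding %r' % value)

    def sub(match):
        name = match.group(1) or match.group(2)
        return expand(params, params.get(name, ''), depth + 1)
    return _REF.sub(sub, value)


def audit(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    expanded = {k: expand(params, v) for k, v in params.items()}
    for name in REJECT_CODES_DEFAULT_450:
        code = expanded.get(name)  # None: unset, so the 450 default applies
        if code is None or not code.startswith('5'):
            findings.append('%s is %s (temporary reject, not 5XX)'
                            % (name, code or '450 (default)'))
    if expanded.get('smtpd_tls_auth_only') != 'yes':
        findings.append('smtpd_tls_auth_only is not "yes": '
                        'SASL AUTH would be offered over cleartext')
    return findings


if __name__ == '__main__':
    for line in audit(parse_main_cf(SAMPLE_MAIN_CF)) or ['no findings']:
        print(line)
```

To run it against a real server, replace `SAMPLE_MAIN_CF` with the output of `postconf -n` (which already prints one logical line per parameter) and the continuation handling simply goes unused; unset parameters are still reported, which the grep in the post cannot do since `postconf` without `-n` prints defaults and explicit settings alike.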