On Monday 13 July 2015 14.25.15 Viktor Dukhovni wrote:
> On Mon, Jul 13, 2015 at 12:35:33PM +0200, Martin S wrote:
> > I've googled this subject a bit and found a few suggested settings for
> > main.cf that are already in my configuration. Does anyone have a nice
> > guide on how to harden a postfix installation (you should probably do it
> > right and consider it from the beginning, but anyway)?
> 
> What does "hardening" mean to you?  My main recommendation
> for main.cf is to delete all the stock comments (no longer
> needed now that the parameters are documented at:

Well, "not easily providing holes and minimizing attack areas for crackers 
(and spammers)" would be my starting point. If there are any really retarded 
configurations I'd want to avoid them obviously. 

>     http://www.postfix.org/postconf.5.html#<insert-parameter-name>
> 
> and to group the parameters by function:
> 
>       # Global parameters
>       ...
>       # Address rewriting
>       ...
>       # Routing (address class and transport configuration)
>       ...
>       # SMTP access control
>       ...
>       # TLS
>       ...
>       # SASL
>       ...
> 
> Basically, make main.cf easy to maintain, so you can see what's
> going on at a glance.  Then you're less likely to make silly
> mistakes.

Very good idea! I'll do that. That would definitely make it much easier to 
avoid retardedness. (At least it provides a solid foundation to avoid it).

I'll look at the multi-instance setup idea as well.

/M.
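
Added example, not part of the original messages and not code from the Postfix project: a sketch of the cleanup suggested in the thread, which drops comments from a main.cf and re-emits the parameters under the section headings listed above. The name-to-section patterns and the sample input are assumptions made for illustration.

```python
import re
# Titles follow the thread; name patterns are assumptions. First match wins.
SECTIONS = [
    ("Global parameters", None),
    ("Address rewriting", r"canonical|^virtual_alias_|^masquerade_"),
    ("Routing (address class and transport configuration)",
     r"^mydestination$|^relay|^transport_maps$|^virtual_mailbox_|^virtual_transport$"),
    ("SMTP access control", r"^smtpd_\w+_restrictions$|^mynetworks"),
    ("TLS", r"_tls_"),
    ("SASL", r"_sasl_"),
]

def parse_main_cf(text):
    """Map each parameter to its value lines, dropping comments and blanks."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comments are skipped even inside multi-line values
        if line[0].isspace() and current:
            params[current].append(line.strip())  # continuation line
        else:
            current, _, value = (s.strip() for s in line.partition("="))
            params[current] = [value] if value else []
    return params

def regroup(text):
    """Render a comment-free main.cf with parameters grouped by function."""
    grouped = {title: [] for title, _ in SECTIONS}
    for name, lines in parse_main_cf(text).items():
        title = next((t for t, rx in SECTIONS if rx and re.search(rx, name)),
                     SECTIONS[0][0])
        grouped[title].append(f"{name} = " + "\n    ".join(lines))
    out = []
    for title, _ in SECTIONS:
        if grouped[title]:
            out += [f"# {title}", *grouped[title], ""]
    return "\n".join(out)

# Constructed sample input, not a real configuration.
SAMPLE = """\
# stock comment
smtpd_tls_security_level = may
myhostname = mail.example.com
smtpd_recipient_restrictions =
    permit_mynetworks,
    # comment inside a multi-line value
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""
```

Comparing `postconf -n` output before and after installing the regrouped file confirms that the explicitly set parameters are unchanged.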
