Hi all,

I have been running a postfix server for a while. Though I think I have come up with a sensible configuration, I have not been able to verify that it is really sound. Can somebody give it a look, security-wise?

My requirements are:
- Require encryption and authentication for users submitting mail from non-local (other than 127.0.0.x) connections
- Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections

Thank you very much for any hint you guys might have!

Felix


Output of postconf -n:
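    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    anvil_status_update_time = 2h
    append_dot_mydomain = no
    biff = no
    compatibility_level = 2
    confirm_delay_cleared = yes
    default_process_limit = 5
    delay_warning_time = 1h
    disable_vrfy_command = yes
    inet_interfaces = all
    inet_protocols = ipv4
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    message_size_limit = 26214400
    # 'accept' is fail-open: if the rspamd socket named in smtpd_milters is unreachable, mail is
    # delivered unfiltered.  'tempfail' would make a filter outage visible instead of hiding it.
    milter_default_action = accept
    milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}"
    milter_protocol = 6
    mydestination = $myhostname localhost.$mydomain localhost mail.$mydomain
    mydomain = example.com
    myhostname = mail.example.com
    # Every host in these ranges is trusted by permit_mynetworks: unauthenticated relay on port 25
    # and on submission, HELO checks skipped, AUTH not even advertised.  That is wider than the
    # stated "127.0.0.x only" requirement unless the VPN/container ranges are meant to count as
    # local.  mynetworks_style has no effect while mynetworks is set explicitly.
    mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
    mynetworks_style = host
    myorigin = $mydomain
    notify_classes = resource, software
    recipient_delimiter = +
    relay_domains = $mydestination
    # Outbound relay authenticates with SASL, but smtp_tls_security_level = may is opportunistic:
    # if STARTTLS is not offered (or is stripped on the path), the PLAIN/LOGIN credentials are sent
    # in clear.  `smtp_tls_security_level = encrypt` makes TLS mandatory towards the relayhost.
    relayhost = [smtp.myprovider.com]:587
    smtp_cname_overrides_servername = no
    smtp_connect_timeout = 30
    smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
    smtp_helo_timeout = 60
    smtp_sasl_auth_enable = yes
    # Holds the relayhost password; keep the source file and its .db readable by root only.
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_ciphers = high
    # Only matters for fingerprint-based server verification, which 'may' does not use;
    # sha256, as on the smtpd side, is the consistent choice.
    smtp_tls_fingerprint_digest = sha1
    smtp_tls_loglevel = 1
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    smtpd_banner = $myhostname ESMTP
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
    smtpd_error_sleep_time = 30
    smtpd_etrn_restrictions = reject
    smtpd_hard_error_limit = 4
    smtpd_helo_required = yes
    # permit_mynetworks comes first, so the helo.regexp table is never consulted for trusted hosts.
    smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname regexp:/etc/postfix/helo.regexp permit
    smtpd_milters = local:/var/run/rspamd/worker-proxy.sock
    # Relay control is handled by smtpd_relay_restrictions (compatibility_level = 2), so the
    # trailing 'permit' here cannot open a relay.  reject_unverified_recipient probes Dovecot LMTP
    # for unknown addresses; with an authoritative virtual_mailbox_maps, reject_unlisted_recipient
    # is the cheaper check to consider.
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unauth_pipelining reject_unverified_recipient permit
    # The anti-open-relay rule: reject_unauth_destination must stay here, after the two permits.
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    # AUTH is not advertised to mynetworks clients at all; they are admitted by permit_mynetworks.
    smtpd_sasl_exceptions_networks = $mynetworks
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_sender reject_unauth_pipelining reject_unlisted_sender permit
    smtpd_soft_error_limit = 2
    # AUTH is offered only inside STARTTLS, so passwords never cross the wire in clear on 25/587
    # even though smtpd_tls_security_level is 'may'.  The 127.0.0.1:588 service in master.cf
    # overrides this for loopback clients.
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /opt/example.com/certs/certificate.RSA.pem
    smtpd_tls_ciphers = high
    smtpd_tls_dh1024_param_file = /opt/example.com/certs/dh4096.pem
    smtpd_tls_eccert_file = /opt/example.com/certs/certificate.EC.pem
    smtpd_tls_eckey_file = /opt/example.com/certs/private.EC.key
    smtpd_tls_eecdh_grade = ultra
    # NOTE(review): 'ECDSA' in this exclude list appears to remove every suite that would use the
    # EC certificate configured above, leaving it dead config -- confirm with `openssl ciphers -v`.
    smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
    smtpd_tls_fingerprint_digest = sha256
    # Private keys must stay readable by root only, as the Postfix TLS documentation requires.
    smtpd_tls_key_file = /opt/example.com/certs/private.RSA.key
    smtpd_tls_loglevel = 1
    smtpd_tls_mandatory_ciphers = high
    # TLSv1.1 is still allowed by both lists; add !TLSv1.1 once no legacy clients need it.
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
    smtpd_tls_received_header = yes
    # Opportunistic TLS is the right default for port 25; the submission service in master.cf
    # inherits this value too, since it does not override it.
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
    strict_rfc821_envelopes = yes
    tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
    tls_preempt_cipherlist = yes
    tls_random_source = dev:/dev/urandom
    # no_compression removes the TLS-compression attack surface; no_ticket keeps session resumption
    # in the server-side btree caches above rather than in client-held tickets.
    tls_ssl_options = no_ticket, no_compression
    transport_maps = hash:/etc/postfix/transport
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    virtual_alias_domains =
    # The mysql .cf files carry database credentials; restrict them to root and the postfix user
    # as described in mysql_table(5).
    virtual_alias_maps = mysql:/etc/postfix/virtual/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/virtual/mysql-virtual-email2email.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_domains = mysql:/etc/postfix/virtual/mysql-virtual-mailbox-domains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/virtual/mysql-virtual-mailbox-maps.cf
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    virtual_uid_maps = static:5000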

To fulfill my requirements with respect to local/remote authentication and encryption settings, in master.cf I have:
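    # Port 25 (MX listener): no AUTH at all; relaying for mynetworks comes from smtpd_relay_restrictions.
    smtp      inet  n       -       y       -       -       smtpd
      -o smtpd_sasl_auth_enable=no
    # Port 587: main.cf's smtpd_tls_auth_only=yes keeps AUTH behind STARTTLS, but permit_mynetworks
    # still admits 10.8.0.0/24 and 172.17.0.0/16 with neither authentication nor TLS.  If those
    # ranges are not meant to count as "local", narrow mynetworks or tighten this service, e.g.
    # with -o smtpd_tls_security_level=encrypt.
    submission inet n       -       y       -       -       smtpd
      -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    # Loopback-only listener: AUTH is advertised in the clear and to mynetworks clients as well,
    # which is acceptable only because the service is bound to 127.0.0.1.
    127.0.0.1:588 inet n       -       y       -       -       smtpd
      -o smtpd_sasl_exceptions_networks=
      -o smtpd_tls_auth_only=no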


--
Don't believe what you are told. Double check.
