Hi all,
I have been running a postfix server for a while. Though I think I
have come up with a sensible configuration, I have not been able to check
whether it is really sound. Can somebody give it a look, security-wise?
My requirements are:
- Require encrypted and authenticated users to submit mail from non-local (other than 127.0.0.x) connections
- Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections
Thank you very much for any hint you guys might have!
Felix
Output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_status_update_time = 2h
append_dot_mydomain = no
biff = no
compatibility_level = 2
confirm_delay_cleared = yes
default_process_limit = 5
delay_warning_time = 1h
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 26214400
milter_default_action = accept
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_protocol = 6
mydestination = $myhostname localhost.$mydomain localhost mail.$mydomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
mynetworks_style = host
myorigin = $mydomain
notify_classes = resource, software
recipient_delimiter = +
relay_domains = $mydestination
relayhost = [smtp.myprovider.com]:587
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_helo_timeout = 60
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo
smtpd_error_sleep_time = 30
smtpd_etrn_restrictions = reject
smtpd_hard_error_limit = 4
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname regexp:/etc/postfix/helo.regexp permit
smtpd_milters = local:/var/run/rspamd/worker-proxy.sock
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unauth_pipelining reject_unverified_recipient permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_sender reject_unauth_pipelining reject_unlisted_sender permit
smtpd_soft_error_limit = 2
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/example.com/certs/certificate.RSA.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /opt/example.com/certs/dh4096.pem
smtpd_tls_eccert_file = /opt/example.com/certs/certificate.EC.pem
smtpd_tls_eckey_file = /opt/example.com/certs/private.EC.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file = /opt/example.com/certs/private.RSA.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
strict_rfc821_envelopes = yes
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = no_ticket, no_compression
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/virtual/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/virtual/mysql-virtual-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/virtual/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/virtual/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
To fulfill my requirements with respect to local/remote authentication
and encryption settings, in master.cf I have:
smtp inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n - y - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
127.0.0.1:588 inet n - y - - smtpd
  -o smtpd_sasl_exceptions_networks=
  -o smtpd_tls_auth_only=no
--
Don't believe what you are told. Double check.
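As an added example (not from Felix's post and not part of Postfix), the script below reads a postconf -n dump plus the master.cf listeners quoted above and reports where the effective per-service settings diverge from the two stated requirements. The embedded samples are constructed from the post; the three checks (a mynetworks entry outside 127.0.0.0/8 that permit_mynetworks trusts for relaying, a listener without smtpd_tls_auth_only that is not bound to loopback, and networks to which AUTH is not offered) are my own reading of those requirements.

```python
import ipaddress
import re
# Constructed samples: the postconf -n lines the checks read and the three master.cf listeners quoted in the post.
MAIN_CF = """\
mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
"""
MASTER_CF = """\
smtp inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n - y - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
127.0.0.1:588 inet n - y - - smtpd
  -o smtpd_sasl_exceptions_networks=
  -o smtpd_tls_auth_only=no
"""

def parse_main(text):  # postconf -n prints one 'key = value' per line; $name references are expanded once
    params = dict(map(str.strip, line.partition("=")[::2]) for line in text.splitlines() if line)
    return {k: re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), v) for k, v in params.items()}

def parse_master(text):  # {service: {param: value}} for inet smtpd services, from their indented '-o' lines
    services, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if line[:1].isspace() and cur and len(f) == 2 and f[0] == "-o":
            k, _, v = f[1].partition("=")
            services[cur][k] = v
        elif len(f) >= 8 and f[1] == "inet" and f[7] == "smtpd":
            cur, services[f[0]] = f[0], {}
    return services

def audit(main_text, master_text):
    """Findings against the two requirements: plaintext/unauthenticated submission only from 127.0.0.x."""
    main, findings = parse_main(main_text), []
    nets = [ipaddress.ip_network(n.strip()) for n in main["mynetworks"].split(",")]  # IPv4 only, as in the post
    wide = [str(n) for n in nets if not n.subnet_of(ipaddress.ip_network("127.0.0.0/8"))]
    if wide and "permit_mynetworks" in main.get("smtpd_relay_restrictions", ""):
        findings.append(f"relay: permit_mynetworks allows unauthenticated relay from {wide}")
    for name, overrides in parse_master(master_text).items():
        eff = {**main, **overrides}  # per-service -o values override main.cf
        host = name.rpartition(":")[0].strip("[]") if ":" in name else "0.0.0.0"  # explicit bind address, if any
        if eff.get("smtpd_tls_auth_only") != "yes" and not ipaddress.ip_address(host).is_loopback:
            findings.append(f"{name}: plaintext AUTH reachable by non-local clients")
        if eff.get("smtpd_sasl_auth_enable") == "yes" and eff.get("smtpd_sasl_exceptions_networks"):
            findings.append(f"{name}: AUTH is not offered to {eff['smtpd_sasl_exceptions_networks']}")
    return findings
```

Run `audit(MAIN_CF, MASTER_CF)` to see that the loopback-bound 588 listener passes, while mynetworks being wider than 127.0.0.x is what the script flags.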