Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
postfix [2018/10/01 11:04] steve [Logging] |
postfix [2018/10/30 16:49] steve [Security] |
||
|---|---|---|---|
| Line 75: | Line 75: | ||
| If creating a new ''/var/log/maillog'' you will need to restart your system logger **in addition** to postfix for it to populate. | If creating a new ''/var/log/maillog'' you will need to restart your system logger **in addition** to postfix for it to populate. | ||
| + | |||
| + | ==== Security ==== | ||
| + | |||
| + | Enable Postfix to use TLS if possible. Clients and servers that connect may use it. In ''main.cf'': | ||
| + | |||
| + | <code> | ||
| + | smtp_tls_security_level = may | ||
| + | smtpd_tls_security_level = may | ||
| + | </code> | ||
| + | |||
| + | If you have your own certs, enable those as well. In this case, the ''server.pem'' is the combination of the CRT PEM and the CA bundle PEM. Be sure to set the key to read-only for the root user as well. | ||
| + | |||
| + | <code> | ||
| + | cat beandog.crt.pem ca_bundle.pem > server.pem | ||
| + | </code> | ||
| + | |||
| + | <code> | ||
| + | smtpd_tls_cert_file = /etc/postfix/server.pem | ||
| + | smtpd_tls_key_file = /etc/postfix/server.key | ||
| + | </code> | ||
| + | |||
| + | Postfix can define which protocols and ciphers to ignore, and set the preferred order as well. Here, ignore TLSv1 and use stronger ciphers: | ||
| + | |||
| + | <code> | ||
| + | smtp_tls_ciphers = high | ||
| + | smtp_tls_mandatory_ciphers = high | ||
| + | smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | |||
| + | smtpd_tls_ciphers = high | ||
| + | smtpd_tls_mandatory_ciphers = high | ||
| + | smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | </code> | ||
| + | |||
| + | Specific ciphers can be disabled as well. For a list of all ciphers that are available, use ''openssl'': | ||
| + | |||
| + | <code> | ||
| + | openssl ciphers | ||
| + | </code> | ||
| + | |||
| + | To make it easier to read, one per line: | ||
| + | |||
| + | <code> | ||
| + | openssl ciphers | tr ':' '\n' | ||
| + | </code> | ||
| + | |||
| + | You can find the ciphers or cipher family you'd like to drop by specifying the cipher list. For example:: | ||
| + | |||
| + | <code> | ||
| + | openssl ciphers MD5:aNULL | ||
| + | </code> | ||
| + | |||
| + | And then disable those in ''main.cf'': | ||
| + | |||
| + | <code> | ||
| + | smtp_tls_exclude_ciphers = MD5, aNULL | ||
| + | smtp_tls_mandatory_exclude_ciphers = MD5, aNULL | ||
| + | |||
| + | smtpd_tls_exclude_ciphers = MD5, aNULL | ||
| + | smtpd_tls_mandatory_exclude_ciphers = MD5, aNULL | ||
| + | </code> | ||
| + | |||
| + | ==== Virtual Domains and Aliases ==== | ||
| + | |||
| + | Configure Postfix to accept email from additional domains. In ''/etc/postfix/main.cf'': | ||
| + | |||
| + | <code> | ||
| + | virtual_alias_domains = hash:/etc/postfix/virtual_domains | ||
| + | virtual_alias_maps = hash:/etc/postfix/virtual_aliases | ||
| + | </code> | ||
| + | |||
| + | In ''/etc/postfix/virtual_domains'': | ||
| + | |||
| + | <code> | ||
| + | wonkabar.org comment-ignored | ||
| + | </code> | ||
| + | |||
| + | In ''/etc/postfix/virtual_aliases'', send all email for ''wonkabar.org'' to user root on local box: | ||
| + | |||
| + | <code> | ||
| + | @wonkabar.org root | ||
| + | </code> | ||
| + | |||
| + | Create the database hashes once the files are created and reload postfix: | ||
| + | |||
| + | <code> | ||
| + | postmap virtual_domains | ||
| + | postmap virtual_aliases | ||
| + | postfix reload | ||
| + | </code> | ||
| + | |||
| + | Here's an example the maillog where an email sent to [email protected] is delivered locally to user [email protected]: | ||
| + | |||
| + | <code> | ||
| + | Oct 28 20:52:11 lkmx postfix/local[29196]: 8A35EC93E1: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=0.05, delays=0.05/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox) | ||
| + | </code> | ||
| ==== FreeBSD ==== | ==== FreeBSD ==== | ||
| Line 104: | Line 201: | ||
| * inet_interfaces | * inet_interfaces | ||
| * mydestination | * mydestination | ||
| + | |||
| + | Set ''smtp_tls_security_level'' to ''may'' so that TLS can be used to transfer mail. | ||
| <code> | <code> | ||
| Line 190: | Line 289: | ||
| #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, | #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, | ||
| # mail.$mydomain, www.$mydomain, ftp.$mydomain | # mail.$mydomain, www.$mydomain, ftp.$mydomain | ||
| - | </code> | ||
| - | |||
| - | ==== Ubuntu 12.04 ==== | ||
| - | |||
| - | <code> | ||
| - | # See /usr/share/postfix/main.cf.dist for a commented, more complete version | ||
| - | |||
| - | |||
| - | # Debian specific: Specifying a file name will cause the first | ||
| - | # line of that file to be used as the name. The Debian default | ||
| - | # is /etc/mailname. | ||
| - | #myorigin = /etc/mailname | ||
| - | |||
| - | smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) | ||
| - | biff = no | ||
| - | |||
| - | # appending .domain is the MUA's job. | ||
| - | append_dot_mydomain = no | ||
| - | |||
| - | # Uncomment the next line to generate "delayed mail" warnings | ||
| - | #delay_warning_time = 4h | ||
| - | |||
| - | readme_directory = no | ||
| - | |||
| - | # TLS parameters | ||
| - | smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | ||
| - | smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | ||
| - | smtpd_use_tls=yes | ||
| - | smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache | ||
| - | smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache | ||
| - | |||
| - | # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for | ||
| - | # information on enabling SSL in the smtp client. | ||
| - | |||
| - | myhostname = ubuntu | ||
| - | alias_maps = hash:/etc/aliases | ||
| - | alias_database = hash:/etc/aliases | ||
| - | mydestination = ubuntu, localhost.localdomain, localhost | ||
| - | relayhost = | ||
| - | mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 | ||
| - | mailbox_size_limit = 0 | ||
| - | recipient_delimiter = + | ||
| - | inet_interfaces = all | ||
| </code> | </code> | ||
