Differences

postfix [2015/01/19 17:46]
127.0.0.1 external edit
postfix [2018/10/30 16:56] (current)
steve [Security]
Line 74: Line 74:
 </​code>​ </​code>​
  
 +If creating a new ''/​var/​log/​maillog''​ you will need to restart your system logger **in addition** to postfix for it to populate.
 +
 +==== Security ====
 +
 +Enable Postfix to use TLS if possible. Clients and servers that connect may use it. In ''​main.cf'':​
 +
 +<​code>​
 +smtp_tls_security_level = may
 +smtpd_tls_security_level = may
 +</​code>​
 +
 +If you have your own certs, enable those as well. In this case, the ''​server.pem''​ is the combination of the CRT PEM and the CA bundle PEM. Be sure to set the key to read-only for the root user as well.
 +
 +<​code>​
 +cat beandog.crt.pem ca_bundle.pem > server.pem
 +</​code>​
 +
 +<​code>​
 +smtpd_tls_cert_file = /​etc/​postfix/​server.pem
 +smtpd_tls_key_file = /​etc/​postfix/​server.key
 +</​code>​
 +
 +Postfix can define which protocols and ciphers to ignore, and set the preferred order as well. Here, ignore TLSv1 and use stronger ciphers.
 +
 +Also, if you are using OpenSSL 1.1.1 or higher, you can add TLSv1.3 to the list.
 +
 +<​code>​
 +smtp_tls_ciphers = high
 +smtp_tls_mandatory_ciphers = high
 +smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +
 +smtpd_tls_ciphers = high
 +smtpd_tls_mandatory_ciphers = high
 +smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1
 +</​code>​
 +
 +Specific ciphers can be disabled as well. For a list of all ciphers that are available, use ''​openssl'':​
 +
 +<​code>​
 +openssl ciphers
 +</​code>​
 +
 +To make it easier to read, one per line:
 +
 +<​code>​
 +openssl ciphers | tr ':'​ '​\n'​
 +</​code> ​
 +
 +You can find the ciphers or cipher family you'd like to drop by specifying the cipher list. For example::
 +
 +<​code>​
 +openssl ciphers MD5:aNULL
 +</​code>​
 +
 +And then disable those in ''​main.cf'':​
 +
 +<​code>​
 +smtp_tls_exclude_ciphers = MD5, aNULL
 +smtp_tls_mandatory_exclude_ciphers = MD5, aNULL
 +
 +smtpd_tls_exclude_ciphers = MD5, aNULL
 +smtpd_tls_mandatory_exclude_ciphers = MD5, aNULL
 +</​code>​
 +
 +==== Virtual Domains and Aliases ====
 +
 +Configure Postfix to accept email from additional domains. In ''/​etc/​postfix/​main.cf'':​
 +
 +<​code>​
 +virtual_alias_domains = hash:/​etc/​postfix/​virtual_domains
 +virtual_alias_maps = hash:/​etc/​postfix/​virtual_aliases
 +</​code>​
 +
 +In ''/​etc/​postfix/​virtual_domains'':​
 +
 +<​code>​
 +wonkabar.org comment-ignored
 +</​code>​
 +
 +In ''/​etc/​postfix/​virtual_aliases'',​ send all email for ''​wonkabar.org''​ to user root on local box:
 +
 +<​code>​
 +@wonkabar.org root
 +</​code>​
 +
 +Create the database hashes once the files are created and reload postfix:
 +
 +<​code>​
 +postmap virtual_domains
 +postmap virtual_aliases
 +postfix reload
 +</​code>​
 +
 +Here's an example the maillog where an email sent to postmaster@wonkabar.org is delivered locally to user root@beandog.org:​
 +
 +<​code>​
 +Oct 28 20:52:11 lkmx postfix/​local[29196]:​ 8A35EC93E1: to=<​root@beandog.org>,​ orig_to=<​postmaster@wonkabar.org>,​ relay=local,​ delay=0.05, delays=0.05/​0/​0/​0,​ dsn=2.0.0, status=sent (delivered to mailbox)
 +</​code>​
 ==== FreeBSD ==== ==== FreeBSD ====
  
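Review bot: the protocol lists in the new Security section (`smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1` and the three sibling lines) still admit TLSv1.1, which is deprecated alongside TLSv1, and they mix the explicit include form with the `!` exclude form; the exclude-only form `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` is the one the Postfix TLS_README shows, and unlike an include list it does not silently leave out TLSv1.3 on OpenSSL 1.1.1, which is the problem the "you can add TLSv1.3 to the list" sentence is working around. Separately, with `smtp_tls_security_level = may` any restriction on `smtp_tls_protocols` or `smtp_tls_ciphers = high` does not make the client more secure: a remote server that only offers an excluded protocol or cipher simply gets the mail in cleartext, so on the client (`smtp_`) side keep the restrictions on the `_mandatory_` variants only; the `smtpd_` lines are fine as written. Minor: the key-permission sentence should give the commands (`chown root:root /etc/postfix/server.key` and `chmod 600 /etc/postfix/server.key`) rather than describe them, the `cat` line is correct in putting the server certificate before the CA bundle and that order is worth stating, and `postmap virtual_domains` / `postmap virtual_aliases` use relative paths, so the text should say to run them from `/etc/postfix` or use the full paths from `main.cf`.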
Line 103: Line 203:
   * inet_interfaces   * inet_interfaces
   * mydestination   * mydestination
 +
 +Set ''​smtp_tls_security_level''​ to ''​may''​ so that TLS can be used to transfer mail.
  
 <​code>​ <​code>​
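Review bot: the added sentence names only the client-side `smtp_tls_security_level`; the Security section added in this same revision sets both `smtp_tls_security_level = may` and `smtpd_tls_security_level = may`, and for a FreeBSD host that receives mail the `smtpd_` one is the one that matters, so either name both here or refer the reader to the Security section. Also, the sentence sits directly under the `* inet_interfaces` / `* mydestination` checklist; as a third bullet (`* smtp_tls_security_level`, with the `may` explanation) it would read as part of the same list of parameters to adjust rather than a stray paragraph between the list and the `main.cf` listing.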
Line 189: Line 291:
 #​mydestination = $myhostname,​ localhost.$mydomain,​ localhost, $mydomain, #​mydestination = $myhostname,​ localhost.$mydomain,​ localhost, $mydomain,
 #       ​mail.$mydomain,​ www.$mydomain,​ ftp.$mydomain #       ​mail.$mydomain,​ www.$mydomain,​ ftp.$mydomain
-</​code>​ 
- 
-==== Ubuntu 12.04 ==== 
- 
-<​code>​ 
-# See /​usr/​share/​postfix/​main.cf.dist for a commented, more complete version 
- 
- 
-# Debian specific: ​ Specifying a file name will cause the first 
-# line of that file to be used as the name.  The Debian default 
-# is /​etc/​mailname. 
-#myorigin = /​etc/​mailname 
- 
-smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) 
-biff = no 
- 
-# appending .domain is the MUA's job. 
-append_dot_mydomain = no 
- 
-# Uncomment the next line to generate "​delayed mail" warnings 
-#​delay_warning_time = 4h 
- 
-readme_directory = no 
- 
-# TLS parameters 
-smtpd_tls_cert_file=/​etc/​ssl/​certs/​ssl-cert-snakeoil.pem 
-smtpd_tls_key_file=/​etc/​ssl/​private/​ssl-cert-snakeoil.key 
-smtpd_use_tls=yes 
-smtpd_tls_session_cache_database = btree:​${data_directory}/​smtpd_scache 
-smtp_tls_session_cache_database = btree:​${data_directory}/​smtp_scache 
- 
-# See /​usr/​share/​doc/​postfix/​TLS_README.gz in the postfix-doc package for 
-# information on enabling SSL in the smtp client. 
- 
-myhostname = ubuntu 
-alias_maps = hash:/​etc/​aliases 
-alias_database = hash:/​etc/​aliases 
-mydestination = ubuntu, localhost.localdomain,​ localhost 
-relayhost =  
-mynetworks = 127.0.0.0/8 [::​ffff:​127.0.0.0]/​104 [::1]/128 
-mailbox_size_limit = 0 
-recipient_delimiter = + 
-inet_interfaces = all 
 </​code>​ </​code>​
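Review bot: removing the Ubuntu 12.04 `main.cf` also removes the only lines on the page that set the TLS session caches (`smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache` and its `smtp_` twin) and the only mention of the Debian-family convention that `myorigin` can be read from `/etc/mailname`; the new Security section does not carry either, so consider moving the two cache lines there before the section goes. The splice itself is well-formed: the FreeBSD block's `</code>` is deleted with the section and the old Ubuntu block's closing `</code>` now closes the FreeBSD listing. The removed block used the legacy `smtpd_use_tls=yes`, which `smtpd_tls_security_level` supersedes, so nothing else of value is lost, and the empty `relayhost =` with trailing whitespace was a defect in the old text anyway.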