25th June 2009, 05:02
Lotek
Junior Member
Join Date: May 2008
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
Postfix TLS and Security

So I'm using Gmail as my email relay with Postfix, and unfortunately it seems to have opened a large security hole for my server to be used for spam. To alleviate this I decided to use smtp_tls_security_level at the fingerprint level. I added in Gmail's SHA1 key and I have no error in the logs, but I can't send mail. I seem to be able to receive it, but not send. Here's the output of my (sorry for the length of it):

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost = []:587
mynetworks =, 
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous 
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = digest-md5

smtp_sasl_security_options =

# More security fixes: Disable if they interfere
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = AB:BE:5E:B4:93:88:4E:E4:60:C6:EF:F8:EA:D4:B1:55:4B:C9:59:3C

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

# Disable DNS Lookups
disable_dns_lookups = yes

Is it wrong somewhere? Am I doing something that I shouldn't be? I am no Postfix guru by any stretch of the imagination, so any criticism, harsh or otherwise, is welcome. Thanks everyone!
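The post pins the relay's certificate with smtp_tls_security_level = fingerprint, which only works while the configured fingerprint, the digest algorithm and the certificate the relay actually presents all agree. The following script is an added example, not code from Lotek's post or from Postfix: it parses the three relevant main.cf settings, checks that the pin has the right length for the configured digest, and compares it with the fingerprint of a DER-encoded certificate computed the same way `openssl x509 -fingerprint` does. The main.cf excerpt and the certificate bytes are constructed sample input (the bytes are a stand-in, not a real certificate; a real check would feed in the DER certificate captured from the relay).

```python
"""Check a Postfix smtp_tls fingerprint pin against a certificate.

Added example (not from the original post or from Postfix itself).
"""
import hashlib
import re

# Constructed excerpt modelled on the posted main.cf. The relay host is a
# placeholder; the fingerprint is the value from the post, used only as input.
SAMPLE_MAIN_CF = """\
# constructed sample, not a live configuration
relayhost = [smtp.example.test]:587
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = AB:BE:5E:B4:93:88:4E:E4:60:C6:EF:F8:EA:D4:B1:55:4B:C9:59:3C
"""

# Constructed stand-in for the DER bytes of the relay's certificate.
FAKE_DER = b"constructed stand-in for a DER-encoded certificate"

# Digest output length in bytes for the algorithms Postfix accepts here.
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32}


def parse_main_cf(text):
    """Return {name: value} for 'name = value' lines. '#' lines are skipped
    and a line starting with whitespace continues the previous value,
    as in Postfix's own main.cf syntax."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    return params


def normalize_fingerprint(fp):
    """Lower-case hex with separators removed; Postfix matches pins
    case-insensitively and accepts ':' between bytes."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def cert_fingerprint(der_bytes, digest):
    """Digest over the DER certificate as upper-case colon-separated hex,
    the format `openssl x509 -fingerprint -<digest>` prints."""
    hexdigest = hashlib.new(digest, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_pin(params, der_bytes):
    """Return (ok, reason); ok is True only when the certificate matches one
    of the pinned fingerprints under the configured digest."""
    if params.get("smtp_tls_security_level") != "fingerprint":
        return False, "smtp_tls_security_level is not 'fingerprint'"
    digest = params.get("smtp_tls_fingerprint_digest", "").lower()
    if digest not in DIGEST_LEN:
        return False, "set smtp_tls_fingerprint_digest to one of %s" % sorted(DIGEST_LEN)
    # Postfix allows several pins separated by commas or whitespace.
    pins = [normalize_fingerprint(p)
            for p in re.split(r"[\s,]+", params.get("smtp_tls_fingerprint_cert_match", ""))
            if p]
    if not pins:
        return False, "smtp_tls_fingerprint_cert_match is empty"
    for pin in pins:
        if len(pin) != DIGEST_LEN[digest] * 2:
            return False, "pin %s is %d bytes, but %s needs %d bytes" % (
                pin, len(pin) // 2, digest, DIGEST_LEN[digest])
    actual = cert_fingerprint(der_bytes, digest)
    if normalize_fingerprint(actual) in pins:
        return True, "certificate matches a pinned fingerprint"
    return False, ("certificate fingerprint %s is not pinned (the pin is stale "
                   "or belongs to a different certificate)" % actual)


if __name__ == "__main__":
    ok, reason = check_pin(parse_main_cf(SAMPLE_MAIN_CF), FAKE_DER)
    print("OK" if ok else "FAIL", "-", reason)
```

The length check catches the common mistake of pinning a SHA1 fingerprint while smtp_tls_fingerprint_digest names another algorithm, and the final comparison shows why a fingerprint pin silently stops matching whenever the relay rotates its certificate: nothing in the pin ties it to the relay's name, only to one exact certificate.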