25th June 2009, 06:02
Lotek
Postfix TLS and Security

So I'm using Gmail as my email relay with Postfix and unfortunately it seems to have opened a large security hole for my server to be used for spam. To alleviate this I decided to use smtp_tls_security_level at the fingerprint level. I added in Gmail's sha1 key and I have no error in the logs, but I can't send mail. I seem to be able to receive it, but not send. Here's the output of my (sorry for the length of it)

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost = []:587
mynetworks =, 
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous 
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = digest-md5

smtp_sasl_security_options =

# More security fixes: Disable if they interfere
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = AB:BE:5E:B4:93:88:4E:E4:60:C6:EF:F8:EA:D4:B1:55:4B:C9:59:3C

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

# Disable DNS Lookups
disable_dns_lookups = yes

Is it wrong somewhere? Am I doing something that I shouldn't be? I am no Postfix guru by any stretch of the imagination, so any harsh, or otherwise, criticisms are welcome. Thanks everyone!
ispconfig, postfix, tls, ubuntu 8.10
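
An offline check of the pin described in the post above, as an added example (not part of the original post and not Postfix's own code): it computes a certificate's fingerprint in the colon-separated hex form used in the posted main.cf and compares it with smtp_tls_fingerprint_cert_match. The helper names and the placeholder PEM (three constructed bytes, not a real certificate) are assumptions; the case-insensitive comparison and the list splitting are choices of this example.

```python
import hashlib
import re
import ssl

# Constructed placeholder: base64 of the bytes b"abc", NOT a real certificate.
# In practice this would be the PEM certificate the relay host presents.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# The three pinning lines as posted in the main.cf above.
POSTED_CF = """\
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = AB:BE:5E:B4:93:88:4E:E4:60:C6:EF:F8:EA:D4:B1:55:4B:C9:59:3C
"""

def cert_fingerprint(pem, digest="sha1"):
    """Digest of the DER-encoded certificate as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def parse_main_cf(text):
    """Minimal reader: 'name = value', '#' comments, indented continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def check_pin(main_cf, pem):
    """Return (matches, presented_fingerprint, pinned_fingerprints)."""
    p = parse_main_cf(main_cf)
    if p.get("smtp_tls_security_level") != "fingerprint":
        raise ValueError("smtp_tls_security_level is not 'fingerprint'")
    digest = p["smtp_tls_fingerprint_digest"]  # set explicitly in the posted config
    raw = p.get("smtp_tls_fingerprint_cert_match", "")
    pinned = [f.upper() for f in re.split(r"[\s,|]+", raw) if f]
    seen = cert_fingerprint(pem, digest)
    return seen in pinned, seen, pinned

if __name__ == "__main__":
    ok, seen, pinned = check_pin(POSTED_CF, SAMPLE_PEM)
    print("presented:", seen, "pinned:", pinned, "match:", ok)
```

Run against the certificate the relay actually presents, a mismatch here means the pinned value no longer corresponds to that certificate.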
