Configuration
Postfix Setup
Introduction
We will be setting up postfix with the following features:
- Virtual hosting
- UCE prevention
- Anti virus
- SMTP authentication
- TLS
- RBLs
- SPF
- Attack mitigation
The adding of accounts and domains with be configured through virtualmin although it can be done manually as well. The setup is designed to be resource friendly so should be able to run on machines that are not over spec'ed so enabling the resources to be put to better use. To make it resource friendly we are not using external databases to store virtual user information like most other how-to's do as well as using milters for spam and virus checking as opposed to running amavisd-new.
The Basics
To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated. Sample configuration files are available for download at the end of this page.
command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mydomain = example.com myorigin = $mydomain mynetworks = 127.0.0.0/8 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases canonical_maps = hash:/etc/postfix/canonical sender_canonical_maps = hash:/etc/postfix/canonical recipient_canonical_maps = hash:/etc/postfix/canonical virtual_alias_maps = hash:/etc/postfix/virtual mail_spool_directory = /var/spool/mail
Maildir
We will use the much improved maildir format as opposed to the default mbox format:
home_mailbox = Maildir/
SASL
To perform SMTP authentication we will be using SASL, however we will not use the Cyrus SASL as that requires us to run the saslauthd daemon, we will instead use dovecot sasl since we will be running dovecot for IMAP and POP3 thus killing 2 birds with one stone.
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes
TLS
We need TLS to ensure that the plain text passwords are not transmitted over the wire during SMTP authentication, servers that support TLS are also able to communicate with this server over a secured connection.
Instructions on creating your server certificate signed by cacert.org are can be found here.
- Set TLS random source:
tls_random_source = dev:/dev/urandom
- Enable server TLS:
smtpd_use_tls = yes smtpd_tls_key_file = /etc/pki/postfix/key.pem smtpd_tls_cert_file = /etc/pki/postfix/server.pem smtpd_tls_CAfile = /etc/pki/postfix/root.crt smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
- Enable client TLS:
smtp_use_tls = yes smtp_tls_key_file = /etc/pki/postfix/key.pem smtp_tls_cert_file = /etc/pki/postfix/server.pem smtp_tls_CAfile = /etc/pki/postfix/root.crt smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache smtp_tls_note_starttls_offer = yes
Spam Prevention
- Require a valid EHLO / HELO:
smtpd_helo_required = yes
- Prevent email address harvesting attacks:
disable_vrfy_command = yes
- Change reject codes to permanent (by default postfix issues 4xx error codes which implies temporary failure we need 5xx for permanent errors):
unverified_recipient_reject_code = 550 unverified_sender_reject_code = 550 unknown_local_recipient_reject_code = 550
- Setup sender address verification:
address_verify_map = btree:/var/spool/postfix/verify smtpd_sender_restrictions = hash:/etc/postfix/sender_access
- Create /etc/postfix/sender_access and add:
#sample /etc/postfix/sender_access contains frequently spoofed domains aol.com reject_unverified_sender hotmail.com reject_unverified_sender yahoo.com reject_unverified_sender gmail.com reject_unverified_sender bigfoot.com reject_unverified_sender
- Mitigate attacks from zombies and broken clients:
smtpd_error_sleep_time = 5s smtpd_soft_error_limit = 10 smtpd_hard_error_limit = 20
- Only allow pipelining from authenticated clients:
smtpd_data_restrictions = reject_unauth_pipelining
- Install postfix-policyd-spf-perl and enable SPF support:
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/
Add this to /etc/postfix/master.cf:
spfpolicy unix - n n - - spawn user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl
- Add DKIM support:
Instructions on adding DKIM support can be found here.
- Add domainkeys support:
Instructions on adding domainkeys support can be found here.
- Getting it all to work depends on the smtpd_recipient_restrictions option so we set it below:
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_recipient_access hash:/etc/postfix/access reject_unknown_recipient_domain reject_unknown_sender_domain reject_unverified_recipient reject_non_fqdn_recipient reject_non_fqdn_sender reject_invalid_hostname reject_rbl_client list.dsbl.org reject_rbl_client zen.spamhaus.org reject_rbl_client l1.spews.dnsbl.sorbs.net reject_rbl_client combined.njabl.org reject_rbl_client bl.spamcop.net reject_rhsbl_sender dsn.rfc-ignorant.org reject_rhsbl_sender bogusmx.rfc-ignorant.org reject_rhsbl_sender rhsbl.sorbs.net reject_rhsbl_client dsn.rfc-ignorant.org reject_rhsbl_client bogusmx.rfc-ignorant.org reject_rhsbl_client rhsbl.sorbs.net check_policy_service unix:private/spfpolicy
Milters [SpamAssassin & ClamAV]
For your spam classification using spamassassin and virus scanning using clamav we will be using postfix's milter interface instead of using the resource intensive amavisd-new daemon. This is a very efficient way of doing it as we don't even have to run clamd the clamav milter does the scanning itself.
smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
Create DB Files
postmap /etc/postfix/canonical
postmap /etc/postfix/access
postmap /etc/postfix/virtual
postmap /etc/postfix/sender_access