5. Security
Hardening Postfix¶
Put restrictions on servers sending mail to you.
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
Anonymize Headers¶
Use some regular expressions to prevent some meta data like a client's ip address from being leaked.
echo "/^Received:.*/ IGNORE
/^X-Originating-IP:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE" >> /etc/postfix/header_checks
Add this file to the postfix configuration:
Fail2Ban¶
If you're not familiar with fail2Ban, it's essentially a program which blocks bot's and hacker's login requests after a few invalid attempts.
Make a local copy of the configuration file:
Go down to the # Mail servers line and paste this:
[postfix]
enabled = true
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
[sasl]
enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.warn
maxretry = 1
bantime = 21600
[dovecot]
enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
This will only grant 2 login attempts and then block the requester for 6 hours. Now restart fail2ban:
Last update:
September 24, 2023