Skip to content

5. Security

Hardening Postfix

Put restrictions on servers sending mail to you.

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'

Anonymize Headers

Use some regular expressions to prevent some meta data like a client's ip address from being leaked.

echo "/^Received:.*/     IGNORE
/^X-Originating-IP:/    IGNORE
/^User-Agent:/        IGNORE
/^X-Mailer:/        IGNORE" >> /etc/postfix/header_checks

Add this file to the postfix configuration:

postconf -e "header_checks = regexp:/etc/postfix/header_checks"


If you're not familiar with fail2Ban, it's essentially a program which blocks bot's and hacker's login requests after a few invalid attempts.

apt-get install fail2ban

Make a local copy of the configuration file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Go down to the # Mail servers line and paste this:


enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log


enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.warn
maxretry = 1
bantime  = 21600


enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

This will only grant 2 login attempts and then block the requester for 6 hours. Now restart fail2ban:

systemctl restart fail2ban

Last update: September 24, 2023