Postfix Security – How to Secure Postfix on Ubuntu Server

postfixSecurity

I am setting up a new VPS server with LEMP. The only piece missing now is the mail server. Do I need to do something special to make it secure? or it is already secured when the installation is completed?

I think the right term is hardening postfix, does it make sense?

Best Answer

There are a lot of guides online regarding the config and steps for 'hardening' postfix.

This one courtesy of http://security-24-7.com/hardening-guide-for-postfix-2-x/

Hardening guide for Postfix 2.x

Make sure the Postfix is running with non-root account:

ps aux | grep postfix | grep -v '^root'

Change permissions and ownership on the destinations below:

chmod 755 /etc/postfix
chmod 644 /etc/postfix/*.cf
chmod 755 /etc/postfix/postfix-script*
chmod 755 /var/spool/postfix
chown root:root /var/log/mail*
chmod 600 /var/log/mail*

Edit using nano or vi, the file /etc/postfix/main.cf and add make the following changes: Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:

myhostname = myserver.example.com

Configure network interface addresses that the Postfix service should listen on, for example:

inet_interfaces = 192.168.1.1

Configure Trusted Networks, for example:

mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1

Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:

myorigin = example.com

Configure the SMTP domain destination, for example:

mydomain = example.com

Configure to which SMTP domains to relay messages to, for example:

relay_domains = example.com

Configure SMTP Greeting Banner:

smtpd_banner = $myhostname

Limit Denial of Service Attacks:

default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100

Restart the Postfix daemon:

service postfix restart
Related Question