Table of Contents

Anti-Spam

The Debian wiki page on Postfix suggests some additions to /etc/postfix/main.cf in order to filter out misbehaving MTAs. Nevertheless, one should be aware that the options on the Debian wiki are too restrictive and may end up filtering legitimate servers. This is because some MTAs, even popular ones are misconfigured. A postfix restrictions template for configuring postfix restrictions is available as well as tutorials on SPF, DKIM and greylisting.

E-Mail Size Limit

By default, postfix has a 10MB e-mail size limit, this can be changed by setting:

message_size_limit = 25000000

that would extend the e-mail size limit to 25MB. This limit is enforced if the kernel is patched with grsecurity.

Enable SSL / TLS for Server-Side Communication

postfix is able to talk to servers over SSL or TLS but this functionality is left out from the default configuration and only the necessary setup is in-place to be able to authenticate via SSL. To enable this feature, you have to edit /etc/postfix/main.cf and make sure that the following lines are in place:

# TLS parameters
# These should already be there on Debian. If not, you will have to generate certificates.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Enable TLS and offer TLS option to connections.
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

# The CA for the certificates above. On Debian, this is at /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = $smtpd_tls_CAfile

# Enable TLSv1 and SSLv3, offer them when receiving not only authentication.
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1

# Source of randomness.
tls_random_source = dev:/dev/urandom

Enable Alternate Ports

Since many ISPs block outgoing port 25, it is helpful to have postfix (or any other mail server) listening on an alternate port, alongside port 25. This is an easy task, just edit /etc/postfix/master.cnf and enable submission (port 587) and smtps (port 465):

submission inet n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd

Remember to correctly port-forward these ports as you do for port 25. Provided that your publicly accessible SMTP server has the domain name smtp.domain.com, you can now tell your users to set their clients to use:

smtp.domain.com:465

or:

smtp.domain.com:587

as their outgoing mail server.

Purge E-mails from the Postfix Queue

Using postqueue we can print the current e-mail queue:

postqueue -p

which will list the e-mails in the queue referenced by their ID:

1643B4D8687* 1783520 Mon Jun  1 01:30:17  office@mail.com
                                         me@hotmail.com

9354B4F82A6* 1735720 Tue Jun  3 08:36:53  office@mail.com
                                         me@hotmail.com

where the first column indicates the mail IDs. The e-mails can now be removed from the queue using postsuper:

postsuper -d 1643B4D8687

to delete the first e-mail and:

postsuper -d 9354B4F82A6

to delete the second e-mail.

Create Blacklist

Considering that postfix is set-up correctly, create a file called /etc/postfix/blacklist which contains a list of e-mail addresses and REJECT as the predicate, line-by-line:

test@gmail.com REJECT
some.one@yahoo.com REJECT

After that, hash the file using:

postmap hash:/etc/postfix/blacklist

and you will notice that a new file appeared called /etc/postfix/blacklist.db. This is the file that postfix will use internally to filter the e-mail addresses.

The last step consists in adding the hash file to the postfix configuration. This can be done by editing /etc/postfix/main.cf and adding the list to smtpd_recipient_restrictions:

smtpd_recipient_restrictions = permit_mynetworks,
    # ... the rest of the stuff here ...
    check_sender_access hash:/etc/postfix/blacklist,
    permit

Now the list will take effect when postfix reloads the configuration:

postfix reload

or by restarting postfix:

/etc/init.d/postfix restart

Censor Sensitive Headers

E-mail clients sometimes bundle a bunch of information in their outgoing headers. Thunderbird, for example, bundles the local IP address of the e-mail client in the header, as well as other information. If you inspect the outgoing e-mails, you will see something like:

Received: from host.local (host.local [192.168.1.12]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailerhost.com (Postfix) with ESMTPSA id 2B8361FD29 for <garbage@gmail.com>; Sun, 03 Aug 2014 11:20:31 +0000 (UTC)

To eliminate such headers, edit /etc/postfix/main.cf and add the lines:

# Clean the headers
mime_header_checks = regexp:/etc/postfix/clean_headers
header_checks = regexp:/etc/postfix/clean_headers

then create the file /etc/postfix/clean_headers and add the following lines:

/^Received:.*with ESMTPSA/	IGNORE
/^X-Originating-IP:/	IGNORE
/^X-Mailer:/	IGNORE
/^User-Agent:/	IGNORE

Then, use postmap to hash the file:

postmap /etc/postfix/clean_headers

and reload the postfix configuration with:

postfix reload

Enable Per-Home Directory Forwarding

Add the line:

allow_mail_to_commands = alias,forward,include

to /etc/postfix/main.cf.

After that postfix should pick-up the .forward files in the user home directories.

Disable POODLE and FREAK/Logjam

Edit /etc/postfix/main.cf and amend the lines:

# POODLE / FREAK/Logjam
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = ${config_directory}/dh_1024.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem

After that generate a DH group file dh_1024.pem in the postfix configuration directory (${config_directory}) with:

openssl dhparam -out dh_1024.pem 1024

as well as:

openssl dhparam -out dh_512.pem 512

and reload the postfix configuration.

Rotate Diffie-Hellman Parameters

You can rotate the diffie-hellman keys if you so wish - it would actually be recommended and has no adverse effects using a crontab script. For instance, drop the following script in, say, /etc/cron.weekly/:

postfix-rotate-diffie-hellman.sh
#!/bin/sh
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3      ##
###########################################################################
# A script to rotate the Diffie-Hellman keys that can be called through   #
# crontab periodically.                                                   #
#                                                                         #
# This script would require the following postfix configuration keys to   #
# be set:                                                                 #
#                                                                         #
# smtpd_tls_dh1024_param_file = ${config_directory}/dh_1024.pem           #
# smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem             #
###########################################################################
 
###########################################################################
#                             CONFIGURATION                               #
###########################################################################
 
# Set this to the directory corresponding to the result of expanding the 
# Postfix ${config_directory} variable - commonly, /etc/postfix.
POSTFIX_CONFIG_DIRECTORY=/etc/postfix
 
###########################################################################
#                                INTERNALS                                #
###########################################################################
if [ -d "$POSTFIX_CONFIG_DIRECTORY" ]; then
    # Re-create Diffie-Hellman parameters.
    openssl dhparam -out "$POSTFIX_CONFIG_DIRECTORY/dh_1024.pem" 1024
    openssl dhparam -out "$POSTFIX_CONFIG_DIRECTORY/dh_512.pem" 512
    # Reload Postfix to pick-up the newly generated keys.
    postfix reload
fi

Log Analysis

The following command will count all the E-Mails coming to server.tld and then sort the entries in descending order:

grep "to=.*@server\.tld" /var/log/mail.log | grep 127.0.0.1 |cut -d "=" -f 2 |cut -d ">" -f 1 |cut -d "<" -f 2 | sort -n |uniq -ci | sort -n -r

where:

The following command will count all E-Mails sent through the mail server and then sort the entries in descending order:

grep -E "status=sent" /var/log/mail.log | cut -d "=" -f 2 |cut -d ">" -f 1 |cut -d "<" -f 2 | sort -n |uniq -ci | sort -n -r

where:

Enable Forward Secrecy

To enable forward secrecy on Postfix 2.6 and above, edit /etc/postfix/main.cf and add the line:

smtpd_tls_dh1024_param_file = ${config_directory}/dh_1024.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes

You will need to generate the Diffie-Hellman files. This can be done with openssl. For the 1024 key issue:

openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

and for the 512 key:

openssl gendh -out /etc/postfix/dh_512.pem -2 512

and then reload postfix:

postfix reload

To check that it is working, issue on the command line:

openssl s_client -starttls smtp server.tld:25

where server.tld is the server to check. Amongst other things, you should see in the cipher SSL section:

Cipher    : ECDHE...

Delete Mail from Queue for a Specific User

The following command will delete all e-mails in the queue for the user hill:

mailq | fgrep hill@domain\.tld | awk '{ print $1 }' | postsuper -d -

this works by filtering out all the e-mails by hill@domain.tld, piping the output to awk that filters out the first column of E-Mail queue IDs and then pipes the result to postsuper that deletes the e-mails by taking the E-Mail queue IDs as input.