fuss:postfix [2016/10/25 21:28] – [Enable Forward Secrecy] office
fuss:postfix [2022/04/19 08:28] (current) – external edit 127.0.0.1
====== Anti-Spam ======

The Debian wiki page on [[https://

====== E-Mail Size Limit ======

By default, postfix has a ''
<code>
message_size_limit = 25000000
</code>
that would extend the e-mail size limit to ''

====== Enable SSL / TLS for Server-Side Communication ======

''

<code>
# TLS parameters
# These should already be there on Debian. If not, you will have to generate certificates.
smtpd_tls_cert_file=/
smtpd_tls_key_file=/
smtpd_tls_session_cache_database = btree:
smtp_tls_session_cache_database = btree:

# Enable TLS and offer TLS option to connections.
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

# The CA for the certificates above. On Debian, this is at /
smtpd_tls_CAfile = /
smtp_tls_CAfile = $smtpd_tls_CAfile

# Enable TLSv1 and SSLv3, offer them when receiving not only authentication.
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1

# Source of randomness.
tls_random_source = dev:/
</code>

====== Enable Alternate Ports ======

Since many ''

<code>
submission inet n
smtps
</code>

Remember to correctly port-forward these ports as you do for port ''

<code>
smtp.domain.com:
</code>

or:

<code>
smtp.domain.com:
</code>

as their outgoing mail server.

====== Purge E-mails from the Postfix Queue ======

Using ''

<code bash>
postqueue -p
</code>
which will list the e-mails in the queue referenced by their ''

<code>
1643B4D8687* 1783520 Mon Jun 1 01:

9354B4F82A6* 1735720 Tue Jun 3 08:

</code>

where the first column indicates the mail ''

<code bash>
postsuper -d 1643B4D8687
</code>

to delete the first e-mail and:
<code bash>
postsuper -d 9354B4F82A6
</code>

to delete the second e-mail.

====== Create Blacklist ======

Considering that postfix is set up correctly, create a file called ''/
<code>
test@gmail.com REJECT
some.one@yahoo.com REJECT
</code>

After that, hash the file using:
<code bash>
postmap hash:/
</code>

and you will notice that a new file appeared called ''/

The last step consists of adding the hash file to the postfix configuration. This can be done by editing ''/
<code>
smtpd_recipient_restrictions = permit_mynetworks,
# ... the rest of the stuff here ...
check_sender_access hash:/
permit
</code>

Now the list will take effect when postfix reloads the configuration:
<code bash>
postfix reload
</code>

or by restarting postfix:
<code bash>
/
</code>

====== Censor Sensitive Headers ======

E-mail clients sometimes bundle a bunch of information in their outgoing headers. Thunderbird,
<code>
Received: from host.local (host.local [192.168.1.12]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailerhost.com (Postfix) with ESMTPSA id 2B8361FD29 for <
</code>

To eliminate such headers, edit ''/
<code>
# Clean the headers
mime_header_checks = regexp:/
header_checks = regexp:/
</code>

then create the file ''/
<code>
/
/
/
/
</code>

Then, use ''
<code bash>
postmap /
</code>

and reload the postfix configuration with:
<code bash>
postfix reload
</code>

====== Enable Per-Home Directory Forwarding ======

Add the line:
<code>
allow_mail_to_commands = alias,
</code>

to ''/

After that postfix should pick up the ''

====== Disable POODLE and FREAK/ ======

Edit ''/
<code>
# POODLE / FREAK/
smtpd_tls_mandatory_protocols=!SSLv2,
smtp_tls_mandatory_protocols=!SSLv2,
smtpd_tls_protocols=!SSLv2,
smtp_tls_protocols=!SSLv2,
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA,
smtpd_tls_dh1024_param_file = ${config_directory}/
smtpd_tls_dh512_param_file = ${config_directory}/
</code>

After that generate a DH group file ''
<code bash>
openssl dhparam -out dh_1024.pem 1024
</code>

as well as:
<code bash>
openssl dhparam -out dh_512.pem 512
</code>

and reload the postfix configuration.

===== Rotate Diffie-Hellman Parameters =====

You can rotate the Diffie-Hellman parameters with a crontab script if you so wish; it is actually recommended and has no adverse effects. For instance, drop the following script in, say, ''/
<file bash postfix-rotate-diffie-hellman.sh>
#!/bin/sh
###########################################################################
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
###########################################################################
# A script to rotate the Diffie-Hellman keys that can be called through
# crontab periodically.
#
# This script would require the following postfix configuration keys to
# be set:
#
# smtpd_tls_dh1024_param_file = ${config_directory}/
# smtpd_tls_dh512_param_file = ${config_directory}/
###########################################################################

###########################################################################
#
###########################################################################

# Set this to the directory corresponding to the result of expanding the
# Postfix ${config_directory} variable - commonly, /
POSTFIX_CONFIG_DIRECTORY=/

###########################################################################
# INTERNALS
###########################################################################
if [ -d "
    # Re-create Diffie-Hellman parameters.
    openssl dhparam -out "
    openssl dhparam -out "
    # Reload Postfix to pick up the newly generated parameters.
    postfix reload
fi
</file>
====== Log Analysis ======

The following command will count all the E-Mails coming to ''
<code bash>
grep "
</code>

where:
  * ''
  * ''/
  * ''

The following command will count all E-Mails sent through the mail server and then sort the entries in descending order:

<code bash>
grep -E "
</code>

where:
  * ''/

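The two commands above are cut off on this page. The following is an added example, not the page's own commands, that performs the same two counts with ''awk'' over Postfix log lines: deliveries per recipient (delivery lines carrying ''status=sent'') and messages submitted per sender (''qmgr'' lines carrying ''from=<...>'', counted once per queue ID so that a deferred message that is retried is not counted twice, and skipping the empty bounce sender ''<>''). The log lines, host name, addresses and queue IDs in ''sample_log'' are constructed for the example, and ''/var/log/mail.log'' is assumed as the log location.

```sh
#!/bin/sh
# Added example, not the page's own commands: count Postfix log entries
# per sender and per recipient. Both functions read log lines on stdin and
# print "count address", most frequent first, e.g.
#   count_by_sender < /var/log/mail.log
# (the log path is an assumption; Debian normally logs there).

# Messages received per recipient: one line per successful delivery
# ("status=sent"), whether delivered locally or relayed onwards.
count_by_recipient() {
    awk '
        /: to=<[^>]*>, .*status=sent/ {
            match($0, /to=<[^>]*>/)
            addr = substr($0, RSTART + 4, RLENGTH - 5)   # strip "to=<" and ">"
            count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Messages submitted per sender. qmgr logs "from=<...>" every time a message
# enters the active queue, so a deferred message that is retried shows up
# again: count each queue ID once. The empty sender <> (bounces) is skipped.
count_by_sender() {
    awk '
        /postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=</ {
            match($0, /: [0-9A-Za-z]+: from=</)
            qid = substr($0, RSTART + 2, RLENGTH - 10)   # between ": " and ": from=<"
            match($0, /from=<[^>]*>/)
            addr = substr($0, RSTART + 6, RLENGTH - 7)   # strip "from=<" and ">"
            if (addr == "") next
            if (!seen[qid]++) count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log (not real traffic): five messages, one of them
# deferred once and then delivered, one a bounce with the empty sender.
sample_log() {
    cat <<'EOF'
Jun  1 01:02:03 mx postfix/qmgr[1101]: 1643B4D8687: from=<alice@example.org>, size=1783520, nrcpt=1 (queue active)
Jun  1 01:02:04 mx postfix/smtp[1210]: 1643B4D8687: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.5/0.1/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 01:05:00 mx postfix/qmgr[1101]: 9354B4F82A6: from=<alice@example.org>, size=1735720, nrcpt=1 (queue active)
Jun  1 01:05:01 mx postfix/smtp[1211]: 9354B4F82A6: to=<carol@example.net>, relay=none, delay=1, delays=1/0/0/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
Jun  1 01:35:00 mx postfix/qmgr[1101]: 9354B4F82A6: from=<alice@example.org>, size=1735720, nrcpt=1 (queue active)
Jun  1 01:35:02 mx postfix/smtp[1212]: 9354B4F82A6: to=<carol@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1801, delays=1800/0.1/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 02:00:00 mx postfix/qmgr[1101]: 7A1C2D3E4F5: from=<dave@example.org>, size=2048, nrcpt=2 (queue active)
Jun  1 02:00:01 mx postfix/local[1300]: 7A1C2D3E4F5: to=<bob@example.net>, relay=local, delay=0.3, delays=0.2/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Jun  1 02:00:01 mx postfix/local[1300]: 7A1C2D3E4F5: to=<erin@example.net>, relay=local, delay=0.3, delays=0.2/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Jun  1 02:10:00 mx postfix/qmgr[1101]: 5C6D7E8F9A0: from=<frank@example.org>, size=512, nrcpt=1 (queue active)
Jun  1 02:10:01 mx postfix/smtp[1213]: 5C6D7E8F9A0: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, delays=0.4/0.1/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 02:20:00 mx postfix/qmgr[1101]: 8B2D3E4F5A6: from=<>, size=3000, nrcpt=1 (queue active)
Jun  1 02:20:01 mx postfix/smtp[1214]: 8B2D3E4F5A6: to=<alice@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.8, delays=0.3/0.1/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
}

# Demonstration on the constructed sample: alice is counted twice although
# qmgr logged her deferred message three times in total.
sample_log | count_by_sender
```

Ties are broken by address (the second sort key) so the output order is stable across sort implementations; drop ''-k2,2'' if you only care about the counts.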
====== Enable Forward Secrecy ======

To enable forward secrecy on Postfix 2.6 and above, edit ''/
<code>
smtpd_tls_dh1024_param_file = ${config_directory}/
smtpd_tls_dh512_param_file = ${config_directory}/
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
</code>

You will need to generate the Diffie-Hellman files. This can be done with ''
<code bash>
openssl gendh -out /
</code>

and for the 512 key:
<code bash>
openssl gendh -out /
</code>

and then reload postfix:
<code bash>
postfix reload
</code>

To check that it is working, issue on the command line:
<code bash>
openssl s_client -starttls smtp server.tld:
</code>

where ''
<code>
Cipher
</code>

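As an added example (not from the original page) for this section and for the POODLE one above, here is a small check that reads the output of ''openssl s_client'' and reports whether the negotiated session avoids SSLv2/SSLv3 and uses an ephemeral key exchange, instead of eyeballing the ''Cipher'' line. The ''-connect'' form of the command and port 25 are assumptions, ''server.tld'' is the page's placeholder, and the ''sample_*'' excerpts are constructed rather than captured from a real server.

```sh
#!/bin/sh
# Added example (not part of the original page): read the output of
#   openssl s_client -starttls smtp -connect server.tld:25 </dev/null
# (server.tld is the page's placeholder; -connect and port 25 are assumptions)
# and report whether the session meets the goals of the two TLS sections:
# no SSLv2/SSLv3, and an ephemeral (forward-secret) key exchange.

# Reads s_client output on stdin, prints "<protocol> <cipher>" and returns
#   0  forward-secret cipher on TLS
#   1  TLS, but a non-ephemeral key exchange (e.g. plain RSA)
#   2  SSLv2 or SSLv3 was negotiated
#   3  no cipher at all (s_client prints "Cipher : 0000" when the handshake fails)
check_tls_session() {
    awk '
        # In its SSL-Session block s_client prints lines such as
        #     Protocol  : TLSv1.2
        #     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000") { print "no cipher negotiated"; exit 3 }
            print proto, cipher
            if (proto ~ /^SSLv[23]$/) exit 2
            # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use (EC)DHE;
            # for TLS 1.2 and below the suite name must begin with ECDHE or DHE.
            if (cipher ~ /^TLS_/ || cipher ~ /^(ECDHE|DHE)-/) exit 0
            exit 1
        }
    '
}

# Constructed s_client excerpts (not captured from a real server).
sample_pfs_session() {
    cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}
sample_rsa_session() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
EOF
}
# A DHE suite on SSLv3 still fails: the protocol check comes first.
sample_sslv3_session() {
    cat <<'EOF'
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
EOF
}
sample_failed_session() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
EOF
}

# Demonstration on the constructed excerpt; prints the protocol and cipher
# followed by "forward secrecy: OK".
if sample_pfs_session | check_tls_session; then
    echo "forward secrecy: OK"
fi
```

Against a live server, pipe ''openssl s_client'' straight into ''check_tls_session'' and branch on its exit status; the ''</dev/null'' matters, otherwise ''s_client'' waits for input and never prints the session block.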
====== Delete Mail from Queue for a Specific User ======

The following command will delete all e-mails in the queue for the user ''
<code bash>
# fixed-string match: with fgrep/grep -F a backslash is literal, so the
# address must be written without escaping the dot
mailq | grep -F 'hill@domain.tld' | awk '{ print $1 }' | postsuper -d -
</code>

this works by filtering out all the e-mails by ''

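A caveat on the one-liner above, which also applies to the ''postqueue -p'' listing in the queue-purging section: the ''awk'' step only yields a queue ID on the line that starts an entry, where the address is the sender and is printed as the last field, and an active message carries a trailing ''*'' on its ID that ''postsuper'' does not accept; on the indented recipient lines field 1 is the address itself. The following added example (not the page's own command) selects queue IDs for an address whether it is the sender or a recipient, strips the status marker, and feeds the IDs to ''postsuper -d -''. ''sample_mailq'' is a constructed listing that reuses the page's two queue IDs, and ''purge_queue_for'' is a wrapper name of my own.

```sh
#!/bin/sh
# Added example, not the page's own command: pick Postfix queue IDs out of
# 'mailq' / 'postqueue -p' output for one address, whether it is the sender
# (last field of the queue-ID line) or a recipient (indented lines below it).
# The status marker that may follow an ID ('*' active, '!' held) is removed so
# that the IDs can be passed to 'postsuper -d -'.

# Usage: select_queue_ids ADDRESS   (queue listing on stdin, IDs on stdout)
select_queue_ids() {
    awk -v addr="$1" '
        # Emit the previous entry if the address was its sender or a recipient.
        function flush() {
            if (id != "" && hit) print id
            id = ""; hit = 0
        }
        # Queue-ID line: ID at column 1, optional marker, size, date, sender.
        /^[0-9A-Za-z]+[*!]?[ \t]/ {
            flush()
            id = $1; sub(/[*!]$/, "", id)
            hit = ($NF == addr)
            next
        }
        # Recipient line: indented, a bare address. Deferral reasons are
        # parenthesised and the header/footer lines start with "-", so none
        # of those match here.
        /^[ \t]+[^ \t(]+@/ { if ($1 == addr) hit = 1; next }
        END { flush() }
    '
}

# Delete every queued message for ADDRESS. postsuper reads one ID per line
# from standard input when given "-" as the argument.
purge_queue_for() {
    mailq | select_queue_ids "$1" | postsuper -d -
}

# Constructed queue listing (not a real queue), reusing the two IDs from
# the page: the first message is from hill@domain.tld, the second is to it,
# the third involves neither.
sample_mailq() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1643B4D8687*  1783520 Mon Jun  1 01:02:03  hill@domain.tld
                                         bob@example.org

9354B4F82A6!  1735720 Tue Jun  3 08:15:22  alice@example.org
(connect to mx.domain.tld[192.0.2.10]:25: Connection timed out)
                                         hill@domain.tld

7A1C2D3E4F5      2048 Wed Jun  4 10:00:00  carol@example.org
                                         dave@example.org

-- 3434 Kbytes in 3 Requests.
EOF
}

# Demonstration on the constructed listing: prints 1643B4D8687 and 9354B4F82A6.
sample_mailq | select_queue_ids hill@domain.tld
```

Run ''mailq | select_queue_ids hill@domain.tld'' first to review what would be deleted, then ''purge_queue_for hill@domain.tld'' to actually delete it; the selection works on the listing text only, so it is safe to try on a live queue.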