fuss:postfix (last modified 2017/02/22 18:30)

====== Anti-Spam ======

The Debian wiki page on [[https://wiki.debian.org/Postfix|Postfix]] suggests some additions to ''/etc/postfix/main.cf'' in order to filter out misbehaving ''MTA''s. Be aware, however, that the options on the Debian wiki are quite restrictive and may end up rejecting legitimate servers, because some ''MTA''s, even popular ones, are misconfigured (a ''HELO'' name that does not resolve is the usual case). Put ''warn_if_reject'' in front of a new restriction and watch ''/var/log/mail.log'' for a while before letting it reject. A [[postfix/templates/2.10/restrictions|postfix restrictions template]] for configuring postfix restrictions is available, as well as tutorials on [[networking/postfix/sender_policy_framework|SPF]], [[networking/postfix/domain_keys_identified_mail|DKIM]] and [[networking/postfix/greylisting|greylisting]].
====== E-Mail Size Limit ======

By default, postfix has a ''10MB'' e-mail size limit (''message_size_limit = 10240000'' bytes, headers included). This can be changed by setting:
<code>
message_size_limit = 25000000
</code>
which would extend the e-mail size limit to roughly ''25MB''. Postfix enforces this limit itself, in ''smtpd'' (the client gets a ''552'' reply) and again in ''cleanup''; it does not depend on kernel hardening such as [[linux:hardening:grsecurity]]. When raising it, also look at ''mailbox_size_limit'' (default ''51200000''), which must not be smaller than ''message_size_limit'', or local delivery of large messages will fail.

====== Enable SSL / TLS for Server-Side Communication ======

''postfix'' is able to talk to other servers over ''TLS'', both as a server (''smtpd'') and as a client (''smtp''), but this functionality is left out of the default configuration and only the setup needed to authenticate over ''TLS'' is in place. To enable it, edit ''/etc/postfix/main.cf'' and make sure that the following lines are in place:

<code>
# TLS parameters
# These should already be there on Debian. If not, you will have to generate certificates.
# The snakeoil pair is self-signed: other servers will log the session as
# "Untrusted" until you replace it with a certificate issued by a CA.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Opportunistic TLS: offer STARTTLS to clients and use it towards servers that
# announce it. On Postfix 2.3 and later these replace the legacy
# smtpd_use_tls = yes / smtp_use_tls = yes settings.
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# CA bundle. smtp_tls_CAfile verifies remote servers (logged as Trusted or
# Untrusted); smtpd_tls_CAfile only matters if you ask clients for certificates.
# On Debian, this is at /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = $smtpd_tls_CAfile

# Never fall back to SSLv2/SSLv3 when TLS is mandatory (see the POODLE section),
# offer TLS for all sessions rather than only for authentication, and record
# the TLS details in the Received: header.
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1

# Source of randomness.
tls_random_source = dev:/dev/urandom
</code>

Run ''postfix check'' and ''postconf -n | grep tls'' afterwards to confirm the settings were picked up, then ''postfix reload''. Note that ''may'' is opportunistic: a peer that does not offer ''STARTTLS'' is still talked to in clear text, which is the right default for server-to-server mail but not for user submission (see the alternate ports section).

====== Enable Alternate Ports ======

Since many ''ISP''s block outgoing port ''25'', it is helpful to have ''postfix'' (or any other mail server) listening on an alternate port, alongside port ''25''. This is an easy task: edit ''/etc/postfix/master.cf'' and enable ''submission'' (port ''587'', ''STARTTLS'') and ''smtps'' (port ''465'', TLS from the first byte, which is what ''smtpd_tls_wrappermode'' turns on; without it a client connecting to ''465'' receives a plain-text ''SMTP'' banner and fails):

<code>
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
</code>

The indented ''-o'' lines continue the service definition; they make both ports require TLS and accept ''SASL'' logins, so that they serve authenticated users instead of being a second copy of port ''25''. Remember to port-forward these ports as you do for port ''25''. Provided that your publicly accessible ''SMTP'' server has the domain name ''smtp.domain.com'', you can now tell your users to set their clients to use:

<code>
smtp.domain.com:465
</code>

or:

<code>
smtp.domain.com:587
</code>

as their outgoing mail server.

====== Purge E-mails from the Postfix Queue ======

Using ''postqueue'' we can print the current e-mail queue:

<code bash>
postqueue -p
</code>
which will list the e-mails in the queue referenced by their ''ID'':

<code>
1643B4D8687* 1783520 Mon Jun  1 01:30:17  office@mail.com
                                         me@hotmail.com

9354B4F82A6* 1735720 Tue Jun  3 08:36:53  office@mail.com
                                         me@hotmail.com
</code>

where the first column holds the queue ''ID''s, followed by the size in bytes, the arrival time and the sender; the indented lines under each entry are the recipients still pending. A trailing ''*'' marks a message in the active queue (being delivered right now) and a trailing ''!'' a message on hold; neither character is part of the ''ID''. The e-mails can now be removed from the queue using ''postsuper'':

<code bash>
postsuper -d 1643B4D8687
</code>

to delete the first e-mail and:
<code bash>
postsuper -d 9354B4F82A6
</code>

to delete the second e-mail. ''postsuper -d ALL'' empties the whole queue and ''postsuper -d ALL deferred'' only the deferred queue; both are irreversible, so look at an entry with ''postcat -q ID'' first if in doubt.

====== Create Blacklist ======

Assuming that postfix is set up correctly, create a file called ''/etc/postfix/blacklist'' which contains, one per line, an e-mail address (or a bare domain, which matches every sender in that domain and, by default, its subdomains) followed by ''REJECT'' as the action:
<code>
test@gmail.com REJECT
some.one@yahoo.com REJECT
</code>

After that, compile the file using:
<code bash>
postmap hash:/etc/postfix/blacklist
</code>

and you will notice that a new file appeared called ''/etc/postfix/blacklist.db''. This is the file that postfix will use internally to look up sender addresses; re-run ''postmap'' after every edit of the text file, otherwise the ''.db'' keeps serving the old list. A single address can be checked against the compiled map with ''postmap -q test@gmail.com hash:/etc/postfix/blacklist'', which prints ''REJECT'' on a hit and nothing otherwise.

The last step consists in adding the map to the postfix configuration. This can be done by editing ''/etc/postfix/main.cf'' and adding the list to ''smtpd_recipient_restrictions'':
<code>
smtpd_recipient_restrictions = permit_mynetworks,
    # ... the rest of the stuff here ...
    check_sender_access hash:/etc/postfix/blacklist,
    permit
</code>

Restrictions are evaluated in order and the first one that returns a verdict wins, so ''check_sender_access'' must come after ''permit_mynetworks'' (or your own hosts get blocked as well) and the "rest of the stuff" must contain ''reject_unauth_destination'' before the final ''permit'', otherwise that ''permit'' turns the server into an open relay (on Postfix 2.10 and later ''smtpd_relay_restrictions'' guards against this by default). The list will take effect when postfix reloads the configuration:
<code bash>
postfix reload
</code>

or by restarting postfix:
<code bash>
/etc/init.d/postfix restart
</code>

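The lookup order matters once you put domains or bare local parts into the map. The following script is an added example (not code from the original page, and not Postfix's own lookup code); it emulates the key search that ''smtpd'' performs for ''check_sender_access'' against an indexed map with the default ''parent_domain_matches_subdomains'' setting, reading the plain-text source of the map rather than the compiled ''.db''. The sample map, its addresses and its queries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page: emulates the key search
# order that smtpd follows for check_sender_access on an indexed map, with
# smtpd_access_maps left in parent_domain_matches_subdomains (the Postfix
# default), so a bare domain key also covers every subdomain:
#
#   1. user@domain                     the full address
#   2. domain, then each parent domain
#   3. user@                           the local part only
#
# It reads the plain-text source of the map (the file given to postmap),
# not the compiled .db, folds the address to lower case as postmap does by
# default, and prints the action of the first matching key, or DUNNO when
# nothing matches, which is what Postfix hands to the next restriction.

access_lookup() {   # access_lookup MAPFILE ADDRESS
    map=$1
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    user=${addr%%@*}
    domain=${addr#*@}

    # Candidate keys in Postfix search order.
    keys="$addr $domain"
    d=$domain
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        keys="$keys $d"
    done
    keys="$keys $user@"

    for key in $keys; do
        # The key is the first whitespace-separated field of a map line;
        # the rest of the line is the action (REJECT, OK, "REJECT text", ...).
        action=$(awk -v key="$key" \
            '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$map")
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
    done
    printf 'DUNNO\n'
}

# Constructed sample map in the same format as /etc/postfix/blacklist.
write_sample_map() {   # write_sample_map FILE
    cat > "$1" <<'EOF'
# key                    action
test@gmail.com           REJECT
some.one@yahoo.com       REJECT
spam.example             REJECT bulk sender
newsletter@              REJECT
EOF
}

# Dry run against the sample map.
tmp=$(mktemp) && write_sample_map "$tmp"
for a in test@gmail.com Test@Gmail.COM bob@mail.spam.example \
         newsletter@anything.org ok@example.org; do
    printf '%-26s %s\n' "$a" "$(access_lookup "$tmp" "$a")"
done
rm -f "$tmp"
```

The emulation shows why ''spam.example'' also catches ''bob@mail.spam.example'' and why ''newsletter@'' catches that local part at any domain; the authoritative answer for a given Postfix build is still ''postmap -q'' against the compiled map.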
====== Censor Sensitive Headers ======

Outgoing e-mail carries more information than users expect. Postfix itself adds a ''Received:'' header to every submission that records the client's hostname, its local ''IP'' address and the ''TLS'' cipher used, and clients add headers of their own: Thunderbird sets ''User-Agent:'', others set ''X-Mailer:'' or ''X-Originating-IP:''. If you inspect outgoing e-mail, you will see something like:
<code>
Received: from host.local (host.local [192.168.1.12]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailerhost.com (Postfix) with ESMTPSA id 2B8361FD29 for <garbage@gmail.com>; Sun, 03 Aug 2014 11:20:31 +0000 (UTC)
</code>

''ESMTPSA'' in that line means the message was submitted over ''TLS'' by an authenticated user, which is exactly the class of ''Received:'' headers that leaks your users' internal addresses. To eliminate such headers, edit ''/etc/postfix/main.cf'' and add the lines:
<code>
# Clean the headers
mime_header_checks = regexp:/etc/postfix/clean_headers
header_checks = regexp:/etc/postfix/clean_headers
</code>

then create the file ''/etc/postfix/clean_headers'' and add the following lines:
<code>
/^Received:.*with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
</code>

''header_checks'' run in ''cleanup'' on every message that enters the queue, inbound as well as outbound, and a folded multi-line header is matched as one logical line. The ''Received:'' rule above therefore also strips ''ESMTPSA'' trace headers that other servers added to mail merely passing through yours, which removes evidence you may later want for abuse handling; to limit it to your own submissions, anchor the pattern on your hostname, e.g. ''/^Received:.*by mailerhost\.com \(Postfix\) with ESMTPSA/ IGNORE''.

A ''regexp:'' table is read directly by Postfix; do not run ''postmap'' on it, that would only produce an unused ''clean_headers.db''. Instead, test a rule with ''postmap -q'', which prints the action for a header line that matches and nothing for one that does not:
<code bash>
postmap -q "X-Mailer: Some Client 1.0" regexp:/etc/postfix/clean_headers
</code>

and reload the postfix configuration with:
<code bash>
postfix reload
</code>

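To see the difference between the broad ''Received:'' rule and the hostname-anchored one before touching production, the following added example (not code from the original page) applies the ''IGNORE'' rules of a header_checks-style table to a captured header block. It emulates only the ''IGNORE'' action of plain ''/pattern/'' rules; the hostnames, addresses and headers in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: applies the IGNORE rules
# of a header_checks-style regexp table to a captured header block, to see
# what a rule set would strip before it goes into production. Only the
# IGNORE action of plain /pattern/ rules is emulated; patterns are treated
# as extended, case-insensitive regular expressions, as Postfix's regexp:
# tables do by default, and a folded header is matched as one logical line,
# as cleanup(8) does. The sample headers and hostnames are constructed.

# Join continuation lines (those starting with whitespace) onto their header.
unfold_headers() {
    awk '
        /^[ \t]/ { buf = buf " " substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }'
}

# apply_ignore_rules TABLEFILE < headers: drop every logical header line that
# matches an IGNORE rule in the table; everything else passes through.
apply_ignore_rules() {
    patterns=$(sed -n 's|^/\(.*\)/[[:space:]]*IGNORE[[:space:]]*$|\1|p' "$1")
    if [ -z "$patterns" ]; then
        unfold_headers
    else
        # grep takes one pattern per line of $patterns.
        unfold_headers | grep -v -i -E -- "$patterns" || true
    fi
}

# The rule set from the page as written.
broad_rules() {
    cat <<'EOF'
/^Received:.*with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
EOF
}

# The same set with the Received: rule anchored on our own hostname, so only
# the trace header this server adds for its authenticated users is removed.
tight_rules() {
    cat <<'EOF'
/^Received:.*by mailerhost\.com \(Postfix\) with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
EOF
}

# Constructed headers: our own submission trace, an ESMTPSA trace that a
# partner's server added (folded over two lines) before relaying to us, the
# server-to-server hop, and two client headers.
sample_headers() {
    cat <<'EOF'
Received: from host.local (host.local [192.168.1.12]) by mailerhost.com (Postfix) with ESMTPSA id 2B8361FD29 for <garbage@gmail.com>; Sun, 03 Aug 2014 11:20:31 +0000 (UTC)
Received: from laptop (unknown [10.0.0.7])
    by relay.partner.example (Postfix) with ESMTPSA id 77AB1
Received: from relay.partner.example (relay.partner.example [198.51.100.9]) by mailerhost.com (Postfix) with ESMTPS id 91C2
X-Mailer: Some Client 1.0
User-Agent: Thunderbird
Subject: quarterly report
EOF
}

# Number of Received: headers that survive the table in TABLEFILE.
received_left() {   # received_left TABLEFILE
    sample_headers | apply_ignore_rules "$1" | grep -c '^Received:' || true
}

# Dry run: compare what the two rule sets leave behind.
b=$(mktemp) && broad_rules > "$b"
t=$(mktemp) && tight_rules > "$t"
echo "broad rules leave $(received_left "$b") Received: line(s):"
sample_headers | apply_ignore_rules "$b"
echo "tight rules leave $(received_left "$t") Received: line(s):"
sample_headers | apply_ignore_rules "$t"
rm -f "$b" "$t"
```

With the broad table the partner's ''ESMTPSA'' trace disappears together with ours; with the anchored table only the header this server added is removed, and the server-to-server ''ESMTPS'' hop survives in both cases.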
====== Enable Per-Home Directory Forwarding ======

The Postfix local delivery agent reads ''~/.forward'' files by default (see ''forward_path''), so plain forwarding to another address works without any change. What is restricted is a ''.forward'' that pipes mail into a command (''"|/usr/bin/procmail"'' and the like): ''allow_mail_to_commands'' decides from which sources such commands are honoured. The default is ''alias, forward''; add ''include'' only if '':include:'' files should be allowed to run commands too, by putting:
<code>
allow_mail_to_commands = alias,forward,include
</code>

in ''/etc/postfix/main.cf'' and reloading postfix.

Commands run with the privileges of the user who owns the ''.forward'' or '':include:'' file (''default_privs'' for aliases), so every user who can write such a file can run arbitrary commands as themselves through the mail system; keep ''include'' off unless you actually need it.

====== Disable POODLE and FREAK/Logjam ======

Edit ''/etc/postfix/main.cf'' and amend the lines:
<code>
# POODLE / FREAK/Logjam
# The *_tls_protocols settings cover opportunistic TLS (security level "may"),
# the *_tls_mandatory_protocols settings cover "encrypt"/"verify" sessions and
# TLS-only SASL authentication.
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
# Drop anonymous, null, export-grade (FREAK), single-DES, RC4, MD5 and 3DES
# suites for opportunistic TLS; smtpd_tls_mandatory_exclude_ciphers does the
# same for mandatory TLS.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA, 3DES
# Logjam: use your own Diffie-Hellman group instead of a well-known 1024-bit one.
# The parameter name is historical; the file may (and should) hold a 2048-bit
# group. The 512-bit group is only used with EXPORT ciphers, excluded above.
smtpd_tls_dh1024_param_file = ${config_directory}/dh_1024.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem
</code>

Two caveats. Excluding ciphers from the opportunistic lists does not make an old peer fail safely: a client or server that offers nothing else falls back to clear text, because ''may'' never insists on encryption. And the exclude list consists of OpenSSL cipher names and aliases; OpenSSL does not complain about a misspelt name, it simply excludes n

Two caveats. Excluding ciphers from the opportunistic lists does not make an old peer fail safely: a client or server that offers nothing else falls back to clear text, because ''may'' never insists on encryption. And the exclude list consists of OpenSSL cipher names and aliases; OpenSSL does not complain about a misspelt name, it simply excludes nothing for it, so check the base list your grade resolves to with ''openssl ciphers -v "$(postconf -h tls_medium_cipherlist)"'' and make sure every name you exclude appears in it.

After that generate the Diffie-Hellman group file ''dh_1024.pem'' in the postfix configuration directory (''${config_directory}'') with:
<code bash>
openssl dhparam -out dh_1024.pem 2048
</code>

(this takes a minute or more; despite the file name, a 2048-bit group is what Logjam calls for) and, only if you keep ''smtpd_tls_dh512_param_file'' for export ciphers:
<code bash>
openssl dhparam -out dh_512.pem 512
</code>

and reload the postfix configuration.

===== Rotate Diffie-Hellman Parameters =====

Regenerating the Diffie-Hellman group now and then is optional: the group is public and forward secrecy comes from the per-session exponents, not from the secrecy of the group, so rotation buys little beyond not using one group for years. It is harmless as long as the file is replaced atomically, so if you want it, drop the following script in, say, ''/etc/cron.weekly/'':
<file bash postfix-rotate-diffie-hellman.sh>
#!/bin/sh
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3      ##
###########################################################################
# A script to regenerate the Diffie-Hellman groups that can be called     #
# through crontab periodically.                                           #
#                                                                         #
# This script would require the following postfix configuration keys to   #
# be set:                                                                 #
#                                                                         #
# smtpd_tls_dh1024_param_file = ${config_directory}/dh_1024.pem           #
# smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem             #
###########################################################################

###########################################################################
#                             CONFIGURATION                               #
###########################################################################

# Set this to the directory corresponding to the result of expanding the
# Postfix ${config_directory} variable - commonly, /etc/postfix.
POSTFIX_CONFIG_DIRECTORY=/etc/postfix
# Group size for dh_1024.pem (the parameter name is historical; 2048 bits
# is the minimum that avoids Logjam-style precomputation).
DH_BITS=2048

###########################################################################
#                                INTERNALS                                #
###########################################################################
set -e
if [ -d "$POSTFIX_CONFIG_DIRECTORY" ]; then
    # Generate into a temporary file and rename it into place: the output
    # file may be empty or incomplete while dhparam runs, and a Postfix
    # process reading it at that moment would fall back to its built-in group.
    TMP=$(mktemp "$POSTFIX_CONFIG_DIRECTORY/dh.XXXXXX")
    openssl dhparam -out "$TMP" "$DH_BITS" 2>/dev/null
    chmod 0644 "$TMP"
    mv -f "$TMP" "$POSTFIX_CONFIG_DIRECTORY/dh_1024.pem"
    # The 512-bit group only serves EXPORT ciphers, which should be excluded
    # anyway; it is kept in sync for completeness.
    TMP=$(mktemp "$POSTFIX_CONFIG_DIRECTORY/dh.XXXXXX")
    openssl dhparam -out "$TMP" 512 2>/dev/null
    chmod 0644 "$TMP"
    mv -f "$TMP" "$POSTFIX_CONFIG_DIRECTORY/dh_512.pem"
    # Reload Postfix to pick-up the newly generated groups.
    postfix reload
fi
</file>
====== Log Analysis ======

The following command will count all the E-Mails coming to ''server.tld'' and then sort the entries in descending order:
<code bash>
grep "to=<[^>]*@server\.tld>" /var/log/mail.log | grep 127.0.0.1 | sed -n 's/.* to=<\([^>]*\)>.*/\1/p' | tr 'A-Z' 'a-z' | sort | uniq -c | sort -rn
</code>

where:
  * ''server\.tld'' is the name of the local E-Mail server,
  * ''/var/log/mail.log'' is the file to which the E-Mail server logs,
  * ''127.0.0.1'' is the IP address of the local E-Mail server, so that only the hop through the local host is counted for each message rather than every delivery attempt.

The recipient is taken straight from the '' to=<...>'' field (the leading space keeps ''orig_to=<...>'' from matching) and lower-cased before counting, so that ''User@server.tld'' and ''user@server.tld'' are counted as the same mailbox.

The following command will count all E-Mails sent through the mail server and then sort the entries in descending order:

<code bash>
grep "status=sent" /var/log/mail.log | sed -n 's/.* to=<\([^>]*\)>.*/\1/p' | tr 'A-Z' 'a-z' | sort | uniq -c | sort -rn
</code>

where:
  * ''/var/log/mail.log'' is the file to which the E-Mail server logs.

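The same counting, packaged as functions and run over a handful of log lines so the output can be verified, is given below as an added example (not code from the original page). It also adds a per-status count (''sent'', ''bounced'', ''deferred'') per recipient, which is the first thing to look at when one mailbox is being flooded or one sender is producing a run of bounces. The hosts, addresses and queue IDs in the sample log are constructed; the line layout is the one Postfix's ''smtp'' and ''local'' delivery agents write.

```shell
#!/bin/sh
# Added example, not code from the original page: the counting done by the
# commands above, run over a few constructed mail.log lines so the result can
# be checked, plus a per-status count that the one-liners do not give. The
# line format is the one Postfix's smtp(8) and local(8) delivery agents log;
# hosts, addresses and queue IDs are made up.

sample_log() {
    cat <<'EOF'
Jun  1 01:30:17 mx postfix/local[2201]: 1643B4D8687: to=<alice@server.tld>, relay=local, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Jun  1 01:31:02 mx postfix/smtp[2210]: 2A1B3C4D5E6: to=<Alice@server.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.5/0/0.1/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3F4A5B6C7D8)
Jun  1 01:31:03 mx postfix/local[2201]: 3F4A5B6C7D8: to=<alice@server.tld>, relay=local, delay=0.1, delays=0/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Jun  1 01:40:44 mx postfix/smtp[2215]: 4B5C6D7E8F9: to=<bob@server.tld>, orig_to=<postmaster@server.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.9, delays=0.4/0/0.1/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C6D7E8F9A0)
Jun  1 01:50:00 mx postfix/smtp[2216]: 5D6E7F8A9B0: to=<alice@server.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.8, delays=0.3/0/0.1/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6E7F8A9B0C1)
Jun  1 02:05:10 mx postfix/smtp[2220]: 7E8F9A0B1C2: to=<me@hotmail.com>, relay=mx1.hotmail.com[203.0.113.25]:25, delay=3.2, delays=0.1/0/1.2/1.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 02:05:11 mx postfix/smtp[2220]: 8F9A0B1C2D3: to=<nobody@example.org>, relay=mail.example.org[198.51.100.9]:25, delay=2.0, delays=0.1/0/0.9/1.0, dsn=5.1.1, status=bounced (host mail.example.org[198.51.100.9] said: 550 5.1.1 User unknown)
Jun  1 02:07:30 mx postfix/smtp[2221]: 9A0B1C2D3E4: to=<me@hotmail.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[203.0.113.26]:25: Connection timed out)
EOF
}

# Lower-cased recipient addresses from the lines of log file $1 that match
# the extended regex $2. The address is taken from the " to=<...>" field;
# the leading space keeps "orig_to=<...>" from being picked up instead.
extract_recipients() {   # extract_recipients LOGFILE REGEX
    grep -E -- "$2" "$1" | sed -n 's/.* to=<\([^>]*\)>.*/\1/p' | tr 'A-Z' 'a-z'
}

# "count address" per recipient at domain $2, most frequent first, for
# deliveries that went through the local host, as in the first command above.
incoming_top() {   # incoming_top LOGFILE DOMAIN-REGEX
    extract_recipients "$1" "to=<[^>]*@$2>.*relay=127\.0\.0\.1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# "count address" per recipient for everything delivered, as in the second.
sent_top() {   # sent_top LOGFILE
    extract_recipients "$1" 'status=sent' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# How many deliveries to address $2 ended with status $3 (sent|bounced|deferred).
status_count() {   # status_count LOGFILE ADDRESS STATUS
    extract_recipients "$1" "status=$3" | grep -c -i -x -F -- "$2" || true
}

# Dry run over the sample.
log=$(mktemp) && sample_log > "$log"
echo "incoming to server.tld via 127.0.0.1:"; incoming_top "$log" 'server\.tld'
echo "all sent:";                              sent_top "$log"
for s in sent bounced deferred; do
    echo "me@hotmail.com $s: $(status_count "$log" me@hotmail.com "$s")"
done
rm -f "$log"
```

Point the functions at ''/var/log/mail.log'' instead of the temporary file to use them on a real server; ''status_count'' with ''deferred'' over a day's log is a quick way to find the remote domain that is currently refusing your mail.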
====== Enable Forward Secrecy ======

To enable forward secrecy on Postfix 2.6 and above (''tls_preempt_cipherlist'' needs 2.8), edit ''/etc/postfix/main.cf'' and add the lines:
<code>
smtpd_tls_dh1024_param_file = ${config_directory}/dh_1024.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes
</code>

''smtpd_tls_eecdh_grade = strong'' turns on ''ECDHE'' key exchange (the P-256 curve), which is what modern clients negotiate; the ''DH'' group files serve clients that only speak ''DHE''. ''tls_preempt_cipherlist'' makes the server's preference win over the client's, so that an ''ECDHE'' or ''DHE'' suite is picked whenever the client supports one at all.

You will need to generate the Diffie-Hellman files. This can be done with ''openssl'' (''openssl gendh'' is obsolete; ''dhparam'' replaces it). Despite the file name, use a 2048-bit group, since 1024-bit groups are what Logjam targets:
<code bash>
openssl dhparam -out /etc/postfix/dh_1024.pem 2048
</code>

and for the 512 file, which is only used with export-grade ciphers and can be left out when those are excluded:
<code bash>
openssl dhparam -out /etc/postfix/dh_512.pem 512
</code>

and then reload postfix:
<code bash>
postfix reload
</code>

To check that it is working, issue on the command line:
<code bash>
openssl s_client -starttls smtp -connect server.tld:25
</code>

where ''server.tld'' is the server to check. Amongst other things, you should see in the ''SSL-Session'' summary:
<code>
Cipher    : ECDHE...
</code>

that is, a cipher whose name starts with ''ECDHE'' or ''DHE'' (both give forward secrecy), and a ''Protocol'' line that is not ''SSLv3''. Clients that can only do static ''RSA'' key exchange still connect, without forward secrecy for that session, because these settings prefer forward-secret suites rather than require them.

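The check above, the ''SSLv3'' test from the POODLE section and the port-specific dialects from the alternate ports section fit in one small script, given here as an added example (not code from the original page). It picks the right ''s_client'' invocation per port and grades the ''Protocol'' and ''Cipher'' lines of the session summary; the transcripts embedded in it are constructed so that the grading can be exercised without a network, and ''smtp.domain.com'' is only a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original page: wraps the s_client check
# from the TLS, POODLE and forward-secrecy sections in a script that speaks
# the right dialect for each port (STARTTLS on 25 and 587, TLS from the first
# byte on 465) and grades what the server negotiated. Grading reads the
# "Protocol" and "Cipher" lines of s_client's session summary, so it also
# works on a saved transcript; the transcripts embedded below are constructed
# so the script can be exercised without a network.

# openssl s_client arguments for host $1 and port $2.
s_client_args() {   # s_client_args HOST PORT
    case $2 in
        465) printf '%s' "-connect $1:$2" ;;
        *)   printf '%s' "-connect $1:$2 -starttls smtp" ;;
    esac
}

# Read an s_client transcript on stdin and print "<protocol> <cipher> <verdict>":
#   forward-secret       ECDHE/DHE key exchange (or a TLS 1.3 suite) on TLSv1+
#   no-forward-secrecy   static key exchange, e.g. AES128-SHA (plain RSA)
#   legacy-protocol      SSLv2 or SSLv3 negotiated (POODLE), whatever the suite
#   no-tls               no usable session (STARTTLS refused or handshake failed)
grade_session() {
    summary=$(tr -d '\r' | awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END { print proto, cipher }')
    proto=${summary%% *}
    cipher=${summary#* }
    case "$proto/$cipher" in
        /*|*/|*/0000|*/"(NONE)") echo "none none no-tls"; return ;;
    esac
    case $proto in
        SSLv2|SSLv3) verdict=legacy-protocol ;;
        *) case $cipher in
               ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) verdict=forward-secret ;;
               *) verdict=no-forward-secrecy ;;
           esac ;;
    esac
    echo "$proto $cipher $verdict"
}

# Connect for real and grade the result, e.g. check_smtp_tls smtp.domain.com 587
check_smtp_tls() {   # check_smtp_tls HOST PORT
    # shellcheck disable=SC2046  # the argument string is meant to be word-split
    openssl s_client $(s_client_args "$1" "$2") </dev/null 2>/dev/null | grade_session
}

# Constructed transcripts, trimmed to the lines the grader looks at.
sample_transcript() {   # sample_transcript pfs|rsa|legacy|failed
    case $1 in
        pfs)    printf 'SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES256-GCM-SHA384\n' ;;
        rsa)    printf 'SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : AES128-SHA\n' ;;
        legacy) printf 'SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : AES256-SHA\n' ;;
        failed) printf 'CONNECTED(00000003)\nNew, (NONE), Cipher is (NONE)\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : 0000\n' ;;
    esac
}

# Dry run over the transcripts.
for kind in pfs rsa legacy failed; do
    printf '%-7s %s\n' "$kind" "$(sample_transcript "$kind" | grade_session)"
done
```

Run ''check_smtp_tls'' once per port after each change to ''main.cf'' or ''master.cf''; ''legacy-protocol'' on port 25 means the ''!SSLv3'' settings did not take, and ''no-tls'' on port 465 usually means ''smtpd_tls_wrappermode'' is missing. Forcing the old protocol from the client side (''openssl s_client -ssl3 ...'') is a further check, when your OpenSSL build still supports it.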
====== Delete Mail from Queue for a Specific User ======

The following command will delete all e-mails in the queue sent by the user ''hill'':
<code bash>
mailq | grep -F 'hill@domain.tld' | awk '{ print $1 }' | tr -d '*!' | postsuper -d -
</code>

This works by filtering the queue listing for lines containing ''hill@domain.tld'' (''grep -F'' matches the string literally, so the dot needs no escaping), piping the output to ''awk'', which keeps the first column, stripping the ''*'' (active) and ''!'' (on hold) markers that ''mailq'' appends to queue ''ID''s, and then piping the result to ''postsuper'', which reads the ''ID''s from standard input (''-'') and deletes them. Only the first line of each queue entry carries the ''ID'' together with the sender; the recipient lines below it are indented and their first column is the recipient address, so this form selects mail //from// ''hill'', not mail //to// him. Run the pipeline without the final ''postsuper'' stage first to see what would be deleted.

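Selecting by recipient, or by either side, needs the queue listing parsed entry by entry rather than line by line. The following added example (not code from the original page) does that over a saved ''postqueue -p'' listing and prints bare queue ''ID''s for ''postsuper -d -''; the listing, its addresses and its ''ID''s are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: selects queue IDs from a
# saved "postqueue -p" (mailq) listing by sender, by recipient or by either,
# where the one-liner above matches by sender only. Each queue entry is a
# block ending in an empty line: the first line carries the ID (with a
# trailing "*" for active or "!" for held mail), size, arrival time and
# sender; indented lines below it are the pending recipients; an unindented
# line in parentheses is the last deferral reason. Header and trailer lines
# start with "-". The output is bare IDs, ready for "postsuper -d -".
# The listing below is constructed.

sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1643B4D8687*    1783520 Mon Jun  1 01:30:17  office@mail.com
                                         me@hotmail.com

9354B4F82A6!    1735720 Tue Jun  3 08:36:53  hill@domain.tld
                                         me@hotmail.com
                                         other@example.org

C0FFEE12345        4321 Tue Jun  3 09:10:00  someone@example.net
(connect to mx.domain.tld[203.0.113.5]:25: Connection timed out)
                                         hill@domain.tld

-- 3453 Kbytes in 3 Requests.
EOF
}

# queue_ids ADDRESS MODE < listing; MODE is from, to or any.
queue_ids() {
    awk -v addr="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v mode="$2" '
        BEGIN { RS = ""; FS = "\n" }          # one record per blank-line-separated block
        {
            n = 0
            for (i = 1; i <= NF; i++)         # drop header/trailer lines
                if ($i !~ /^-/) line[++n] = $i
            if (n == 0) next
            nh = split(line[1], head, /[ \t]+/)
            id = head[1]; sub(/[*!]$/, "", id)
            sender = tolower(head[nh])
            hit = (mode != "to" && sender == addr)
            for (i = 2; i <= n && !hit; i++) {
                if (line[i] ~ /^\(/) continue # deferral reason, not a recipient
                rcpt = line[i]; gsub(/^[ \t]+|[ \t]+$/, "", rcpt)
                if (mode != "from" && tolower(rcpt) == addr) hit = 1
            }
            if (hit) print id
        }'
}

# Dry run over the sample listing.
for mode in from to any; do
    printf 'hill@domain.tld %-4s -> %s\n' "$mode" \
        "$(sample_queue | queue_ids hill@domain.tld "$mode" | tr '\n' ' ')"
done
```

On a live system the pipeline becomes ''postqueue -p | queue_ids hill@domain.tld any | postsuper -d -'' (as root, since ''postsuper'' needs it); drop the last stage first to review the ''ID''s, and remember that a message with several recipients is deleted for all of them.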