@jfstenuit
Last active September 11, 2019 08:57
Secure Postfix install on Debian

Introduction

Configuration files

On Debian (and probably on derivatives like Ubuntu Server), the Postfix configuration is spread across several files:

  • transport
  • master.cf
  • transport.cf
  • main.cf

Configuration

main.cf

TLS parameters

You want TLS activated so that communication between your MTA and other TLS-capable MTAs on the Internet is encrypted.

```
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
```

Rate limiting

If you are sending large amounts of mail at once (e.g. with a mailing list server), you may want to rate-limit your outgoing mail. I suggest using three settings: standard, polite and turtle. Monitor your logs to know whether recipient mail servers complain about messages having too many recipients or being sent too fast (error codes 418 or 452).

```
smtp_initial_destination_concurrency = 10
smtp_destination_concurrency_limit = 10
smtp_destination_rate_delay = 0
smtp_extra_recipient_limit = 10

polite_initial_destination_concurrency = 2
polite_destination_concurrency_limit = 2
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5

turtle_initial_destination_concurrency = 1
turtle_destination_concurrency_limit = 1
turtle_destination_rate_delay = 3s
turtle_destination_recipient_limit = 2
```

Tune according to your needs. YMMV

In master.cf, you configure the three mailers (smtp, polite and turtle):

```
smtp      unix  -       -       y       -       -       smtp
  -o smtp_bind_address=192.168.11.2
polite    unix  -       -       y       -       -       smtp
  -o smtp_bind_address=192.168.11.2
turtle    unix  -       -       y       -       -       smtp
  -o smtp_bind_address=192.168.11.2
```

If your mail server only has one interface, you don't need the smtp_bind_address.

Finally, select which transport will be used for each destination email domain (the list below is for a mailing list server with mostly Belgian subscribers). Create a file called "transport" if it does not exist yet:

```
fulladsl.be     turtle:
worldonline.be  turtle:
scarlet.be      turtle:
brutele.be      turtle:
tvcablenet.be   turtle:
yahoo.fr        turtle:
yahoo.com       turtle:
gmail.com       polite:
```

DKIM

If you want to enable DKIM, you need to add a new "milter" (a mail filter, in Postfix's jargon). I recommend you use OpenDKIM. On Debian/Ubuntu, you install it with `apt-get install opendkim opendkim-tools`.

Activate milter support in your main.cf and add the OpenDKIM milter.

```
# Enable milter filters
milter_protocol = 2
milter_default_action = accept

# Filter through OpenDKIM to sign messages
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
compatibility_level = 2
```
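As an added check (not part of this gist), the script below parses a main.cf, a master.cf and a transport file like the ones above and flags three things worth catching before going live: the Debian snakeoil placeholder certificate still set as smtpd_tls_cert_file, smtpd_milters and non_smtpd_milters that disagree (so locally submitted mail would bypass OpenDKIM), and transport-map entries naming a service that master.cf does not define. The sample files are constructed here; the `example.net` / `sloth` entry is a deliberate mistake that exists only to trigger a finding.

```python
import re
# Constructed sample inputs mirroring the gist's snippets (not a real server's files).
MAIN_CF = """\
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
"""
MASTER_CF = """\
smtp      unix  -       -       y       -       -       smtp
  -o smtp_bind_address=192.168.11.2
polite    unix  -       -       y       -       -       smtp
turtle    unix  -       -       y       -       -       smtp
"""
TRANSPORT = """\
fulladsl.be turtle:
gmail.com   polite:
example.net sloth:
"""
def parse_main_cf(text):
    """Collect 'key = value' lines; a later definition overrides an earlier one, as Postfix does."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def master_services(text):
    """Service names are the first token of lines that are neither indented (-o continuations) nor comments."""
    return {l.split()[0] for l in text.splitlines()
            if l.strip() and not l[0].isspace() and not l.startswith("#")}

def audit(main_cf, master_cf, transport):
    """Return a list of findings; an empty list means every check passed."""
    p, findings = parse_main_cf(main_cf), []
    if p.get("smtpd_use_tls") != "yes" and p.get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd TLS is not enabled")
    if "snakeoil" in p.get("smtpd_tls_cert_file", ""):
        findings.append("smtpd_tls_cert_file is the Debian snakeoil placeholder; peers cannot verify it")
    if p.get("smtpd_milters") != p.get("non_smtpd_milters"):
        findings.append("smtpd_milters and non_smtpd_milters differ: locally submitted mail may not be DKIM-signed")
    services = master_services(master_cf)
    for line in transport.splitlines():
        parts = line.split()  # "<domain> <service>:[nexthop]"
        if len(parts) == 2 and parts[1].split(":")[0] not in services:
            findings.append(f"transport map routes {parts[0]} to undefined service '{parts[1].split(':')[0]}'")
    return findings
```

Note that the transport file only takes effect once it has been compiled with `postmap` and is referenced from main.cf via `transport_maps`; the script checks the file's contents, not whether Postfix is actually loading it.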
