More secure postfix

More secure postfix

Philippe - Forums

Hello,

I would like to make my Postfix more secure.

My SMTP configuration currently is:

smtpd_tls_cert_file=/path/to/certs/fullchain.pem
smtpd_tls_key_file=/path/to/certs/privkey.pem
smtpd_tls_CAfile=/path/to/certs/chain.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_security_level = may

smtp_tls_cert_file=/path/to/certs/fullchain.pem
smtp_tls_key_file=/path/to/certs/privkey.pem
smtp_tls_CAfile=/path/to/certs/chain.pem
smtp_use_tls=yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

smtpd_client_restrictions =
        permit_mynetworks,
        reject_unknown_client_hostname,
        permit

smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org

smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/rejected-recipient,
        check_client_access hash:/etc/postfix/client_check_access,
        reject_unknown_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        permit

smtpd_helo_required = yes
smtpd_delay_reject = yes


But with this configuration I can't send an email from my smartphone (it is rejected).


--

##################

Philippe - Forums


Re: More secure postfix

Matus UHLAR - fantomas
On 22.12.18 10:13, Philippe - Forums wrote:

>I would like to secure more my postfix.
>
>My SMTP configuration actually is:
>
>_smtpd_tls_cert_file=/path/to/certs/fullchain.pem_
>_smtpd_tls_key_file=/path/to/certs/privkey.pem_
>_smtpd_tls_CAfile=/path/to/certs/chain.pem_
>_smtpd_use_tls=yes_
>_smtpd_tls_session_cache_database =
>btree:${data_directory}/smtpd_scache_
>_smtpd_tls_security_level = may_


please avoid those underscores and avoid line wrapping when possible.

>But with this configuration I can't send an email from my smartphone
>(reject).

What's in the logs? It's hard to see in a crystal ball (especially when I
don't have one).

I can only guess one thing:

>smtpd_client_restrictions =
>        permit_mynetworks,
>        reject_unknown_client_hostname,
>        permit

This, however, can cause rejections even of client authentication, when the client
connects from an IP without proper reverse/forward DNS records.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: More secure postfix

Viktor Dukhovni
In reply to this post by Philippe - Forums


> On Dec 22, 2018, at 4:13 AM, Philippe - Forums <[hidden email]> wrote:
>
> smtpd_tls_cert_file=/path/to/certs/fullchain.pem
> smtpd_tls_key_file=/path/to/certs/privkey.pem

Fine, but if Let's Encrypt creates a single file with both the key
and the certificate use that instead.

> smtpd_tls_CAfile=/path/to/certs/chain.pem

This is not needed.

> smtpd_use_tls=yes

This is obsolete, you already have the preferred "smtpd_tls_security_level = may".

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

As of Postfix 2.11 and later supporting TLS session tickets, this is no
longer needed.

> smtpd_tls_security_level = may

Good.  But see your master.cf file, where you should have the submission
service enabled, with "-o smtpd_tls_security_level=encrypt" and other
necessary settings.

> smtp_tls_cert_file=/path/to/certs/fullchain.pem
> smtp_tls_key_file=/path/to/certs/privkey.pem
> smtp_tls_CAfile=/path/to/certs/chain.pem

These are not needed and should be removed.

> smtp_use_tls=yes

This should be "smtp_tls_security_level = may".

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

This is fine.

> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth

These make smtpd(8) capable of SASL auth via Dovecot,
they're fine, but:

> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

these are SMTP client (smtp(8)) settings, so SASL is still
not enabled for the SMTP server (smtpd(8)).  That's actually
normal, because it is best to leave SASL off on port 25, and
configure it on only for port 587 (submission) via master.cf.
You've not posted your master.cf configuration (output of
postconf -Mf), so perhaps you don't have SASL enabled.

> smtpd_client_restrictions =
>         permit_mynetworks,
>         reject_unknown_client_hostname,
>         permit

The "reject_unknown_client_hostname" restriction is
generally too strict.

> smtpd_sender_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_non_fqdn_sender,
>         reject_unknown_sender_domain,
>         permit
>
> smtpd_relay_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         defer_unauth_destination

Replace "defer_unauth_destination" with "reject_unauth_destination".

> smtpd_recipient_restrictions =
>         permit_sasl_authenticated,
>         permit_mynetworks,
>         reject_unauth_destination,

These first three are redundant, given the "relay" restrictions.

>         reject_rbl_client b.barracudacentral.org,
>         reject_rbl_client zen.spamhaus.org
>
> But with this configuration I can't send an email from my smartphone (reject).

The real story is in master.cf and your logs.

        http://www.postfix.org/DEBUG_README.html#mail

--
        Viktor.
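
Both replies so far point at the logs, so here is an added example of the triage a practitioner would run before touching the configuration; it is not part of the thread and not Postfix's own tooling. The log lines in SAMPLE_LOG are constructed for the example (RFC 5737 documentation addresses, invented queue ID), and the process name postfix/submission/smtpd assumes master.cf sets "-o syslog_name=postfix/submission" on the submission service. The script answers the two questions that matter here: which restriction produced the rejects, and whether the reverse-DNS reject hit a client on the submission port that otherwise authenticates.

```shell
#!/bin/sh
# Offline triage of Postfix "NOQUEUE: reject" lines: which restriction fired,
# how often, and whether it fired on the submission service (port 587), which
# is where SASL-authenticated phones connect from mobile IPs with no reverse DNS.
#
# Every line in SAMPLE_LOG is constructed for this example. The process name
# "postfix/submission/smtpd" assumes master.cf sets
# "-o syslog_name=postfix/submission" on the submission service.

SAMPLE_LOG='Dec 22 10:01:02 mx postfix/smtpd[1234]: connect from unknown[198.51.100.23]
Dec 22 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.23]; from=<someone@example.com> to=<user@example.org> proto=ESMTP helo=<[198.51.100.23]>
Dec 22 10:05:10 mx postfix/submission/smtpd[1300]: connect from unknown[203.0.113.7]
Dec 22 10:05:11 mx postfix/submission/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<user@example.org> to=<friend@example.net> proto=ESMTP helo=<[203.0.113.7]>
Dec 22 10:07:00 mx postfix/smtpd[1400]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 Service unavailable; Client host [192.0.2.99] blocked using zen.spamhaus.org; from=<spam@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Dec 22 10:09:00 mx postfix/submission/smtpd[1500]: 4F2C1A0B3D: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=user@example.org'

# Replace with e.g. "grep 'postfix/' /var/log/mail.log" on a real system.
sample_log() { printf '%s\n' "$SAMPLE_LOG"; }

# "<count> <reason>" per distinct reject reason, most frequent first. Client IPs
# are replaced by [ip] so one restriction aggregates across many clients.
reject_reasons() {
    sample_log | awk '/NOQUEUE: reject:/ {
        sub(/.*: [45][0-9][0-9] [0-9]\.[0-9]+\.[0-9]+ /, "")
        sub(/; from=.*/, "")
        gsub(/\[[0-9.]+\]/, "[ip]")
        n[$0]++
    }
    END { for (r in n) printf "%d %s\n", n[r], r }' | sort -rn
}

# Number of rejects produced by reject_unknown_client_hostname.
hostname_reject_count() {
    sample_log | grep -c 'cannot find your hostname'
}

# Client IPs rejected for missing reverse DNS on the submission service.
submission_hostname_rejects() {
    sample_log | awk '/postfix\/submission\/smtpd/ && /cannot find your hostname/ {
        s = $0
        sub(/.* from [^[]*\[/, "", s)
        sub(/\].*/, "", s)
        print s
    }' | sort -u
}

# Client IPs that completed SASL authentication somewhere in the log.
authenticated_clients() {
    sample_log | awk '/sasl_username=/ {
        s = $0
        sub(/.*client=[^[]*\[/, "", s)
        sub(/\].*/, "", s)
        print s
    }' | sort -u
}

# The interesting set: IPs the reverse-DNS check rejected on submission that
# also authenticated successfully. These are legitimate users hit by
# reject_unknown_client_hostname being evaluated before permit_sasl_authenticated.
rejected_then_authenticated() {
    auth=$(authenticated_clients)
    for ip in $(submission_hostname_rejects); do
        for a in $auth; do
            if [ "$ip" = "$a" ]; then echo "$ip"; fi
        done
    done
}

echo "== rejects by reason =="
reject_reasons
echo "== rDNS rejects on submission from clients that also authenticated =="
rejected_then_authenticated
```

On the constructed sample the summary shows two "cannot find your hostname" rejects and one Spamhaus hit, and 203.0.113.7 is reported as a client that was rejected on submission and later authenticated, which is exactly the smartphone symptom described in the thread. A fix that reorders the restriction list should make the last section come out empty on subsequent logs.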


Re: More secure postfix

Philippe - Forums
In reply to this post by Matus UHLAR - fantomas

Yes, with this option I can't send an email with my smartphone, because the smartphone's IP has no proper reverse DNS.

And that is my problem: reject all IPs without proper reverse DNS but accept my smartphone.


Re: More secure postfix

Richard Damon
On 12/22/18 4:26 PM, Philippe - Forums wrote:
>
> Yes, with this option I can't send an email with my smartphone,
> because the smartphone IP have not proper reverse DNS.
>
> And there is my problem: reject all IPs without proper reverse DNS but
> accept my smartphone.
>
And what is special about your phone that postfix should use to allow
it, but not other IPs?

--
Richard Damon


Re: More secure postfix

Wietse Venema
In reply to this post by Philippe - Forums
Philippe - Forums:
> Yes, with this option I can't send an email with my smartphone, because
> the smartphone IP have not proper reverse DNS.
>
> And there is my problem: reject all IPs without proper reverse DNS but
> accept my smartphone.

Use permit_sasl_authenticated before reject_unknown_client_hostname.

        Wietse
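
Putting Viktor's cleanup and Wietse's reordering together, here is an added example of what the relevant main.cf and master.cf fragments would look like. It is not a file posted in the thread and not Postfix's shipped default; the certificate paths and the Dovecot socket come from the original post, everything else follows the replies above. It assumes the phone submits on port 587 (the submission service) and that no outbound relay host is used, so the smtp_sasl_* client settings are dropped.

```conf
# ---- main.cf (added example) ----
# Port 25: opportunistic TLS, no SASL. Session cache is not needed on
# Postfix 2.11+ (session tickets); smtpd_tls_CAfile is not needed either.
smtpd_tls_cert_file = /path/to/certs/fullchain.pem
smtpd_tls_key_file = /path/to/certs/privkey.pem
smtpd_tls_security_level = may

# Outbound: opportunistic TLS, no client certificate.
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# SASL backend is defined globally but only switched on per service in master.cf.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no

smtpd_helo_required = yes
smtpd_delay_reject = yes

# permit_sasl_authenticated before reject_unknown_client_hostname: an
# authenticated phone on a mobile IP with no reverse DNS is accepted, and the
# (still very strict) reverse-DNS check applies only to unauthenticated clients.
smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_client_hostname,
        permit

smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        permit

smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

# Relay policy lives here; reject, not defer, so unauthorized relay attempts
# get a permanent error instead of being retried.
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

# Only the DNSBL checks remain here; the permit/reject_unauth_destination
# trio is already covered by smtpd_relay_restrictions.
smtpd_recipient_restrictions =
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client b.barracudacentral.org

# ---- master.cf (added example) ----
# Submission service: TLS mandatory, SASL on, and the restriction lists
# overridden so that authentication is the only thing that matters here.
# "-o" values must contain no whitespace.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The smtpd_recipient_restrictions override on the submission service matters for the same reason as the client restriction: mobile and residential address space is routinely listed in zen.spamhaus.org (PBL), so a phone that authenticates fine would otherwise be rejected by the DNSBL check on port 587. Verify the result with "postconf -Mf submission/inet" and "postconf -n" rather than by reading the files, and keep an eye on the reject lines in the mail log after the change.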

Re: More secure postfix

Philippe - Forums

It seems to be good with this option.

Thanks.
