Harden Your Postfix

Visits: 561

Postfix Hardening Guide for Security and Privacy

Postfix Security and Privacy

Postfix is one of the most used components on a server that needs to receive or send emails. With all its options available, it is easy to have a weak configuration. This security guide looks into Postfix hardening, to increase the defenses against spam, abuse, and leaking sensitive data.

start installing a Cyber Hardened postfix without hassles. Quickly Install  Postfix, Dovecot, Postgres, Letsencrypt certificate and Roundcube, launch the Complete Email Server with Webmail in the AWS Cloud.

Enable SASL authentication.

# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow any methods that do allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Define the sasl_passwd file location
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

The Best way to have a completely secure Postfix server is to install our simple to install EC2 including Roundcube WebMail. Check it out AWS Marketplace: Mail Server on Linux Postfix using MySQL for tons of users (amazon.com)

Now we will edit the /etc/postfix/sasl/sasl_passwd file.

[mail.example.org]:587 username:password

This file can be parsed by postmap to created an optimized version, which is used as the database for lookups.

postmap /etc/postfix/sasl/sasl_passwd

The last part is configuring encryption. To enable this, we have to configure this separately.

# Enable STARTTLS encryption
smtp_use_tls = yes
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Now restart Postfix, and send a test email.

echo “test” | mail -s “test” me@example.org

Related and useful commands

  • postqueue -f (flush mail queue and retry delivering all emails)


Cryptography, encryption, and privacy

Enable TLS logging

To see the details from TLS, increase the level of Postfix logging. Set smtp_tls_loglevel (outgoing) or  smtpd_tls_loglevel (incoming) to the value one (1).

postconf -e smtp_tls_loglevel=1

Testing keys

With OpenSSL you can easily test your SMTP configuration and related ciphers. One of the areas to test is the strength of the initial connection handshake. This is typically done with the DiffieHellman (DH) algorithm, that exchanges the cryptographic keys.

echo | openssl s_client -starttls smtp -connect localhost:25 -cipher "EDH" 2>/dev/null | grep -i -e "Server .* key"

Note: you need at least version 1.02 of OpenSSL, otherwise not all details are displayed. Use openssl version to double check that you are on a recent version.

This command should give you two lines of output. The first line is the temporary key and should be at least 1024 bits when using DH, to prevent the Logjam attack.

Server Temp Key: DH, 2048 bits

The second line is the public key size. This will typically be a 2048 bit key (or higher) on modern systems.

Server public key is 2048 bit