Postfix Hardening Guide for Security and Privacy

Visits: 3084

Postfix Hardening for Security and Privacy

Harden Your Postfix Email Server

Postfix Hardening Guide for Security and Privacy – Linux Audit for GDPR, HIPAA , ITAR . Don’t use gmail Gsuite, get your own corporate server.

Start Hardening postfix by installing a new Postfix Email Server with Webmail, Https Cert, Easy User Admin following this you will have a simple to use and hardened Postfix Email Server. Simple to use always best for Cyber Security, since complicated stuff has more friction allowing hackers to get in.

It Seems that presently so many need to have their emails in Postfix Hardend and secured. Did you know that according to GDPR you need to be able to delete every email interaction with EU folks?

The flip side of this is that health professionals need a permanent record of every interaction that is not editable or deletable.

We work with you to keep your Corporate emails up to regs.

Postfix is one of the most used components on a server that needs to receive or send emails. With all its options available, it is easy to have a weak configuration. This security guide looks into Postfix hardening, to increase the defenses against spam, abuse, and leaking sensitive data. Time to start……

Start installing Postfix hardened, anti-spam and easy to install, launch the Complete Linux Email Server with Webmail in the AWS Cloud. You can also installARM64 / Graviton Complete Linux Email Server with Webmail , Also comes with HTTPS SSL certificates and easy user admin.

Enable SASL authentication for Postfix Hardening.

# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow any methods that do allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Define the sasl_passwd file location
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

Now we will edit the /etc/postfix/sasl/sasl_passwd file.

[]:587 username:password

This file can be parsed by postmap to created an optimized version, which is used as the database for lookups.

postmap /etc/postfix/sasl/sasl_passwd

The last part is configuring encryption. To enable this, we have to configure this separately.

# Enable STARTTLS encryption
smtp_use_tls = yes
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Now restart Postfix, and send a test email.

echo “test” | mail -s “test”

Related and useful commands

  • postqueue -f (flush mail queue and retry delivering all emails)

Cryptography, encryption, and privacy

Enable TLS logging

To see the details from TLS, increase the level of Postfix logging. Set smtp_tls_loglevel (outgoing) or  smtpd_tls_loglevel (incoming) to the value one (1).

postconf -e smtp_tls_loglevel=1

Testing keys

With OpenSSL you can easily test your SMTP configuration and related ciphers. One of the areas to test is the strength of the initial connection handshake. This is typically done with the DiffieHellman (DH) algorithm, that exchanges the cryptographic keys.

echo | openssl s_client -starttls smtp -connect localhost:25 -cipher "EDH" 2>/dev/null | grep -i -e "Server .* key"

Note: you need at least version 1.02 of OpenSSL, otherwise not all details are displayed. Use openssl version to double check that you are on a recent version.

This command should give you two lines of output. The first line is the temporary key and should be at least 1024 bits when using DH, to prevent the Logjam attack.

Server Temp Key: DH, 2048 bits

The second line is the public key size. This will typically be a 2048 bit key (or higher) on modern systems.

Server public key is 2048 bit