Postfix Hardening for Security and Privacy
Harden Your Postfix Email Server
Postfix Hardening Guide for Security and Privacy – Linux Audit for GDPR, HIPAA , ITAR . Don’t use gmail Gsuite, get your own corporate server.
Start Hardening postfix by installing a new Postfix Email Server with Webmail, Https Cert, Easy User Admin following this you will have a simple to use and hardened Postfix Email Server. Simple to use always best for Cyber Security, since complicated stuff has more friction allowing hackers to get in.
It Seems that presently so many need to have their emails in Postfix Hardend and secured. Did you know that according to GDPR you need to be able to delete every email interaction with EU folks?
The flip side of this is that health professionals need a permanent record of every interaction that is not editable or deletable.
We work with you to keep your Corporate emails up to regs.
Postfix is one of the most used components on a server that needs to receive or send emails. With all its options available, it is easy to have a weak configuration. This security guide looks into Postfix hardening, to increase the defenses against spam, abuse, and leaking sensitive data. Time to start……
Enable SASL authentication for Postfix Hardening.
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow any methods that do allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Define the sasl_passwd file location
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
Now we will edit the /etc/postfix/sasl/sasl_passwd file.
This file can be parsed by postmap to created an optimized version, which is used as the database for lookups.
The last part is configuring encryption. To enable this, we have to configure this separately.
# Enable STARTTLS encryption
smtp_use_tls = yes
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Now restart Postfix, and send a test email.
echo “test” | mail -s “test” firstname.lastname@example.org
Related and useful commands
- postqueue -f (flush mail queue and retry delivering all emails)
Cryptography, encryption, and privacy
Enable TLS logging
To see the details from TLS, increase the level of Postfix logging. Set smtp_tls_loglevel (outgoing) or smtpd_tls_loglevel (incoming) to the value one (1).
postconf -e smtp_tls_loglevel=1
With OpenSSL you can easily test your SMTP configuration and related ciphers. One of the areas to test is the strength of the initial connection handshake. This is typically done with the Diffie–Hellman (DH) algorithm, that exchanges the cryptographic keys.
echo | openssl s_client -starttls smtp -connect localhost:25 -cipher "EDH" 2>/dev/null | grep -i -e "Server .* key"
Note: you need at least version 1.02 of OpenSSL, otherwise not all details are displayed. Use openssl version to double check that you are on a recent version.
This command should give you two lines of output. The first line is the temporary key and should be at least 1024 bits when using DH, to prevent the Logjam attack.
Server Temp Key: DH, 2048 bits
The second line is the public key size. This will typically be a 2048 bit key (or higher) on modern systems.
Server public key is 2048 bit