Postfix hardening steps

With all the preparations taken, it is time to start with the Postfix hardening steps. Each of the steps will change a particular area within Postfix. Some are to prevent information disclosure, others to enhance stability or increase the privacy of the content being sent.

Back up your Postfix configuration

It goes without saying, but too often this step is skipped. If you do system hardening, make a backup first. The first backup is to create a copy of the /etc/postfix directory.

tar czf /root/postfix-$(date "+%F").tar.gz /etc/postfix

For later troubleshooting or comparing configurations, it is also wise to use postconf to store a copy. This one we can easily use together with the diff command.

postconf > /root/postconf-$(date "+%F")

Basic hardening

Disable VRFY (verify)

The VRFY command is short for ‘verify’. It can be used to see if an email address is valid on the mail server. While this is great for troubleshooting, it also allows others to make educated guesses about whether an account exists and possibly deliver spam to it. The VRFY command is normally not needed for delivery between two mail servers.

postconf -e disable_vrfy_command=yes

Note: after changing each item, restart or reload Postfix and monitor Postfix for errors. One way to do this is by keeping a watch on the log file.

Change the Postfix smtpd_banner

The default SMTP banner is not secure because it reveals that the server runs Postfix and/or which OS it runs on, so we need to restrict that.

Default banner in main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

Changed smtpd_banner

smtpd_banner = $myhostname ESMTP

Verify Postfix Configuration

sudo postconf 1> /dev/null

Restart Postfix Service

sudo service postfix restart
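
To confirm that both changes above are in effect after the restart, the check below reads postconf output and reports on disable_vrfy_command and smtpd_banner. It is an added example, not part of the original article; the function name audit_postconf and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit postconf-style "name = value" lines for the two
# settings hardened in this article. Reads stdin, prints one finding per
# setting, returns 0 when both are hardened and 1 otherwise.
audit_postconf() {
    vrfy="" banner="" rc=0
    while IFS= read -r line; do
        case $line in
            "disable_vrfy_command = "*) vrfy=${line#*= } ;;
            "smtpd_banner = "*)         banner=${line#*= } ;;
        esac
    done

    if [ "$vrfy" = "yes" ]; then
        echo "OK   disable_vrfy_command = yes"
    else
        echo "FAIL disable_vrfy_command = ${vrfy:-<missing>} (VRFY confirms addresses)"
        rc=1
    fi

    # Heuristic: $mail_name / $mail_version expand to the software name and
    # version, and a parenthesised suffix is where distributions put the OS.
    case $banner in
        "")
            echo "FAIL smtpd_banner missing or empty in input"; rc=1 ;;
        *'$mail_name'*|*'$mail_version'*|*[Pp]ostfix*|*"("*)
            echo "FAIL smtpd_banner = $banner (reveals software or OS)"; rc=1 ;;
        '$myhostname'*)
            echo "OK   smtpd_banner = $banner" ;;
        *)
            echo "WARN smtpd_banner = $banner (should start with \$myhostname)" ;;
    esac
    return $rc
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_DEFAULT='disable_vrfy_command = no
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)'
SAMPLE_HARDENED='disable_vrfy_command = yes
smtpd_banner = $myhostname ESMTP'

# Usage on a live system:   postconf | audit_postconf
# Usage on a saved backup:  audit_postconf < /root/postconf-<date>
```

Run against the snapshot taken in the backup step and against the live configuration, it shows which of the two settings changed between them.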