Channel: CodeSection, Code Area, Cyber Security - CodeSec

Postfix Hardening Guide for Security and Privacy

Postfix, Security and Privacy

Postfix is one of the most used components on a server that needs to receive or send emails. With all its options available, it is easy to have a weak configuration. This security guide looks into Postfix hardening, to increase the defenses against spam, abuse, and leaking sensitive data. Time to start!

Guide overview

Why Postfix hardening
Preparation
Test the existing Postfix configuration
Backup your Postfix configuration
Find your Postfix version
Hardening steps
Basic hardening
Disable VRFY
Network interfaces
Relaying
Networks
Domains

Why Postfix hardening?

Every service that is connected to the internet will sooner or later be abused by automated scripts. For example, an incorrectly configured Postfix might send messages for everyone, instead of just for your own network systems. This type of configuration is called an “open relay” and will quickly get your system listed on multiple blacklists. If it is just a test system, then you are lucky. If your customers depend on it, then you have something to explain.

Another reason for Postfix hardening is the increasing need for privacy. Most of the legacy protocols, SMTP for email delivery included, did not have security or privacy anywhere on the priority list. These protocols may share data with other systems without any form of protection. This may result in unauthorized people snooping on data, from your local IT administrator to possibly the CIA or NSA.

Preparation

Time to get technical and get the configuration tested. Many hardening guides and blogs forget an important part of system hardening: the preparation. So let’s start with that, before making any changes.

Test the existing Postfix configuration

Your current configuration may have errors without you even knowing. So let’s first test for that.

postconf 1> /dev/null

The postconf command can be used to display the Postfix configuration, or to make changes. In this case, we redirect all normal output (stdout) to the digital trash bin (/dev/null). If your configuration has any errors or warnings, they will show up. Guess what, one of our systems actually had a warning. This was discovered when we implemented a related test in our own auditing tool Lynis.



If you get any output, then it is wise to solve these first and restart your Postfix service to see if the error or warning is gone.

Backup your Postfix configuration

It goes without saying, but too often this step is skipped. If you do system hardening, make a backup first. The first backup is to create a copy of the /etc/postfix directory.

tar czf /root/postfix-$(date "+%F").tar.gz /etc/postfix

For later troubleshooting or comparing configurations, it is also wise to use postconf to store a copy of the active configuration. This copy can easily be compared with the diff command.

postconf > /root/postconf-$(date "+%F")

Find your Postfix version

postconf mail_version | awk -F" = " '{print $2}'

An alternative is to use your package manager to find the version of the ‘postfix’ package. For Debian and Ubuntu users, this can be achieved with the dpkg command.

dpkg -l postfix
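The preparation steps above produce dated copies of the configuration. The following shell functions are an added example and not part of the original guide: postfix_snapshot performs the tarball and postconf dump exactly as the guide does by hand, and postconf_changed compares two such dumps parameter by parameter, which is more readable than a raw diff because postconf prints hundreds of lines. The /root paths follow the guide; the helper names, the output format and the dates in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: record the Postfix
# configuration before hardening and compare two postconf dumps afterwards.
# The /root/... paths follow the guide; everything else here is an assumption.

# Save a dated tarball of /etc/postfix plus a plain postconf dump, as the guide
# does by hand, and print the path of the dump for later comparison.
postfix_snapshot() {
    day=$(date "+%F")
    tar czf "/root/postfix-$day.tar.gz" /etc/postfix
    postconf > "/root/postconf-$day"
    echo "/root/postconf-$day"
}

# Print one line per parameter whose value differs between two postconf dumps:
#   parameter: old_value -> new_value
# "(unset)" marks a parameter present in only one dump, "(empty)" an empty value.
# postconf prints "name = value"; the line is split at the first " =" only, so
# values containing spaces or "=" survive intact.
postconf_changed() {
    awk '
        function show(v) { return v == "" ? "(empty)" : v }
        {
            eq   = index($0, " =")
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 3)     # empty when the line ends at "="
        }
        NR == FNR { old[name] = val; next }   # still reading the first dump
        {
            seen[name] = 1
            if (!(name in old))
                printf "%s: (unset) -> %s\n", name, show(val)
            else if (old[name] != val)
                printf "%s: %s -> %s\n", name, show(old[name]), show(val)
        }
        END {
            for (k in old)
                if (!(k in seen)) printf "%s: %s -> (unset)\n", k, show(old[k])
        }
    ' "$1" "$2" | sort
}

# Typical use after a hardening session (placeholder dates):
#   postconf_changed /root/postconf-2019-01-01 /root/postconf-2019-01-02
```

Because the comparison works on the dumps rather than on the live system, it also lets you review on a workstation what a colleague changed, and it keeps the record of each hardening step next to the backup it belongs to.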

Hardening steps

With all the preparations taken, it is time to start with the Postfix hardening steps. Each of the steps will change a particular area within Postfix. Some are to prevent information disclosure, others to enhance stability or increase the privacy of the content being sent.

Basic hardening

Disable VRFY (verify)

The VRFY command is short for ‘verify’. It can be used to check whether an email address is valid on the mail server. While this is great for troubleshooting, it also allows others to make educated guesses about which accounts exist and then possibly deliver spam to them. The VRFY command is normally not needed for delivery between two mail servers.

postconf -e disable_vrfy_command=yes

Note: after changing each item, restart or reload Postfix and monitor Postfix for errors. One way to do this is by keeping a watch on the log file.

Network interfaces (inet_interfaces)

The first setting to check is the interfaces Postfix is listening on. This setting is called inet_interfaces and is by default configured with all. If you just want to relay messages to other systems, like sending outgoing emails, then there is no need to listen on all network interfaces. Configure Postfix to listen only on the local interface. This can be achieved by setting inet_interfaces to loopback-only.

postconf -e inet_interfaces=loopback-only

Test your configuration after restarting Postfix. In this case, we can use the output from netstat or ss.



Important notes:

Some changes need a restart of Postfix. A reload is not enough when changing the inet_interfaces setting.
If you are configuring a system that relays for other systems, then most likely you want to listen on all network interfaces, or just on localhost and the primary network interface where requests come from.

Email relaying

The first rule when putting a mail server up is to avoid being an open relay system. This is a system that accepts email from all systems and forwards them. Spammers will quickly find your host and abuse it to send out their messages.

Networks

Relaying is configured with several parameters. The first one is the mynetworks setting, which typically only includes the network addresses of the local network interface (lo).

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

If you want to extend this list, simply add network segments or individual systems. Specify the related network mask, which is /32 for a single IPv4 address, or /128 for IPv6.

Due to the spaces in this setting, add quotes when using the postconf command.

postconf -e mynetworks="127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"

Domains

The second layer that defines which emails to accept, and therefore relay, is the destination domain. The related setting for this is relay_domains, which specifies for which domains to accept email in the first place.
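The settings covered so far (disable_vrfy_command, inet_interfaces, mynetworks and relay_domains) can be checked from the postconf dump saved during preparation, in the spirit of the Lynis test mentioned earlier. The script below is an added example and not code from the guide or from Lynis: the finding texts, the "risk"/"info" labels and the helper names are my own, and it checks only the four parameters discussed on this page.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a saved postconf dump
# (postconf > file) for the settings this guide discusses. The check list and
# messages are assumptions; they cover only disable_vrfy_command,
# inet_interfaces, mynetworks and relay_domains.

# Print the value of one parameter from a postconf dump (nothing if absent).
postconf_get() {
    awk -v p="$2" 'index($0, p " =") == 1 { print substr($0, length(p) + 4) }' "$1"
}

# Report weak settings as "risk: ..." and things to double-check as "info: ...".
# Returns 0 when no risk was found, 1 otherwise.
audit_postconf_dump() {
    dump=$1
    risks=0

    vrfy=$(postconf_get "$dump" disable_vrfy_command)
    if [ "$vrfy" != "yes" ]; then
        echo "risk: disable_vrfy_command=${vrfy:-(unset)}: VRFY lets clients check which mailboxes exist; set it to yes"
        risks=$((risks + 1))
    fi

    ifaces=$(postconf_get "$dump" inet_interfaces)
    if [ "$ifaces" = "all" ]; then
        echo "risk: inet_interfaces=all: listening on every interface; use loopback-only unless this host relays for others"
        risks=$((risks + 1))
    fi

    # mynetworks entries are separated by spaces and/or commas. Globbing is
    # switched off so that entries like [::1]/128 are not treated as patterns.
    set -f
    for net in $(postconf_get "$dump" mynetworks | tr ',' ' '); do
        case $net in
            0.0.0.0/0|\[::\]/0)
                echo "risk: mynetworks contains $net: every client counts as a trusted network and may relay"
                risks=$((risks + 1)) ;;
            127.*|\[::1\]*|\[::ffff:127.*)
                ;;   # loopback entries are the expected default
            *)
                echo "info: mynetworks contains $net: confirm this network really needs to relay through this host" ;;
        esac
    done
    set +f

    relay=$(postconf_get "$dump" relay_domains)
    if [ -n "$relay" ]; then
        echo "info: relay_domains=$relay: confirm these are the only domains to accept mail for"
    fi

    [ "$risks" -eq 0 ]
}

# Usage: audit_postconf_dump /root/postconf-YYYY-MM-DD
```

Run it against the dump taken before hardening and again afterwards; the second run should print no "risk" lines, and every remaining "info" line should be a network or domain you can explain.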

Test Postfix relaying

You can test whether your configuration is set up correctly by opening a connection to the other system. Telnet to the other system, and run the following commands:

helo yourdomain.com
mail from: your.alias@yourdomain.com
rcpt to: your.personal.mailbox@gmail-or-hotmail.com
data

Replace the addresses and see if you can relay a message to an address outside your own domain. For example, you could use a Gmail or Hotmail address as the receiver.

If things are properly configured to avoid an open relay, you should be getting a relay access denied message.

Relay access denied (in reply to RCPT TO command)
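The manual telnet session above can be scripted so it is repeatable after every configuration change. The functions below are an added example, not part of the original guide: smtp_relay_probe replays the same HELO, MAIL FROM and RCPT TO against your own mail server but stops before DATA, so no message is handed over even if the relay turns out to be open, and relay_denied reads the RCPT TO reply from a saved transcript and reports whether the relay attempt was refused. Host names, addresses, the use of nc (netcat) and the reply codes used in the test transcripts are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: automate the relay test
# against your own mail server and judge the outcome from the transcript.
# Host names and addresses are placeholders; nc (netcat) is assumed to be installed.

# Replay the guide's session non-interactively: HOST PORT HELO_NAME FROM RCPT.
# It deliberately stops after RCPT TO and sends QUIT instead of DATA, so even an
# open relay never receives an actual message from this test. The server replies
# go to stdout; save them to a file for relay_denied below.
smtp_relay_probe() {
    {
        sleep 1; printf 'HELO %s\r\n' "$3"
        sleep 1; printf 'MAIL FROM:<%s>\r\n' "$4"
        sleep 1; printf 'RCPT TO:<%s>\r\n' "$5"
        sleep 1; printf 'QUIT\r\n'
    } | nc -w 5 "$1" "$2"
}

# Print the server's final reply line to RCPT TO. Works on a plain capture of
# server replies (banner, HELO, MAIL FROM, RCPT TO: the fourth reply) and on a
# telnet session where the typed commands are interleaved with the replies.
rcpt_reply() {
    awk '
        tolower($0) ~ /^rcpt to:/ { want = 1; next }
        /^[0-9][0-9][0-9] / {              # last line of a (possibly multi-line) reply
            n++
            if (want || n == 4) { print; exit }
        }
    ' "$1"
}

# Returns 0 when the relay attempt was refused (4xx or 5xx, e.g. Postfix's
# "Relay access denied"), 1 when it was accepted with 2xx, and 2 when the
# transcript holds no RCPT TO reply at all.
relay_denied() {
    reply=$(rcpt_reply "$1")
    case $reply in
        [45]*) echo "relay refused: $reply"; return 0 ;;
        2*)    echo "RELAY ACCEPTED, this host is an open relay: $reply"; return 1 ;;
        *)     echo "no RCPT TO reply found in $1"; return 2 ;;
    esac
}

# Usage (placeholders):
#   smtp_relay_probe mail.yourdomain.com 25 yourdomain.com your.alias@yourdomain.com \
#       your.personal.mailbox@gmail.com > /tmp/relay-test.txt
#   relay_denied /tmp/relay-test.txt
```

A 4xx reply still counts as "not relayed": Postfix answers a relay attempt with either a permanent 5xx rejection or a temporary 4xx deferral depending on how the restriction is configured, and in both cases the message is not accepted. Only a 2xx after RCPT TO to an outside address means the host is relaying.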

Incoming email configuration

Configuration items starting with smtpd refer to the SMTP daemon. This is the daemon that deals with incoming requests.
