Build a secure Postfix email service in Linux

Source: Internet
Author: User

Postfix is free software funded by IBM and developed by Wietse Venema. It aims to give users a choice of mail server other than Qmail. Postfix was designed with speed, ease of management and as much security as possible in mind. It is built as a set of semi-resident, cooperating processes: each process carries out one specific task and no process is spawned by or trusts another, so the system as a whole is well protected. At the same time, Postfix maintains compatibility with the Qmail mail server to suit users' existing habits.
Compared with Qmail, the most commendable feature of Postfix is that its configuration file is highly readable. The main configuration file is /etc/postfix/main.cf. Although the file is long, most of it is comments (lines starting with "#"), and only a few parameters need to be customized. To configure Postfix securely, however, you still need to set certain options carefully.
Postfix configuration file
In the main.cf file, parameters are set much like variables. Their use involves two parts:
(1) Defining a variable: for example, definename = good-better-best. The left side of the equals sign is the variable name and the right side is its value.
(2) Referencing a variable: prefix the name with the symbol "$", for example myname = $definename (equivalent to myname = good-better-best).
Note that there must be space characters on both sides of the equals sign. In addition, if a variable has two or more values, they must be separated by commas (,) or space characters.
Once you are familiar with how variables are defined and referenced, the following sections describe how to configure the Postfix server's options safely and efficiently.
Set the network interface on which the Postfix service listens
By default, the inet_interfaces parameter is set to localhost, which means mail can only be exchanged on the local mail host. If the mail host has several network interfaces and you do not want Postfix to listen on all of them, you can name the interfaces to be opened by host name. Usually, however, all interfaces are opened so that mail is received on any of them, in which case inet_interfaces is set to "all", as shown below:
inet_interfaces = all
Set the host or domain names that can receive mail
The mydestination parameter is very important because Postfix accepts an email only when the recipient address matches the value of this parameter. With this option you can filter out many unauthenticated and unauthorized emails, saving server storage space and mail processing time. For example, you can set the parameter as follows:
accept_domain = test.net
mydestination = $accept_domain
This means Postfix accepts mail only when the recipient address is of the form X@test.net (where X is the account name of a user in the test.net domain); other mail is not accepted by Postfix.
Security settings: networks (IP ranges) allowed to relay mail
You can use the mynetworks parameter to set the networks from which mail may be relayed. You can set this parameter to the IP address of a trusted host, a trusted IP subnet, or several IP subnets (separated by commas).
For example, if you set mynetworks to 172.16.96.0/24, this mail host relays only mail sent from clients in the 172.16.96.0/24 subnet and rejects relay requests from other subnets:
mynetworks = 172.16.96.0/24
In addition to the mynetworks parameter, the mynetworks_style parameter is also used to control mail relaying. It sets how the trusted network is determined. There are three modes:
(1) class: Postfix works out the IP network class (class A, B or C) of the mail host from its IP address and opens the corresponding network segment.
(2) subnet: this is the Postfix default. Postfix works out the network segment to open from the IP address and subnet mask configured on the mail host's network interface.
(3) host: in this mode, Postfix trusts only the local host.
Generally you do not need to set mynetworks_style; set the mynetworks parameter directly instead. If both parameters are set, the mynetworks setting is the one that applies.
The mynetworks parameter described above is matched against the IP address of the mail source, whereas the relay_domains parameter is matched against the domain or host name of the mail source; in principle, relay_domains therefore depends on the DNS infrastructure.
For example, if you set relay_domains to test.net, any mail sent from the domain test.net is considered trusted and Postfix relays it automatically, as shown below:
relay_domains = test.net
To relay mail in a real network, you must also configure DNS. Define a primary zone test.net on the network's DNS server and add the following records to the zone configuration file:
; Define the IP address of the mail server
patterson.test.net.   IN  A      172.16.96.254
; Define the mail server alias
mail.test.net.        IN  CNAME  patterson.test.net.
; Define the mail exchanger and its priority
test.net.             IN  MX 10  mail.test.net.
The records above define only the mail server; definitions such as the SOA and NS records are not covered here.
Postfix uses SMTP authentication to avoid unrestricted relaying
By default, Postfix does not relay for external users, only for the local host. In practice, however, you must set the mynetworks and relay_domains parameters in the main configuration file to open some trusted network segments or domains; otherwise the mail server is of almost no use. Once these trusted network blocks or domains are opened, you can set up SMTP authentication so that a client requesting relaying must prove its identity (user account name and password). Only after that verification passes does Postfix accept the user's mail and relay it. The SMTP authentication mechanism commonly used with Postfix is implemented through the Cyrus SASL package.
By default, SMTP authentication is not enabled in Postfix. To enable it, you must edit the main configuration file /etc/postfix/main.cf and add the following SMTP authentication settings:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = ''
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous
The meaning of each option is as follows:
(1) smtpd_sasl_auth_enable: specifies whether SASL is used as the SMTP authentication method. It is disabled by default; set it to yes here.
(2) smtpd_sasl_local_domain: when Cyrus SASL is used for authentication, no value is needed here.
(3) smtpd_recipient_restrictions: filters mail sent from the client by recipient address. The following restrictions are commonly used:
permit_mynetworks: mail may be relayed as long as the recipient address is located in the network segment specified by the mynetworks parameter.
permit_sasl_authenticated: allows relaying of mail from SASL-authenticated clients.
reject_unauth_destination: rejects mail whose destination is not a trusted address.
(4) broken_sasl_auth_clients: specifies whether to accept non-standard SMTP authentication. Some Microsoft SMTP clients use a non-standard SMTP authentication dialogue; setting this parameter to yes resolves that incompatibility.
(5) smtpd_client_restrictions: restricts which clients may initiate SMTP connections to Postfix. To prohibit unauthenticated clients from connecting, set this parameter to permit_sasl_authenticated.
(6) smtpd_sasl_security_options: restricts certain login methods. When set to noanonymous, anonymous login is prohibited.
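As an added example (not part of the article), the following Python applies the variable-definition and reference rules from the main.cf section above and then checks the relay and SASL settings described in this section; the sample configuration it parses is constructed from the article's fragments:

```python
import re

# Constructed sample main.cf modelled on this article's fragments (not a real server's config).
SAMPLE_MAIN_CF = """# comments are ignored
accept_domain = test.net
mydestination = $accept_domain, localhost
mynetworks = 172.16.96.0/24
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
"""

def parse_main_cf(text):
    """Return {name: raw value}; '#' lines are skipped and an indented line continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:   # continuation line
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def resolve(params, name, depth=0):
    """Expand $var / ${var} references recursively; undefined names expand to ''."""
    if depth > 10:
        raise ValueError("reference loop while expanding " + name)
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: resolve(params, m.group(1), depth + 1), params.get(name, ""))

def values(params, name):
    """Split a resolved value on commas and/or whitespace, as the article describes."""
    return [v for v in re.split(r"[,\s]+", resolve(params, name)) if v]

def relay_findings(params):
    """Flag settings that would let this host relay for unauthenticated clients."""
    findings = []
    if resolve(params, "smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes'")
    if "reject_unauth_destination" not in values(params, "smtpd_recipient_restrictions"):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    if any(n in ("0.0.0.0/0", "0.0.0.0/0.0.0.0") for n in values(params, "mynetworks")):
        findings.append("mynetworks trusts every IPv4 address")
    if "noanonymous" not in values(params, "smtpd_sasl_security_options"):
        findings.append("smtpd_sasl_security_options does not forbid anonymous logins")
    return findings
```

Run relay_findings(parse_main_cf(open("/etc/postfix/main.cf").read())) on a copy of a real main.cf to see which of the article's protections are missing; an empty list means all four checks passed.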
After completing the preceding settings, run /etc/init.d/postfix reload to reload the configuration file, or /etc/init.d/postfix restart to restart the Postfix service, so that the configuration takes effect. Which of the two commands applies depends on the Linux distribution.
In addition, when Postfix requires SMTP authentication, it reads /usr/lib/sasl2/smtpd.conf to determine the authentication method to use. Therefore, if you want the saslauthd daemon to perform password authentication, make sure that /usr/lib/sasl2/smtpd.conf contains:
pwcheck_method: saslauthd