Enterprise Open-Source E-mail System Security in Practice (II): Postfix Security Protection and Spam Prevention

Source: Internet
Author: User

Building a Secure Postfix E-mail Server

Postfix is free software, funded by IBM and developed by Wietse Venema, that gives users a choice of mail server other than Qmail. Postfix was designed to be fast, easy to manage, and as secure as possible. Its architecture is built on semi-resident, cooperating processes, each of which completes a specific task and none of which has any particular parent-child relationship to the others, which protects the system as a whole. Postfix can also be made compatible with the Qmail mail server to suit users' existing habits.

Compared with Qmail, Postfix is most praised for the readability of its configuration files. The primary Postfix configuration file is /etc/postfix/main.cf. Although the file is long, most of it is comments (lines beginning with "#"), and there are not many parameters that you really need to define yourself. To configure Postfix securely, however, certain options must be set carefully.

In main.cf, parameters are set much like variables, and using them involves two parts:

(1) Defining and declaring a variable: for example, definename = good-better-best. The variable name is on the left of the equals sign and its value is on the right.

(2) Referencing a variable: prefix the variable name with "$" to refer to it, for example myname = $definename (equivalent to myname = good-better-best).

Note that you need a space character on both sides of the equals sign. In addition, if a variable has several values, they must be separated by commas "," or spaces " ".

Once you are familiar with defining and referencing variables as described above, the following sections detail how to configure the Postfix server options securely and efficiently.

Set the network interfaces the Postfix service listens on

By default, the inet_interfaces parameter is set to localhost, which means that mail can be sent only on the local mail host itself. If your mail host has more than one network interface and you do not want the Postfix service open on all of them, you can specify by host name which interfaces to open. Typically, however, all interfaces are opened so that mail can be received on any of them, and inet_interfaces is set to "all", as follows:

inet_interfaces = all

Securely set the host names or domain names that can receive mail

The mydestination parameter is important because Postfix accepts a message only if its recipient address matches the value of this parameter. This lets you filter out much of the mail that is not authenticated or authorized, saving storage space on your server and your users' mail-processing time. As a simple example, you can set the parameter as follows:

accept_domain = test.net
mydestination = $accept_domain

This means that as long as the recipient address of a message is X@test.net (where X is a user's mail account name in the test.net domain), Postfix accepts the message. Postfix does not accept any other mail.
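The variable syntax from the earlier section and the mydestination rule above can be checked together offline. The following is an added example, not part of the original article or of Postfix: the function names and the sample text are assumptions, and the recipient check is a simplified model that looks only at mydestination.

```python
import re

# Constructed sample in the page's style; not taken from a real server.
SAMPLE = """\
# domains this host accepts mail for
accept_domain = test.net
mydestination = $accept_domain,
    mail.$accept_domain localhost
"""

def parse_main_cf(text):
    """Return {name: raw value} for main.cf-style text."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # blank line or comment
        if line[0].isspace() and current:     # indented line continues the value
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

_REF = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")

def expand(params, name, _seen=()):
    """Resolve $name, ${name} and $(name) references, detecting loops."""
    if name in _seen:
        raise ValueError("circular reference: " + " -> ".join(_seen + (name,)))
    def sub(match):
        ref = next(g for g in match.groups() if g)
        if ref not in params:                 # not defined in this file: keep as written
            return match.group(0)
        return expand(params, ref, _seen + (name,))
    return _REF.sub(sub, params[name])

def values(params, name):
    """Expanded value split on commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", expand(params, name)) if v]

def is_local_recipient(params, address):
    """Simplified model of the rule above: domain must be in mydestination."""
    domain = address.rpartition("@")[2].lower()
    return domain in [v.lower() for v in values(params, "mydestination")]
```

Running values(parse_main_cf(SAMPLE), "mydestination") shows the list of domains the file resolves to, which is the thing to review before reloading a changed main.cf.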

Securely set the networks that are allowed to forward mail (IP settings)

The mynetworks parameter sets the networks that are trusted to forward (relay) mail through the server. You can set it to the IP address of a trusted host, or to one or more IP subnets that you trust (separated by "," or " ").

For example, you can set mynetworks to 172.168.96.0/24, which means that the mail host forwards only messages sent by clients in the subnet 172.168.96.0/24 and refuses to forward messages from clients in other subnets:

mynetworks = 172.168.96.0/24

Besides mynetworks, another parameter that controls mail forwarding is mynetworks_style, which sets how the networks allowed to forward mail are determined. There are three possible values:

class: Postfix determines the IP network class (A, B, or C) from the IP address of the mail host and opens that entire network segment.

subnet: This is the Postfix default. Postfix determines the network segment to open from the IP address and subnet mask configured on the mail host's network interfaces.

host: Postfix opens forwarding only to the local machine.

Usually you do not need to set mynetworks_style at all; set mynetworks directly. If both parameters are set, the mynetworks setting takes effect.
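How far each mynetworks_style value extends forwarding trust, and how an explicit mynetworks overrides it, is easiest to see by computing the trusted networks for one host. This is an added example, not code from the article or from Postfix: it models only the rules described above for IPv4, and the function names and the host address 172.168.96.10/24 are assumptions.

```python
import ipaddress
import re

# Constructed host address inside the article's example subnet.
IFACES = ["172.168.96.10/24"]

def classful(ip):
    """Class A, B or C network that contains an IPv4 unicast address."""
    first = int(str(ip).split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def trusted_networks(mynetworks, style, interfaces):
    """Networks allowed to forward mail, per the rules in the text.

    mynetworks: value from main.cf, or "" if unset; when set it wins
                over style.
    interfaces: the host's own addresses in CIDR form (assumed input).
    """
    if mynetworks.strip():
        tokens = re.split(r"[,\s]+", mynetworks.strip())
        return [ipaddress.ip_network(t, strict=False) for t in tokens]
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    if style == "host":
        return [ipaddress.ip_network(f"{i.ip}/32") for i in ifaces]
    if style == "subnet":
        return [i.network for i in ifaces]
    if style == "class":
        return [classful(i.ip) for i in ifaces]
    raise ValueError(f"unknown mynetworks_style: {style}")

def may_relay(client, mynetworks, style, interfaces):
    """True if the client address falls inside a trusted network."""
    ip = ipaddress.ip_address(client)
    nets = trusted_networks(mynetworks, style, interfaces)
    return any(ip in net for net in nets)
```

For this host, the class style trusts the whole 172.168.0.0/16 network, 256 times as many addresses as the /24 the host actually sits in, which is why setting mynetworks explicitly is the safer choice.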
