Use the forwarding server to enhance the security of the Postfix Mail Server

Source: Internet
Author: User
Tags openssl x509 vps

Use the forwarding server to enhance the security of the Postfix Mail Server

After you start and run the application server, you need a good mail server to deliver the mail for you. I have activated the Postfix mail service for all my servers. below is my common configuration.

Install Postfix on CentOS 6
  1. Yum install postfix

Sendmail is installed by default, so it is best to stop and remove it.

  1. Service sendmail stop
  2. Yum remove sendmail

Postfix contains two configuration files: main. cf and master. cf. for basic configuration, You need to modify main. cf. At the same time, postfix can define parameters like shell variables and call them through $. These parameters do not need to be defined before they are used. Postfix queries a parameter only when it is required during running.

Configure postfix
  1. Vim/etc/postfix/main. cf

Remove comments from the following line

  1. # Your host name
  2. Myhostname =
  4. # Your sending domain
  5. Myorigin = $ myhostname
  7. # Specify the network interface used to receive emails. the localhost is specified here because it is only used to receive delivery from local programs.
  8. Inet_interfaces = localhost
  10. # Use "all" to add IPv6 support for the specified Protocol
  11. Inet_protocols = ipv4
  14. # Specify the accepted email domain
  15. Mydestination = $ myhostname, localhost. $ mydomain, localhost
  17. # Only forward emails from the local host, not the network of the host
  18. Mynetworks_style = host

Start postfix

  1. Service postfix start

These basic postfix configurations allow your machine to send emails. You can verify by sending emails and checking the "maillog" log file.

  1. Echo test mail | mail-s "test" & sudo tail-f/var/log/maillog
  3. # Output logs are similar to the following:
  4. Aug2514: 16: 21 vps postfix/smtp [32622]: E6A372DC065D: to =, relay = [], delay = 0.8, delays = 0.1/0/0.43/0.27, dsn = 2.0.0, status = sent (250 Great success)
  5. Aug2514: 16: 21 vps postfix/qmgr [5355]: E6A372DC065D: removed

However, the above configuration is not enough, because the mail service is mostly spam, and you need to add SPF, PTR, and DKIM records. Even so, your email may still be shipped as a spam because your IP address is blacklisted, most of the time because your vps has been intruded.

Another option is to use the mail service provided by a third-party mail provider, such as Gmail or even Mailgun. I use Mailgun because they provide 10000 free emails per month, while Gmail provides about 100 emails per day.

In "/etc/postfix/main. in cf, you need to add "" as your "forwarding host" and enable "SASL" verification, so that the postfix can be connected and verified to the remote Mailgun server.

Add or remove comments for the following rows.

  1. Relayhost = []
  2. Smtp_sasl_auth_enable = yes
  3. Smtp_sasl_password_maps = static: your_username: your_password
  4. Smtp_sasl_security_options = noanonymous

Postfix itself does not implement "SASL" verification, so you need to install "cyrus-sasl-plain ".

  1. Sudo yum install cyrus-sasl-plain

If you do not install this package, you will receive the error message "SASL authentication failed; cannot authenticate to server []: no mechanic available )"

Restart postfix

  1. Sudo service postfix restart
Use TLS to reinforce Postfix Security

Postfix supports TLS, which is the successor of SSL and allows you to encrypt data using key-based authentication. I recommend you read the to learn how TLS works with postfix.

To use TLS, You need to generate a private key and a certificate issued by the certificate authority. In this example, I will use a self-issued certificate.

  1. Sudo yum install mod_ssl openssl
  2. # Generating a private key
  3. Openssl genrsa-out smtp. key 2048
  5. # Generate a CSR
  6. Openssl req-new-key smtp. key-out smtp. csr
  8. # Generate a self-Signed key
  9. Openssl x509-req-days 365-in smtp. csr-signkey smtp. key-out smtp. crt
  11. # Copy the file to the correct location
  12. Cp smtp. crt/etc/pki/tls/certs
  13. Cp smtp. key/etc/pki/tls/private/smtp. key
  14. Cp smtp. csr/etc/pki/tls/private/smtp. csr

Open the postfix configuration file and add the following parameters.

  1. Sudo vim/etc/postfix/main. cf
  3. Smtp_tls_security_level = may
  4. Smtpd_tls_security_level = may
  5. Smtp_tls_note_starttls_offer = yes
  7. Smtpd_tls_key_file =/etc/pki/tls/private/smtp. key
  8. Smtpd_tls_cert_file =/etc/pki/tls/certs
  9. Smtp_tls_CAfile =/etc/ssl/certs/ca. crt
  10. Smtp_tls_loglevel = 1

The security level "may" indicates the support for STARTTLS on the remote SMTP client, but the client does not need to use encryption. Here, I follow the message "may" in the mailgun document, but if you want to force TLS encryption, you can use "encrypt ".

  1. Service postfix restart
  2. # Send a test email
  3. Echo test mail | mail-s "test" & sudo tail-f/var/log/maillog

You should see the following information

  1. Aug2100: 00: 06 vps postfix/smtp [4997]: setting up TLS connection to []: 587
  2. Aug2100: 00: 06 vps postfix/smtp [4997]: Trusted TLS connection established to []: 587: TLSv1.2with cipher AES256-GCM-SHA384 (256/256 bits)

If everything works, you can comment out the following parameters.

"Smtp_tls_loglevel = 1"

For troubleshooting, I recommend that you read the Postfix tips and troubleshooting commands.

Install and configure the Postfix email service in CentOS 6.4

Install the mail server Postfix in CentOS 5.5

Build a Postfix email server for Red Hat Enterprise Linux 5.4

Postfix (authentication) for secure email servers in Linux)

20 questions about Postfix

Postfix details: click here
Postfix: click here

This article permanently updates the link address:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.