Chapter 10. Securing the Postfix service
Postfix is a mail transfer agent (MTA) that uses the Simple Mail Transfer Protocol (SMTP) to deliver electronic messages between other MTAs and to email clients or delivery agents. Although MTAs can encrypt traffic between one another, they might not do so by default. You can also mitigate risks to various attacks by changing setting to more secure values.
10.1. Reducing Postfix network-related security risks
To reduce the risk of attackers invading your system through the network, perform as many of the following tasks as possible.
Do not share the
/var/spool/postfix/mail spool directory on a Network File System (NFS) shared volume. NFSv2 and NFSv3 do not maintain control over user and group IDs. Therefore, if two or more users have the same UID, they can receive and read each other’s mail, which is a security risk.NoteThis rule does not apply to NFSv4 using Kerberos, because the
SECRPC_GSSkernel module does not use UID-based authentication. However, to reduce the security risks, you should not put the mail spool directory on NFS shared volumes.-
To reduce the probability of Postfix server exploits, mail users must access the Postfix server using an email program. Do not allow shell accounts on the mail server, and set all user shells in the
/etc/passwdfile to/sbin/nologin(with the possible exception of therootuser). -
To protect Postfix from a network attack, it is set up to only listen to the local loopback address by default. You can verify this by viewing the
inet_interfaces = localhostline in the/etc/postfix/main.cffile. This ensures that Postfix only accepts mail messages (such ascronjob reports) from the local system and not from the network. This is the default setting and protects Postfix from a network attack. To remove the localhost restriction and allow Postfix to listen on all interfaces, set theinet_interfacesparameter toallin/etc/postfix/main.cf.
10.2. Postfix configuration options for limiting DoS attacks
An attacker can flood the server with traffic, or send information that triggers a crash, causing a denial of service (DoS) attack. You can configure your system to reduce the risk of such attacks by setting limits in the /etc/postfix/main.cf file. You can change the value of the existing directives or you can add new directives with custom values in the <directive> = <value> format.
Use the following list of directives for limiting a DoS attack:
- smtpd_client_connection_rate_limit
-
This directive limits the maximum number of connection attempts any client can make to this service per time unit. The default value is
0, which means a client can make as many connections per time unit as Postfix can accept. By default, the directive excludes clients in trusted networks. - anvil_rate_time_unit
-
This directive is a time unit to calculate the rate limit. The default value is
60seconds. - smtpd_client_event_limit_exceptions
- This directive excludes clients from the connection and rate limit commands. By default, the directive excludes clients in trusted networks.
- smtpd_client_message_rate_limit
- This directive defines the maximum number of message deliveries from client to request per time unit (regardless of whether or not Postfix actually accepts those messages).
- default_process_limit
-
This directive defines the default maximum number of Postfix child processes that provide a given service. You can ignore this rule for specific services in the
master.cffile. By default, the value is100. - queue_minfree
-
This directive defines the minimum amount of free space required to receive mail in the queue file system. The directive is currently used by the Postfix SMTP server to decide if it accepts any mail at all. By default, the Postfix SMTP server rejects
MAIL FROMcommands when the amount of free space is less than 1.5 times themessage_size_limit. To specify a higher minimum free space limit, specify aqueue_minfreevalue that is at least 1.5 times themessage_size_limit. By default, thequeue_minfreevalue is0. - header_size_limit
-
This directive defines the maximum amount of memory in bytes for storing a message header. If a header is large, it discards the excess header. By default, the value is
102400bytes. - message_size_limit
-
This directive defines the maximum size of a message including the envelope information in bytes. By default, the value is
10240000bytes.
10.3. Configuring Postfix to use SASL
Postfix supports Simple Authentication and Security Layer (SASL) based SMTP Authentication (AUTH). SMTP AUTH is an extension of the Simple Mail Transfer Protocol. Currently, the Postfix SMTP server supports the SASL implementations in the following ways:
- Dovecot SASL
- The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a UNIX-domain socket or a TCP socket. Use this method if Postfix and Dovecot applications are running on separate machines.
- Cyrus SASL
- When enabled, SMTP clients must authenticate with the SMTP server using an authentication method supported and accepted by both the server and the client.
Prerequisites
-
The
dovecotpackage is installed on the system
Procedure
Set up Dovecot:
Include the following lines in the
/etc/dovecot/conf.d/10-master.conffile:service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } }The previous example uses UNIX-domain sockets for communication between Postfix and Dovecot. The example also assumes default Postfix SMTP server settings, which include the mail queue located in the
/var/spool/postfix/directory, and the application running under thepostfixuser and group.Optional: Set up Dovecot to listen for Postfix authentication requests through TCP:
service auth { inet_listener { port = port-number } }Specify the method that the email client uses to authenticate with Dovecot by editing the
auth_mechanismsparameter in/etc/dovecot/conf.d/10-auth.conffile:auth_mechanisms = plain login
The
auth_mechanismsparameter supports different plaintext and non-plaintext authentication methods.
Set up Postfix by modifying the
/etc/postfix/main.cffile:Enable SMTP Authentication on the Postfix SMTP server:
smtpd_sasl_auth_enable = yes
Enable the use of Dovecot SASL implementation for SMTP Authentication:
smtpd_sasl_type = dovecot
Provide the authentication path relative to the Postfix queue directory. Note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in
chrootor not:smtpd_sasl_path = private/auth
This step uses UNIX-domain sockets for communication between Postfix and Dovecot.
To configure Postfix to look for Dovecot on a different machine in case you use TCP sockets for communication, use configuration values similar to the following:
smtpd_sasl_path = inet: ip-address : port-number
In the previous example, replace the ip-address with the IP address of the Dovecot machine and port-number with the port number specified in Dovecot’s
/etc/dovecot/conf.d/10-master.conffile.Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note that you can specify different mechanisms for encrypted and unencrypted sessions.
smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
The previous directives specify that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted user names or passwords are allowed. For encrypted sessions that use TLS, only non-anonymous authentication mechanisms are allowed.
