Hi All
After building my new Postfix server I spent days securing it as best I
could. So far it seems to be running fine but I was wondering if someone
would mind having a look at my main.cf file to see if there are any
"holes"/issues in the config. I'm particularly interested to hear what
people think of the TLS sections (I have POODLE in mind here/SSLv3 and
Forward Secrecy). The only bit I left out was the Postscreen bit but if
anyones interested I can post that too.
Here is the config (apologies for the long post):
mynetworks_style = host
home_mailbox = Maildir/
mail_name = mail.domain.com Daemon
smtpd_banner = $mail_name. All Spam Is Reported. ESMTP
biff = no
append_dot_mydomain = no
readme_directory = /usr/local/share/doc/postfix
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
debug_peer_level = 2
inet_protocols = ipv4
smtp_tls_cert_file =
/usr/local/openssl/certs/mail.domain.com.chained.postfix.sha256.crt
smtp_tls_key_file = /usr/local/openssl/certs/mail.domain.com.sha256.key
smtpd_tls_cert_file =
/usr/local/openssl/certs/mail.domain.com.chained.postfix.sha256.crt
smtpd_tls_key_file = /usr/local/openssl/certs/mail.domain.com.sha256.key
smtp_tls_eccert_file =
/usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
smtp_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
smtpd_tls_eccert_file =
/usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
lmtp_tls_mandatory_ciphers = high
tls_high_cipherlist =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256::ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
smtp_tls_ciphers = export
smtpd_tls_ciphers = export
lmtp_tls_ciphers = export
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
bounce_queue_lifetime = 4h
maximal_queue_lifetime = 4h
delay_warning_time = 1h
in_flow_delay = 1s
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
disable_vrfy_command = yes
smtpd_helo_required = yes
allow_percent_hack = no
swap_bangpath = no
smtpd_delay_reject = yes
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2
access_map_reject_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
plaintext_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_client_restrictions = permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_destination,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
permit
smtpd_helo_restrictions = permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
check_policy_service
unix:private/policyd-spf
permit
smtpd_sender_restrictions = permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_unknown_address,
smtpd_etrn_restrictions = permit_sasl_authenticated,
reject
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit
myhostname = mail.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = $myhostname
myorigin = $mydomain
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
message_size_limit = 20000000
recipient_delimiter = +
inet_interfaces = all
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains =
mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps =
mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps =
mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
milter_default_action = accept
smtpd_milters =
unix:/var/run/clamav/clmilter.sock
unix:/var/run/spamass-milter/spamass-milter.sock
unix:/var/milter-greylist/milter-greylist.sock
unix:/var/run/dkim-filter/dkim-filter.sock
--
View this message in context:
http://postfix.1071664.n5.nabble.com/Secure-config-main-cf-tp74536.html
Sent from the Postfix Users mailing list archive at Nabble.com.
