Recently I've been thinking that I should have a crack at hardening my server a little.

ISPConfig 3.0.5.3, Debian 6.07, Postfix 2.7.1-1+squeeze1

Firstly Postfix: I have hardened my install using some recommendations found here: http://www.howtoforge.com/hardening-postfix-for-ispconfig-3

I am wondering if I have gone too far in terms of antispam. In an attempt to monitor mail sending and receiving I installed mailgraph. In the 24 hour period since installing mailgraph the stats are as follows:

Sent: 365
Received: 634
Bounced: 1
Viruses: 1
Spam: 54
Rejected: 10170

Rejected seems exceptionally high. I am inclined to believe the numbers as the logs are full of messages like these:

450 4.7.1 Client host rejected: cannot find your hostname
Relay access denied; from=<>
and verification failed: Name or service not known

I am a little worried that I am rejecting mail that could be legitimate and would appreciate it if someone could sanity check my config. I include the relevant parts below.

------------------------------------------- main.cf --------------------------------------------
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_policy_service inet:127.0.0.1:10031
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
smtpd_client_message_rate_limit = 100
owner_request_special = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, reject_unknown_recipient_domain
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
--------------------------------------------

The sections I have made additions to in main.cf are smtpd_recipient_restrictions, smtpd_sender_restrictions, smtpd_client_restrictions, smtpd_helo_required, smtpd_helo_restrictions, strict_rfc821_envelopes, smtpd_recipient_restrictions, smtpd_data_restrictions and smtpd_delay_reject. I have installed postfix-policyd so I can set a quota for sending mail.

The only thing I have postfix-policyd doing is monitoring quotas and enforcing them (not yet using any of the whitelisting/greylisting/blacklisting features). The references to check_policy_service inet:127.0.0.1:10031 are the ones I have added to talk to policyd. As I say, postfix works and I am getting no spam at all; the worry is that I am using policies that are too strict and rejecting legitimate mail into oblivion.

2.) Mod_security

I have installed Apache mod_security, which is merrily blocking injection attempts and writing to a log file: /var/log/apache2/modsec_debug.log. This log file has been steadily filling up for a few days. Does anyone have any suggestions for adding it to logrotate, or will it be done automatically?

Sorry for the long post, just thought I would provide all I could in terms of info.
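Before loosening any restriction it helps to know which one produces the 10170 rejects, and whether they are 4xx temporary failures (which a legitimate sender retries, so one blocked host shows up in the log, and in mailgraph's count, many times) or 5xx permanent ones. The script below is an added example, not part of the thread: it parses postfix/smtpd NOQUEUE reject lines, groups them by normalised reason and response class, and lists clients that keep retrying after a 4xx. The sample log lines are constructed to match the format Postfix uses; on a real box you would pipe /var/log/mail.log into it.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the format postfix/smtpd uses for NOQUEUE rejects.
# They are illustrative, not taken from the poster's server.
SAMPLE_LOG = """\
Jan 12 10:11:12 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Jan 12 10:15:40 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Jan 12 10:20:01 mail postfix/smtpd[1251]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <other@example.com>: Relay access denied; from=<spam@example.com> to=<other@example.com> proto=SMTP helo=<localhost>
Jan 12 10:22:33 mail postfix/smtpd[1260]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.1.8 <x@nxdomain.invalid>: Sender address rejected: Domain not found; from=<x@nxdomain.invalid> to=<user@example.org> proto=ESMTP helo=<bogus>
Jan 12 10:25:00 mail postfix/smtpd[1270]: connect from mail.example.com[192.0.2.50]
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<ecode>\d\.\d+\.\d+) (?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)


def normalise_reason(reason):
    """Strip the per-message address prefix and trailing client IP so that
    rejects caused by the same restriction group together."""
    reason = re.sub(r"^<[^>]*>: ", "", reason)
    reason = re.sub(r", \[[^\]]+\]$", "", reason)
    return reason


def parse_rejects(text):
    """Return one dict per NOQUEUE reject line; other log lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, deliveries, warnings etc. are not rejects
        rec = m.groupdict()
        rec["reason"] = normalise_reason(rec["reason"])
        records.append(rec)
    return records


def summarise(records):
    by_reason = Counter(r["reason"] for r in records)
    by_class = Counter("4xx" if r["code"].startswith("4") else "5xx" for r in records)
    # A 4xx is a temporary failure: a well-behaved MTA retries, and every retry
    # is logged (and counted by mailgraph) as a fresh reject.
    tempfail_hits = defaultdict(int)
    for r in records:
        if r["code"].startswith("4"):
            tempfail_hits[(r["ip"], r["reason"])] += 1
    repeat_clients = sorted({ip for (ip, _), n in tempfail_hits.items() if n > 1})
    return {"by_reason": by_reason, "by_class": by_class,
            "repeat_tempfail_clients": repeat_clients}


if __name__ == "__main__":
    # Read a real log from stdin when one is piped in, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = summarise(parse_rejects(text))
    for reason, n in summary["by_reason"].most_common():
        print(f"{n:6d}  {reason}")
    print("by class:", dict(summary["by_class"]))
    print("clients retrying after a 4xx:", summary["repeat_tempfail_clients"])
```

Run it as `python3 reject_tally.py < /var/log/mail.log`. If most of the count is "Client host rejected: cannot find your hostname" with many repeat clients, the bulk of the 10170 is one restriction (reject_unknown_client_hostname, whose default reply code is 450) hit repeatedly by retrying hosts rather than 10170 distinct messages, which is the number to weigh against the risk of dropping legitimate mail.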
1) The setup you applied is very strict. You can e.g. undo the spf part, as valid senders often don't have an spf record. 2) Logrotate will rotate all files that end with ".log" in /var/log/apache2/ automatically on Debian. See /etc/logrotate.d/apache2 for details.
Hi Till, Thanks for the info. Unless I am slowly going mad I can't find any reference to spf in my config. I don't have postfix-policyd-spf-python or postfix-policyd-spf-perl installed, so can't see the reference to this. In reference to the strict policies I am running, I'm not sure what to undo. The only thing I am a little wary of is reject_unknown_client_hostname, as there is some discussion that this may be causing issues with non-RFC compliant hosts and perhaps I should be using reject_unknown_reverse_client_hostname instead. Any suggestions as to what I could do to reduce the strict policies without opening the server to a world of spam would be great. Many thanks
If you haven't installed the spf part of the guide, then you don't have to remove it. The reject_unknown_client_hostname should be ok in my opinion.
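The difference between the two restrictions discussed above is purely a DNS one, and it is worth seeing it spelled out before deciding which to keep. This is an added example, not code from the thread or from Postfix: it implements the checks as postconf(5) describes them (reject_unknown_reverse_client_hostname fails only when the client IP has no PTR record; reject_unknown_client_hostname also fails when the PTR name does not resolve, or resolves to addresses that do not include the client IP, i.e. no forward-confirmed reverse DNS). The resolver functions are injectable, and the fake resolver tables are constructed so the example runs offline; the function names are my own.

```python
import socket


def _default_reverse(ip):
    """PTR lookup: IP -> hostname, or None when there is no reverse mapping."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _default_forward(name):
    """A/AAAA lookup: hostname -> set of addresses (empty when unresolvable)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def classify_client(ip, reverse_lookup=_default_reverse, forward_lookup=_default_forward):
    """Evaluate both Postfix restrictions for one client IP.

    reject_unknown_reverse_client_hostname: reject only when there is no PTR.
    reject_unknown_client_hostname: additionally reject when the PTR name does
    not resolve back to the client IP (missing forward-confirmed reverse DNS).
    """
    ptr = reverse_lookup(ip)
    if ptr is None:
        return {"ptr": None, "forward": set(),
                "reject_unknown_reverse_client_hostname": True,
                "reject_unknown_client_hostname": True}
    forward = forward_lookup(ptr)
    return {"ptr": ptr, "forward": forward,
            "reject_unknown_reverse_client_hostname": False,
            "reject_unknown_client_hostname": ip not in forward}


# Constructed fake DNS data so the example is deterministic and runs offline.
FAKE_PTR = {
    "192.0.2.50": "mx.example.net",        # PTR and forward agree (FCrDNS ok)
    "192.0.2.60": "host.example.org",      # PTR exists, name does not resolve
    "192.0.2.70": "mismatch.example.org",  # PTR exists, resolves elsewhere
    # 192.0.2.80 deliberately has no PTR at all
}
FAKE_FWD = {
    "mx.example.net": {"192.0.2.50"},
    "mismatch.example.org": {"198.51.100.1"},
}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_FWD.get(name, set())


if __name__ == "__main__":
    for ip in ["192.0.2.50", "192.0.2.60", "192.0.2.70", "192.0.2.80"]:
        print(ip, classify_client(ip, fake_reverse, fake_forward))
```

Calling `classify_client("203.0.113.5")` with the default resolvers runs the real lookups, which is a quick way to check a specific sender's IP from the log against both rules. Only the no-PTR case trips reject_unknown_reverse_client_hostname; the two "PTR exists but does not confirm" cases are exactly the hosts the milder restriction would let through and the stricter one rejects.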