postfix hardening

Discussion in 'General' started by nhybgtvfr, Aug 7, 2017.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    having finally migrated our email services from an old standalone postfix server, into ispconfig (currently 3.1.3), it's all working, but now i'm looking at hardening the installation a bit more, following this guide:
    before i make any significant changes though, since this involves installing extra packages, and manual editing of postfix files, i just want to check,
    will these changes get wiped out when performing any ispconfig upgrade, reconfigure services, or resync mail services?
    also, for adding reject_rbl_client <rbl host address> to the file, i've seen conflicting tutorials/instructions, some stating it should be added to smtpd_client_restrictions, others stating it should be smtpd_recipient_restrictions.
    so which one is right? or should i just add it to both?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Personally, I won't use this guide. It is too strict and will block legitimate mails. Regarding RBL, RBL's are added in ISPConfig under system > server config.

    If you want to harden your setup:

    1) Choose some RBL that you want to add and add them in ISPConfig.
    2) Configure a spam-filter policy in ISPConfig to suit your needs, e.g. lower the spam tag 2 level and kill level to match the spam scores that you see in your mails.
    3) If you want to further optimize it, install e.g. razor and pyzor and configure it in /etc/spamassassin/ and restart amavis. You can also use external filter sets in SpamAssassin if the default ones are not strict enough for you.
  3. mccharlet

    mccharlet Member HowtoForge Supporter

  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I'll second the suggestion to not follow that guide; it's dated, incomplete for a lot of what you might want to do, and a little too much for some (eg. we've always found reject_unknown_client_hostname causes customer complaints and we still don't use it ... though I'm considering trying again some time). That guide does have some useful pieces though, just understand what you're doing as you evaluate and implement them.

    Postscreen is a great addition to your server (there's better config in the issue tracker for it), and I use RBL's weighted in postscreen, not in smtpd_*_restrictions, they work much better. Also use postwhite to avoid some issues from legit senders.

    Also from that hardening guide, it's good to set up SPF records for your domains, and to use DKIM; you might even set up a DMARC record as a next step. That and the various ways you can improve spamassassin/clamav scanning are not really "postfix" hardening, but are good to do and generally necessary.
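
Added example, not part of the thread and not ISPConfig's or any poster's configuration: a Python model of the weighted DNSBL scoring that postscreen applies to postscreen_dnsbl_sites, to show how it differs from a single reject_rbl_client hit in smtpd_*_restrictions. The site list, weights and threshold are constructed for illustration, and the DNSBL replies are sample data passed in by hand, so nothing is looked up; what postscreen does once the threshold is reached depends on postscreen_dnsbl_action.

```python
import re

# Constructed postscreen_dnsbl_sites value; the weights are assumptions.
DNSBL_SITES = ("zen.spamhaus.org*3, bl.spamcop.net*2, "
               "b.barracudacentral.org=127.0.0.2*2, "
               "list.dnswl.org=127.0.[0..255].[1..3]*-3")
THRESHOLD = 4  # assumed postscreen_dnsbl_threshold


def parse_sites(value):
    """Split 'domain[=filter][*weight]' entries into (domain, filter, weight)."""
    sites = []
    for entry in filter(None, re.split(r"[,\s]+", value)):
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
        if m is None:
            raise ValueError(f"bad entry: {entry!r}")
        domain, flt, weight = m.groups()
        sites.append((domain, flt, int(weight) if weight else 1))  # default weight 1
    return sites


def octet_matches(pattern, octet):
    """Match one octet against 'N' or a '[N;A..B]' list of numbers and ranges."""
    for part in pattern.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False


def reply_matches(flt, reply):
    """No filter means any reply counts; otherwise all four octets must match."""
    if flt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 == len(octets) and all(
        octet_matches(p, o) for p, o in zip(patterns, octets))


def verdict(replies, sites_value=DNSBL_SITES, threshold=THRESHOLD):
    """replies maps DNSBL domain -> list of A-record replies for one client."""
    score = sum(w for d, f, w in parse_sites(sites_value)
                if any(reply_matches(f, r) for r in replies.get(d, [])))
    return score, "reject" if score >= threshold else "pass"


if __name__ == "__main__":
    print(verdict({"bl.spamcop.net": ["127.0.0.2"]}))
    print(verdict({"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"]}))
```

With these constructed weights, a listing on one low-weight list alone does not reach the threshold, and a whitelist entry with a negative weight can pull a doubly listed client back under it.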
