Postfix TLS and Security

Discussion in 'Installation/Configuration' started by Lotek, Jun 25, 2009.

  1. Lotek

    Lotek New Member

    So I'm using Gmail as my email relay with postfix and unfortunately it seems to have opened a large security hole for my server to be used for spam. To alleviate this I decided to use smtp_tls_security_level at the fingerprint level. I added in Gmail's sha1 key and I have no error in the logs, but I can't send mail. I seem to be able to receive it, but not send. Here's the output of my main.cf. (Sorry for the length of it.)

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    
    
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = imalways.scrapping.cc
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    relayhost = [smtp.gmail.com]:587
    mynetworks = 192.168.1.0/24, 127.0.0.0/8 
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain = 
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous 
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_mechanism_filter = digest-md5
    
    smtp_sasl_security_options =
    
    # More security fixes: Disable if they interfere
    smtp_tls_security_level = fingerprint
    smtp_tls_fingerprint_digest = sha1
    smtp_tls_fingerprint_cert_match = AB:BE:5E:B4:93:88:4E:E4:60:C6:EF:F8:EA:D4:B1:55:4B:C9:59:3C
    
    virtual_maps = hash:/etc/postfix/virtusertable
    
    mydestination = /etc/postfix/local-host-names
    
    # Disable DNS Lookups
    disable_dns_lookups = yes
    
    Is it wrong somewhere? Am I doing something that I shouldn't be? I am no postfix guru by any stretch of the imagination, so any harsh, or otherwise, criticisms are welcome. Thanks everyone!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Why do you think that? Have you tested your server with an external mail relay check tool? Postfix setups are secure by default after you installed ISPConfig, so adding smtp_fingerprinting is not needed.
     
  3. Lotek

    Lotek New Member

    Thanks for the response, Till.

    To answer your question, yes, actually I did check it with some standard security software I use to test common vulnerabilities. When I run my scan it turns up that my SMTP is configured as a relay, which I assumed was because I'm using Gmail to relay my mail. Once I enabled the fingerprint setting, however, the issue disappeared. I'm gathering that it's because it was not able to escalate privileges because there was that security enabled.

    So do you have any suggestions?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    How did you test? I guess you tested from the local server, which explains the wrong result. A mailserver always allows relaying from localhost, otherwise local shell and web scripts would not work. This does not mean that any third party can relay emails through your server. Better use this for testing:

    http://www.abuse.net/relay.html
     
    Last edited: Jun 25, 2009
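
The distinction drawn in the reply above (relaying from localhost and mynetworks is allowed, third-party relaying is not), shown as an added example that is not part of the original thread and is not Postfix code. It is a simplified model of how the `smtpd_recipient_restrictions` line in the posted main.cf is evaluated; the client addresses and recipients are constructed, and the local domain is an assumption because the contents of /etc/postfix/local-host-names are not shown.

```python
# Simplified model (added example) of first-match evaluation of the
# smtpd_recipient_restrictions line from the main.cf posted in this thread.
import ipaddress

# mynetworks, copied from the posted main.cf
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]
# Assumption: /etc/postfix/local-host-names is not shown in the thread, so
# the posted myhostname stands in for the mydestination domains.
LOCAL_DOMAINS = {"imalways.scrapping.cc"}
RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks",
                "reject_unauth_destination"]


def decide(client_ip, rcpt, sasl_authenticated=False):
    """Return (action, rule) for one RCPT TO; the first matching rule wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in RESTRICTIONS:
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", rule)
        if rule == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return ("permit", rule)
        # Real Postfix also accepts relay_domains here; omitted in this model.
        if rule == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return ("reject", rule)
    return ("permit", "end of list")  # nothing rejected: mail for a local domain


def is_open_relay(probe_ip="203.0.113.9", probe_rcpt="someone@example.org"):
    """True if an unauthenticated outside client can reach an outside domain."""
    return decide(probe_ip, probe_rcpt)[0] == "permit"


if __name__ == "__main__":
    # Constructed test cases: (client IP, recipient, SASL authenticated?)
    cases = [
        ("127.0.0.1", "someone@example.org", False),       # scan run on the server
        ("192.168.1.50", "someone@example.org", False),    # LAN client
        ("203.0.113.9", "someone@example.org", False),     # outside third party
        ("203.0.113.9", "user@imalways.scrapping.cc", False),  # inbound mail
        ("203.0.113.9", "someone@example.org", True),      # authenticated user
    ]
    for ip, rcpt, auth in cases:
        print(f"{ip:<14} -> {rcpt:<28} auth={auth!s:<5} {decide(ip, rcpt, auth)}")
    print("open relay:", is_open_relay())
```

A relay test only says something about third-party abuse when the probing address falls outside `mynetworks` and the session is unauthenticated; the first two cases above are permitted by design.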
  5. Lotek

    Lotek New Member

    I actually tested from an outside machine to the outside IP address and received the results. When I tested from inside my network it did not return that it was running as a relay.

    However, after running your test it appears that it is not acting as a relay. I'll have to find another way to test it to totally confirm that either test is correct now that I have two different results, but I'm glad you helped to shed a bit of light onto the subject.

    Thanks again Till!
     
