This article is about hardening a Linux Postfix mail server.
We’re discussing a Postfix mail server used as a relay to our company Exchange server.
When the business uses Microsoft Exchange to host the company email, Postfix can easily be the mail filter that blocks spam and virus-infected emails before they reach the company Exchange server. The idea is that Postfix is the inbound mail host, which then forwards mail on to the Exchange server. Exchange can send email out directly to the smart-host (mail relay) of the ISP – it doesn’t have to use the Postfix server for outbound relaying. But that’s up to you. In this article, the Exchange server sends out directly – bypassing the Postfix server.
Here is an extract from a mail server that is doing a great job. The “/etc/postfix/main.cf” file has the following sections:
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dsbl.dnsbl.net.au,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit
And the “/etc/postfix/transport” file looks like this:
example.com     smtp:exchange.local
example2.com    smtp:exchange.local
*               error: We only relay our domains.
Why the “transport” file above? When configuring a mail relay, we want to ensure it can’t be abused, and one way is to make Postfix forward mail only to the servers/domains that we explicitly list. Remember that, as stated at the beginning of this article, this mail server is a mail filter sitting in front of our Exchange server and is not used for outbound mail.
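The following is an added example, not part of the original article or of Postfix itself: a small Python model of how the transport table above is resolved, which can be used to check a table offline before deploying it. It assumes the table contains only `domain`, `.domain` and `*` keys, has no continuation lines, and that `transport_maps` is not listed in `parent_domain_matches_subdomains` (the Postfix default); the function names are hypothetical.

```python
# Added example: simplified model of Postfix transport(5) lookups for domain keys.
# Assumptions: no user@domain keys, no continuation lines, default subdomain matching.
TRANSPORT = """\
example.com     smtp:exchange.local
example2.com    smtp:exchange.local
*               error: We only relay our domains.
"""

def parse_transport(text):
    """Return {pattern: (transport, nexthop)} from transport-table text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        transport, _, nexthop = result.partition(":")
        table[pattern.lower()] = (transport.strip(), nexthop.strip())
    return table

def lookup(table, recipient):
    """Resolve a recipient in transport(5) order for domain keys:
    exact domain, then .parent domains, then the "*" catch-all."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get("*")

def audit(table):
    """Return findings that would let the relay forward mail for other domains."""
    findings = []
    catch_all = table.get("*")
    if catch_all is None:
        findings.append("no '*' entry: unlisted domains use the default transport")
    elif catch_all[0] != "error":
        findings.append("'*' entry forwards mail instead of rejecting it")
    return findings

if __name__ == "__main__":
    table = parse_transport(TRANSPORT)
    for rcpt in ("alice@example.com", "bob@mail.example.com", "eve@elsewhere.test"):
        print(rcpt, "->", lookup(table, rcpt))
    print("findings:", audit(table) or "none")
```

Note that `bob@mail.example.com` resolves to the `error` transport: a bare `example.com` key does not cover subdomains, so a subdomain that should be relayed needs its own entry or a `.example.com` key.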
And given that this email server (Postfix) is doing plenty of spam minimisation, we can be pretty sure that ‘most’ of the email being forwarded is legitimate.
Challenge: Adapt the following to prevent certain attachments from coming in. To get you started, research “mime_header_checks”.