Saturday, 6 September 2014

Postfix Hardening

Make sure Postfix is running under a non-root account:
    root@SysAdmin-Desktop:~# ps aux | grep postfix | grep -v '^root'

Change permissions and ownership on the destinations below:
    root@SysAdmin-Desktop:~# chmod 755 /etc/postfix
    root@SysAdmin-Desktop:~# chmod 644 /etc/postfix/*.cf
    root@SysAdmin-Desktop:~# chmod 755 /etc/postfix/postfix-script*
    root@SysAdmin-Desktop:~# chmod 755 /var/spool/postfix
    root@SysAdmin-Desktop:~# chown root:root /var/log/mail*
    root@SysAdmin-Desktop:~# chmod 600 /var/log/mail*

Edit the file /etc/postfix/ and check the following settings, adding them if necessary.

Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
        myhostname =

Configure network interface addresses that the Postfix service should listen on, for example:
        inet_interfaces =

Configure Trusted Networks, for example:
        mynetworks =,,

Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
        myorigin =

Configure the SMTP domain destination, for example:
        mydomain =

Configure which SMTP domains to relay messages to, for example:
        relay_domains =

Configure SMTP Greeting Banner:
        smtpd_banner = $myhostname

Limit Denial of Service Attacks:
        default_process_limit = 100
        smtpd_client_connection_count_limit = 10
        smtpd_client_connection_rate_limit = 30
        queue_minfree = 20971520
        header_size_limit = 51200
        message_size_limit = 10485760
        smtpd_recipient_limit = 100

Restart the Postfix daemon:
    service postfix restart
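
An added example, not part of the original post: a shell function that compares a Postfix configuration file with the limits listed under "Limit Denial of Service Attacks", so drift from those values can be spotted after later edits. The function name `audit_limits`, the temporary file and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a main.cf-style file with the limits listed on this page.
EXPECTED='default_process_limit=100
smtpd_client_connection_count_limit=10
smtpd_client_connection_rate_limit=30
queue_minfree=20971520
header_size_limit=51200
message_size_limit=10485760
smtpd_recipient_limit=100'

# audit_limits FILE: print one line per missing or differing parameter.
# Returns 0 when every limit matches, 1 otherwise.
audit_limits() {
    printf '%s\n' "$EXPECTED" | awk -F= -v cf="$1" '
        BEGIN {
            while ((getline line < cf) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue        # comment or blank line
                if (line ~ /^[ \t]/) {                      # continuation of previous line
                    gsub(/^[ \t]+|[ \t]+$/, "", line)
                    if (cur != "") val[cur] = (val[cur] == "" ? line : val[cur] " " line)
                    continue
                }
                eq = index(line, "=")
                if (eq == 0) { cur = ""; continue }
                cur = substr(line, 1, eq - 1); gsub(/[ \t]/, "", cur)
                v = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                val[cur] = v                                # a later assignment overrides an earlier one
            }
        }
        !($1 in val)   { print "MISSING " $1 " (want " $2 ")"; bad = 1; next }
        val[$1] != $2  { print "DIFFERS " $1 " = " val[$1] " (want " $2 ")"; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample (not from the page): one raised limit, one parameter absent,
# and message_size_limit set twice with the final value on a continuation line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed test configuration
default_process_limit = 100
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10240000
message_size_limit =
    10485760
EOF
audit_limits "$sample" || echo "limits differ from the values above"
```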

