Postfix Hardening
Make sure the Postfix is running with non-root account:
root@SysAdmin-Desktop:~#ps aux | grep postfix | grep -v '^root'
Change permissions and ownership on the destinations below:
root@SysAdmin-Desktop:~#chmod 755 /etc/postfix
root@SysAdmin-Desktop:~#chmod 644 /etc/postfix/*.cf
root@SysAdmin-Desktop:~#chmod 755 /etc/postfix/postfix-script*
root@SysAdmin-Desktop:~#chmod 755 /var/spool/postfix
root@SysAdmin-Desktop:~#chown root:root /var/log/mail*
root@SysAdmin-Desktop:~#chmod 600 /var/log/mail*
Edit file /etc/postfix/main.cf and add if necessary check & make the following changes:Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
myhostname = myserver.example.com
Configure network interface addresses that the Postfix service should listen on, for example:
inet_interfaces = 192.168.1.1
Configure Trusted Networks, for example:
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
myorigin = example.com
Configure the SMTP domain destination, for example:
mydomain = example.com
Configure to which SMTP domains to relay messages to, for example:
relay_domains = example.com
Configure SMTP Greeting Banner:
smtpd_banner = $myhostname
Limit Denial of Service Attacks:
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
Restart the Postfix daemon:
service postfix restart
Make sure the Postfix is running with non-root account:
root@SysAdmin-Desktop:~#ps aux | grep postfix | grep -v '^root'
Change permissions and ownership on the destinations below:
root@SysAdmin-Desktop:~#chmod 755 /etc/postfix
root@SysAdmin-Desktop:~#chmod 644 /etc/postfix/*.cf
root@SysAdmin-Desktop:~#chmod 755 /etc/postfix/postfix-script*
root@SysAdmin-Desktop:~#chmod 755 /var/spool/postfix
root@SysAdmin-Desktop:~#chown root:root /var/log/mail*
root@SysAdmin-Desktop:~#chmod 600 /var/log/mail*
Edit file /etc/postfix/main.cf and add if necessary check & make the following changes:Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
myhostname = myserver.example.com
Configure network interface addresses that the Postfix service should listen on, for example:
inet_interfaces = 192.168.1.1
Configure Trusted Networks, for example:
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
myorigin = example.com
Configure the SMTP domain destination, for example:
mydomain = example.com
Configure to which SMTP domains to relay messages to, for example:
relay_domains = example.com
Configure SMTP Greeting Banner:
smtpd_banner = $myhostname
Limit Denial of Service Attacks:
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
Restart the Postfix daemon:
service postfix restart
No comments:
Post a Comment