1

Topic: Postfix security tunning.

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CENTOS
- Related log if you're reporting an issue: NONE
====
I set some options to make some improvements in POSTFIX security. Apparently everything is working fine, so I share it hoping that it will be useful!

Complete alternative solution from: https://calomel.org/postfix.html && Postfix Man pages
********************************************** In /etc/postfix/main.cf **********************************************
## reject dangerous and undesirable file types attachments directly from Postfix (Don't waste time, CPU and bandwidth)
header_checks = pcre:/etc/postfix/header_checks.pcre

#### user%domain != user@domain
allow_percent_hack = no

#### user!domain != user@domain
swap_bangpath = no

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Reject codes == 554
access_map_reject_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
plaintext_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

### Limit the info given to outside servers
show_user_unknown_table_name = no

### How long do messages stay in the queue before being sent back to the sender. (in days)
### By default, postfix attempts to resend the message every (1000 secs)x(# attempts)x(days).
bounce_queue_lifetime = 4h
maximal_queue_lifetime = 4h
delay_warning_time = 1h

****************************************************************************************************************************************

********************************************** In /etc/postfix/header_checks.pcre **********************************************
# REJECT specific file attachments extensions
# Notice that some Microsoft Office files with macros and auto executable PowerPoint presentations are blocked (docm|pps[xm]?|xlsm)
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|docm|exe|hlp|ht[at]|inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|ops|pps[xm]?|pptm|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]|xlsm))(\?=)?"?\s*(;|$)/x REJECT (PCRE)Attachment name "$2" has not allowed file extension "(.$4)"

2

Re: Postfix security tunning.

- I'd like to add two in iRedMail: allow_percent_hack=no, swap_bangpath=no. but no more.
- It's not a good idea to block attachments in iRedMail by default, it should be finished by system admin, not iRedMail. So i won't use it in iRedMail.

Thanks very much for your sharing. smile