As a side note: this is just one part of my
main thread, which is dedicated to securing Debian!
This Postfix configuration should be pretty easy to read. Well, you need Postfix 2.x for it to work properly (RBL checks). You can get a backport at [URL=http://people.debian.org/~nobse/]this page[/URL]. I've chosen Postfix 2 for its improvements to LMTP (which will be required on one server), and this is a base image for all servers. You can easily implement features like SMTP AUTH, SSL, etc. on top of this configuration:
Code:
----------------------------------------------------------------------
configured postfix
----------------------------------------------------------------------
created /etc/postfix/main.cf:
# ====================================================================
# base configuration
# --------------------------------------------------------------------
alias_database = hash:/etc/aliases
alias_maps = $alias_database
allow_percent_hack = no
append_dot_mydomain = no
biff = no
#canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
inet_interfaces = 127.0.0.1
myhostname = debian.markus-welsch.de
program_directory = /usr/lib/postfix
queue_minfree = 26214400
setgid_group = postdrop
#tls_daemon_random_source = dev:/dev/urandom
#tls_random_source = dev:/dev/urandom
# ====================================================================
# ====================================================================
# smtp outgoing
# --------------------------------------------------------------------
delay_warning_time = 24h
#relayhost = [example.relayhost.net]
#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/smtpauth_password
#smtp_sasl_security_options = noanonymous
#smtp_tls_CAfile = /etc/postfix/ssl/
#smtp_tls_cert_file = /etc/postfix/ssl/
#smtp_tls_key_file = /etc/postfix/ssl/
#smtp_tls_per_site = hash:/etc/postfix/tls_sites
#smtp_use_tls = yes
#transport_maps = hash:/etc/postfix/transport
# ====================================================================
# ====================================================================
# smtp incoming
# --------------------------------------------------------------------
#broken_sasl_auth_clients = yes
disable_vrfy_command = yes
local_recipient_maps = $alias_maps,unix:passwd.byname
mydestination = $myhostname
mynetworks = 127.0.0.0/8
#permit_mx_backup_networks = hash:/etc/postfix/mx_backup_networks
#relay_clientcerts = hash:/etc/postfix/relay_clientcerts
#relay_domains = hash:/etc/postfix/relay_domains
#relay_recipient_maps = hash:/etc/postfix/relay_recipient
#relocated_maps = hash:/etc/postfix/relocated
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
# permit_mx_backup,
# permit_sasl_authenticated,
# permit_tls_clientcerts,
    reject_unauth_destination,
# reject_sender_login_mismatch,
# check_recipient_maps,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
# reject_rbl_client list.dsbl.org,
# reject_rbl_client proxies.blackholes.wirehub.net,
# reject_rbl_client proxies.relays.monkeys.com,
# reject_rbl_client relays.ordb.org,
    permit
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_local_domain = $myhostname
#smtpd_sasl_security_options = noanonymous
#smtpd_sender_login_maps = hash:/etc/postfix/sender_login
#smtpd_tls_CAfile = /etc/postfix/ssl/
#smtpd_tls_cert_file = /etc/postfix/ssl/
#smtpd_tls_key_file = /etc/postfix/ssl/
#smtpd_use_tls = yes
swap_bangpath = no
#virtual_maps = /etc/postfix/virtual
# ====================================================================
adjusted /etc/postfix/master.cf:
commented out following line:
qmgr fifo n - - 300 1 qmgr
and uncommented following line:
qmgr fifo n - - 300 1 nqmgr
this will be a huge performance increase in case the
server comes under heavy mail load. It doesn't affect the
performance under normal load!
----------------------------------------------------------------------
----------------------------------------------------------------------
disabled sync of postfix chroot files [ /etc/default/postfix ]
----------------------------------------------------------------------
# synchronization disabled due to filesystem modifications
SYNC_CHROOT="n"
----------------------------------------------------------------------
----------------------------------------------------------------------
fixed postfix init script [ /etc/init.d/postfix ]
----------------------------------------------------------------------
replaced
if [ -n "$NEED_CHROOT" -a -n "$SYNC_CHROOT" ]; then
with
if [ "$NEED_CHROOT" = "y" -a "$SYNC_CHROOT" = "y" ]; then
this stops syncing the chroot area EVERY TIME the daemon is
restarted (produces filesystem changes and AIDE reports those)
----------------------------------------------------------------------
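As an added example (not from the original post), here is a small Python checker that parses a main.cf the way Postfix reads it (column-0 `#` lines are skipped even inside a multi-line value, whitespace-indented lines continue the previous logical line) and flags the anti-relay and anti-harvesting settings used above. The MAIN_CF excerpt and the audit rules are my own constructions, not part of Postfix.

```python
import re

# Constructed excerpt in the style of the main.cf above (not the full file).
MAIN_CF = """\
inet_interfaces = 127.0.0.1
disable_vrfy_command = yes
smtpd_helo_required = yes
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    permit_mynetworks,
# permit_sasl_authenticated,
    reject_unauth_destination,
    permit
"""

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}, following the Postfix
    rules used above: a '#' in column 0 skips the line (even mid-value),
    and a line starting with whitespace continues the previous line."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % line)
        current = name.strip()
        params[current] = value.strip()
    return params

def audit(params):
    """Return a list of findings (my own checks); empty means all passed."""
    findings = []
    # Restrictions may be separated by commas and/or whitespace.
    rules = [r for r in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if r]
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (relay control missing)")
    elif "permit" in rules and rules.index("permit") < rules.index("reject_unauth_destination"):
        findings.append("unconditional permit precedes reject_unauth_destination (open relay)")
    if params.get("disable_vrfy_command", "no") != "yes":
        findings.append("disable_vrfy_command is not yes (VRFY allows address harvesting)")
    if params.get("smtpd_helo_required", "no") != "yes":
        findings.append("smtpd_helo_required is not yes")
    return findings
```

Run it against `postconf -n` output saved to a file to check a live server with the same rules.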
If you have any questions just post!