-   Linux - Security (
-   -   Postfix security (

digilink 07-01-2010 11:14 AM

Postfix security
Hi all... venturing into unfamiliar territory so I'm hoping someone can help me and make things a little more understandable for me.

I have setup Postfix on a standalone server connected directly to the internet. I have got inbound and outbound email working for the most part, but I am worried about security.

My fear is that if I leave port 25 open to the outside world spammers will find this and start relaying mail through it and eventually blacklisting the IP attached to this box.

For now, I am hosting mail for a single domain and single user (me) with a few aliases. I plan on expanding to IMAP and SMTP access from the outside at some point, but for now I've been using Mutt in a shell and it's fine for my needs for now.

Here are my current Postfix settings:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =,, , localhost,
myhostname =
mynetworks =
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

I'm thinking the mynetworks parameter will stop all mail relay from the outside world, but I have port 25 open and I can telnet to it from the internet.

Again, this is a standalone host with a public IP address (no NAT) and a Shorewall/IPTABLES firewall configured.

Any insight appreciated :)

rweaver 07-01-2010 04:04 PM

You should be considering SMTP AUTH at a minimum and verifying you're not an open relay through one of the many checkers online ( has a few nice tools). It would also be useful to read about how to close an open relay and what steps you can take against being an open relay. As you increase incoming mail you're likely going to want a spam filter of some kind too and to implement some of the more advanced spam filtering techniques like greylisting, uri rbl, etc.

digilink 07-01-2010 04:22 PM

Thanks so much! The mxtoolbox site is a great resource, I was able to scan my mailserver and it IS NOT an open relay!!! Success :)

Now that I've got a minimal config I can focus on making it be more accessable :)

manwichmakesameal 07-01-2010 04:45 PM

@ rweaver: I'm gonna have to thank you for that site as well. Never knew it existed.

All times are GMT -5. The time now is 07:41 AM.