How to configure Postfix in view of security demands
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to configure Postfix in view of security demands
Although I'm not completely a newbie I begin to notice that my knowledge becomes somewhat outdated. I have some questions on how to secure the mail communication.
I am currently configuring an SMTP/POP/IMap mail facility on a Synology NAS box. The SMTP part is Postfix.
As I do not want this server to relay unauthorized mails I want to make sure the communication is secured. I already created some certificates using openssh, but unfortunately I do not completely understand what these are for and how to use them. My questions:
* do I use certificates to make sure to users that my server is the one it says it is?
* do I (or rather: my users) use certificates to make sure to my server that a user/client is the one it says it is?
* Are the certificates of the previous 2 questions the same?
* Is a certificate for the user/client side absolutely necessary or strongly recommended? I do not recall having loaded any client certificate for any of my external email accounts (such as gmail)
I am not so much worried about the authenticity of my server (after all, it is my own server), but much more about the authenticity of the users I want to give access to it.
As a last question: can someone recommend a forum where this kind of issues is discussed in simple language?
Thanks, Sam
- no.
- no, only if you wish to relay ANY mail from certain users where you can not verify the source IP or similar.
- yes.
- neither.
You really only would look at a client side cert if you've a "road warrior" or some such to whom you do not extend a VPN connection, so they will be sending their email to other parties via your servers without being already within your network. This is pretty rare TBH, and a username / password is more common in this situation anyway. If you require all "clients" as you've called them to use ssl certs to identify themselves, then you will never recieve any email, as Google, Hotmail etc, are really NOT about to speak to you personally to exchange cert details over email / phone.
In all of this, it really helps to remember that SMTP communications is mostly one server to another, pushing units data from one server to another. Only a minority of it is from actual mail clients, and they are usually within our network.
The classic logic is to say you will relay email to ANYONE if the source IP is in your own network, otherwise you will only accept email for YOUR domains (or potentially a few select relay domains)
Very helpful, Chris. I have a number of road warriors as you call them, but I guess I should put some more effort into getting them into the VPN. Thanks.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.