Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 12-31-2012, 12:57 PM   #1
LQ Newbie
Registered: Dec 2010
Posts: 2

Rep: Reputation: 0
How to configure Postfix in view of security demands

Although I'm not completely a newbie I begin to notice that my knowledge becomes somewhat outdated. I have some questions on how to secure the mail communication.
I am currently configuring an SMTP/POP/IMap mail facility on a Synology NAS box. The SMTP part is Postfix.
As I do not want this server to relay unauthorized mails I want to make sure the communication is secured. I already created some certificates using openssh, but unfortunately I do not completely understand what these are for and how to use them. My questions:
* do I use certificates to make sure to users that my server is the one it says it is?
* do I (or rather: my users) use certificates to make sure to my server that a user/client is the one it says it is?
* Are the certificates of the previous 2 questions the same?
* Is a certificate for the user/client side absolutely necessary or strongly recommended? I do not recall having loaded any client certificate for any of my external email accounts (such as gmail)

I am not so much worried about the authenticity of my server (after all, it is my own server), but much more about the authenticity of the users I want to give access to it.
As a last question: can someone recommend a forum where this kind of issues is discussed in simple language?
Thanks, Sam
Old 12-31-2012, 04:13 PM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
- no.
- no, only if you wish to relay ANY mail from certain users where you can not verify the source IP or similar.
- yes.
- neither.

You really only would look at a client side cert if you've a "road warrior" or some such to whom you do not extend a VPN connection, so they will be sending their email to other parties via your servers without being already within your network. This is pretty rare TBH, and a username / password is more common in this situation anyway. If you require all "clients" as you've called them to use ssl certs to identify themselves, then you will never recieve any email, as Google, Hotmail etc, are really NOT about to speak to you personally to exchange cert details over email / phone.

In all of this, it really helps to remember that SMTP communications is mostly one server to another, pushing units data from one server to another. Only a minority of it is from actual mail clients, and they are usually within our network.

The classic logic is to say you will relay email to ANYONE if the source IP is in your own network, otherwise you will only accept email for YOUR domains (or potentially a few select relay domains)
1 members found this post helpful.
Old 01-02-2013, 12:17 AM   #3
LQ Newbie
Registered: Dec 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Very helpful, Chris. I have a number of road warriors as you call them, but I guess I should put some more effort into getting them into the VPN. Thanks.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] view ./configure options? mahmoodn Linux - General 4 07-11-2011 05:35 AM
view or configure routing table Gofloss2003 Linux - Newbie 4 11-28-2008 01:15 AM
Postfix: How to configure postfix to process mail from another host m1ckey78 Linux - Server 3 10-15-2008 11:59 AM
Postfix: help required to configure postfix to redirect email. Wheddod Linux - Software 3 08-20-2008 08:55 AM
How to configure Postfix to enhance the security? zazem Linux - Security 4 05-14-2008 09:41 AM > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 06:22 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration