rss feed Twitter Page Facebook Page Github Page Stack Over Flow Page

Secure Postfix

Posted on Sunday March 13, 2016 by Eric Potvin

Make sure the Postfix is running with non-root account:

ps aux | grep postfix | grep -v '^root'

Change permissions and ownership on the destinations below:

sudo chmod 755 /etc/postfix
sudo chmod 644 /etc/postfix/*.cf
sudo chmod 755 /etc/postfix/postfix-script*
sudo chmod 755 /var/spool/postfix
sudo chown root:root /var/log/mail*
sudo chmod 600 /var/log/mail*

Configuration update

Make the following changes in the configuration file:

sudo vi /etc/postfix/

Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:

myhostname =

Configure network interface addresses that the Postfix service should listen on, for example:

mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost

Configure Trusted Networks, for example:

mynetworks =,,

Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:

myorigin =

Configure the SMTP domain destination, for example:

mydomain =

Configure to which SMTP domains to relay messages to, for example:

relay_domains =

Configure SMTP Greeting Banner:

smtpd_banner = $myhostname

Limit Denial of Service Attacks:

default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100

Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

disable_vrfy_command = yes

It will allows Postfix to log recipient address when denying a client or sender address. Basically, it is not possible to find out which mail is being rejected.

smtpd_delay_reject = yes

Requiring that the client sends the HELO or EHLO command before sending the MAIL FROM or ETRN command. This may cause problems with home-grown applications that send mail.

smtpd_helo_required = yes

Reject email if remote hostname is not in fully-qualified domain form.

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname

Reject all bots sending email from computers connected via DSL/ADSL computers. They don't have valid internet hostname. (If you use the previous directive, you will need to add it at the end).

smtpd_helo_restrictions = reject_invalid_hostname

You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.

smtpd_recipient_restrictions =
 reject_invalid_hostname, 		// Reject email if it not valid hostname
 reject_non_fqdn_hostname, 		// Reject email if it not valid FQDN
 reject_non_fqdn_sender, 		// Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example email send from xyz or abc is rejected.
 reject_non_fqdn_recipient, 		// Reject the request when the RCPT TO address is not in fully-qualified domain form
 reject_unknown_sender_domain,		// Reject email, if sender domain does not exists
 reject_unknown_recipient_domain,	// Reject email, if recipient domain does not exists
 reject_rbl_client, 	// Configure spam black lists

Set the limits for error sleep, soft and hard error limits:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Foward emails

To foward emails, open the /etc/postfix/virtual file:

sudo vi /etc/postfix/virtual

Now, to foward emails, you simply need to add both email addresses on the same line:

This will foward all emails from to

You can also have a catch-all email address.

Make sure following two line exists in /etc/postfix/

virtual_alias_domains =
# virtual_alias_domains = ..
virtual_alias_maps = hash:/etc/postfix/virtual

Restart the Postfix daemon:

sudo service postfix restart