Secure Postfix

Posted on Sunday March 13, 2016 / by Eric Potvin

Make sure the Postfix is running with non-root account:

ps aux | grep postfix | grep -v '^root'

Change permissions and ownership on the destinations below:

sudo chmod 755 /etc/postfix
sudo chmod 644 /etc/postfix/*.cf
sudo chmod 755 /etc/postfix/postfix-script*
sudo chmod 755 /var/spool/postfix
sudo chown root:root /var/log/mail*
sudo chmod 600 /var/log/mail*

Configuration update

Make the following changes in the configuration file:

sudo vi /etc/postfix/

Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:

myhostname =

Configure network interface addresses that the Postfix service should listen on, for example:

mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost

Configure Trusted Networks, for example:

mynetworks =,,

Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:

myorigin =

Configure the SMTP domain destination, for example:

mydomain =

Configure to which SMTP domains to relay messages to, for example:

relay_domains =

Configure SMTP Greeting Banner:

smtpd_banner = $myhostname

Limit Denial of Service Attacks:

default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100

Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

disable_vrfy_command = yes

It will allows Postfix to log recipient address when denying a client or sender address. Basically, it is not possible to find out which mail is being rejected.

smtpd_delay_reject = yes

Requiring that the client sends the HELO or EHLO command before sending the MAIL FROM or ETRN command. This may cause problems with home-grown applications that send mail.

smtpd_helo_required = yes

Reject email if remote hostname is not in fully-qualified domain form.

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname

Reject all bots sending email from computers connected via DSL/ADSL computers. They don't have valid internet hostname. (If you use the previous directive, you will need to add it at the end).

smtpd_helo_restrictions = reject_invalid_hostname

You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.

smtpd_recipient_restrictions =
 reject_invalid_hostname, 		// Reject email if it not valid hostname
 reject_non_fqdn_hostname, 		// Reject email if it not valid FQDN
 reject_non_fqdn_sender, 		// Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example email send from xyz or abc is rejected.
 reject_non_fqdn_recipient, 		// Reject the request when the RCPT TO address is not in fully-qualified domain form
 reject_unknown_sender_domain,		// Reject email, if sender domain does not exists
 reject_unknown_recipient_domain,	// Reject email, if recipient domain does not exists
 reject_rbl_client, 	// Configure spam black lists

Set the limits for error sleep, soft and hard error limits:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Foward emails

To foward emails, open the /etc/postfix/virtual file:

sudo vi /etc/postfix/virtual

Now, to foward emails, you simply need to add both email addresses on the same line:

This will foward all emails from to

You can also have a catch-all email address.

Make sure following two line exists in /etc/postfix/

virtual_alias_domains =
# virtual_alias_domains = ..
virtual_alias_maps = hash:/etc/postfix/virtual

Restart the Postfix daemon:

sudo service postfix restart