Secure Postfix
Make sure Postfix is running under a non-root account:
ps aux | grep postfix | grep -v '^root'
Change permissions and ownership on the destinations below:
sudo chmod 755 /etc/postfix
sudo chmod 644 /etc/postfix/*.cf
sudo chmod 755 /etc/postfix/postfix-script*
sudo chmod 755 /var/spool/postfix
sudo chown root:root /var/log/mail*
sudo chmod 600 /var/log/mail*
Configuration update
Make the following changes in the configuration file:
sudo vi /etc/postfix/main.cf
Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
myhostname = myserver.mydomain.com
Configure network interface addresses that the Postfix service should listen on, for example:
mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost
Configure Trusted Networks, for example:
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
myorigin = mydomain.com
Configure the SMTP domain destination, for example:
mydomain = mydomain.com
Configure which SMTP domains to relay messages to, for example:
relay_domains = mydomain.com
Configure SMTP Greeting Banner:
smtpd_banner = $myhostname
Limit Denial of Service Attacks:
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
disable_vrfy_command = yes
Delay rejections so that Postfix can log the recipient address when denying a client or sender address. Without this, it is not possible to find out which mail is being rejected.
smtpd_delay_reject = yes
Require that the client send the HELO or EHLO command before sending the MAIL FROM or ETRN command. This may cause problems with home-grown applications that send mail.
smtpd_helo_required = yes
Reject email if the remote hostname is not in fully-qualified domain form.
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname
Reject bots sending email from computers connected via DSL/ADSL. They don't have a valid Internet hostname. (If you use the previous directive, add this restriction to the end of that directive's list instead of setting the parameter a second time.)
smtpd_helo_restrictions = reject_invalid_hostname
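When a parameter appears twice in main.cf, the later line replaces the earlier one, which is why the two smtpd_helo_restrictions lines above must be merged into one. The following check is an added example, not part of the original page or of Postfix; the function names, the audit baseline and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: it repeats smtpd_helo_restrictions the way the two
# snippets above would if both were pasted into main.cf unchanged.
SAMPLE = """\
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    # comment line inside a multi-line value
    permit_mynetworks,
    permit
"""
# Audit baseline taken from this page's recommendations (a subset).
REQUIRED_YES = ("disable_vrfy_command", "smtpd_helo_required")
REQUIRED_HELO = ("reject_non_fqdn_hostname", "reject_invalid_hostname")

def parse_main_cf(text):
    """Apply main.cf rules: '#' lines are ignored, a line that starts with
    whitespace continues the previous one, the last definition wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params, duplicates = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name in params:
            duplicates.append(name)
        params[name] = " ".join(value.split())
    return params, duplicates

def audit(text):
    """Return findings for overridden parameters and missing settings."""
    params, duplicates = parse_main_cf(text)
    findings = [f"{n}: defined more than once, last value wins" for n in duplicates]
    for name in REQUIRED_YES:
        if params.get(name) != "yes":
            findings.append(f"{name}: not set to yes")
    active = re.split(r"[,\s]+", params.get("smtpd_helo_restrictions", ""))
    findings += [f"smtpd_helo_restrictions: {r} is not in effect"
                 for r in REQUIRED_HELO if r not in active]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real server, pass the contents of /etc/postfix/main.cf to audit() in place of SAMPLE.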
You can apply the following access restrictions, which the Postfix SMTP server evaluates in the context of the RCPT TO command.
smtpd_recipient_restrictions =
    # Reject email if the hostname is not valid
    reject_invalid_hostname,
    # Reject email if the hostname is not a valid FQDN
    reject_non_fqdn_hostname,
    # Reject the request when the MAIL FROM address is not in fully-qualified
    # domain form. For example, email sent from xyz or abc is rejected.
    reject_non_fqdn_sender,
    # Reject the request when the RCPT TO address is not in fully-qualified
    # domain form
    reject_non_fqdn_recipient,
    # Reject email if the sender domain does not exist
    reject_unknown_sender_domain,
    # Reject email if the recipient domain does not exist
    reject_unknown_recipient_domain,
    permit_mynetworks,
    # Configure spam blacklists
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
Set the limits for error sleep, soft and hard error limits:
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Forward emails
To forward emails, open the /etc/postfix/virtual file:
sudo vi /etc/postfix/virtual
Now, to forward emails, you simply need to add both email addresses on the same line:
email1@domain.com email2@domain.com
This will forward all emails from email1@domain.com to email2@domain.com.
You can also have a catch-all email address.
@some-other-domain.com email3@domain.com
Make sure the following two lines exist in /etc/postfix/main.cf:
virtual_alias_domains = mydomain.com
# virtual_alias_domains = mydomain.com myotherdomain.com ..
virtual_alias_maps = hash:/etc/postfix/virtual
Restart the Postfix daemon:
sudo service postfix restart