Chapter 8. Securing the Postfix service
Postfix is a mail transfer agent (MTA) that uses the Simple Mail Transfer Protocol (SMTP) to deliver electronic messages between other MTAs and to email clients or delivery agents. Although MTAs can encrypt traffic between one another, they might not do so by default. You can also mitigate risks to various attacks by changing setting to more secure values.
8.2. Postfix configuration options for limiting DoS attacks
An attacker can flood the server with traffic, or send information that triggers a crash, causing a denial of service (DoS) attack. You can configure your system to reduce the risk of such attacks by setting limits in the /etc/postfix/main.cf
file. You can change the value of the existing directives or you can add new directives with custom values in the <directive> = <value>
format.
Use the following list of directives for limiting a DoS attack:
smtpd_client_connection_rate_limit
-
Limits the maximum number of connection attempts any client can make to this service per time unit. The default value is
0
, which means a client can make as many connections per time unit as Postfix can accept. By default, the directive excludes clients in trusted networks. anvil_rate_time_unit
-
Defines a time unit to calculate the rate limit. The default value is
60
seconds. smtpd_client_event_limit_exceptions
- Excludes clients from the connection and rate limit commands. By default, the directive excludes clients in trusted networks.
smtpd_client_message_rate_limit
- Defines the maximum number of message deliveries from client to request per time unit (regardless of whether or not Postfix actually accepts those messages).
default_process_limit
-
Defines the default maximum number of Postfix child processes that provide a given service. You can ignore this rule for specific services in the
master.cf
file. By default, the value is100
. queue_minfree
-
Defines the minimum amount of free space required to receive mail in the queue file system. The directive is currently used by the Postfix SMTP server to decide if it accepts any mail at all. By default, the Postfix SMTP server rejects
MAIL FROM
commands when the amount of free space is less than 1.5 times themessage_size_limit
. To specify a higher minimum free space limit, specify aqueue_minfree
value that is at least 1.5 times themessage_size_limit
. By default, thequeue_minfree
value is0
. header_size_limit
-
Defines the maximum amount of memory in bytes for storing a message header. If a header is large, it discards the excess header. By default, the value is
102400
bytes. message_size_limit
-
Defines the maximum size of a message including the envelope information in bytes. By default, the value is
10240000
bytes.
8.3. Configuring Postfix to use SASL
Postfix supports Simple Authentication and Security Layer (SASL) based SMTP Authentication (AUTH). SMTP AUTH is an extension of the Simple Mail Transfer Protocol. Currently, the Postfix SMTP server supports the SASL implementations in the following ways:
- Dovecot SASL
- The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a UNIX-domain socket or a TCP socket. Use this method if Postfix and Dovecot applications are running on separate machines.
- Cyrus SASL
- When enabled, SMTP clients must authenticate with the SMTP server using an authentication method supported and accepted by both the server and the client.
Prerequisites
-
The
dovecot
package is installed on the system
Procedure
Set up Dovecot:
Include the following lines in the
/etc/dovecot/conf.d/10-master.conf
file:service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } }
The previous example uses UNIX-domain sockets for communication between Postfix and Dovecot. The example also assumes default Postfix SMTP server settings, which include the mail queue located in the
/var/spool/postfix/
directory, and the application running under thepostfix
user and group.Optional: Set up Dovecot to listen for Postfix authentication requests through TCP:
service auth { inet_listener { port = port-number } }
Specify the method that the email client uses to authenticate with Dovecot by editing the
auth_mechanisms
parameter in/etc/dovecot/conf.d/10-auth.conf
file:auth_mechanisms = plain login
The
auth_mechanisms
parameter supports different plaintext and non-plaintext authentication methods.
Set up Postfix by modifying the
/etc/postfix/main.cf
file:Enable SMTP Authentication on the Postfix SMTP server:
smtpd_sasl_auth_enable = yes
Enable the use of Dovecot SASL implementation for SMTP Authentication:
smtpd_sasl_type = dovecot
Provide the authentication path relative to the Postfix queue directory. Note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in
chroot
or not:smtpd_sasl_path = private/auth
This step uses UNIX-domain sockets for communication between Postfix and Dovecot.
To configure Postfix to look for Dovecot on a different machine in case you use TCP sockets for communication, use configuration values similar to the following:
smtpd_sasl_path = inet: ip-address : port-number
In the previous example, replace the ip-address with the IP address of the Dovecot machine and port-number with the port number specified in Dovecot’s
/etc/dovecot/conf.d/10-master.conf
file.Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note that you can specify different mechanisms for encrypted and unencrypted sessions.
smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
The previous directives specify that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted user names or passwords are allowed. For encrypted sessions that use TLS, only non-anonymous authentication mechanisms are allowed.