Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 8. Securing network services

Red Hat Enterprise Linux supports many different types of network servers. Their network services can expose the system security to risks of various types of attacks, such as denial of service attacks (DoS), distributed denial of service attacks (DDoS), script vulnerability attacks, and buffer overflow attacks.

To increase the system security against attacks, it is important to monitor active network services that you use. For example, when a network service is running on a machine, its daemon listens for connections on network ports, and this can reduce the security. To limit exposure to attacks over the network, all services that are unused should be turned off.

8.1. Securing the rpcbind service
Copiar o link

The rpcbind service is a dynamic port-assignment daemon for remote procedure calls (RPC) services such as Network Information Service (NIS) and Network File System (NFS). Because it has weak authentication mechanisms and can assign a wide range of ports for the services it controls, it is important to secure rpcbind.

You can secure rpcbind by restricting access to all networks and defining specific exceptions using firewall rules on the server.

Note
  • The rpcbind service is required on NFSv3 servers.
  • The rpcbind service is not required on NFSv4.

Prerequisites

  • The rpcbind package is installed.
  • The firewalld package is installed and the service is running.

Procedure

  1. Add firewall rules, for example:

    • Limit TCP connection and accept packages only from the 192.168.0.0/24 host via the 111 port: 

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop'
      Copy to Clipboard Toggle word wrap

    • Limit TCP connection and accept packages only from local host via the 111 port: 

      # firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept'
      Copy to Clipboard Toggle word wrap

    • Limit UDP connection and accept packages only from the 192.168.0.0/24 host via the 111 port: 

      # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop'
      Copy to Clipboard Toggle word wrap

      To make the firewall settings permanent, use the --permanent option when adding firewall rules.

  2. Reload the firewall to apply the new rules: 

    # firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

Verification

  • List the firewall rules: 

    # firewall-cmd --list-rich-rule
rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop
rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept
rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop
    Copy to Clipboard Toggle word wrap

8.2. Securing the rpc.mountd service
Copiar o link

The rpc.mountd daemon implements the server side of the NFS mount protocol. The NFS mount protocol is used by NFS version 3 (RFC 1813).

You can secure the rpc.mountd service by adding firewall rules to the server. You can restrict access to all networks and define specific exceptions using firewall rules.

Prerequisites

  • The rpc.mountd package is installed.
  • The firewalld package is installed and the service is running.

Procedure

  1. Add firewall rules to the server, for example:

    • Accept mountd connections from the 192.168.0.0/24 host: 

      # firewall-cmd --add-rich-rule 'rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop'
      Copy to Clipboard Toggle word wrap

    • Accept mountd connections from the local host: 

      # firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'
      Copy to Clipboard Toggle word wrap

      To make the firewall settings permanent, use the --permanent option when adding firewall rules.

  2. Reload the firewall to apply the new rules: 

    # firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

Verification

  • List the firewall rules: 

    # firewall-cmd --list-rich-rule
rule family="ipv4" service name="mountd" source address="192.168.0.0/24" invert="True" drop
rule family="ipv4" source address="127.0.0.1" service name="mountd" accept
    Copy to Clipboard Toggle word wrap

8.3. Securing the NFS service
Copiar o link

You can secure Network File System version 4 (NFSv4) by authenticating and encrypting all file system operations using Kerberos. When using NFSv4 with Network Address Translation (NAT) or a firewall, you can turn off the delegations by modifying the /etc/default/nfs file. Delegation is a technique by which the server delegates the management of a file to a client. In contrast, NFSv3 do not use Kerberos for locking and mounting files.

The NFS service sends the traffic using TCP in all versions of NFS. The service supports Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module.

NFS allows remote hosts to mount file systems over a network and interact with those file systems as if they are mounted locally. You can merge the resources on centralized servers and additionally customize NFS mount options in the /etc/nfsmount.conf file when sharing the file systems.

8.3.1. Export options for securing an NFS server
Copiar o link

The NFS server determines a list structure of directories and hosts about which file systems to export to which hosts in the /etc/exports file.

You can use the following export options on the /etc/exports file:

ro
Exports the NFS volume as read-only.
rw
Allows read and write requests on the NFS volume. Use this option cautiously because allowing write access increases the risk of attacks. If your scenario requires mounting the directories with the rw option, make sure they are not writable for all users to reduce possible risks.
root_squash
Maps requests from uid/gid 0 to the anonymous uid/gid. This does not apply to any other uids or gids that might be equally sensitive, such as the bin user or the staff group.
no_root_squash
Turns off root squashing. By default, NFS shares change the root user to the nobody user, which is an unprivileged user account. This changes the owner of all the root created files to nobody, which prevents the uploading of programs with the setuid bit set. When using the no_root_squash option, remote root users can change any file on the shared file system and leave applications infected by trojans for other users.
secure
Restricts exports to reserved ports. By default, the server allows client communication only through reserved ports. However, it is easy for anyone to become a root user on a client on many networks, so it is rarely safe for the server to assume that communication through a reserved port is privileged. Therefore the restriction to reserved ports is of limited value; it is better to rely on Kerberos, firewalls, and restriction of exports to particular clients.
Warning

Extra spaces in the syntax of the /etc/exports file can lead to major changes in the configuration.

In the following example, the /tmp/nfs/ directory is shared with the bob.example.com host and has read and write permissions. 

/tmp/nfs/     bob.example.com(rw)
Copy to Clipboard Toggle word wrap

The following example is the same as the previous one but shares the same directory to the bob.example.com host with read-only permissions and shares it to the world with read and write permissions due to a single space character after the hostname. 

/tmp/nfs/     bob.example.com (rw)
Copy to Clipboard Toggle word wrap

You can check the shared directories on your system by entering the showmount -e <hostname> command.

Additionally, consider the following best practices when exporting an NFS server:

  • Exporting home directories is a risk because some applications store passwords in plain text or in a weakly encrypted format. You can reduce the risk by reviewing and improving the application code.
  • Some users do not set passwords on SSH keys which again leads to risks with home directories. You can reduce these risks by enforcing the use of passwords or using Kerberos.
  • Restrict the NFS exports only to required clients. Use the showmount -e command on the NFS server to review what the server is exporting. Do not export anything that is not specifically required.
  • Do not allow unnecessary users to log in to a server to reduce the risk of attacks. You can periodically check who and what can access the server.
Warning

Export an entire file system because exporting a subdirectory of a file system is not secure. An attacker might access the unexported part of a partially-exported file system.

8.3.2. Mount options for securing an NFS client
Copiar o link

You can pass the following options to the mount command to increase the security of NFS-based clients:

nosuid
Use the nosuid option to disable the set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program and you can use this option opposite to setuid option.
noexec
Use the noexec option to disable all executable files on the client. Use this to prevent users from accidentally executing files placed in the shared file system.
nodev
Use the nodev option to prevent the client’s processing of device files as a hardware device.
resvport
Use the resvport option to restrict communication to a reserved port and you can use a privileged source port to communicate with the server. The reserved ports are reserved for privileged users and processes such as the root user.
sec
Use the sec option on the NFS server to choose the RPCGSS security flavor for accessing files on the mount point. Valid security flavors are none, sys, krb5, krb5i, and krb5p.
Important

The MIT Kerberos libraries provided by the krb5-libs package do not support the Data Encryption Standard (DES) algorithm in new deployments. DES is deprecated and disabled by default in Kerberos libraries because of security and compatibility reasons. Use newer and more secure algorithms instead of DES, unless your environment requires DES for compatibility reasons.

8.3.3. Securing NFS with firewall
Copiar o link

To secure the firewall on an NFS server, keep only the required ports open. Do not use the NFS connection port numbers for any other service.

Prerequisites

  • The nfs-utils package is installed.
  • The firewalld package is installed and running.

Procedure

  • On NFSv4, the firewall must open TCP port 2049.

  • On NFSv3, open four additional ports with 2049:

    1. rpcbind service assigns the NFS ports dynamically, which might cause problems when creating firewall rules. To simplify this process, use the /etc/nfs.conf file to specify which ports to use:

      1. Set TCP and UDP port for mountd (rpc.mountd) in the [mountd] section in port=<value> format.
      2. Set TCP and UDP port for statd (rpc.statd) in the [statd] section in port=<value> format.

    2. Set the TCP and UDP port for the NFS lock manager (nlockmgr) in the /etc/nfs.conf file:

      1. Set TCP port for nlockmgr (rpc.statd) in the [lockd] section in port=value format. Alternatively, you can use the nlm_tcpport option in the /etc/modprobe.d/lockd.conf file.
      2. Set UDP port for nlockmgr (rpc.statd) in the [lockd] section in udp-port=value format. Alternatively, you can use the nlm_udpport option in the /etc/modprobe.d/lockd.conf file.

Verification

  • List the active ports and RPC programs on the NFS server: 

    $ rpcinfo -p
    Copy to Clipboard Toggle word wrap

8.4. Securing the FTP service
Copiar o link

You can use the File Transfer Protocol (FTP) to transfer files over a network. Because all FTP transactions with the server, including user authentication, are unencrypted, make sure it is configured securely.

Red Hat Enterprise Linux provides two FTP servers:

Red Hat Content Accelerator (tux)
A kernel-space web server with FTP capabilities.
Very Secure FTP Daemon (vsftpd)
A standalone, security-oriented implementation of the FTP service.

The following security guidelines are for setting up the vsftpd FTP service.

8.4.1. Securing the FTP greeting banner
Copiar o link

When a user connects to the FTP service, FTP shows a greeting banner, which by default includes version information. Attackers might use this information to identify weaknesses in the system. You can hide this information by changing the default banner.

You can define a custom banner by editing the /etc/banners/ftp.msg file to either directly include a single-line message, or to refer to a separate file, which can contain a multi-line message.

Procedure

  • To define a single line message, add the following option to the /etc/vsftpd/vsftpd.conf file: 

    ftpd_banner=Hello, all activity on ftp.example.com is logged.
    Copy to Clipboard Toggle word wrap

  • To define a message in a separate file:

    • Create a .msg file which contains the banner message, for example /etc/banners/ftp.msg: 

      ######### Hello, all activity on ftp.example.com is logged. #########
      Copy to Clipboard Toggle word wrap

      To simplify the management of multiple banners, place all banners into the /etc/banners/ directory.

    • Add the path to the banner file to the banner_file option in the /etc/vsftpd/vsftpd.conf file: 

      banner_file=/etc/banners/ftp.msg
      Copy to Clipboard Toggle word wrap

Verification

  • Display the modified banner: 

    $ ftp localhost
Trying ::1…
Connected to localhost (::1).
Hello, all activity on ftp.example.com is logged.
    Copy to Clipboard Toggle word wrap

8.4.2. Preventing anonymous access and uploads in FTP
Copiar o link

By default, installing the vsftpd package creates the /var/ftp/ directory and a directory tree for anonymous users with read-only permissions on the directories. Because anonymous users can access the data, do not store sensitive data in these directories.

To increase the security of the system, you can configure the FTP server to allow anonymous users to upload files to a specific directory and prevent anonymous users from reading data. In the following procedure, the anonymous user must be able to upload files in the directory owned by the root user but not change it.

Procedure

  • Create a write-only directory in the /var/ftp/pub/ directory: 

    # mkdir /var/ftp/pub/upload
# chmod 730 /var/ftp/pub/upload
# ls -ld /var/ftp/pub/upload
drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload
    Copy to Clipboard Toggle word wrap

  • Add the following lines to the /etc/vsftpd/vsftpd.conf file: 

    anon_upload_enable=YES
anonymous_enable=YES
    Copy to Clipboard Toggle word wrap
  • Optional: If your system has SELinux enabled and enforcing, enable SELinux boolean attributes allow_ftpd_anon_write and allow_ftpd_full_access.
Warning

Allowing anonymous users to read and write in directories might lead to the server becoming a repository for stolen software.

8.4.3. Securing user accounts for FTP
Copiar o link

FTP transmits usernames and passwords unencrypted over insecure networks for authentication. You can improve the security of FTP by denying system users access to the server from their user accounts.

Perform as many of the following steps as applicable for your configuration.

Procedure

  • Disable all user accounts in the vsftpd server, by adding the following line to the /etc/vsftpd/vsftpd.conf file: 

    local_enable=NO
    Copy to Clipboard Toggle word wrap
  • Disable FTP access for specific accounts or specific groups of accounts, such as the root user and users with sudo privileges, by adding the usernames to the /etc/pam.d/vsftpd PAM configuration file.
  • Disable user accounts, by adding the usernames to the /etc/vsftpd/ftpusers file.

8.5. Securing HTTP servers
Copiar o link

8.5.1. Security enhancements in httpd.conf
Copiar o link

You can enhance the security of the Apache HTTP server by configuring security options in the /etc/httpd/conf/httpd.conf file.

Always verify that all scripts running on the system work correctly before putting them into production.

Ensure that only the root user has write permissions to any directory containing scripts or Common Gateway Interfaces (CGI). To change the directory ownership to root with write permissions, enter the following commands: 

# chown root <directory_name>
# chmod 755 <directory_name>
Copy to Clipboard Toggle word wrap

In the /etc/httpd/conf/httpd.conf file, you can configure the following options:

FollowSymLinks
This directive is enabled by default and follows symbolic links in the directory.
Indexes
This directive is enabled by default. Disable this directive to prevent visitors from browsing files on the server.
UserDir
This directive is disabled by default because it can confirm the presence of a user account on the system. To activate user directory browsing for all user directories other than /root/, use the UserDir enabled and UserDir disabled root directives. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.
ServerTokens

This directive controls the server response header field which is sent back to clients. You can use the following parameters to customize the information:

ServerTokens Full

Provides all available information such as web server version number, server operating system details, installed Apache modules, for example: 

Apache/2.4.37 (Red Hat Enterprise Linux) MyMod/1.2
Copy to Clipboard Toggle word wrap
ServerTokens Full-Release

Provides all available information with release versions, for example: 

Apache/2.4.37 (Red Hat Enterprise Linux) (Release 41.module+el8.5.0+11772+c8e0c271)
Copy to Clipboard Toggle word wrap
ServerTokens Prod / ServerTokens ProductOnly

Provides the web server name, for example: 

Apache
Copy to Clipboard Toggle word wrap
ServerTokens Major

Provides the web server major release version, for example: 

Apache/2
Copy to Clipboard Toggle word wrap
ServerTokens Minor

Provides the web server minor release version, for example: 

Apache/2.4
Copy to Clipboard Toggle word wrap
ServerTokens Min / ServerTokens Minimal

Provides the web server minimal release version, for example: 

Apache/2.4.37
Copy to Clipboard Toggle word wrap
ServerTokens OS

Provides the web server release version and operating system, for example: 

Apache/2.4.37 (Red Hat Enterprise Linux)
Copy to Clipboard Toggle word wrap

Use the ServerTokens Prod option to reduce the risk of attackers gaining any valuable information about your system.

Important

Do not remove the IncludesNoExec directive. By default, the Server Side Includes (SSI) module cannot execute commands. Changing this can allow an attacker to enter commands on the system.

Removing httpd modules

You can remove the httpd modules to limit the functionality of the HTTP server. To do so, edit configuration files in the /etc/httpd/conf.modules.d/ or /etc/httpd/conf.d/ directory. For example, to remove the proxy module: 

echo '# All proxy modules disabled' > /etc/httpd/conf.modules.d/00-proxy.conf
Copy to Clipboard Toggle word wrap

8.5.2. Securing the Nginx server configuration
Copiar o link

Nginx is a high-performance HTTP and proxy server. You can harden your Nginx configuration with the following configuration options.

Procedure

  • To disable version strings, modify the server_tokens configuration option: 

    server_tokens off;
    Copy to Clipboard Toggle word wrap

    This option stops displaying additional details such as server version number. This configuration displays only the server name in all requests served by Nginx, for example: 

    $ curl -sI http://localhost | grep Server
Server: nginx
    Copy to Clipboard Toggle word wrap

  • Add extra security headers that mitigate certain known web application vulnerabilities in specific /etc/nginx/ conf files:

    • For example, the X-Frame-Options header option denies any page outside of your domain to frame any content served by Nginx, mitigating clickjacking attacks: 

      add_header X-Frame-Options "SAMEORIGIN";
      Copy to Clipboard Toggle word wrap

    • For example, the x-content-type header prevents MIME-type sniffing in certain older browsers: 

      add_header X-Content-Type-Options nosniff;
      Copy to Clipboard Toggle word wrap

    • For example, the X-XSS-Protection header enables Cross-Site Scripting (XSS) filtering, which prevents browsers from rendering potentially malicious content included in a response by Nginx: 

      add_header X-XSS-Protection "1; mode=block";
      Copy to Clipboard Toggle word wrap

  • You can limit the services exposed to the public and limit what they do and accept from the visitors, for example: 

    limit_except GET {
    allow 192.168.1.0/32;
    deny  all;
}
    Copy to Clipboard Toggle word wrap

    The snippet will limit access to all methods except GET and HEAD.

  • You can disable HTTP methods, for example: 

    # Allow GET, PUT, POST; return "405 Method Not Allowed" for all others.
if ( $request_method !~ ^(GET|PUT|POST)$ ) {
    return 405;
}
    Copy to Clipboard Toggle word wrap
  • You can configure SSL to protect the data served by your Nginx web server, consider serving it over HTTPS only. Furthermore, you can generate a secure configuration profile for enabling SSL in your Nginx server using the Mozilla SSL Configuration Generator. The generated configuration ensures that known vulnerable protocols (for example, SSLv2 and SSLv3), ciphers, and hashing algorithms (for example, 3DES and MD5) are disabled. You can also use the SSL Server Test to verify that your configuration meets modern security requirements.

8.6. Securing PostgreSQL by limiting access to authenticated local users
Copiar o link

PostgreSQL is an object-relational database management system (DBMS). In Red Hat Enterprise Linux, PostgreSQL is provided by the postgresql-server package.

You can reduce the risks of attacks by configuring client authentication. The pg_hba.conf configuration file stored in the database cluster’s data directory controls the client authentication. Follow the procedure to configure PostgreSQL for host-based authentication.

Procedure

  1. Install PostgreSQL: 

    # dnf install postgresql-server
    Copy to Clipboard Toggle word wrap

  2. Initialize a database storage area using one of the following options:

    1. Using the initdb utility: 

      $ initdb -D /home/postgresql/db1/
      Copy to Clipboard Toggle word wrap

      The initdb command with the -D option creates the directory you specify if it does not already exist, for example /home/postgresql/db1/. This directory then contains all the data stored in the database and also the client authentication configuration file.

    2. Using the postgresql-setup script: 

      $ postgresql-setup --initdb
      Copy to Clipboard Toggle word wrap

      By default, the script uses the /var/lib/pgsql/data/ directory. This script helps system administrators with basic database cluster administration.

  3. To allow any authenticated local users to access any database with their usernames, modify the following line in the pg_hba.conf file: 

    local   all             all                                     trust
    Copy to Clipboard Toggle word wrap

    This can be problematic when you use layered applications that create database users and no local users. If you do not want to explicitly control all user names on the system, remove the local line entry from the pg_hba.conf file.

  4. Restart the database to apply the changes: 

    # systemctl restart postgresql
    Copy to Clipboard Toggle word wrap

    The previous command updates the database and also verifies the syntax of the configuration file.

8.7. Securing the Memcached service
Copiar o link

Memcached is an open source, high-performance, distributed memory object caching system. It can improve the performance of dynamic web applications by lowering database load.

Memcached is an in-memory key-value store for small chunks of arbitrary data, such as strings and objects, from results of database calls, API calls, or page rendering. Memcached allows assigning memory from underutilized areas to applications that require more memory.

In 2018, vulnerabilities of DDoS amplification attacks by exploiting Memcached servers exposed to the public internet were discovered. These attacks took advantage of Memcached communication using the UDP protocol for transport. The attack was effective because of the high amplification ratio where a request with the size of a few hundred bytes could generate a response of a few megabytes or even hundreds of megabytes in size.

In most situations, the memcached service does not need to be exposed to the public Internet. Such exposure may have its own security problems, allowing remote attackers to leak or modify information stored in Memcached.

8.7.1. Hardening Memcached against DDoS
Copiar o link

To mitigate security risks, perform as many of the following steps as applicable for your configuration.

Procedure

  • Configure a firewall in your LAN. If your Memcached server should be accessible only in your local network, do not route external traffic to ports used by the memcached service. For example, remove the default port 11211 from the list of allowed ports: 

    # firewall-cmd --remove-port=11211/udp
# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap

  • If you use a single Memcached server on the same machine as your application, set up memcached to listen to localhost traffic only. Modify the OPTIONS value in the /etc/sysconfig/memcached file: 

    OPTIONS="-l 127.0.0.1,::1"
    Copy to Clipboard Toggle word wrap

  • Enable Simple Authentication and Security Layer (SASL) authentication:

    1. Modify or add the /etc/sasl2/memcached.conf file: 

      sasldb_path: /path.to/memcached.sasldb
      Copy to Clipboard Toggle word wrap

    2. Add an account in the SASL database: 

      # saslpasswd2 -a memcached -c cacheuser -f /path.to/memcached.sasldb
      Copy to Clipboard Toggle word wrap

    3. Ensure that the database is accessible for the memcached user and group: 

      # chown memcached:memcached /path.to/memcached.sasldb
      Copy to Clipboard Toggle word wrap

    4. Enable SASL support in Memcached by adding the -S value to the OPTIONS parameter in the /etc/sysconfig/memcached file: 

      OPTIONS="-S"
      Copy to Clipboard Toggle word wrap

    5. Restart the Memcached server to apply the changes: 

      # systemctl restart memcached
      Copy to Clipboard Toggle word wrap
    6. Add the username and password created in the SASL database to the Memcached client configuration of your application.

  • Encrypt communication between Memcached clients and servers with TLS:

    1. Enable encrypted communication between Memcached clients and servers with TLS by adding the -Z value to the OPTIONS parameter in the /etc/sysconfig/memcached file: 

      OPTIONS="-Z"
      Copy to Clipboard Toggle word wrap
    2. Add the certificate chain file path in the PEM format using the -o ssl_chain_cert option.
    3. Add a private key file path using the -o ssl_key option.

8.8. Securing the Postfix service
Copiar o link

Postfix is a mail transfer agent (MTA) that uses the Simple Mail Transfer Protocol (SMTP) to deliver electronic messages between other MTAs and to email clients or delivery agents. Although MTAs can encrypt traffic between one another, they might not do so by default. You can also mitigate risks to various attacks by changing setting to more secure values.

8.8.2. Postfix configuration options for limiting DoS attacks
Copiar o link

An attacker can flood the server with traffic, or send information that triggers a crash, causing a denial of service (DoS) attack. You can configure your system to reduce the risk of such attacks by setting limits in the /etc/postfix/main.cf file. You can change the value of the existing directives or you can add new directives with custom values in the <directive> = <value> format.

Use the following list of directives for limiting a DoS attack:

smtpd_client_connection_rate_limit
Limits the maximum number of connection attempts any client can make to this service per time unit. The default value is 0, which means a client can make as many connections per time unit as Postfix can accept. By default, the directive excludes clients in trusted networks.
anvil_rate_time_unit
Defines a time unit to calculate the rate limit. The default value is 60 seconds.
smtpd_client_event_limit_exceptions
Excludes clients from the connection and rate limit commands. By default, the directive excludes clients in trusted networks.
smtpd_client_message_rate_limit
Defines the maximum number of message deliveries from client to request per time unit (regardless of whether or not Postfix actually accepts those messages).
default_process_limit
Defines the default maximum number of Postfix child processes that provide a given service. You can ignore this rule for specific services in the master.cf file. By default, the value is 100.
queue_minfree
Defines the minimum amount of free space required to receive mail in the queue file system. The directive is currently used by the Postfix SMTP server to decide if it accepts any mail at all. By default, the Postfix SMTP server rejects MAIL FROM commands when the amount of free space is less than 1.5 times the message_size_limit. To specify a higher minimum free space limit, specify a queue_minfree value that is at least 1.5 times the message_size_limit. By default, the queue_minfree value is 0.
header_size_limit
Defines the maximum amount of memory in bytes for storing a message header. If a header is large, it discards the excess header. By default, the value is 102400 bytes.
message_size_limit
Defines the maximum size of a message including the envelope information in bytes. By default, the value is 10240000 bytes.

8.8.3. Configuring Postfix to use SASL
Copiar o link

Postfix supports Simple Authentication and Security Layer (SASL) based SMTP Authentication (AUTH). SMTP AUTH is an extension of the Simple Mail Transfer Protocol. Currently, the Postfix SMTP server supports the SASL implementations in the following ways:

Dovecot SASL
The Postfix SMTP server can communicate with the Dovecot SASL implementation by using either a UNIX-domain socket or a TCP socket. Use this method if Postfix and Dovecot applications are running on separate machines.
Cyrus SASL
When enabled, SMTP clients must authenticate with the SMTP server by using an authentication method supported and accepted by both the server and the client.

Prerequisites

  • The dovecot package is installed on the system

Procedure

  1. Set up Dovecot:

    1. Include the following lines in the /etc/dovecot/conf.d/10-master.conf file: 

      service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
      Copy to Clipboard Toggle word wrap

      The previous example uses UNIX-domain sockets for communication between Postfix and Dovecot. The example also assumes default Postfix SMTP server settings, which include the mail queue located in the /var/spool/postfix/ directory, and the application running under the postfix user and group.

    2. Optional: Set up Dovecot to listen for Postfix authentication requests through TCP: 

      service auth {
  inet_listener {
      port = <port_number>
  }
}
      Copy to Clipboard Toggle word wrap

    3. Specify the method that the email client uses to authenticate with Dovecot by editing the auth_mechanisms parameter in /etc/dovecot/conf.d/10-auth.conf file: 

      auth_mechanisms = plain login
      Copy to Clipboard Toggle word wrap

      The auth_mechanisms parameter supports different plain text and non-plain text authentication methods.

  2. Set up Postfix by modifying the /etc/postfix/main.cf file:

    1. Enable SMTP Authentication on the Postfix SMTP server: 

      smtpd_sasl_auth_enable = yes
      Copy to Clipboard Toggle word wrap

    2. Enable the use of Dovecot SASL implementation for SMTP Authentication: 

      smtpd_sasl_type = dovecot
      Copy to Clipboard Toggle word wrap

    3. Provide the authentication path relative to the Postfix queue directory. Note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in chroot or not: 

      smtpd_sasl_path = private/auth
      Copy to Clipboard Toggle word wrap

      This step uses UNIX-domain sockets for communication between Postfix and Dovecot.

      To configure Postfix to look for Dovecot on a different machine in case you use TCP sockets for communication, use configuration values similar to the following: 

      smtpd_sasl_path = inet: <IP_address> : <port_number>
      Copy to Clipboard Toggle word wrap

      In the previous example, replace the <IP_address> with the IP address of the Dovecot machine and <port_number> with the port number specified in Dovecot’s /etc/dovecot/conf.d/10-master.conf file.

    4. Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note that you can specify different mechanisms for encrypted and unencrypted sessions. 

      smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
      Copy to Clipboard Toggle word wrap

      The previous directives specify that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted user names or passwords are allowed. For encrypted sessions that use TLS, only non-anonymous authentication mechanisms are allowed.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat