{"id":2308,"date":"2016-12-16T15:28:27","date_gmt":"2016-12-16T13:28:27","guid":{"rendered":"https:\/\/upcloud.com\/global\/us\/resources\/tutorials\/secure-postfix-using-lets-encrypt\/"},"modified":"2016-12-16T15:28:27","modified_gmt":"2016-12-16T13:28:27","slug":"secure-postfix-using-lets-encrypt","status":"publish","type":"tutorial","link":"https:\/\/upcloud.com\/global\/resources\/tutorials\/secure-postfix-using-lets-encrypt\/","title":{"rendered":"How to secure Postfix using Let&#8217;s Encrypt"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">If you have registered a domain name and would like to use it for email, you might want to set up\u00a0a mail transfer agent (MTA) through which you can send and receive messages. An excellent option for MTA software is the free and open-source Postfix, which aims to be fast, easy to administer, and secure. Ensuring a secure Postfix server in any network requires great care in its configuration, but with the help of Let\u2019s Encrypt and Dovecot, the whole process is practically plug-and-play.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This guide goes through the steps required in configuring a secure Postfix STMP server with certificates provided by the Let\u2019s Encrypt certificate authority and Dovecot that is used for client authentication. The instructions listed below are intended for Ubuntu 16.04, but the components are available on other distributions as well, with just minor changes to the installation command.<\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Creating DNS records<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The first step in setting up a trustworthy email server is to create the required domain name and mail exchanger records.&nbsp;This process will differ depending on which Domain Name Server you are using to manage your domain name. Most domain name servers will provide instructions or documentation on how these settings can be done.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, you could add a subdomain for your SMTP server, such as <em>mail.example.com<\/em> and enable an MX record that points to that subdomain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The records that you will need to configure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS A record, that maps your domain name to the server\u2019s public IP address.\n<pre>example.com   A    83.136.253.111<\/pre>\n<\/li>\n\n\n\n<li>MX record, which will tell other mail servers where messages sent to your domain should be delivered. <pre>example.com   MX   1   mail.example.com. @             MX   2   mail.example.com.<\/pre> <\/li>\n\n\n\n<li>Reverse DNS record that allows servers to check what domain your server\u2019s IP address belongs to.<br><img loading=\"lazy\" decoding=\"async\" width=\"1170\" height=\"127\" class=\"alignnone size-full wp-image-6230\" src=\"https:\/\/upcloud.com\/media\/editing-ptr-record.png\" alt=\"Editing the PTR record\" \/><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">You can set the reverse DNS name per public IP address at your <a href=\"https:\/\/hub.upcloud.com\/\">UpCloud control panel<\/a> under the Server settings and&nbsp;IP Addresses tab.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These settings might take a moment to propagate to other DNS servers, so it is good to get them done early.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/signup.upcloud.com\/\">Try UpCloud for free!<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Postfix<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Postfix is the default MTA for Ubuntu and can be installed directly with the package manager. Use the following command to install the required packages.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install postfix<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once the installation is complete, the setup will run a configuration script that asks to define a few settings; select the defaults for now by pressing enter to continue.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Postfix installed, run the full configuration script to define the settings as below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo dpkg-reconfigure postfix<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The reconfiguration command will display the configuration interface again. Select the following values in order of appearance.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>General type of mail configuration:\n<pre>Internet Site<\/pre>\n<\/li>\n\n\n\n<li>System mail name \u2013 Replace the &lt;example.com&gt; with your domain name:\n<pre>&lt;example.com&gt;<\/pre>\n<\/li>\n\n\n\n<li>Root and postmaster mail recipient \u2013 Any Unix user account:\n<pre>root<\/pre>\n<\/li>\n\n\n\n<li>Other destinations to accept mail for \u2013 Include $mydomain as the final destination:\n<pre>$mydomain, $myhostname, localhost.$myhostname, , localhost<\/pre>\n<\/li>\n\n\n\n<li>Force synchronous updates on the mail queue? <pre>No<\/pre> <\/li>\n\n\n\n<li>Local networks:\n<pre>127.0.0.0\/8 [::ffff:127.0.0.0]\/104 [::1]\/128<\/pre>\n<\/li>\n\n\n\n<li>Mailbox size limit (bytes):\n<pre>0<\/pre>\n<\/li>\n\n\n\n<li>Local address extension character:\n<pre>+<\/pre>\n<\/li>\n\n\n\n<li>Internet protocols to use:\n<pre>all<\/pre>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">The configuration is written into the&nbsp;<em>\/etc\/postfix\/main.cf<\/em>&nbsp;file. If you want to make changes to the above settings, you can always run the reconfiguration script again.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By default, Postfix uses the&nbsp;<em><span class=\"em em-bold emphasis\">mbox<\/span><\/em>&nbsp;mailbox format. Another commonly used option is Maildir, which stores emails in individual files, reducing the chance of your mail database getting corrupted. The following settings will use Maildir, but you are free to choose any format. If you wish to use something else, remember also to configure it for Dovecot.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Rather than editing the configuration file directly, you can use the <em><span class=\"cmd command\">postconf&nbsp;-e<\/span><\/em> command to change the P<span class=\"app application\">ostfix<\/span> parameters.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'home_mailbox = Maildir\/'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Using the Maildir mailbox format, emails are stored under the recipient user\u2019s home folder \/home\/&lt;username&gt;\/Maildir.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also, tell Postfix what domain it is the final destination for&nbsp;so that it can be easily referenced as a Postfix&nbsp;variable, as was already shown in the configuration script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'mydomain = &lt;example.com&gt;'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now that Postfix is installed, you can continue with further configurations below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Getting Let&#8217;s Encrypt certificates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Enabling the TLS will require you to obtain certificates. Let\u2019s Encrypt is a free, automated, and open Certificate Authority that allows easy certificate setup using the <a href=\"https:\/\/certbot.eff.org\/\" target=\"_blank\" rel=\"noopener\"><em>Certbot<\/em> ACME client<\/a> from the Electronic Frontier Foundation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An easy way to get the certificates issued on a server that does not have a running&nbsp;web server is to use the client with the <tt>--standalone<\/tt> plug-in. Start by installing the Let\u2019s Encrypt module.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install certbot<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once the installation is finished, you can run the process with the easy command below. Replace the&nbsp;<span style=\"color: #ff0000\"><tt>mail.example.com<\/tt>&nbsp;<\/span>with your domain name.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo&nbsp;certbot certonly --standalone -d <span style=\"color: #ff0000\">mail.example.com<\/span><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The command starts an interactive configuration script, which will ask a couple of questions to set up the certificate correctly.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Select Yes to use the default vhost&nbsp;file and specify the settings manually.<\/li>\n\n\n\n<li>Enter the email server\u2019s domain name <em>mail.example.com<\/em>.<\/li>\n\n\n\n<li>On the first installation on any specific host, you\u2019ll need to enter a contact email.<\/li>\n\n\n\n<li>Read the Let\u2019s Encrypt Terms of Service and select <em>Agree<\/em>&nbsp;to continue.<\/li>\n\n\n\n<li>Then select whether you wish to use both HTTP and HTTPS or to require all traffic to use encryption by highlighting either the&nbsp;<em>Easy<\/em> or the&nbsp;<em>Secure<\/em> option and selecting <em>OK<\/em>.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">If everything works correctly, you\u2019ll get a message that HTTPS was successfully enabled.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you already have a web service installed on your mail server, you can&nbsp;find more about how to obtain certificates with <a href=\"https:\/\/upcloud.com\/global\/resources\/tutorials\/install-lets-encrypt-apache\/\" target=\"_blank\" rel=\"noreferrer noopener\">Apache2<\/a> or <a href=\"https:\/\/upcloud.com\/global\/resources\/tutorials\/install-lets-encrypt-nginx\/\" target=\"_blank\" rel=\"noreferrer noopener\">Nginx<\/a>&nbsp;in their software-specific instructions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once you have finished the process, the certificates will be stored under <tt>\/etc\/letsencrypt\/live\/&lt;your.domain&gt;\/<\/tt>. You can add your new certificates to the Postfix configuration using the two commands below. Replace the <tt>&lt;your.domain&gt;<\/tt> with your email server\u2019s domain name.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'smtpd_tls_cert_file = \/etc\/letsencrypt\/live\/&lt;your.domain&gt;\/fullchain.pem'\nsudo postconf -e 'smtpd_tls_key_file = \/etc\/letsencrypt\/live\/&lt;your.domain&gt;\/privkey.pem'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can configure the rest of the email server with the certificate installed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up SMTP authentication<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Next, you should enable SMTP-AUTH, which allows a client to identify itself through the authentication mechanism SASL. Transport Layer Security (TLS) should be used to encrypt the authentication process. Once authenticated, the server will allow the client to relay mail.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enter the following edits as they are.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'smtpd_sasl_type = dovecot'\nsudo postconf -e 'smtpd_sasl_path = private\/auth'\nsudo postconf -e 'smtpd_sasl_local_domain ='\nsudo postconf -e 'smtpd_sasl_security_options = noanonymous'\nsudo postconf -e 'broken_sasl_auth_clients = yes'\nsudo postconf -e 'smtpd_sasl_auth_enable = yes'\nsudo postconf -e 'smtpd_recipient_restrictions =&nbsp;permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, configure Postfix to provide TLS encryption for both incoming and outgoing mail.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'smtp_tls_security_level = may'\nsudo postconf -e 'smtpd_tls_security_level = may'\nsudo postconf -e 'smtp_tls_note_starttls_offer = yes'\nsudo postconf -e 'smtpd_tls_loglevel = 1'\nsudo postconf -e 'smtpd_tls_received_header = yes'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enabling the SASL lets users send messages outside the local domain without compromising the security of the relay.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Virtual alias mapping<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The last bit of Postfix configuration is to map the email addresses you wish to use to your user accounts. With virtual alias domains, each hosted address can be aliased to a local UNIX system account or a remote address. Enable virtual alias mapping with the following two edit commands.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'virtual_alias_domains = $mydomain'\nsudo postconf -e 'virtual_alias_maps = hash:\/etc\/postfix\/virtual'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can then create the alias map indicated above. The example below shows how to use this mechanism for the <em>example.com<\/em> domain. Assign the email addresses you want to enable to a username using the same &lt;email@domain.com&gt; &lt;username&gt; pattern.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/postfix\/virtual<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">postmaster@example.com root\nroot@example.com root\ninfo@exampe.com info<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once you have configured the virtual aliases, tell Postfix to generate the required database file from the list.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postmap \/etc\/postfix\/virtual<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then restart Postfix itself to apply the full configuration.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl restart postfix<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You might also want to add the Maildir setup to the user home directory template so that it is automatically configured when a new user account is created.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo maildirmake.dovecot \/etc\/skel\/Maildir\nsudo maildirmake.dovecot \/etc\/skel\/Maildir\/.Drafts\nsudo maildirmake.dovecot \/etc\/skel\/Maildir\/.Sent\nsudo maildirmake.dovecot \/etc\/skel\/Maildir\/.Trash\nsudo maildirmake.dovecot \/etc\/skel\/Maildir\/.Templates<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The same Maildir can be added to the current user using the commands below. If that user does not have sudo privileges, replace the $USER with any existing username.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp -r \/etc\/skel\/Maildir \/home\/$USER\/\nsudo chown -R $USER:$USER \/home\/$USER\/Maildir\nsudo chmod -R 700 \/home\/$USER\/Maildir\nsudo adduser $USER mail<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, include the Maildir location in your terminal and mail profiles.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo 'export MAIL=~\/Maildir' | sudo tee -a \/etc\/bash.bashrc | sudo tee -a \/etc\/profile.d\/mail.sh<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Relog to the terminal to apply the group changes by reopening the SSH connection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring Dovecot<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Postfix supports two SASL implementations that are used for authentication, Cyrus and Dovecot. Of these two, Dovecot is relatively simple to configure and was therefore selected for this guide. To enable Dovecot SASL you will need to&nbsp;install the <span class=\"app application\"><em>dovecot-common<\/em>&nbsp;<\/span>package. You might also wish to install the Dovecot plugins for IMAP and POP3 to allow connections from mail clients such as Thunderbird or Outlook.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install dovecot-common dovecot-imapd dovecot-pop3d<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once installed, you will need to make some changes to a few of the configuration files. Dovecot configuration is split between a number of files under \/etc\/dovecot\/conf.d\/. To enable the required security features, make the changes indicated below to the next four .conf files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start by disabling the plaintext authentication at the top and enabling the login authentication mechanism near the end of the <em>auth.conf<\/em> file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/dovecot\/conf.d\/10-auth.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">disable_plaintext_auth = yes\n...\nauth_mechanisms = plain login<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, instruct the mail directory to use the same format as Postfix.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/dovecot\/conf.d\/10-mail.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">mail_location = maildir:~\/Maildir<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Next, configure the IMAP and POP3 protocols for email clients in the <em>master.conf<\/em> file as shown below. Uncomment the port lines shown underneath by deleting the \u2018#\u2019 sign at the start of these lines. In the same file, also edit the <em>service auth<\/em> segment to allow user authentication.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/dovecot\/conf.d\/10-master.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">service imap-login {\n   inet_listener imap {\n      port = 143\n   }\n...\n}\nservice pop3-login {\n   inet_listener pop3 {\n      port = 110\n   }\n   ...\n}\n...\nservice auth {\n...\n   # Postfix smtp-auth\n   unix_listener \/var\/spool\/postfix\/private\/auth {\n      mode = 0660\n      user = postfix\n      group = postfix\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Most email clients default to the standard ports, 143 for IMAP and 110 for POP3. With STARTTLS required for every connection, there is no need to duplicate the services to the SSL-dedicated ports.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You must also include your certificates in the Dovecot <em>ssl.conf<\/em> file, and replace the &lt;mail.example.com&gt; with your server\u2019s domain name. Select to require SSL and also disable the insecure SSLv2 and SSLv3 protocols.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/dovecot\/conf.d\/10-ssl.conf<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># SSL\/TLS support: yes, no, required. &lt;doc\/wiki\/SSL.txt&gt;\nssl = required\n...\nssl_cert = &lt;\/etc\/letsencrypt\/live\/&lt;mail.example.com&gt;\/fullchain.pem\nssl_key = &lt;\/etc\/letsencrypt\/live\/&lt;mail.example.com&gt;\/privkey.pem\n...\n# SSL protocols to use\nssl_protocols = !SSLv2 !SSLv3<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">When you are done editing the files, you can check the Dovecot configuration using the following command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dovecot -n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once everything looks correct, restart Dovecot to apply the new settings.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl restart dovecot<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That is it! Congratulations, your mail server is now ready to receive and send emails using secure authentication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Testing the SMTP server locally<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You can test the Postfix server locally from the terminal by using a&nbsp;direct connection with <em>netcat<\/em>, <em>telnet<\/em> or similar. The following commands need to be executed in the correct order, or the server will close the connection.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc&nbsp;mail.example.com 25\nEHLO&nbsp;$hostname\nMAIL FROM:&lt;root@example.com&gt;\nRCPT TO:&lt;info@example.com&gt;\nDATA\nSubject: Test email\n\nBody of the email\n.\nQUIT<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If the configuration worked correctly, you should see a confirmation that the email you just wrote has been placed in the queue and will arrive momentarily.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that using this method, you can only send emails to your own domain addresses. When attempting to set a recipient outside your domain, you will see a message stating that relay access is denied and the connection will be closed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another more convenient way to use email from the terminal is to install Mailutils.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install mailutils<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">It can be used to check mail using the simple command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mail<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can also test sending mail using the same utility by adding the recipient address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mail test@example.com<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, complete the email form with the subject and body text. Send the message by pressing Ctrl+D, which exits the utility. Using this method will allow you to send messages outside your network. However, the sender and return addresses will show your username and server domain name, e.g. root@mail.example.com, instead of the probably more desirable email@domain.com. Therefore, this method should only be used for testing purposes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional security options<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The main concern of running a private SMTP server will be combating both incoming and outgoing spam messages. A secure configuration and strong user passwords will help with the latter, but you might wish to take additional steps to prevent incoming spam.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Reject bad connections and spam messages<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Tightening the rules for SMTP connections can stop many of the common spambots that disregard email etiquette.&nbsp;Requiring a valid HELO or EHLO command with a&nbsp;fully qualified domain name can do just that. Add the following parameters to improve your secure Postfix configuration further.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'smtpd_helo_required = yes'\nsudo postconf -e 'smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Postfix supports a verify (VRFY) command which allows anyone to determine if an account exists on the system, which can provide significant assistance to any brute force attack on your user accounts. VRFY may also give out sensitive information about the users, such as the account owner&#8217;s full name. Disabling the VRFY command with the following parameter is recommended.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'disable_vrfy_command = yes'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You might also wish to delay the reject message to allow Postfix to log recipient address information when the connected client breaks any of the reject rules. This allows you to later find out who the spammers were trying to target.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'smtpd_delay_reject = yes'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The Postfix recipient restrictions that were set in the SASL configuration part are important in securing the server while allowing users to connect with email clients such as Thunderbird or Outlook. Keeping these parameters in the right order will retain this ability, but you can include further restrictions that incoming messages will need to comply with.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org'\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The parameters above are fairly self-explanatory though a little difficult to read in a terminal copy-paste-friendly format. The general idea is to reject connections from made-up addresses that do not use a fully qualified domain name or simply do not exist. Here is possible to also add external spam filters such as the Spamhaus or CBL blacklists. If you wish to find out more, Postfix has very extensive <a href=\"http:\/\/www.postfix.org\/postconf.5.html#smtpd_recipient_restrictions\" target=\"_blank\" rel=\"noopener\">documentation<\/a> on its configuration options.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Directing spam to \/dev\/null<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Postfix supports a so-called catch-all address with virtual aliases. Any emails sent to an address not specified in the virtual map will be directed according to the catch-all address. This is useful for hiding valid addresses by allowing mail delivery to any address, hence preventing spammers from finding real users through simple trial and error.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enable the catch-all address by adding a line as shown in the example below to the end of your virtual mapping without any local part and direct the messages to a virtual user <em>nobody<\/em>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/postfix\/virtual<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">...\n@example.com&nbsp;nobody<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To prevent spam from filling up all of your storage space, edit the system aliases list to direct messages sent to invalid addresses straight to \/dev\/null.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/aliases<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># See man 5 aliases for format\npostmaster: root\nnobody: \/dev\/null<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once you have configured both the system and virtual aliases, tell Postfix to regenerate the required database files from these lists.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo postmap \/etc\/postfix\/virtual\nsudo postalias \/etc\/aliases<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, reload Postfix to enable the new settings.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo service postfix reload<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can test the spam trap by sending a message to any random unconfigured email address. The mail should be delivered successfully but will not be stored. Another way to test this is by using an address validator such as the <a href=\"http:\/\/email-checker.net\/check\" target=\"_blank\" rel=\"noopener\">Email Checker<\/a>, any address should show up as valid, even the none existing ones.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Maintaining security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Configuring and maintaining a secure Postfix SMTP server only requires a&nbsp;basic understanding of the components, but simple mistakes in the setup can render the security settings ineffective, therefore most important part is to make sure the server does not become an open relay. Conveniently&nbsp;MX Toolbox, an online network testing utility, provides an <a href=\"https:\/\/mxtoolbox.com\/diagnostic.aspx\" target=\"_blank\" rel=\"noopener\">SMTP diagnostics<\/a>&nbsp;tool with which you can easily test your configuration by just entering your mail server domain name such as <em>mail.example.com.<\/em> With the setup used in this guide, everything should show green in their tests, granted that the DNS rules have propagated.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While a configuration helps to keep your SMTP server secure, strong user passwords are also very important. In such a case that a third party was to gain unauthorised access to one of the user accounts, they would be able to send spam messages unhindered using your infrastructure and tarnish your network reputation. A common way to reduce the chance of someone guessing your user\u2019s passwords is to impose limitations on failed logging attempts with Fail2ban. You can read more about&nbsp;<a href=\"https:\/\/upcloud.com\/global\/resources\/tutorials\/install-fail2ban-ubuntu\/\">installing Fail2ban on Ubuntu<\/a>&nbsp;in its own article to further improve server security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Good usage practices can also improve your server security a long way. In addition to the aforementioned security methods, Linux systems offer documentation ways to minimise vulnerabilities and harden your cloud server against abuse. Take a look at our introductory guide on <a href=\"https:\/\/upcloud.com\/global\/resources\/tutorials\/secure-linux-cloud-server\/\">how to secure your Linux cloud server<\/a> if you wish to learn more.<\/p>\n","protected":false},"author":3,"featured_media":27359,"comment_status":"open","ping_status":"closed","template":"","community-category":[223],"class_list":["post-2308","tutorial","type-tutorial","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/types\/tutorial"}],"author":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/comments?post=2308"}],"version-history":[{"count":0,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2308\/revisions"}],"wp:attachment":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/media?parent=2308"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/community-category?post=2308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}