Configuring Postfix for holly


smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/postfix/private/postfix.key
smtpd_tls_cert_file = /etc/pki/postfix/certs/postfix.crt
smtpd_tls_CAfile = /etc/pki/postfix/certs/startssl.pem
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous
smtpd_helo_required = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_client_restrictions =
    permit_auth_destination,
    permit_sasl_authenticated,
    reject
smtpd_recipient_restrictions =
    permit_auth_destination,
    permit_sasl_authenticated,
    reject

holly is my personal server with a mail server. I want to send mail out to anywhere, but only recieve or relay to myself.

Most of the lines just secure the daemon, requiring tls and authentication where needed.

The most important lines are the smtpd_recipient_restrictions and the smtpd_client_restrictions lines.

This was a tricky one to get right.

Basically, the two lines force all mail to have 2 checks. If either one matches, the message is accepted: 1. The message is destined for this server, or a server that it relays messages to. 2. The client has encrypted the communications and successfully logged into the system. Mail that passes this test can be sent anywhere in the world.

By default, every client (including external mail hosts) must be encrypted and authenticated. Only authenticated clients can send mail to anywhere too (which is what we want). We can (and will) relax these restrictions shortly.

Postfix's postconf(5) documentation is a little misleading about permit_sasl_authenticated. It says it only applies to smtpd_client_restrictions; however, it lets mail go to its recipient if the client is authenticated.

The documentation is also misleading about permit_auth_destination, saying it only applies to smtpd_recipient_restrictions. The same as the above happens here too (see postconf(5)'s permit_auth_destination).

The SMTP RFCs specify that port smtp/25 is used for server-to-server communications[Citation Needed]. We loosen the requirement that all data must be encrypted. Many mail servers do not encrypt this stage of mail delivery. Of course, data hitting this port can be encrypted, so opportunistic TLS (via STARTTLS) is made available.

If the communication is not encrypted, the destination must be our server, as authentication will never take place.

We open up port smtp/25 by poking into master.cf(5).

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
submission inet n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

The example submission/smtpd lines in master.cf need to be uncommented. Be careful with the options (-o) that get passed to them.

smtps/465 and submission/587 use the default restrictions from main.cf(5).

However, during our testing, some software insisted on using TLS on port smtps/465, and STARTTLS on submission/587. A single port cannot mix the two (i.e. you cannot start a plaintext session then STARTTLS on a TLS port).

Note that when using port submission/587, a plaintext session is always started before STARTTLS. You may think that is insecure. In case the encrypted session is not established, the session is closed as the requirement for encryption has not been met.