mlan edited this page Mar 21, 2021 · 1 revision

The following postfix parameters illustrate how improved security can be achieved.

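#
# Postscreen
#
# These settings take effect only if the postscreen service is enabled in
# master.cf (not shown on this page).
#
# postscreen_dnsbl_sites entries are "domain[=reply-filter][*weight]". A client
# is acted on once its summed weight reaches postscreen_dnsbl_threshold.
#
# The zen.spamhaus.org entry carries a reply filter so that only real listing
# codes score. Without a filter any DNS answer counts as a hit, including the
# error replies Spamhaus returns to blocked or over-quota resolvers, and at
# weight 3 that alone would reject every client.
#
# dnsbl.sorbs.net was dropped: SORBS has been discontinued. A retired list
# domain that starts answering every query would add weight to every client.
# NOTE(review): confirm the remaining lists are still operated and that your
# usage complies with their terms before deploying.
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
   zen.spamhaus.org=127.0.0.[2..11]*3
   bl.spameatingmonkey.net*2
   bl.spamcop.net
   b.barracudacentral.org=127.0.0.[2..11]*2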

#
# Error response codes
#
# Every policy rejection below answers 554 (permanent failure), so the sending
# server bounces the message instead of retrying.
#
# Trade-off: Postfix ships unknown_address_, unknown_client_, unknown_hostname_,
# unverified_recipient_ and unverified_sender_reject_code as 450 (temporary),
# because those checks depend on DNS or address probing and the failure is often
# a sender-side misconfiguration that gets fixed. With 554, such mail is lost to
# a bounce rather than delayed. Postfix still answers 450 when the lookup itself
# fails temporarily.
#
# unknown_client_reject_code and the unverified_* codes only matter when
# reject_unknown_client_hostname / reject_unverified_* are configured; none of
# them appear in the restriction lists on this page.
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

The following SMTP access restrictions can also be applied:

# Require HELO/EHLO before MAIL FROM; otherwise a client can skip the command
# and never be subject to the HELO restrictions below.
smtpd_helo_required = yes
# Postpone every rejection until RCPT TO so the log records sender and
# recipient (this is also the Postfix default).
smtpd_delay_reject = yes
# HELO checks are evaluated in order and the first match decides.
# reject_unknown_helo_hostname rejects any HELO name without a DNS A or MX
# record; legitimate but sloppily configured servers fail this, so expect some
# false positives. The trailing "permit" is the implicit default.
smtpd_helo_restrictions = 
    permit_mynetworks, 
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname, 
    permit

# Relay control (Postfix 2.10 and later): only local networks and
# SASL-authenticated clients may send to domains this server is not
# responsible for. Keeping this apart from the spam policy in
# smtpd_recipient_restrictions means a mistake there cannot open the relay.
# NOTE(review): mynetworks is not shown on this page; keep it as narrow as
# possible, since every address in it bypasses authentication.
smtpd_relay_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated,
    reject_unauth_destination

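# Recipient-stage policy, evaluated in order; the first match decides.
# Syntax checks come first, then local and authenticated clients are permitted,
# so the blocklist lookups below apply to unauthenticated outside clients only.
#
# Changes from the original list:
#  - zen.spamhaus.org carries a reply filter. Without it any DNS answer counts
#    as a listing, including the error replies Spamhaus returns to blocked or
#    over-quota resolvers, which would reject all inbound mail.
#  - sbl-xbl.spamhaus.org removed: zen already includes it.
#  - dsn.rfc-ignorant.org, list.dsbl.org, dul.dnsbl.sorbs.net and
#    dnsbl.sorbs.net removed: those services were discontinued. A retired list
#    domain that starts answering every query rejects every client.
#  - multi.uribl.com removed: it lists domain names, not client IP addresses,
#    so reject_rbl_client never gets a meaningful answer from it.
#  - reject_invalid_hostname removed: it is the legacy name of
#    reject_invalid_helo_hostname, which is already the first entry.
#
# NOTE(review): confirm that each remaining list is still operated and that
# your query volume is within its usage terms. dbl.spamhaus.org should get a
# reply filter as well; take the listing codes from the Spamhaus documentation.
# A single hit on any list rejects outright here; the weighted scoring in
# postscreen_dnsbl_sites is more tolerant of one list misfiring.
smtpd_recipient_restrictions =
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rbl_client rabl.nuclearelephant.com,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    permit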

# Client-stage policy. The sender and recipient checks listed here only work
# because smtpd_delay_reject = yes postpones evaluation until RCPT TO; with it
# set to "no" they would run before MAIL FROM and RCPT TO are known.
# reject_sender_login_mismatch comes before permit_sasl_authenticated so that a
# logged-in user cannot send as an address owned by another login. It relies on
# smtpd_sender_login_maps, which is not set on this page (TODO confirm it is
# defined in the deployed configuration).
# This list is identical to smtpd_sender_restrictions.
smtpd_client_restrictions = 
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_unauth_destination, 
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

# Sender-stage policy, evaluated in order; the first match decides.
# reject_sender_login_mismatch comes before permit_sasl_authenticated so that a
# logged-in user cannot send as an address owned by another login. It relies on
# smtpd_sender_login_maps, which is not set on this page (TODO confirm it is
# defined in the deployed configuration).
# reject_unauth_destination needs the recipient, so it depends on
# smtpd_delay_reject = yes. reject_invalid_hostname is the legacy name of
# reject_invalid_helo_hostname.
smtpd_sender_restrictions = 
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining
