diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md
index a4317eb..fb78926 100644
--- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md
+++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md
@@ -252,8 +252,9 @@ Now run the following command to get your free TLS certificate: If you have several subdomains in your nginx config that you'd like covered by the same certificate, you can omit `-d mail.domain.com` and get a certificate covering all the domains in your nginx config. On my server, I have one -certificate at `/etc/letsencrypt/revsuine.xyz/` covering my apex domain and all subdomains. If you go for a certificate -with only one domain name, e.g. for `mail.domain.com`, it will be at `/etc/letsencrypt/mail.domain.com/`. +certificate at `/etc/letsencrypt/live/revsuine.xyz/` covering my apex domain and all subdomains. If you go for a +certificate with only one domain name, e.g. for `mail.domain.com`, it will be at +`/etc/letsencrypt/live/mail.domain.com/`. # Postfix 
@@ -307,6 +308,76 @@ one at `/etc/logrotate.d/postfix`: } ``` +Add the following TLS settings, replacing `your.domain.com` with your mail server's FQDN, [or otherwise where the TLS +certificate we generated would be](#obtain-a-tls-certificate): + +```conf +# Enable TLS encryption when Postfix receives incoming emails +smtpd_tls_cert_file = /etc/letsencrypt/live/your.domain.com/fullchain.pem +smtpd_tls_key_file = /etc/letsencrypt/live/your.domain.com/privkey.pem +smtpd_tls_security_level = may +smtpd_tls_loglevel = 1 +smtpd_tls_session_cache_database = lmdb:${data_directory}/smtpd_scache + +# Enable TLS encryption when Postfix sends outgoing emails +smtp_tls_security_level = may +smtp_tls_loglevel = 1 +smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache + +# Enforce TLSv1.3 or TLSv1.2 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 + +# only offer authentication after STARTTLS +smtpd_tls_auth_only = yes + +# disable SSL compression +tls_ssl_options = NO_COMPRESSION + +# Configure the allowed cipher list +smtpd_tls_mandatory_ciphers = high +smtp_tls_mandatory_ciphers = high +smtpd_tls_ciphers = high +smtpd_tls_mandatory_ciphers = high +tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 +tls_preempt_cipherlist = yes +``` + +The allowed cipher list is from [Mailcow](https://docs.mailcow.email/manual-guides/Postfix/u_e-postfix-harden_ciphers/). + +If you're using this as a personal mail server, you may not want to have a mailbox size limit, so you can set: + +```conf +mailbox_size_limit = 0 +``` + +By default, `mailbox_size_limit` is `51200000`. This number is in bytes. You can similarly set a `message_size_limit`. 
+ +Finally, here are some various hardening settings you can add to your `/etc/postfix/main.conf`: + +```conf +# connections rate limit: no of connections allowed per unit +# `postconf anvil_rate_time_unit` will give the time unit; by default it's +# 60 seconds, so 600/60=10 connections allowed per second +smtpd_client_connection_rate_limit = 600 +# messages rate limit, again over same time limit +smtpd_client_message_rate_limit = 60 +# VRFY command used to check if an email address exists +# not needed and can be used to find spam recipients +disable_vrfy_command = yes +# servers that don't use HELO or EHLO are either not properly configured +# or sending spam usually +smtpd_helo_required = yes +smtpd_delay_reject = yes +smtpd_helo_restrictions = + permit_mynetworks, + reject_invalid_helo_hostname, + reject_unknown_helo_hostname, + permit +``` + ## Send your first email Have the `postfix` service auto-start upon boot, and start it during this session: 
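Review bot: The file named in the hardening paragraph is wrong: Postfix reads its main configuration from `/etc/postfix/main.cf`, not `/etc/postfix/main.conf` (the master.cf section further down uses the `.cf` suffix), so a reader who creates `main.conf` gets none of these settings applied. In the cipher block, `smtpd_tls_mandatory_ciphers = high` appears twice while `smtp_tls_ciphers` is never set; the second occurrence was presumably meant to be `smtp_tls_ciphers = high`. Worth a sentence next to that block: with `smtpd_tls_security_level = may` and `smtp_tls_security_level = may` TLS is opportunistic, so a peer that cannot negotiate one of the listed ciphers falls back to cleartext rather than being refused, which is why Postfix's TLS documentation, as far as I recall, advises against raising the cipher grade for opportunistic TLS and reserving strict lists for the mandatory (`encrypt`) listeners such as submission. The `reject_unknown_helo_hostname` restriction also rejects mail from legitimate but misconfigured senders whose HELO name has no DNS record, so the tutorial could suggest trying it as `warn_if_reject reject_unknown_helo_hostname` first and watching the log before enforcing it.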
@@ -343,6 +414,37 @@ so ultimately `revsuine` will get `postmaster`'s mail. You can continue to populate the aliases file with whatever aliases you want. +## Enable Postfix submission and smtps service + +To send emails from email clients, you'll need to enable Postfix's submission service so that Postfix can receive +emails to send via SMTP. Edit `/etc/postfix/master.cf` and ensure that the following lines are present: + +```conf +submission inet n - n - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + -o smtp_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + +smtps inet n - n - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth +``` + +They may be commented out, or partially present without some options. + +Restart Postfix. + + # rc-service postfix restart + # Dovecot [Dovecot](https://www.dovecot.org/) is a popular IMAP and POP3 server which we'll be using for our MDA.
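Review bot: The submission entry sets `-o smtp_sasl_type=dovecot`, which is the SMTP client-side SASL parameter; the server-side one, as the smtps entry below it correctly uses, is `smtpd_sasl_type`. With the typo, the submission listener falls back to whatever `smtpd_sasl_type` main.cf provides (Postfix's default is `cyrus`), so authentication on port 587 fails or goes to the wrong backend unless main.cf happens to set it. Change the line to `    -o smtpd_sasl_type=dovecot`. It would also help to say why `smtpd_tls_security_level=encrypt` (and `smtpd_tls_wrappermode=yes` on smtps) is used here: unlike the opportunistic `may` on port 25, it prevents the client from sending credentials over a cleartext session.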