0

I'm creating a Postfix email server. It's bare-bones- I'm only using the email server to receive from my gmail account. So far I have TLS/SSL encryption on Postfix and Dovecot.

Is TLS/SSL enough? What other security and encryption do I need to safely run this server?

Here are my config files:

postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/host-name.domain.name/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/host-name.domain.name/privkey.pem/privkey.pem

myhostname = host-name
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = host-name.domain.name, domain.name, localhost.domain.name, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
home_mailbox = Maildir/

postfix/master.cf

disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"

protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

dovecot.conf

disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"

protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

ssl=required
ssl_cert = </etc/letsencrypt/live/host-name.domain.name/fullchain.pem
ssl_key = </etc/letsencrypt/live/host-name.domain.name/privkey.pem
trouble_bucket
  • 13
  • 3
  • If you do not intend to send email, make that explicit in your configuration, to reduce potential for abuse. If you only want to receive mail from certain domains, make that explicit in your configuration so you do not have to deal with 3rd-party spam. Consider how you are going to apply upgrades swiftly, when security vulnerabilities in either dovecot or postfix are identified. – anx Sep 19 '22 at 16:55

0 Answers0