

...

~# apt install firehol fail2ban ulogdulogd2


Edit the fail2ban configuration:

...

~# systemctl enable fail2ban.service
~# systemctl enable ulogdulogd2.service
~# systemctl enable firehol.service

~# systemctl start fail2ban.service
~# systemctl start ulogdulogd2.service
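Review bot: firehol.service is enabled but, unlike fail2ban and ulogd2, never started in this block, so the firewall ruleset is not loaded until the next reboot while fail2ban is already running on top of it. Unless the elided "Test the firewall setup" step starts it, add `~# systemctl start firehol.service` after the two start commands. The service name as rendered (`ulogdulogd2`) appears to be the old and new values of the comparison merged; on Debian 10 the unit is presumably `ulogd2.service`, which should be confirmed against the current page version.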


Test the firewall setup:

...

title/etc/postfix/main.cf
compatibility_level     = 2
smtpd_banner            = $myhostname ESMTP NO UCE
sendmail_path           = /usr/sbin/sendmail
newaliases_path         = /usr/bin/newaliases
mailq_path              = /usr/bin/mailq
myhostname              = example.com
biff                    = no
append_dot_mydomain     = no
mynetworks              = 127.0.0.0/8 [::1]/128 1.2.3.4
recipient_delimiter     = +
owner_request_special   = no
inet_interfaces         = all
inet_protocols          = ipv4
alias_maps              = hash:/etc/aliases

myorigin                = $myhostname
mydestination           = localhost


# virtual maps
virtual_mailbox_domains = mail.example.com mail2.example.com
virtual_mailbox_maps    = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps      = ldap:/etc/postfix/ldap-aliases.cf
virtual_transport       = lmtp:127.0.0.1:2003

# prevent leaking valid e-mail addresses
disable_vrfy_command    = yes

#sasl
smtpd_sasl_path                 = smtpd
smtpd_sasl_auth_enable          = yes
broken_sasl_auth_clients        = yes

# TLS encryption - server
smtpd_tls_security_level        = may
smtpd_tls_auth_only             = no
smtpd_tls_cert_file             = /etc/ssl/private/mail.example.com/fullchain.pem
smtpd_tls_key_file              = /etc/ssl/private/mail.example.com/privkey.pem
smtpd_tls_loglevel              = 0
smtpd_tls_received_header       = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source               = dev:/dev/urandom
smtpd_tls_dh1024_param_file     = /etc/postfix/dhparams_4096.pem
smtpd_tls_session_cache_database        = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_exclude_ciphers     = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_mandatory_protocols           = !SSLv2, !SSLv3
smtpd_tls_protocols                     = !SSLv2 !SSLv3

# TLS encryption - client
smtp_tls_security_level         = may
smtp_tls_loglevel               = 1
smtp_tls_mandatory_ciphers      = high
smtp_tls_mandatory_protocols    = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

### Before-220 tests
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action     = drop
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        z.mailspike.net*2
        bl.mailspike.net
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        swl.spamhaus.org*-4
postscreen_whitelist_interfaces = $mynetworks, static:all

# spam filter and DKIM signatures via rspamd
smtpd_milters         = inet:localhost:11332
non_smtpd_milters     = inet:localhost:11332
milter_protocol       = 6
milter_mail_macros    = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept

# check incoming mail for 'stuff'
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_invalid_hostname

smtpd_data_restrictions =
        reject_unauth_pipelining

# client restrictions
smtpd_client_restrictions =
        permit_mynetworks,
        permit_auth_destination,
        permit_sasl_authenticated,

# anybody out there?
smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_hostname

# who may send
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/sender_domain_checks,
        reject_unknown_sender_domain,

# mail reject codes
unknown_address_reject_code             = 550
unknown_client_reject_code              = 550
unknown_hostname_reject_code            = 554
unknown_local_recipient_reject_code     = 550
unknown_relay_recipient_reject_code     = 554
unknown_virtual_alias_reject_code       = 550
unknown_virtual_mailbox_reject_code     = 550

# deferred mail intervals

queue_run_delay                 = 900
# (default: 300 seconds; before Postfix 2.4: 1000s)
# How often the queue manager scans the queue for deferred mail.

# (default: 300 seconds; before Postfix 2.4: 1000s)
# The minimal amount of time a message won't be looked at, and the minimal amount of time to stay away from a "dead" destination.
minimal_backoff_time            = 450

# (default: 4000 seconds)
# The maximal amount of time a message won't be looked at after a delivery failure.
maximal_backoff_time            = 1800

# (default: 5 days)
# How long a message stays in the queue before it is sent back as undeliverable. Specify 0 for mail that should be returned immediately after the first unsuccessful delivery attempt.
maximal_queue_lifetime          = 14

# (default: 5 days, available with Postfix version 2.1 and later)
# How long a MAILER-DAEMON message stays in the queue before it is considered undeliverable. Specify 0 for mail that should be tried only once.
bounce_queue_lifetime           = 14

# (default: 20000)
# The size of many in-memory queue manager data structures. Among others, this parameter limits the size of the short-term, in-memory list of "dead" destinations. Destinations that don't fit the list are not added.
qmgr_message_recipient_limit    = 1000000

# mail size
message_size_limit              = 21360000
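Review bot: `smtpd_tls_auth_only = no` combined with `smtpd_sasl_auth_enable = yes` allows clients to send SASL credentials over an unencrypted session, because `smtpd_tls_security_level = may` only offers STARTTLS opportunistically; unless master.cf overrides this for the submission service (not visible here), change it to `smtpd_tls_auth_only = yes`. `smtpd_tls_mandatory_exclude_ciphers` is only consulted when TLS is mandatory, so at security level `may` the exclusion list has no effect on server-side TLS; the parameter that applies to opportunistic TLS is `smtpd_tls_exclude_ciphers`. That same list also contains two names that match no OpenSSL cipher and therefore exclude nothing, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5`, which presumably were meant to be `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES`. The comment pair for `queue_run_delay` sits below the key while every other deferred-mail comment sits above its key; moving it above keeps the block consistent.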

...

title/etc/cron.d/mailjobs
# minute (0-59),
# |     hour (0-23),
# |     |       day of the month (1-31),
# |     |       |       month of the year (1-12),
# |     |       |       |       day of the week (0-7 with 0=7=Sunday).
# |     |       |       |       |       user
# |     |       |       |       |       |       command

# sync LDAP to Kopano regularly
*/30    *       *       *       *       root    /usr/sbin/kopano-admin --sync
 
# purge soft-deleted items after 30 days
330      3 30      *       *       *       root    /usr/sbin/kopano-srvadm --purge-softdelete=30
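Review bot: The purge-softdelete entry's time fields read `330      3 30      *       *       *` as rendered, which is not a valid minute/hour pair and no longer lines up with the column legend at the top of the file. This looks like the old and new values of the comparison merged into one line, so the effective schedule (presumably `30      3       *       *       *`, i.e. 03:30 daily) should be confirmed against the current page version before copying it.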

...