Friday, June 15, 2012

HowTo Secure Postfix and Sendmail Server


Securing Postfix

Postfix is a replacement for Sendmail with several security advantages. It is built from several small programs, each performing its own small task, and almost all of them run in a chroot jail. These are just a few of the reasons why Postfix is recommended over Sendmail. For more information on chroot jails, see Using Chroot Securely.

Linux servers that are not dedicated mail or relay servers should not accept external emails. However, it is important for production servers to send local emails to a relay server.

Before you continue on a Red Hat system, make sure Postfix is activated using the following command:
# alternatives --set mta /usr/sbin/sendmail.postfix

The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:
  mydestination = $myhostname, localhost.$mydomain, localhost
  inet_interfaces = localhost
The mydestination parameter lists the domains for which this host accepts mail for local delivery.
The inet_interfaces parameter specifies the network interfaces to listen on.

Once you've configured Postfix, restart the mail system with the following command:
# /etc/init.d/postfix restart

To verify whether Postfix is still listening for incoming network requests, you can run one of the following commands from another node:

# nmap -sT -p 25 <remote_node>
# telnet <remote_node> 25
Don't run these commands on the local host since Postfix is supposed to accept connections from the local node.

 
Securing Sendmail

This article focuses on security issues that pertain to most Linux servers in a production environment. Therefore, securing a mail or relay server is out of scope for this article since not all Linux servers in a production environment are mail or relay servers. However, Sendmail or Postfix is usually required for local mail delivery. Note that it is recommended to use Postfix over Sendmail for various security reasons.

On newer Linux systems Sendmail is configured to run in the background for local mail delivery and not to accept incoming network connections. If your server is not a mail or relay server, then it is important that Sendmail is not accepting incoming network connections from any host other than the local server.

The default sendmail.cf configuration file on Red Hat does not allow Sendmail to accept incoming network connections. The following setting in /etc/mail/sendmail.cf tells Sendmail not to accept incoming network connections from servers other than the local node:

   O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA  

If that's not the case on your system, set or uncomment the DAEMON_OPTIONS line in /etc/mail/sendmail.mc so that it reads:
 
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl


Then run:
# mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

To verify whether Sendmail is still listening for incoming network requests, you can run one of the following commands from another node (make sure that you have permission to probe the machine):

# nmap -sT -p 25 <remote_node>
# telnet <remote_node> 25

Don't run these commands on the local host since Sendmail is supposed to accept connections from the local node.
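
The remote probes above can be complemented by a check on the server itself that inspects which addresses port 25 is bound to, and it works the same for Postfix and Sendmail. The script below is an added example, not part of the original article; the function names exposed_smtp_listeners and report are hypothetical, and both socket listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads `ss -ltn` or `netstat -ltn` output on stdin; in both formats the
# local address:port is the 4th whitespace-separated column.
# Prints every non-loopback address with a listener on TCP 25 and
# returns 1 if any exist, 0 if port 25 is loopback-only (or closed).
exposed_smtp_listeners() {
    awk '
        $4 ~ /:25$/ {
            addr = $4
            sub(/:25$/, "", addr)   # drop the port
            sub(/^\[/, "", addr)    # ss brackets IPv6: [::1]
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print addr              # 0.0.0.0, ::, * or a routable address
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: ss-style listing after the loopback-only change.
SAMPLE_LOCKED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      100    [::1]:25           [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: netstat-style listing of an MTA bound to all interfaces.
SAMPLE_OPEN='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp   0      0      0.0.0.0:25    0.0.0.0:*       LISTEN
tcp   0      0      :::25         :::*            LISTEN
tcp   0      0      127.0.0.1:631 0.0.0.0:*       LISTEN'

report() {  # $1 = label, stdin = socket listing
    if hits=$(exposed_smtp_listeners); then
        echo "$1: port 25 is loopback-only or closed"
    else
        printf '%s: port 25 listening on:\n%s\n' "$1" "$hits"
    fi
}

printf '%s\n' "$SAMPLE_LOCKED" | report "sample A"
printf '%s\n' "$SAMPLE_OPEN"   | report "sample B"
# On a live host: ss -ltn | report "$(hostname)"
```

A clean result here only shows what the MTA is bound to; the nmap or telnet probe from another node is still needed to confirm what is reachable over the network.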


Note that this document comes without warranty of any kind, but every effort has been made to provide information that is as accurate as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmaster_at admin@linuxhowto.in

                                                       Copyright © 2012 LINUXHOWTO.IN

