Sicherer Postfix Server??

Dieses Thema im Forum "Installation und Konfiguration" wurde erstellt von evilgenius, 22. Juli 2009.

  1. evilgenius


    Hallo HowtoForge User,

    erstmal danke für die vielen Howtos und das gute Forum, in dem man sehr viel findet, was einem weiterhilft. :)

    So, Postfix läuft :), das ist das Gute! Folgendes Setup verwende ich:
    Postfix, Dovecot und ClamSMTP stehen hinter einer Firewall; die IP wird über DynDNS aufgelöst.

    main.cf
    --------------------------------------------------------------------------
    # Listen on every interface, IPv4 only; the firewall in front decides what reaches the server.
    inet_interfaces = all
    inet_protocols = ipv4

    smtpd_banner = $myhostname ESMTP $mail_name (Debian)
    biff = no

    append_dot_mydomain = no
    delay_warning_time = 4h

    myhostname = pinguin.super.de
    mydomain = super.de
    mydestination = $myhostname, $mydomain
    # Only loopback is trusted. Clients on the LAN are NOT in mynetworks and therefore
    # have to authenticate like everybody else (see smtpd_recipient_restrictions below).
    mynetworks = 127.0.0.0/8

    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases

    # virtual_maps is the pre-Postfix-2.0 name of virtual_alias_maps; still honoured for compatibility.
    virtual_maps = hash:/etc/postfix/virtual/maps
    virtual_alias_domains = test.de

    # Local delivery is handed to Dovecot's LDA.
    mailbox_command = /usr/lib/dovecot/deliver
    mailbox_size_limit = 0
    home_mailbox = .Maildir/
    recipient_delimiter = +
    # No relayhost: outbound mail is delivered directly to the recipient's MX.
    relayhost =

    # TLS parameters

    # Postfix acting as client (outbound SMTP)
    # smtp_sasl_security_options only takes effect once smtp_sasl_auth_enable is switched on;
    # that is not set here and relayhost is empty, so this line is currently inert.
    smtp_sasl_security_options = noanonymous
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # Postfix acting as server (user authentication, TLS)
    # The private key file should be readable by root only (see Postfix TLS_README).
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

    # SASL is delegated to Dovecot over the unix socket private/auth (relative to $queue_directory).
    smtpd_sasl_type=dovecot
    smtpd_sasl_path=private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    # Relay policy, evaluated left to right: SASL-authenticated clients may relay anywhere,
    # so may $mynetworks (loopback only); everybody else is limited to $mydestination and
    # the virtual domains by reject_unauth_destination. This single line is what prevents an
    # open relay, so "only authenticated users can send outbound mail" holds exactly as long
    # as it stays in place.
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

    # smtpd_use_tls is the legacy switch; smtpd_tls_security_level below takes precedence.
    smtpd_use_tls = yes
    # AUTH is neither announced nor accepted before STARTTLS, so credentials do not travel in
    # the clear (compare the two mail.log excerpts further down).
    smtpd_tls_auth_only = yes
    # "may" = opportunistic STARTTLS: a client that never issues STARTTLS still gets a
    # cleartext session (without AUTH). Mandatory TLS ("encrypt") belongs on a dedicated
    # submission port, not on port 25 where remote MTAs without TLS must still be able to deliver.
    smtpd_tls_security_level = may
    # NOTE(review): level 3 is a debugging setting that logs TLS negotiation details for every
    # session; the Postfix documentation recommends 1 for production use.
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    # Additionally advertises the non-standard "AUTH=" line for old clients
    # (visible as "250-AUTH=PLAIN LOGIN" in the first log excerpt below).
    broken_sasl_auth_clients = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

    tls_random_source = dev:/dev/urandom

    # After-queue content filter: mail is handed to the "scan" service from master.cf on
    # 127.0.0.1:10025 and presumably comes back through the 127.0.0.1:10026 listener defined
    # there (the scanner's return port is configured on the scanner side — confirm).
    content_filter = scan:127.0.0.1:10025
    # Address rewriting is skipped on first receipt and done when the mail re-enters after
    # filtering (the standard FILTER_README arrangement).
    receive_override_options = no_address_mappings
    ------------------------------------------------------------------------

    master.cf
    ------------------------------------------------------------------------
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    # Public SMTP listener (port 25). Relay control comes from main.cf
    # smtpd_recipient_restrictions; STARTTLS stays optional here ("may").
    # Mail arriving here is piped to spamassassin first; after re-injection through
    # sendmail it presumably also gets main.cf's content_filter=scan:... — worth
    # confirming in mail.log that both filters really run on inbound mail.
    smtp inet n - - - - smtpd
    -o content_filter=spamassassin
    # SpamAssassin as a pipe(8) filter: spamc re-injects the message via sendmail(1),
    # which brings it back into the queue through pickup/cleanup.
    spamassassin unix - n n - - pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    # NOTE(review): the submission service (port 587) is still commented out. Enabling it
    # with smtpd_tls_security_level=encrypt gives authenticating clients a port on which
    # cleartext sessions are refused outright, instead of relying on the opportunistic
    # "may" of port 25.
    #submission inet n - - - - smtpd
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #smtps inet n - - - - smtpd
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    #qmgr fifo n - - 300 1 oqmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - - - - smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay unix - - - - - smtp
    -o smtp_fallback_relay=
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - - - - showq
    error unix - - - - - error
    retry unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman unix - n n - - pipe
    flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    ${nexthop} ${user}

    # AV scan filter (used by content_filter)
    # Delivers to the scanner on 127.0.0.1:10025 (main.cf content_filter); maxproc 16 caps
    # the number of concurrent deliveries. XFORWARD passes the original client attributes
    # along so the re-injected mail still carries them.
    scan unix - - n - 16 smtp
    -o smtp_send_xforward_command=yes

    # Re-injection listener for scanned mail: bound to loopback only, content_filter cleared
    # so mail cannot loop back into the scanner, and the restrictions reduced to
    # permit_mynetworks,reject with mynetworks_style=host so only this host may inject here.
    127.0.0.1:10026 inet n - n - 16 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    ------------------------------------------------------------------------

    Wo liegen evtl. Schwächen? Ist sichergestellt, dass nur authentifizierte User E-Mails verschicken können? Ich habe das mal ausprobiert, mitgeloggt und mit Wireshark mitgetracet:

    ------------------------------------------------------------------------
    mit:
    smtpd_use_tls = no
    smtpd_tls_auth_only = no

    Part of /var/log/mail.log
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250-AUTH=PLAIN LOGIN
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250-ENHANCEDSTATUSCODES
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250-8BITMIME
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 250 DSN
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: < unknown[192.168.24.38]: AUTH PLAIN AGFjYW5qZQBqdW5pYmFlcg==
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response AGFjYW5qZQBqdW5pYmFlcg==

    Kommentar: genau diesen Base64-String (AGFjYW5qZQBqdW5pYmFlcg==) habe ich im Wireshark-Mitschnitt gesehen!!!!!!!! Base64 ist keine Verschlüsselung – ohne TLS gehen die Zugangsdaten also im Klartext über die Leitung, und bei dieser Log-Stufe stehen sie zusätzlich in mail.log.

    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: xsasl_cyrus_server_first: decoded initial response
    Jul 22 22:38:16 pinguin postfix/smtpd[4219]: > unknown[192.168.24.38]: 235 2.7.0 Authentication successful


    mit:
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes

    Part of /var/log/mail.log
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 220 mail.pinguin.canje.zoo ESMTP Postfix (Debian)
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: < unknown[192.168.24.38]: EHLO [192.168.24.38]
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-mail.pinguin.canje.zoo
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-PIPELINING
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-SIZE 10240000
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-VRFY
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-ETRN
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: match_list_match: unknown: no match
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: match_list_match: 192.168.24.38: no match
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-STARTTLS
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-ENHANCEDSTATUSCODES
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250-8BITMIME
    Jul 22 22:43:57 pinguin postfix/smtpd[4274]: > unknown[192.168.24.38]: 250 DSN
    ------------------------------------------------------------------------
    Was haltet Ihr von dem Setup? Folgendes soll erreicht werden:
    User im internen Netzwerk sollen E-Mails verschicken können, und sie sollen von außen (z.B. von GMX) Nachrichten empfangen können. Also: User@gmx.de schickt User@test.de eine E-Mail :)

    Ich bin mal auf euer Feedback gespannt.

    Mit freundlichen Grüßen

    evilgenius
     
    Zuletzt bearbeitet: 23. Juli 2009
