Securing Postfix

Before I came to Virtualmin, I managed my own Postfix main.cf. I’ve discovered that Webmin’s default is to be an open relay. Yikes! So, I’d like to clamp this down.

First, here’s what I’ve done in the past:

[code:1]
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/smtp_helo_blacklist,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:2501,
    reject_unknown_recipient_domain,
    check_sender_access hash:/etc/postfix/access_receive,
    check_client_access hash:/etc/postfix/access_client,
    check_recipient_access mysql:/etc/postfix/mysql-recipient.cf,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
[/code:1]
You might notice that I’m using the SQLgrey code above (check_policy_service) that has been extraordinarily useful in combatting spam.

Can anyone share what you’ve done to (1) make sure that Virtualmin doesn’t allow for open relays (since we’re in a server farm with network neighbors that can’t be trusted); and, (2) make sure that Virtualmin is set to aggressively block SPAM?

Many thanks!

The open relay problem happened because the default value for mynetworks:

Servers > Postfix Mail Server > General Options > Local Networks
is:
Default (all attached networks)
When I changed mynetworks to be the IP address of the server (that is, trust only the server), the relays stopped. Since our servers are in a server farm with untrusted network neighbors, this is the thing to do, right?

I’ve had a lot of luck with greylisting too – though I’m using postgrey since there was a pretty recent Ubuntu package for that.

Like yourself, I’m also using spamhaus as an RBL. I also added in cbl.abuseat.org and bl.spamcop.net. Those all tag a decent amount of spam, but aren’t overbearing and don’t have many false positives.

Regarding the problem you had with mynetworks – I hadn’t run into that issue on the installs that I’ve performed in the past – looking at a Debian and an Ubuntu install, the settings I see in there just use localhost for the mynetworks setting. That’s not something I changed.

Perhaps we should check with Joe on this, but is it possible the installer is using whatever mynetworks value was in there whenever the installer was first run?
-Eric
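
A way to check a main.cf for the mynetworks problem discussed in this thread, as an added example that is not part of any post and not Virtualmin or Postfix code. It assumes that Webmin's "Default (all attached networks)" means mynetworks is left unset in main.cf; the function names and the sample configs are made up for illustration.

```python
import ipaddress

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace():
            if current:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def relay_findings(text):
    """List reasons why clients other than this host match permit_mynetworks."""
    params = parse_main_cf(text)
    if "mynetworks" not in params:
        # With mynetworks unset, mynetworks_style decides; its default depends on
        # the Postfix version and compatibility level, so an unset style is flagged.
        style = params.get("mynetworks_style", "(unset)")
        return [] if style == "host" else [f"mynetworks unset, mynetworks_style={style}"]
    findings = []
    for item in params["mynetworks"].replace(",", " ").split():
        try:
            net = ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"{item}: table or pattern, review by hand")
            continue
        if net.num_addresses > 1 and not net.is_loopback:
            findings.append(f"{item}: trusts {net.num_addresses} addresses")
    return findings

# Constructed sample configs; the host name and 192.0.2.x addresses are placeholders.
BEFORE = """\
myhostname = mail.example.com
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""
AFTER = BEFORE + "mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.10\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, relay_findings(cfg) or "only this host is trusted")
```

On a live server, the text to feed in would be the contents of /etc/postfix/main.cf; the check says nothing about SASL or the other restrictions in the list.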