Skip to main content

How to Secure CWP Postfix and Dovecot with Lets Encrypt SSL Certificate ?

Postfix architecture is modular and contains different daemons each specifically handling only a few tasks. The most important daemons are the following:
  • master is the main daemon that starts all the other daemons.
  • smtpd is the SMTP server daemon handling incoming connections to receive emails from another mail server or client.
  • smtp is the SMTP client handling outgoing connections to send email out to another mail server.
  • local is the local delivery agent responsible for delivering email to the local server.
  • qmgr processes and controls all messages in the mail queue.
Maps are used in postfix to control email routing. Such maps are used to accept or reject email, inform postfix about local recipients and more.

The main configuration files are main.cf which is the global configuration for all daemons and the master.cf which defines the runtime environment for the daemons. The master.cf configuration thereby overrides the configuration options from the main.cf.
Lets Secure Postfix First 
# vi /etc/postfix/main.conf 

# postfix config file

# uncomment for debugging if needed
# soft_bounce=yes

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man

# network settings
# The network interface addresses that this mail system receives mail on. 
# Specify "all" to receive mail on all network interfaces.
inet_interfaces = all

# The internet domain name of this mail system
mydomain = datahead.biz

# The internet hostname of this mail system
myhostname = server1.datahead.biz

# The domain name that locally-posted mail appears to come from, and that 
# locally posted mail is delivered to. Example: $mydomain
#myorigin = /etc/hostname
#myorigin = $myhostname

# Optional external command that the local delivery agent should use for 
# mailbox delivery. By default this should be empty.
#mailbox_command =

# The list of "trusted" remote SMTP clients that have more privileges 
# than "strangers" like relaying mail through Postfix.Ex: mynetworks = 127.0.0.0/8 [::1]/128
mynetworks = $config_directory/mynetworks

# The list of domains that are delivered via the $local_transport mail 
# delivery transport. Default: $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname, localhost.$mydomain, localhost

# What destination domains and/or subdomains this system will relay mail to. 
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf

# ADDRESS EXTENSIONS (e.g., user+foo)
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.

# Specify the delimiter between user name and address extension
# mail delivery
recipient_delimiter = +

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
transport_maps = hash:/etc/postfix/transport

# Lookup tables with all names or addresses of local recipients. The default 
# (proxy:unix:passwd.byname $alias_maps) will cause postfix to access 
# the /etc/passwd file.
#local_recipient_maps =

# Defines a lookup tables that alias specific mail addresses or domains to other local or remote address.
# virtual setup
#virtual_alias_domains = $mydomain
virtual_alias_maps =  proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, 
   regexp:/etc/postfix/virtual_regexp
   #hash:/etc/postfix/virtual

virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# debugging
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
   xxgdb $daemon_directory/$process_name $process_id & sleep 5

# smtp authentication
# The SASL plug-in type that the Postfix SMTP server should use for authentication.Ex: cyrus,dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# The name of the Postfix SMTP server's local SASL authentication realm. (default: empty)
smtpd_sasl_local_domain = $myhostname

# Enable inter-operability with remote SMTP clients that implement an obsolete 
# version of the AUTH command
broken_sasl_auth_clients = yes

# Do not report the SASL authenticated user name in the smtpd Received message header.
#For cyrus
#smtpd_sasl_authenticated_header = no

# Enable SASL authentication in the Postfix SMTP server. By default, the 
# Postfix SMTP server does not use authentication. 
smtpd_sasl_auth_enable = yes

# Disallow methods that allow anonymous authentication
# Postfix SMTP server SASL security options. noanonymous disallow methods 
# that allow anonymous authentication. 
smtpd_sasl_security_options = noanonymous


# TLS config
# Opportunistic use of TLS
#It is necessary to make sure that smtpd_use_tls directive is set to yes
# With this, the Postfix SMTP server announces STARTTLS support to remote SMTP 
# clients, but does not require that clients use TLS encryption.
smtp_use_tls = yes
smtpd_use_tls = yes

# Opportunistic TLS for both server and client ( no , may, encrypt )
# With this, the Postfix SMTP server announces STARTTLS support to remote SMTP 
# clients, but does not require that clients use TLS encryption.
smtp_tls_security_level = may
smtpd_tls_security_level = may

smtp_tls_note_starttls_offer = yes
 
# only offer authentication after STARTTLS
#N.B:Disallow plain login( if you use this roundcube will not send mail )
#But outlook , thunderbird can send email
#smtpd_tls_auth_only = yes

# Request client certificate
smtpd_tls_ask_ccert = yes

# Increase the logging for incoming and outgoing
#This will allow you to verify in the server log which cipher was used for the TLS connection.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# Add TLS info to message headers
# Enable logging of summary message for TLS handshake and to include 
# information about the protocol and cipher used as well as the client and issuer CommonName
smtpd_tls_received_header = yes
#smtp_tls_received_header = yes

# Cached Postfix SMTP server session information expires after a certain 
# amount of time.RFC2246 recommends a maximum of 24 hours. 
smtp_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Postfix SMTP server and the remote SMTP client negotiate a session, which 
# takes some computer time and network bandwidth. SSL protocol versions other 
# than SSLv2 support resumption of cached sessions.
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache

# TLS certificates and private keys
# Change mail.example.com.* to your host name
smtpd_tls_key_file = /etc/letsencrypt/live/server1.datahead.biz/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/server1.datahead.biz/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/server1.datahead.biz/fullchain.pem


# Disable SSLv2 and SSLv3 ,TLSv1, TLSv1.1 and TLSv1.2 enabled.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1

smtpd_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes


#Path to CA file
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# rules restrictions
smtpd_client_restrictions =
# This setting will slow down the sending from connecting clients. This trick 
# can reduce spam as spammers dont have time to wait.
#smtpd_client_restrictions = sleep 5
#smtpd_delay_reject = no

smtpd_helo_restrictions =

# Reject if the MAIL FROM domain has 1) no DNS A or MX record, or 2) a 
# malformed MX record or MAIL FROM address is not a fully-qualified domain
smtpd_sender_restrictions =
#If u use this , you must have DNS A records for both client(outlook , thunderbird) and server 
#smtpd_sender_restrictions = reject_unknown_sender_domain

# Protect against bots/spammers that trigger lots of errors or scan for 
# accounts. When the error count reaches the soft-limit, delay the response by 
# the sleep-time but if the hard-limit is reached, postfix will disconnect.
#smtpd_error_sleep_time = 30
#smtpd_soft_error_limit = 10
#smtpd_hard_error_limit = 20

# Optional restrictions that the Postfix SMTP server applies in the context of 
# a client RCPT TO command, after smtpd_relay_restrictions. 
smtpd_recipient_restrictions = permit_sasl_authenticated, 
 permit_mynetworks, 
 check_client_access hash:/etc/postfix/sender_whitelist, 
 check_client_access hash:/etc/postfix/sender_blacklist, 
 reject_unauth_destination, 
 reject_non_fqdn_sender, 
 reject_non_fqdn_recipient, 
 reject_unknown_recipient_domain, 
 reject_rbl_client zen.spamhaus.org, 
 reject_rbl_client bl.spamcop.net 


smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining

# Other options
# email size limit ~20Meg
message_size_limit = 204800000
mailbox_size_limit = 2048000000

# Limit 500 emails per hour per email address
anvil_rate_time_unit = 3600s
smtpd_client_message_rate_limit = 500 

# Vacation Scripts
vacation_destination_recipient_limit = 1
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_vacation.cf

#In order to integrate OpenDKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Now edit the dovecot configuration file :
I am using medium chiper , if you want to use high chiper then you can follow the below link:
https://access.redhat.com/articles/1468593
https://access.redhat.com/articles/1470523
https://blog.tinned-software.net/setup-postfix-with-smtp-auth-and-tls-on-centos/



Comments

Most Popular

CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

After hosting my parent domain on CWP7.admin, I am getting dns error and i'm not able access my server using my server FQDN but i can access using my server IP.
So what can i do for that problem ?

Yes, you have to fix the error .

Environment Details:
Distro Name: CentOS Linux release 7.6.1810 (Core)
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
WebServer: Apache Only
FQDN: host.datahead.biz
IP: 192.120.10.3

1.Change Hostname Permanently:
# hostnamectl set-hostname host.datahead.biz# hostnamectl Static hostname: host.datahead.biz Icon name: computer-vm Chassis: vm Machine ID: 7400071490ea4f7d931374824ad4b52c Boot ID: 6e1f2d76495d4b318c25c4a1195aa130 Virtualization: vmware Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-862.14.4.el7.x86_64 Architecture: x86-64 It also writes this information to the /etc/hostname file as well.
# cat /etc/hostname host.d…

CWP DNS Part 2 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

7.Open Main Configuration file
# vi /etc/named.conf 12 options { 13 listen-on port 53 { any; }; 14 listen-on-v6 port 53 { ::1; }; 15 directory "/var/named"; 16 dump-file "/var/named/data/cache_dump.db"; 17 statistics-file "/var/named/data/named_stats.txt"; 18 memstatistics-file "/var/named/data/named_mem_stats.txt"; 19 recursing-file "/var/named/data/named.recursing"; 20 secroots-file "/var/named/data/named.secroots"; 21 allow-query { any; }; 33 recursion no; 34 35 dnssec-enable yes; 36 dnssec-validation yes; 54 zone "." IN { 55 type hint; 56 file "named.ca"; 57 }; 58 59 include "/etc/named.rfc1912.zones"; 60 include "/etc/named.root.key"; 61 …