Postfix setup on mkirby.org

I run Postfix as my MTA at mkirby.org.
As I’ve stated before, this blog isn’t to show people how to set up services but rather how to secure them.

I disabled the VRFY command to prevent user account lookups:
disable_vrfy_command = yes

Here is how I setup ingress TLS:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file = /etc/postfix/certs/mkirby.org.crt
smtpd_tls_key_file = /etc/postfix/certs/mkirby.org.key
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_CAfile = /etc/postfix/certs/ca.crt
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
broken_sasl_auth_clients = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, TLSv1.0, SSLv3, !SSLv2
smtpd_tls_eecdh_grade = ultra
smtpd_tls_dh1024_param_file = /etc/postfix/certs/dh_2048.pem

As you can see, I enforce strong-ish ciphers and hashes by excluding aNULL, MD5, and RC4.
I also set up ephemeral DH for forward secrecy.  If my private key were stolen, the attacker would still not be able to decrypt the connection, because the session key is agreed through the ephemeral DH exchange rather than encrypted to the certificate's RSA key.  This is done through the smtpd_tls_dh1024_param_file and smtpd_tls_dh512_param_file settings.  You will want to generate your own DH parameters so that Postfix doesn't use its built-in ones.
openssl gendh -out /etc/postfix/certs/dh_2048.pem -2 -rand /dev/urandom 2048
Notice that the parameter name is smtpd_tls_dh1024_param_file, but I'm using a 2048-bit prime.  (The gendh subcommand was removed in OpenSSL 1.1.0; its replacement, dhparam, produces the same PEM file.)
As of mid-2015, SMTP clients are starting to reject TLS handshakes with primes smaller than 2048 bits.
As a side note, make sure you have restrictive permissions on the directory that contains the certs and keys.  You don't want that readable by everyone on the system.
Newer versions of Postfix and OpenSSL support elliptic curve cryptography.  It is enabled with the smtpd_tls_eecdh_grade parameter.  I set mine to ultra, which is substantially more CPU intensive.
I used urandom instead of random because of the length of time /dev/random can block while gathering entropy.

Here is the postfix log showing that the inbound connection was encrypted when I sent myself an email from the outside (btw, aol is my spam account):
Oct  7 22:02:11 goemon postfix/smtpd[21758]: initializing the server-side TLS engine
Oct  7 22:02:12 goemon postfix/smtpd[21758]: connect from omr-m5.mx.aol.com[64.12.232.237]
Oct  7 22:02:12 goemon postfix/smtpd[21758]: setting up TLS connection from omr-m5.mx.aol.com[64.12.232.237]
Oct  7 22:02:12 goemon postfix/smtpd[21758]: omr-m5.mx.aol.com[64.12.232.237]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:before/accept initialization
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 read client hello A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 write server hello A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 write certificate A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 write key exchange A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 write certificate request A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 flush data
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 read client certificate A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 read client key exchange A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 read finished A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 write change cipher spec A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 write finished A
Oct  7 22:02:12 goemon postfix/smtpd[21758]: SSL_accept:SSLv3 flush data
Oct  7 22:02:12 goemon postfix/smtpd[21758]: Anonymous TLS connection established from omr-m5.mx.aol.com[64.12.232.237]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct  7 22:02:12 goemon postfix/smtpd[21758]: 905AD801E1: client=omr-m5.mx.aol.com[64.12.232.237]

As you can see, the connection was established using TLSv1 with DHE-RSA-AES256-SHA.

Here is how I setup egress TLS:
smtp_tls_cert_file = /etc/postfix/certs/mkirby.org.crt
smtp_tls_key_file = /etc/postfix/certs/mkirby.org.key
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_loglevel = 2
smtp_tls_session_cache_timeout = 360s
smtp_use_tls = yes
smtp_enforce_tls = no

I didn't exclude any ciphers or protocols for egress because I'd rather have weak encryption than no encryption.
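One point both configuration blocks above share is worth checking before trusting them. The three smtpd_tls_mandatory_* parameters (ciphers, exclude_ciphers, protocols) only apply when TLS is mandatory, i.e. at smtpd_tls_security_level = encrypt. At the opportunistic level "may" used here, the handshake is governed by smtpd_tls_ciphers, smtpd_tls_exclude_ciphers and smtpd_tls_protocols, so the aNULL/MD5/RC4 exclusion and the protocol list have to be stated in those parameters to take effect on inbound mail. The egress block also still uses the pre-2.3 smtp_use_tls/smtp_enforce_tls pair, which smtp_tls_security_level = may replaces. The following script is an added example, not part of the post: it parses a main.cf fragment and reports those pitfalls. It embeds the two blocks above as its input, plus a hardened variant of my own (the same policy expressed in the opportunistic-level names, with the protocol list written in pure exclusion form) that lints clean.

```python
"""Lint a Postfix main.cf fragment for the TLS pitfalls discussed in this post."""
import re

# Mandatory-level parameter -> the opportunistic-level parameter that applies at "may"
MANDATORY_TO_OPPORTUNISTIC = {
    "smtpd_tls_mandatory_ciphers": "smtpd_tls_ciphers",
    "smtpd_tls_mandatory_exclude_ciphers": "smtpd_tls_exclude_ciphers",
    "smtpd_tls_mandatory_protocols": "smtpd_tls_protocols",
    "smtp_tls_mandatory_ciphers": "smtp_tls_ciphers",
    "smtp_tls_mandatory_exclude_ciphers": "smtp_tls_exclude_ciphers",
    "smtp_tls_mandatory_protocols": "smtp_tls_protocols",
}
# Pre-2.3 on/off switches, superseded by the *_tls_security_level parameters
LEGACY_PARAMS = ("smtpd_use_tls", "smtpd_enforce_tls", "smtp_use_tls", "smtp_enforce_tls")

# The post's own ingress and egress settings, joined into one fragment
ORIGINAL_CF = """\
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, TLSv1.0, SSLv3, !SSLv2
smtpd_tls_eecdh_grade = ultra
smtpd_tls_dh1024_param_file = /etc/postfix/certs/dh_2048.pem
smtp_tls_loglevel = 2
smtp_use_tls = yes
smtp_enforce_tls = no
"""

# Hardened variant (my suggestion, not the post's): the same policy in the
# opportunistic-level names so it actually applies at level "may"
HARDENED_CF = """\
smtpd_tls_security_level = may
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, RC4
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_eecdh_grade = ultra
smtpd_tls_dh1024_param_file = /etc/postfix/certs/dh_2048.pem
smtp_tls_security_level = may
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; '#' lines are comments, indented lines continue the previous value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            cfg[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        cfg[last] = value.strip()
    return cfg


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def effective_level(cfg, side):
    """TLS security level for side ('smtpd' or 'smtp'), honouring the legacy switches."""
    level = cfg.get(f"{side}_tls_security_level")
    if level:
        return level
    if cfg.get(f"{side}_enforce_tls") == "yes":
        return "encrypt"
    if cfg.get(f"{side}_use_tls") == "yes":
        return "may"
    return "none"


def lint(cfg):
    """Return a list of findings (empty when the fragment is clean)."""
    findings = []
    for side in ("smtpd", "smtp"):
        level = effective_level(cfg, side)
        for mandatory, opportunistic in MANDATORY_TO_OPPORTUNISTIC.items():
            if (mandatory.startswith(f"{side}_tls_") and mandatory in cfg
                    and level == "may" and opportunistic not in cfg):
                findings.append(f"{mandatory} has no effect at {side}_tls_security_level = may; "
                                f"set {opportunistic} as well")
    for name, value in cfg.items():
        if name.endswith("_protocols"):
            items = split_list(value)
            included = [p for p in items if not p.startswith("!")]
            excluded = [p[1:] for p in items if p.startswith("!")]
            if included and excluded:
                findings.append(f"{name} mixes inclusion and exclusion forms; use one, e.g. !SSLv2, !SSLv3")
            for weak in ("SSLv2", "SSLv3"):
                if weak in included:
                    findings.append(f"{name} still allows {weak}")
    used = [p for p in LEGACY_PARAMS if p in cfg]
    if used:
        findings.append("legacy parameters " + ", ".join(used) + ": replace with *_tls_security_level")
    if "smtpd_tls_dh1024_param_file" not in cfg:
        findings.append("smtpd_tls_dh1024_param_file is unset; generate your own DH parameters")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CF), ("hardened", HARDENED_CF)):
        print(f"== {label} ==")
        for finding in lint(parse_main_cf(text)) or ["clean"]:
            print(" -", finding)
```

Raising the opportunistic cipher grade to high on the server side means a client that cannot meet it will fail STARTTLS and may retry in cleartext, which is exactly the trade-off the post accepts for ingress and declines for egress; that is why the hardened fragment leaves the smtp_* cipher and protocol lists alone.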
Here is the postfix log showing that the outbound connection was encrypted when I sent an email to my gmail account:
Oct  7 17:51:26 goemon postfix/qmgr[1210]: 749028075E: from=<nobody@lunari.net>, size=3218244, nrcpt=1 (queue active)
Oct  7 17:51:26 goemon postfix/smtpd[19585]: disconnect from camera.mk.lan[192.168.1.86]
Oct  7 17:51:26 goemon postfix/smtp[19589]: initializing the client-side TLS engine
Oct  7 17:51:28 goemon postfix/smtp[19589]: setting up TLS connection to gmail-smtp-in.l.google.com[74.125.201.26]:25
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:before/connect initialization
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv2/v3 write client hello A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 read server hello A
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: certificate verification depth=2 verify=0 subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: certificate verification depth=1 verify=1 subject=/C=US/O=Google Inc/CN=Google Internet Authority G2
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: certificate verification depth=0 verify=1 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 read server certificate A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 read server key exchange A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 read server done A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 write client key exchange A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 write change cipher spec A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 write finished A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 flush data
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 read server session ticket A
Oct  7 17:51:28 goemon postfix/smtp[19589]: SSL_connect:SSLv3 read finished A
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: subject_CN=mx.google.com, issuer_CN=Google Internet Authority G2, fingerprint=88:C0:85:C8:CB:96:29:8F:4E:15:11:80:C5:9A:89:0D, pkey_fingerprint=E0:32:29:21:69:38:EA:F9:B6:0C:F6:BD:86:12:16:B9
Oct  7 17:51:28 goemon postfix/smtp[19589]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.201.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
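Both log excerpts read as successes, and they are, but they also record two things worth noticing. The cipher list logged for the inbound AOL connection is Postfix's medium grade, with +RC4 still in it and no !MD5, which is what the smtpd_tls_mandatory_* settings leave in place at security level "may". The outbound excerpt logs verify=0 at depth=2 for the GeoTrust Global CA root and consequently an "Untrusted" connection: encrypted, but the remote server was not authenticated, because that root is not in smtp_tls_CAfile or smtp_tls_CApath. With the opportunistic egress policy the post uses that costs nothing in delivery, and pointing smtp_tls_CAfile at the system CA bundle would turn the line into "Trusted". The script below is an added example, not code from the post: it extracts exactly those facts from Postfix loglevel-2 lines and reports whatever falls short of a simple policy (modern protocol, no RC4/MD5/DES, forward-secret key exchange, authenticated outbound peer). The sample lines are constructed from the excerpts above, written with the straight quotes Postfix actually logs.

```python
"""Audit Postfix loglevel-2 TLS lines: protocol, cipher, forward secrecy, trust."""
import re

# "<Trust> TLS connection established from|to <peer>: <proto> with cipher <cipher> (<n>/<n> bits)"
SESSION_RE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)
# Client-side chain check; verify=0 at some depth means that certificate failed
VERIFY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<peer>\S+): certificate verification "
    r"depth=(?P<depth>\d+) verify=(?P<ok>[01]) subject=(?P<subject>.*)$"
)
# The OpenSSL cipher string Postfix applied for that peer (straight or curly quotes)
CIPHERLIST_RE = re.compile(
    r'postfix/(?P<proc>smtpd?)\[\d+\]: (?P<peer>\S+): TLS cipher list ["“](?P<spec>[^"”]+)["”]'
)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")

# Constructed sample: five lines in the shape of the post's own excerpts
SAMPLE_LOG = """\
Oct  7 22:02:12 goemon postfix/smtpd[21758]: omr-m5.mx.aol.com[64.12.232.237]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"
Oct  7 22:02:12 goemon postfix/smtpd[21758]: Anonymous TLS connection established from omr-m5.mx.aol.com[64.12.232.237]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Oct  7 17:51:28 goemon postfix/smtp[19589]: gmail-smtp-in.l.google.com[74.125.201.26]:25: certificate verification depth=2 verify=0 subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Oct  7 17:51:28 goemon postfix/smtp[19589]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.201.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""


def parse_log(text):
    """Return the TLS sessions, chain-verification results and cipher lists found in text."""
    sessions, verifications, cipher_lists = [], [], []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            s = m.groupdict()
            s["bits"] = int(s["bits"])
            sessions.append(s)
        elif m := VERIFY_RE.search(line):
            v = m.groupdict()
            v["depth"] = int(v["depth"])
            v["ok"] = v["ok"] == "1"
            verifications.append(v)
        elif m := CIPHERLIST_RE.search(line):
            cipher_lists.append(m.groupdict())
    return {"sessions": sessions, "verifications": verifications, "cipher_lists": cipher_lists}


def evaluate(parsed):
    """Compare what was negotiated with the policy; return human-readable findings."""
    findings = []
    for s in parsed["sessions"]:
        where = f"{s['proc']} {s['peer']}"
        if s["proto"] in LEGACY_PROTOCOLS:
            findings.append(f"{where}: legacy protocol {s['proto']}")
        if any(marker in s["cipher"] for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{where}: weak cipher {s['cipher']}")
        if not s["cipher"].startswith(("DHE-", "ECDHE-")):
            findings.append(f"{where}: no forward secrecy with {s['cipher']}")
        # Outbound: Untrusted/Anonymous means the remote server was not authenticated
        if s["proc"] == "smtp" and s["trust"] in ("Untrusted", "Anonymous"):
            findings.append(f"{where}: encrypted but server not authenticated ({s['trust']})")
    for v in parsed["verifications"]:
        if not v["ok"]:
            findings.append(f"smtp {v['peer']}: chain check failed at depth {v['depth']} "
                            f"({v['subject']}); is that CA in smtp_tls_CAfile/CApath?")
    for c in parsed["cipher_lists"]:
        # Heuristic: a suite family stays offered unless the string carries !NAME or -NAME
        for weak in ("RC4", "MD5"):
            if f"!{weak}" not in c["spec"] and f"-{weak}" not in c["spec"]:
                findings.append(f"{c['proc']} {c['peer']}: cipher list still offers {weak}")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against a real mail log (postfix/smtp and postfix/smtpd lines at tls loglevel 2, as on this server) it gives a per-peer view of what actually got negotiated, which is a better test of a cipher policy than reading main.cf, since the inbound line above shows TLSv1 and an RC4-bearing offer despite the mandatory settings.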