To secure Postfix, there are a number of functions you can add the configuration file /etc/mail/main.cf. Edit the file and add the following lines:

smtpd_helo_required = yes
smtpd_delay_reject = no
disable_vrfy_command = yes

smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_hostname,
reject_unknown_hostname,
reject_non_fqdn_hostname

This will force incoming requests to pause and identify themselves before proceeding, and will allow properly authenticated users to pass through and send mail. To finish, save the file and restart Postfix:

/etc/init.d/postfix restart

There are a couple of ways in which spammers will use a server to send their emails. The first is through an open relay in your mail server. This is something that you can easily fix in both Postfix and Sendmail. I will post more about fixing an open relay tomorrow. The second method is by signing up for a legitimate hosting account with your web hosting service, but then using the account to send spam. By the time you figure out what they have done, they are usually long gone.

The third and probably most nefarious method of sending spam from your server is through an actual attack on your server. When a hacker finds a hole in your security, they will install a bot on the server. That bot will then act as a small mail server for the hacker, all without your knowledge. You may not even notice it unless it causes some side effects. All three methods should be fixed with increased security and careful scanning of your server for possible threats.

Photo Source: Flickr

Many content management systems, such as Joomla, have mass email features built-in that allow you to easily send mail to your users. Usually, they will present you with two options: PHP Mail or SMTP. PHP Mail essentially calls a particular PHP function that will contact your mail server (such as Sendmail or Postfix) to send the email. SMTP functions just like a regular email client and will login to an email account.

From personal observation and the advice of people who have tried it, unless you have some pressing reason to avoid SMTP, you should prefer it over PHP Mail. Although you may not notice the difference for small mailing lists, something larger can bog down your server when using PHP Mail. It works fine for occasional contact forms, but for mass emailing, you should just go directly to the source: your mail server.

If this is the case for you and you have root access on your VPS or dedicated server, you might consider changing your SMTP port to something you know you will be able to access. To change the port in Postfix, edit your /etc/postfix/master.cf file as root, commenting out the following line:

smtp innet n - n - - smtpd

Then, add the this line:

2900 inet n - n - - smtpd

Replace “2900” with whatever port you prefer for your mail server. Next, restart Postfix:

service postfix restart

Finally, assuming you have a firewall installed, which any security-minded server administrator should, you will need to tell it to allow traffic through the new mail server port.

Answer: This is a trick that many spammers and malicious hackers will use to flood your server with their nonsense. Although a spam blocker will certainly help, it still has to process each email. If thousands of emails are sent an hour, that takes up valuable CPU power, memory, disk space, and time.

Postfix mail server allows you to limit the rate of incoming emails, keeping the spam messages from flooding your server. To configure it, edit /etc/mail/main.cf:

# nano main.cf (or vi main.cf)

Add the following directives:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

With these settings, after a client has made 10 connections, Postfix will pause and delay the next connection. If the connection is made 20 times without delivering mail, Postfix will disconnect.

Source: nixCraft

Answer: First we should be clear on what an open relay is. According to spamhelp.org, an open relay is:

“a mail server that does not verify that it is authorised to send mail from the email address that a user is trying to send from. Therefore, users would be able to send email originating from any third-party email address they want.”

For example, someone could use yourmailserver.com to send emails from a fake account called fake@fake-accounts.com. It is a way to send spam while making sure their email address is not blocked. In some cases, they might even have software that creates fake email addresses that match the receiving server’s.

SpamHelp.org has an open relay test that you can use to check for open relays. If you find out your server does have an open relay, you should close it immediately. By default Postfix does not allow open rely, so you might want to check the security on your server if you did not open it. If you are running Postfix, you can fix an open relay by following the directions at The Drawingboard.

Source: SpamHelp.org
Photo: Flickr

Answer: Dovecot is a free and open source IMAP and POP3 mail server. It is used for receiving incoming mail and works in conjunction with Postfix, which handles sending and delivery. Dovecot runs on all Linux and Unix-like operating systems and is available in most distribution repositories. Some may even have it installed by default. Follow these simple steps to setup SSL:

Enable POP3S and IMAPS by editing the configuration file /etc/dovecot.conf. If they are enabled, the protocols setting will look like this:

protocols = imaps pop3s

Next you must set PEM encoded X.509 SSL/TLS certificate and private key. They’re opened before dropping root privileges, so keep the key file unreadable by anyone but root (see how create certificate CSR and configure certificates for Postfix):

ssl_cert_file = /etc/postfix/ssl/smtp.theos.in.crt
ssl_key_file = /etc/postfix/ssl/smtp.theos.in.key

If key file is password protected, give the password using ssl_key_password directive:
ssl_key_password = myPassword

Save and close the file. Restart Dovecot server:
# /etc/init.d/dovecot restart

Source: nixCraft

Answer: While you should definitely not use this for purpose of spying, it is sometimes necessary to track all emails on a server, even if you have multiple users on it. Sometimes the enemy may be within, and someone sending abusive emails on your server can put everyone else’s websites in jeopardy.

Using the “always_bcc” setting, Postfix will send a blind carbon copy of every email to an administrator of your choice. This, of course, will generate a lot of email for that account, so the best thing to do is to create an account just for that purpose. Edit the Postfix main.cf file and add the following line:

always_bcc=harvestadmin@yourdomain.com

To get it started, you will need to reload postfix with:

postfix reload

Soon, that account will start receiving everything. Good luck finding the cause of whatever problem you have.

Photo: Flickr

Answer: Generally speaking, there is probably no reason for you to modify your aliases file manually. In some cases, however, a script will require you to edit the file, and it is important to know where it is and how to access it.

On a dedicated server, the Sendmail or Postfix aliases file is almost always located in /etc/mail/aliases. To edit the file, you can use vi or my preference, nano.

$ su

# vi /etc/aliases
or
# nano -w /etc/aliases

The aliases file is rather simple to use. It is presented in columns with the aliases on the left and the file or mailbox that it points to on the right.

For example,

billing: callcenter

You must edit the file as root and then run the following command also as root:

# newaliases

Photo Source: Flickr