Security
Certificates
We should use valid certificates. The best way to do that is with the certbot
utility.
Certbot
Certbot automates the process of getting and renewing certs, and only requires a brief connection to port 80 as proof it’s you. There’s also a DNS based approach, but we use the port method for simplicity. It only runs once every 60 days so there is little risk of exploit.
Forward Port 80
You probably already have a web server and can’t just change where port 80 goes. To integrate certbot, add a name-based virtual host proxy to that web server.
# Here is a caddy example. Add this block to your Caddyfile
http://mail.your.org {
reverse_proxy * mail.internal.lan
}
# You can also use a well-known URL if you're already using that vhost
http://mail.your.org {
handle /.well-known/acme-challenge/ {
reverse_proxy mail.internal.lan
}
}
Install Certbot
Once the port forwarding is in place, you can install certbot and use it to request a certificate. Note the --deploy-hook
argument. This reloads services after a cert is obtained or renewed. Else, they’ll keep using an expired one.
DOMAIN=your.org
sudo apt install certbot
sudo certbot certonly --standalone --domains mail.$DOMAIN --non-interactive --agree-tos -m postmaster@$DOMAIN --deploy-hook "service postfix reload; service dovecot reload"
Once you have a cert, Certbot will keep keep it up-to-date by launching periodically from a cronjob in /etc/cron.d
and scanning for any needed renewals.
Postfix
Tell Postfix about the cert by using the postconf utility. This will warn you about any potential configuration errors.
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mail.$DOMAIN/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mail.$DOMAIN/privkey.pem'
sudo postfix reload
Dovecot
Change the Dovecot to use the cert as well.
sudo sed -i 's/^ssl_cert = .*/ssl_cert = <\/etc\/letsencrypt\/live\/mail.$DOMAIN\/fullchain.pem/' /etc/dovecot/conf.d/10-ssl.conf
sudo sed -i 's/^ssl_key = .*/ssl_key = <\/etc\/letsencrypt\/live\/mail.$DOMAIN\/privkey.pem/' /etc/dovecot/conf.d/10-ssl.conf
sudo dovecot reload
Verifying
You can view the certificates with the commands:
openssl s_client -connect mail.$DOMAIN:143 -starttls imap -servername mail.$DOMAIN
openssl s_client -starttls smtp -showcerts -connect mail.$DOMAIN:587 -servername mail.$DOMAIN
Privacy and Anti-Spam
You can take advantage of Cloudflare (or other) services to accept and inspect your email before forwarding it on to you. As far as the Internet is concerned, Cloudflare is your email server. The rest is private.
Take a look at the Forwarding section, and simply forward your mail to your own server instead of Google’s. That will even allow you to remove your mail server from DNS and drop connections other than CloudFlare if desired.
Intrusion Prevention
In my testing it takes less than an hour before someone discovers and attempts to break into your mail server. You may wish to GeoIP block or otherwise limit connections. You can also use crowdsec.
Crowdsec
Crowdsec is an open-source IPS that monitors your log files and blocks suspicious behavior.
Install as per their instructions.
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install -y crowdsec
sudo apt install crowdsec-firewall-bouncer-nftables
sudo cscli collections install crowdsecurity/postfix
Postfix
Most services now log to the system journal rather than a file. You can view them with the journalctl
command
# What is the exact service unit name?
sudo systemctl status | grep postfix
# Anything having to do with that service unit
sudo journalctl --unit [email protected]
# Zooming into just the identifiers smtp and smtpd
sudo journalctl --unit [email protected] -t postfix/smtp -t postfix/smtpd
Crowdsec accesses the system journal by adding a block to it’s log acquisition directives.
sudo tee -a /etc/crowdsec/acquis.yaml << EOF
source: journalctl
journalctl_filter:
- "[email protected]"
labels:
type: syslog
---
EOF
sudo systemctl reload crowdsec
Dovecot
Install the dovecot collection as well.
sudo cscli collections install crowdsecurity/dovecot
sudo tee -a /etc/crowdsec/acquis.yaml << EOF
source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=dovecot.service"
labels:
type: syslog
---
EOF
sudo systemctl reload crowdsec
Is it working? You won’t see anything at first unless you’re actively under attack. But after 24 hours you may see some examples of attempts to relay spam.
allen@mail:~$ sudo cscli alerts list
╭────┬────────────────────┬────────────────────────────┬─────────┬──────────────────────────────────────────────┬───────────┬─────────────────────────────────────────╮
│ ID │ value │ reason │ country │ as │ decisions │ created_at │
├────┼────────────────────┼────────────────────────────┼─────────┼──────────────────────────────────────────────┼───────────┼─────────────────────────────────────────┤
│ 60 │ Ip:187.188.233.58 │ crowdsecurity/postfix-spam │ MX │ 17072 TOTAL PLAY TELECOMUNICACIONES SA DE CV │ ban:1 │ 2023-05-24 06:33:10.568681233 +0000 UTC │
│ 54 │ Ip:177.229.147.166 │ crowdsecurity/postfix-spam │ MX │ 13999 Mega Cable, S.A. de C.V. │ ban:1 │ 2023-05-23 20:17:49.912754687 +0000 UTC │
│ 53 │ Ip:177.229.154.70 │ crowdsecurity/postfix-spam │ MX │ 13999 Mega Cable, S.A. de C.V. │ ban:1 │ 2023-05-23 20:15:27.964240044 +0000 UTC │
│ 42 │ Ip:43.156.25.237 │ crowdsecurity/postfix-spam │ SG │ 132203 Tencent Building, Kejizhongyi Avenue │ ban:1 │ 2023-05-23 01:15:43.87577867 +0000 UTC │
│ 12 │ Ip:167.248.133.186 │ crowdsecurity/postfix-spam │ US │ 398722 CENSYS-ARIN-03 │ ban:1 │ 2023-05-20 16:03:15.418409847 +0000 UTC │
╰────┴────────────────────┴────────────────────────────┴─────────┴──────────────────────────────────────────────┴───────────┴─────────────────────────────────────────╯
If you’d like to get into the details, take a look at the Crowdsec page .
Next Steps
Now that your server is secure, let’s take a look at how email is authenticated and how to ensure yours is.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.