Protecting Postfix


When you changed the myhostname and mydomain directives a moment ago, you edited two out of hundreds of configuration options available in the /etc/postfix/main.cf file. Thankfully, the Postfix installation includes a number of sample configuration files with documentation inside the /etc/postfix directory. These files are not meant to be used as drop-in replacements for the standard main.cf file; they simply document the options that you can use in main.cf. For example, the sample-aliases.cf file contains the instructions you need to add an alias map to Postfix. Table 13.8 lists a number of settings you may find useful.

Table 13.8. Common Postfix main.cf settings

| Setting | Description |
|---|---|
| myhostname = <Postfix server name> | Sets the unqualified hostname of the machine running the mail server. |
| mydomain = <Postfix server domain> | The domain of the Postfix server. |
| inet_interfaces = <all / hostname / ip, ...> | A list of the network interfaces on which Postfix will be active. By default it listens on all active interfaces. |
| mydestination = <domain name, ...> | A list of domain names and hostnames for which Postfix will accept email. By default, Postfix accepts email for $myhostname and $myhostname.localhost. If your server accepts email for the entire domain, you should add $mydomain and $myhostname.$mydomain. |
| mynetworks_style = <class / subnet / host> | Sets how Postfix determines what portion of the local network it should trust for relaying. By default, the local subnet is trusted. To trust clients in the same address class, use the class setting; to trust only the local computer, use host. |
| mynetworks = <network/netmask, ...> | Used in lieu of mynetworks_style, mynetworks sets a list of network addresses that should be considered local clients. Specified in the format network/netmask, such as 10.0.1.1/24. This can also be set to a hash file or any of the supported Postfix table lookup methods, including a NetInfo path. |
| relay_domains = <host / domain / file> | A list of domains for which Postfix will relay mail. The list can consist of host or domain names, files containing host names, or lookup tables (such as hash tables or NetInfo paths). These are in addition to the mydestination and mynetworks settings. |
| local_recipient_maps = <user lookup tables> | A list of lookup tables for usernames that will be accepted as local for the mail server. By default, this is set to the local user accounts and any alias lookup tables that exist. |
| alias_maps = <alias lookup tables> | One or more lookup tables that contain the alias lists for the database. You may want to consider using hash:/etc/aliases, netinfo:/aliases, which corresponds to the defaults for sendmail. Remember, postalias is used to regenerate the alias hash file. |
| home_mailbox = <mailbox path> | The path to the local mailbox files. Mac OS X users should use the default /var/mail. |
| smtpd_banner = $myhostname <banner text> | Sets the banner text displayed when a host connects. RFC requirements state that the hostname must come at the start of the banner ($myhostname). |
| local_destination_concurrency_limit = <limit integer> | A limit on the number of simultaneous local deliveries that can be made to a single user. The default is 2. |
| default_destination_concurrency_limit = <limit integer> | The number of simultaneous connections that Postfix will make to deliver mail. The default is 10. Keeping this number low can help protect against inappropriate use of your server if it is compromised. It is unlikely that your server will ever need to make 10 simultaneous connections to a single domain at a time. |
| disable_vrfy_command = <yes / no> | Disables the VRFY SMTP command, which can be used by spammers to verify that an account exists on the server. |
| smtpd_recipient_limit = <limit integer> | The maximum number of recipients that will be accepted per message. Keeping this limit low makes your server unusable for mass spam. |
| smtpd_timeout = <timeout s / m / h / d / w> | The timeout period to wait for a response from an SMTP client (in seconds, minutes, hours, days, or weeks). |
| strict_rfc821_envelopes = <yes / no> | Requires RFC 821-compliant envelopes. If set to yes, MAIL FROM and RCPT TO addresses must be enclosed in <>. |
| smtpd_helo_required = <yes / no> | Determines whether Postfix requires the HELO or EHLO SMTP greeting at the start of a connection. |
| smtpd_client_restrictions = <restrictions> | Fine-tunes the restrictions on SMTP clients and can handle everything from real-time blacklisting to access control lists. |
| smtpd_helo_restrictions = <restrictions> | Fine-tunes the restrictions on what hostnames are permitted within a HELO or EHLO greeting. |
| smtpd_sender_restrictions = <restrictions> | Fine-tunes the restrictions on what addresses are permitted in MAIL FROM. |
| smtpd_recipient_restrictions = <restrictions> | Fine-tunes the restrictions on what addresses are permitted in RCPT TO. |
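Reading main.cf by hand gets error-prone once continuation lines and $name references are involved, so the following added example (not from the book and not Postfix's own code) parses a main.cf fragment the way postconf(5) describes its syntax and flags the settings Table 13.8 singles out: VRFY, HELO enforcement, strict envelopes, the recipient and concurrency limits, and an over-broad mynetworks. Both fragments are constructed; the thresholds MAX_RECIPIENTS and MAX_CONCURRENCY are site-policy assumptions rather than Postfix defaults.

```python
"""Parse a Postfix main.cf fragment and audit the Table 13.8 anti-abuse settings.

Added example (not from the book and not Postfix's own code). Both main.cf
fragments below are constructed. Parsing follows postconf(5): one
"name = value" per line, a line starting with whitespace continues the
previous value, '#' starts a comment, and $name refers to another parameter.
"""
import re

# Constructed: a server left close to its installed state, plus an open relay.
WEAK_MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $myhostname.localhost,
    $mydomain, $myhostname.$mydomain
mynetworks = 10.0.1.0/24, 0.0.0.0/0
disable_vrfy_command = no
smtpd_helo_required = no
smtpd_recipient_limit = 1000
default_destination_concurrency_limit = 20
"""

# Constructed: the same server with the book's recommended values applied.
HARDENED_MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $myhostname.localhost, $mydomain, $myhostname.$mydomain
mynetworks = 10.0.1.0/24, 127.0.0.0/8
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_recipient_limit = 50
default_destination_concurrency_limit = 10
"""

# Site-policy thresholds (assumptions for this example, not Postfix defaults).
MAX_RECIPIENTS = 100
MAX_CONCURRENCY = 10   # Table 13.8: 10 parallel deliveries to one domain is plenty

_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text):
    """Return a {parameter: value} dict with $name references expanded."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()       # continuation line
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                                   # not a "name = value" line
        current = name.strip()
        params[current] = value.strip()
    # Expand $name references; bounded loop so a reference cycle cannot hang us.
    for _ in range(10):
        changed = False
        for name, value in params.items():
            expanded = _REF.sub(lambda m: params.get(m.group(1), ""), value)
            if expanded != value:
                params[name] = expanded
                changed = True
        if not changed:
            break
    return params


def audit(params):
    """Return findings for the settings Table 13.8 recommends tightening."""
    findings = []
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("disable_vrfy_command is not yes: VRFY confirms which accounts exist")
    if params.get("smtpd_helo_required", "no").lower() != "yes":
        findings.append("smtpd_helo_required is not yes: clients may skip HELO/EHLO")
    if params.get("strict_rfc821_envelopes", "no").lower() != "yes":
        findings.append("strict_rfc821_envelopes is not yes: sloppy MAIL FROM/RCPT TO syntax accepted")
    limit = int(params.get("smtpd_recipient_limit", "1000"))     # unset: Postfix's 1000
    if limit > MAX_RECIPIENTS:
        findings.append(f"smtpd_recipient_limit={limit} allows mass mailing through this server")
    conc = int(params.get("default_destination_concurrency_limit", "10"))  # unset: Table 13.8's 10
    if conc > MAX_CONCURRENCY:
        findings.append(f"default_destination_concurrency_limit={conc} lets a compromised server flood a domain")
    for net in params.get("mynetworks", "").replace(",", " ").split():
        if net.endswith("/0"):
            findings.append(f"mynetworks contains {net}: every client on the Internet may relay")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"[{label}]")
        for finding in audit(parse_main_cf(text)) or ["no findings"]:
            print("  -", finding)
```

Running it against the weak fragment produces six findings and against the hardened one none; the same audit() can be pointed at the output of `postconf -n` on a real server, which prints settings in exactly this name = value form.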

Using smtpd restrictions

Because the smtpd restriction directives are a bit more complex than what can be described in a table column, we'll provide more detailed coverage now. If you remember the sendmail configuration, the FEATURE(access_db) and FEATURE(dnsbl) macros were used to set up a relay control list and blacklisting. In Postfix, these features (and several others) are activated by smtpd restrictions, but rather than simply being compared against the mail sender, these access controls can be applied against clients, HELO/EHLO greetings, and MAIL FROM / RCPT TO addresses.

Four different types of restrictions are considered here: client, helo, sender, and recipient (as defined in Table 13.8). They all share some common restriction options, so rather than list them separately, Table 13.9 combines them.

Table 13.9. Common Options for Setting the smtpd Restrictions

| Restriction | Description | Use In |
|---|---|---|
| reject_unknown_client | Reject the client if its hostname is unknown. | client, helo, sender, recipient |
| reject_invalid_hostname | Reject the connection if the HELO/EHLO hostname is syntactically invalid. | helo, sender, recipient |
| reject_unknown_hostname | Reject the connection if the HELO/EHLO hostname does not have a matching DNS A or MX record. | helo, sender, recipient |
| reject_unknown_sender_domain | Reject if the domain of the sender address does not have a matching DNS A or MX record. | sender |
| reject_non_fqdn_sender | Reject sender addresses that are not fully qualified. | recipient, sender |
| reject_non_fqdn_recipient | Reject recipient addresses that are not fully qualified. | recipient |
| check_client_access <lookup table>:<path> | Restricts based on a lookup table of key/value pairs, where the key is a hostname, domain, or address and the value is REJECT or OK. | client, recipient |
| check_helo_access <lookup table>:<path> | Restricts based on a lookup table of key/value pairs, where the key is a hostname, domain, or address and the value is REJECT or OK. | helo, recipient |
| check_sender_access <lookup table>:<path> | Restricts based on a lookup table of key/value pairs, where the key is a hostname, domain, or address and the value is REJECT or OK. | sender, recipient |
| check_recipient_access <lookup table>:<path> | Restricts based on a lookup table of key/value pairs, where the key is a hostname, domain, or address and the value is REJECT or OK. | recipient |
| reject_maps_rbl | Rejects the connection, message, and so on, based on a DNS blacklist. | client, helo, sender, recipient |
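To make concrete how the restriction lists described above and the check_*_access tables in Table 13.9 fit together, here is an added example (not from the book and not Postfix's own code) that models a short restriction list in Python. A constructed client access table is consulted in the key order that access(5) documents (full hostname, then each parent domain; full IPv4 address, then shrinking network prefixes), after which reject_unknown_client and reject_non_fqdn_sender are applied; as in smtpd, the first OK or REJECT decides and a list that ends without a decision permits. The table and the client sessions are constructed; matching subdomains by their bare parent domain relies on Postfix's default parent_domain_matches_subdomains, which includes smtpd_access_maps.

```python
"""Model an smtpd restriction list consulting an access table (Table 13.9).

Added example, not from the book or the Postfix project. The access table and
the client sessions are constructed. Lookup order follows access(5); IPv6 and
actions other than OK/REJECT are not modelled.
"""
import ipaddress

# Constructed stand-in for hash:/etc/postfix/client_access (key -> action).
CLIENT_ACCESS = {
    "10.0.1.25": "REJECT",           # one misbehaving internal workstation
    "10.0.1": "OK",                  # the rest of 10.0.1.0/24
    "mail.partner.example": "OK",
    "spamhost.example": "REJECT",    # every host under this domain
}


def access_keys(client):
    """Yield the keys access(5) tries for an IPv4 address or a hostname."""
    try:
        ipaddress.IPv4Address(client)
    except ValueError:
        labels = client.lower().split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])          # host, then each parent domain
        return
    octets = client.split(".")
    for n in range(len(octets), 0, -1):
        yield ".".join(octets[:n])              # 1.2.3.4, 1.2.3, 1.2, 1


def check_client_access(table, session):
    """check_client_access: hostname keys first, then address keys; None = no decision."""
    candidates = []
    if session["client_name"] != "unknown":
        candidates.extend(access_keys(session["client_name"]))
    candidates.extend(access_keys(session["client_addr"]))
    for key in candidates:
        if key in table:
            return table[key]
    return None


def reject_unknown_client(session):
    """reject_unknown_client: the client address did not resolve to a hostname."""
    return "REJECT" if session["client_name"] == "unknown" else None


def reject_non_fqdn_sender(session):
    """reject_non_fqdn_sender: MAIL FROM domain must be fully qualified."""
    sender = session["sender"]
    if sender == "":
        return None                              # the null sender <> is never rejected here
    domain = sender.rpartition("@")[2]
    return None if "." in domain else "REJECT"


# Evaluation order of a combined client/sender restriction list.
RESTRICTIONS = [
    lambda s: check_client_access(CLIENT_ACCESS, s),
    reject_unknown_client,
    reject_non_fqdn_sender,
]


def evaluate(restrictions, session):
    """Apply restrictions in order; the first OK or REJECT decides, else permit."""
    for restriction in restrictions:
        result = restriction(session)
        if result in ("OK", "REJECT"):
            return result
    return "OK"                                   # end of list without a decision


# Constructed sessions: client address, the name it resolved to, and MAIL FROM.
SESSIONS = [
    {"client_addr": "10.0.1.40", "client_name": "ws40.example.com", "sender": "alice@example.com"},
    {"client_addr": "10.0.1.25", "client_name": "ws25.example.com", "sender": "alice@example.com"},
    {"client_addr": "203.0.113.9", "client_name": "relay.spamhost.example", "sender": "x@spamhost.example"},
    {"client_addr": "203.0.113.10", "client_name": "unknown", "sender": "bob@example.org"},
    {"client_addr": "203.0.113.11", "client_name": "mta.example.org", "sender": "bob@localhost"},
    {"client_addr": "203.0.113.12", "client_name": "mta.example.net", "sender": "carol@example.net"},
]


def run_sessions():
    """Return the decision for each constructed session, in order."""
    return [evaluate(RESTRICTIONS, s) for s in SESSIONS]


if __name__ == "__main__":
    for session, decision in zip(SESSIONS, run_sessions()):
        print(f"{session['client_addr']:>14} {session['client_name']:<24} {decision}")
```

Note the ordering consequence the model makes visible: because the OK entry for 10.0.1 is reached before reject_non_fqdn_sender runs, an internal client with a bad MAIL FROM is still accepted, while the more specific 10.0.1.25 key is matched before the 10.0.1 prefix and rejects that one host. Where a check_client_access entry sits in the list therefore matters as much as what it says.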

You may want to check out the sample-smtpd.cf file that came with Postfix. Table 13.9 lists the more common (and useful) restrictions, but several more are documented in the sample file. Out of the box, Postfix is easier to work with than sendmail, but there are still hundreds of potential settings, far beyond what can easily be documented in a single chapter.

Postfix Resources

For more information about Postfix and its operation and configuration, look into these resources:

  • Postfix, by Richard Blum, Sams Publishing. The only printed reference specifically for Postfix, this book covers the use and configuration of the Postfix MTA in an easy-to-follow format.

  • http://www.postfix.net. The Postfix homepage provides links to the latest software release, FAQs, and supporting documentation.

  • http://www.deja.com/group/mailing.postfix.users. An archive of the Postfix mailing list. (For information on subscribing to the list itself, see the Postfix home page.)

  • http://www.bsdtoday.com/2000/September/Features274.html. A BSD Today article on Postfix compilation, setup, and configuration.

As the popularity of the MTA increases, additional resources will likely become available, but for now the selection is quite limited.


   
Mac OS X Maximum Security, ISBN 0672323818, 2003, 158 pages.