Posts Tagged Ubuntu postfix

Changes in Postfix for Ubuntu 9.10

The postconf -n command shows the settings that have been changed from the Postfix defaults.  Here is its output on a new Ubuntu 9.10 install.  As you can see, nothing is too significant, except for a focus on TLS for secure communication, which is great; however, TLS still needs to be addressed on the client side, as it remains a problem with some clients.  The other change in Ubuntu 9.10 is that there is no limit on mailbox size (mailbox_size_limit = 0), where the default is a limit of 50 MB.  As an admin you will want to keep this in mind, as unlimited mailboxes could bite you if you are not careful.

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ub910, localhost.localdomain, , localhost
myhostname = ub910
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
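
One way to check a host for the points raised above (an added example, not part of the original post): the function reads postconf -n output and flags an unlimited mailbox size and the placeholder snakeoil certificate from the ssl-cert package. The function name audit_postconf and the values in the tightened sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the settings discussed above in `postconf -n` output.
# On a live host: postconf -n | audit_postconf
audit_postconf() {
    awk '
    {
        eq = index($0, "=")
        if (eq == 0) next                      # e.g. the echoed "postconf -n" line
        name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)      # trim around "name = value"
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        conf[name] = value
    }
    END {
        warn = 0
        # 0 disables the limit; an unset parameter keeps the Postfix default.
        if (conf["mailbox_size_limit"] == "0") {
            print "WARN mailbox_size_limit = 0: mailbox size is unlimited"; warn++
        } else { print "OK   mailbox_size_limit: a size limit applies" }
        # Either parameter makes smtpd announce STARTTLS to clients.
        lvl = conf["smtpd_tls_security_level"]
        if (conf["smtpd_use_tls"] == "yes" || lvl == "may" || lvl == "encrypt") {
            print "OK   smtpd offers STARTTLS"
        } else { print "WARN smtpd does not offer STARTTLS"; warn++ }
        # The ssl-cert package ships a self-signed placeholder certificate.
        if (conf["smtpd_tls_cert_file"] ~ /snakeoil/) {
            print "WARN smtpd_tls_cert_file: self-signed snakeoil certificate"; warn++
        } else { print "OK   smtpd_tls_cert_file: not the snakeoil certificate" }
        exit (warn > 0)                        # non-zero status when anything was flagged
    }'
}

# Sample input: lines taken from the Ubuntu 9.10 listing above.
UBUNTU_910='postconf -n
mailbox_size_limit = 0
relayhost =
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes'

# Constructed input: the same host after tightening (certificate path is hypothetical).
TIGHTENED='mailbox_size_limit = 51200000
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_use_tls = yes'

printf '%s\n' "$UBUNTU_910" | audit_postconf || echo "review the WARN lines above"
```

The function exits non-zero when it prints at least one WARN line, so it can be used as a gate in a provisioning script.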

AppArmor Templates for Postfix

Using Pre-Built Templates
Add the pre-built templates for Postfix.

sudo apt-get install apparmor-profiles

This will load many pre-built templates that you can use.

cd /usr/share/doc/apparmor-profiles/extras

Now copy all of the Postfix related profiles into /etc/apparmor.d/.

sudo cp usr.sbin.post* /etc/apparmor.d/
sudo cp usr.lib.post* /etc/apparmor.d/

Restart the AppArmor daemon.

sudo /etc/init.d/apparmor restart

Now check the number of active profiles.

sudo aa-status

32 profiles are in enforce mode.
/usr/lib/postfix/spawn
/usr/lib/postfix/tlsmgr
/usr/sbin/saslauthd
/usr/lib/postfix/pipe
/usr/lib/postfix/proxymap
/usr/lib/postfix/bounce
/usr/sbin/postalias
/usr/lib/postfix/pickup
/usr/lib/postfix/qmqpd
/usr/lib/postfix/showq
/usr/sbin/avahi-daemon
/usr/lib/postfix/local
/usr/lib/postfix/nqmgr
/usr/sbin/postdrop
/usr/lib/postfix/scache
/usr/lib/postfix/virtual
/usr/lib/postfix/lmtp
/usr/lib/postfix/discard
/usr/lib/postfix/error
/usr/lib/postfix/smtpd
/usr/lib/postfix/smtp
/usr/lib/postfix/cleanup
/usr/sbin/postfix
/usr/sbin/postmap
/usr/sbin/postqueue
/usr/lib/postfix/anvil
/usr/lib/postfix/qmgr
/usr/lib/postfix/master
/usr/lib/postfix/verify
/usr/lib/postfix/flush
/usr/lib/postfix/trivial-rewrite
/usr/lib/postfix/oqmgr

You may not need all of these profiles, depending on what you are running, so remove those you do not need.  You can also change profiles to complain mode while you test.  Whatever you do, run Postfix under the profiles and then use the aa-logprof command to make any necessary adjustments.  This makes sure that your system keeps running effectively.

aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:    /usr/sbin/postfix
Capability: sys_tty_config
Severity:   8

(A)llow / [(D)eny] / Abo(r)t / (F)inish
Adding capability sys_tty_config to profile.

Profile:  /usr/sbin/postfix
Path:     /etc/postfix/main.cf
Mode:     r
Severity: 3

[1 - /etc/postfix/main.cf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/postfix/main.cf r to profile.

Profile:  /usr/sbin/saslauthd
Path:     /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock
Mode:     w
Severity: unknown

[1 - /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock w to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

[1 - /usr/sbin/postfix]
2 - /usr/sbin/saslauthd

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/postfix.
Writing updated profile for /usr/sbin/saslauthd.