# Postfix security

## keet

As a learning experience, I am trying to set up an email server.  I followed the guide at http://wiki.gentoo.org/wiki/Postfix.  I can send mail locally, but when I try to send messages to my GMail account, mail.log says something like this:

```
myhostname postfix/smtp[18284]: connect to gmail-smtp-in.l.google.com[74.125.29.27]:25: Connection timed out
```

I tried setting a relayhost in main.cf, but it still shows a similar message:

```
myhostname postfix/smtp[18148]: AAC9BC3925: to=<myemailaddress@gmail.com>, relay=none, delay=30, delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to smtp.secureserver.net[72.167.238.201]:25: Connection timed out
```

A likely possibility, based on what I have read, is that my I.S.P. blocks port 25.  I think that I read this in their documentation, as well.  I tried telnetting into port 587 and sending a message, but I still got the same messages in mail.log.

main.cf:

```
myhostname = hostname.domain.com
mydomain = domain.com
soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks_style = host
recipient_delimiter = +
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
home_mailbox = .maildir/
```

master.cf:

```
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
```

I tried changing smtp to use port 587 using /etc/services and restarted postfix, but I got the same message, just with port 587 instead of 25.  The ports are open in my firewall.  At this point, I feel a bit like I'm not sure that I know what I'm doing, and would appreciate some help.

Last edited by keet on Sat May 17, 2014 8:29 pm; edited 1 time in total

----------

## keet

I'm not sure why people are not replying, but maybe it's because of this post:

https://forums.gentoo.org/viewtopic-t-987908-start-0-postdays-0-postorder-asc-highlight-postfix.html

I'm wondering whether switching to a business account would help at all.  It looks like I.S.P.s around here block 25 for residential, but only rarely and on a case-by-case basis for business accounts.

----------

## keet

Ok, I made it work, sort of.  I got a V.P.S. and set up Postfix, but it's in CentOS.  Oh, well, at least I have a working email server.  I am a bit paranoid about security, and I want to make sure that it's all encrypted whenever possible.  I've tested this using Wireshark and Tcpdump, and as far as I can tell, all transmissions are encrypted, but is there any way that I could know for sure from /var/log/maillog?

```
dovecot: imap-login: Login: user=<notmyusername>, method=PLAIN, rip=notmyremoteaddress, lip=notmyserveraddress, mpid=4925, TLS
```

I'd assume that TLS means it's encrypted using T.L.S. while logging in to check my mail, even though it's PLAIN authentication, right?

```
setting up TLS connection to someremotemailserver[theiripaddress]:25

Untrusted TLS connection established to srms[tipa]:25: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
```

This means the outgoing mail transmission looks encrypted, but my mail server doesn't trust its certificate issuer?

However, one thing that I don't see is any mention of encryption when I GET messages from another domain.  On the other hand, if I run 

```
tcpdump -A -vvv -s 0 -i eth0 > test.txt
```

while sending a message from my GMail account to my server and then search for any trace of text from the incoming message, I don't see it.  However, I do see a STARTTLS command and what looks like certificate negotiation.  Thus, it looks like it's encrypted, right?  Unless I'm not using tcpdump properly or it's missing something...
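The log lines quoted in this thread already answer both questions if read closely, so here is an added example (not code from the thread or from the Postfix/Dovecot projects) that triages them. In Postfix's own wording, "Untrusted TLS connection established" means the session is encrypted but the peer's certificate could not be verified against a trusted CA, "Anonymous" means the peer presented no certificate, and only "Trusted" or "Verified" means the certificate checked out; a cipher name without ECDHE/DHE (such as AES128-SHA256) means RSA key exchange with no forward secrecy. For inbound mail, smtpd only logs its "TLS connection established from ..." line when smtpd_tls_loglevel is at least 1 (the default is 0), which is why an encrypted inbound delivery can leave no trace of TLS in maillog even though tcpdump shows STARTTLS. For the first post's problem, a status=deferred record whose reason is a connect timeout to remote port 25 is what an upstream port-25 block looks like. All sample lines below are constructed from the ones quoted above; hostnames and addresses are placeholders.

```python
"""Triage Postfix/Dovecot mail log lines: did delivery fail because remote
port 25 was unreachable, and was a session actually protected by TLS?
Added example for this thread; sample lines are constructed placeholders."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Postfix smtp ("to", outbound) / smtpd ("from", inbound) handshake line.
TLS_ESTABLISHED = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>to|from) (?P<peer>[^\s:\[]+(?:\[[^\]]*\])?)(?::(?P<port>\d+))?: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
# Delivery status record; the ")" is optional because the quoted line was cut off.
DELIVERY_STATUS = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*?)\)?$")
# "connect to host[ip]:port: <error>", alone or inside a status record.
CONNECT_FAILED = re.compile(
    r"connect to (?P<peer>[^\s:\[]+(?:\[[^\]]*\])?):(?P<port>\d+): (?P<error>[^()]+?)\)?$")
# Dovecot login record; "TLS" is among the trailing fields only for encrypted sessions.
DOVECOT_LOGIN = re.compile(
    r"(?P<service>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>\S+?), lip=(?P<lip>\S+?)(?P<rest>(?:, [^,]+)*)$")


@dataclass
class Finding:
    tag: str                   # short label for counting or alerting
    encrypted: Optional[bool]  # None: the line says nothing about encryption
    detail: str


def has_forward_secrecy(cipher: str) -> bool:
    """Ephemeral key exchange (ECDHE/DHE, and every TLS 1.3 suite) gives forward
    secrecy; a plain RSA suite such as AES128-SHA256 does not."""
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def _connect_tag(m: re.Match) -> str:
    # Timeouts (not refusals) to remote port 25 are the signature of an upstream block.
    return "port25-timeout" if m["port"] == "25" and "timed out" in m["error"] else "connect-failed"


def classify(line: str) -> Optional[Finding]:
    """One log line -> Finding, or None when it carries no usable information
    (e.g. "setting up TLS connection to ..." is logged before any handshake)."""
    if m := TLS_ESTABLISHED.search(line):
        verified = m["trust"] in ("Trusted", "Verified")
        direction = "outbound" if m["direction"] == "to" else "inbound"
        cert = "verified" if verified else f"NOT verified ({m['trust']})"
        pfs = "" if has_forward_secrecy(m["cipher"]) else ", no forward secrecy"
        detail = f"{direction} SMTP with {m['peer']}: {m['proto']} {m['cipher']}, peer certificate {cert}{pfs}"
        return Finding("tls-verified-peer" if verified else "tls-unverified-peer", True, detail)
    if m := DELIVERY_STATUS.search(line):
        c = CONNECT_FAILED.search(m["reason"])
        if m["status"] == "deferred" and c:
            detail = f"{m['qid']} to {m['rcpt']} deferred (dsn {m['dsn']}): connect to {c['peer']}:{c['port']} {c['error']}"
            return Finding(_connect_tag(c), None, detail)
        return Finding(f"delivery-{m['status']}", None, f"{m['qid']} to {m['rcpt']}: {m['status']} ({m['reason']})")
    if m := DOVECOT_LOGIN.search(line):
        tls = re.search(r"\bTLS\b", m["rest"]) is not None
        how = "over TLS" if tls else "WITHOUT TLS (credentials in the clear)"
        detail = f"{m['service']} login for {m['user']} from {m['rip']}: method {m['method']} {how}"
        return Finding("login-tls" if tls else "login-cleartext", tls, detail)
    if m := CONNECT_FAILED.search(line):
        return Finding(_connect_tag(m), None, f"connect to {m['peer']}:{m['port']} failed: {m['error']}")
    return None


def triage(lines) -> list:
    return [f for f in map(classify, lines) if f is not None]


def summarize(findings) -> dict:
    """What a reviewer wants first: encrypted vs cleartext sessions, lines with
    no encryption information, and a count per tag."""
    return {"encrypted": sum(f.encrypted is True for f in findings),
            "cleartext": sum(f.encrypted is False for f in findings),
            "no_tls_info": sum(f.encrypted is None for f in findings),
            "tags": Counter(f.tag for f in findings)}


SAMPLE_LOG = [  # constructed, modelled on the lines quoted in the thread
    "myhostname postfix/smtp[18284]: connect to gmail-smtp-in.l.google.com[74.125.29.27]:25: Connection timed out",
    "myhostname postfix/smtp[18148]: AAC9BC3925: to=<myemailaddress@gmail.com>, relay=none, delay=30, "
    "delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to smtp.secureserver.net[72.167.238.201]:25: Connection timed out",
    "dovecot: imap-login: Login: user=<notmyusername>, method=PLAIN, rip=notmyremoteaddress, lip=notmyserveraddress, mpid=4925, TLS",
    "dovecot: imap-login: Login: user=<notmyusername>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4930",
    "myhostname postfix/smtp[18301]: Untrusted TLS connection established to srms[tipa]:25: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)",
    "myhostname postfix/smtpd[18410]: Anonymous TLS connection established from mx.example.org[192.0.2.20]: "
    "TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.tag:<20}] {f.detail}")
    print(summarize(found))
```

Run it against a real maillog with `triage(open("/var/log/maillog"))` and watch two counters: `login-cleartext` should stay at zero (the submission service above already forces `smtpd_tls_security_level=encrypt`, which is the right setting for that), and `tls-unverified-peer` on outbound mail is expected with opportunistic TLS and means confidentiality against passive capture but no protection against an active impostor relay; `smtp_tls_security_level = verify` or DANE is what turns that into `tls-verified-peer`. The `setting up TLS connection` line is deliberately ignored because it is logged before the handshake completes and proves nothing.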

----------

