Mail Server Fun

Author: Jeff Anderson

So I set up my own mail server a little over a year ago. I never got TLS connections set up so that I could use it remotely, because I didn't get around to it at the time. I've noticed the amount of spam I receive steadily increasing as I participate in different mailing lists and open source projects. Since my classes were over, I figured I should spend the small amount of time it takes and paste into my config file what I needed to get the behavior I wanted.

We use Postfix at work, and I use Postfix for my mail server. My server is largely inspired by the way the servers are set up at work. I know how things work if I make them work. I looked at the config file from work and more or less pasted in whatever was there that I didn't have and wanted. The first thing I was concerned about was authentication over TLS. Postfix can only authenticate against a SASL mechanism. I remember being slightly annoyed at that the first time, because I didn't want to go to the trouble of setting up a SASL server.

I use Dovecot for IMAP, and I can authenticate against it just fine. Dovecot can provide a SASL interface for other servers to use for authentication. All I had to do was add the following to my dovecot.conf file:

# Dovecot 1.x: this block lives inside the auth default { ... } section
socket listen {
    client {
        # Unix socket that Postfix's smtpd connects to for SASL authentication
        path = /var/run/dovecot/auth-client
        # 0660: only the socket's owner and group can connect; the user = and
        # group = settings of this block (not shown here) are what let the
        # Postfix user open it
        mode = 0660
    }
}

To get Postfix to use TLS and the Dovecot SASL interface, I added this to my Postfix configuration:

### SMTP AUTH and TLS
### These settings manage authentication for SMTP and TLS
# Allow auth against SASL (the Dovecot socket configured above)
smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
# Never, ever allow anonymous logins.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

## TLS Settings:
# TLS is good. "may" offers STARTTLS opportunistically, both when receiving
# (smtpd_) and when sending (smtp_), but does not require it.
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Puts TLS information in the Received: header
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem

# /dev/urandom draws on the same pool as /dev/random but never blocks
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
# TLS session cache, reduces server load
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600
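One thing worth checking in a configuration like the one above is whether SMTP AUTH is also offered on connections that never negotiated STARTTLS, since `smtpd_tls_security_level = may` makes TLS optional. The script below is an added example, not code from the post: it parses a main.cf fragment following the file's logical-line rules and flags that combination. The two sample fragments are constructed; the first repeats the post's settings, the second adds `smtpd_tls_auth_only = yes`, a standard Postfix parameter (not in the post) that withholds AUTH until STARTTLS has completed.

```python
"""Audit a Postfix main.cf fragment for its SMTP AUTH and TLS posture.

Added example, not part of the original post. parse_main_cf() follows
main.cf's syntax: blank lines and lines whose first non-blank character
is '#' are skipped, "key = value" starts a logical line, and a line that
starts with whitespace continues the previous value.
"""
import re

# Constructed sample: the post's own SASL/TLS settings.
POST_CONFIG = """\
# Allow auth against sasl
smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
"""

# Constructed hardened variant: AUTH is only announced after STARTTLS.
HARDENED_CONFIG = POST_CONFIG + "smtpd_tls_auth_only = yes\n"


def parse_main_cf(text):
    """Return {parameter: value}; continuation lines are joined with single spaces."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line, ignored even when indented
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter: %r" % raw)
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        current = key.strip()
        params[current] = value.strip()
    return params


def _list_value(params, name):
    """Split a comma- or whitespace-separated Postfix list value."""
    return [v for v in re.split(r"[,\s]+", params.get(name, "")) if v]


def audit_auth_tls(params):
    """Return a list of (severity, message) findings about SMTP AUTH and TLS."""
    findings = []
    sasl_on = params.get("smtpd_sasl_auth_enable", "no") == "yes"
    tls_level = params.get("smtpd_tls_security_level", "none")
    auth_only = params.get("smtpd_tls_auth_only", "no") == "yes"  # Postfix default is "no"
    if sasl_on and tls_level == "none":
        findings.append(("HIGH", "SASL auth enabled but smtpd offers no TLS: "
                                 "passwords cross the wire in the clear"))
    elif sasl_on and tls_level == "may" and not auth_only:
        findings.append(("HIGH", "STARTTLS is optional and AUTH is offered before TLS; "
                                 "set smtpd_tls_auth_only = yes"))
    if sasl_on:
        for opt in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options"):
            if "noanonymous" not in _list_value(params, opt):
                findings.append(("MEDIUM", "%s does not include noanonymous" % opt))
    if tls_level != "none":
        for f in ("smtpd_tls_key_file", "smtpd_tls_cert_file"):
            if not params.get(f):
                findings.append(("HIGH", "%s is not set" % f))
    return findings


if __name__ == "__main__":
    for label, text in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_auth_tls(parse_main_cf(text)) or "no findings")
```

Run against a real main.cf with `postconf -n` output piped in; the parser accepts that form too, since it is plain "key = value" lines.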

TLS/SASL authentication with Postfix isn't much good if it doesn't get me anything I didn't have without authenticating. The way to let someone who has authenticated send mail through the server is to add permit_sasl_authenticated to smtpd_recipient_restrictions.

Since I was pasting settings from the Postfix configuration at work, I ended up with a whole lot of checks that seemed to reduce spam. I didn't keep everything that I pasted, but this is what I ended up with:

smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
    reject_unauth_destination
    reject_multi_recipient_bounce
    reject_non_fqdn_sender
    reject_invalid_hostname
    reject_non_fqdn_hostname
    check_policy_service inet:127.0.0.1:10030
    permit

The check_policy_service points to my postgrey daemon. I didn't have to do much at all to set up postgrey. I just installed it, started it, and told my rc scripts to start it at boot time.
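Postfix walks that list in order and stops at the first restriction that returns PERMIT or REJECT, which is why permit_sasl_authenticated sits before reject_unauth_destination and why reject_unauth_destination must come before the final permit. The simulator below is an added example, not code from the post or from Postfix: it replays the post's list against a few constructed RCPT TO attempts and then shows what a misordered list would have decided. The local domain and the greylist stub (standing in for postgrey) are constructed.

```python
"""Simulate Postfix's first-match walk through smtpd_recipient_restrictions.

Added example, not part of the original post. Postfix evaluates the list in
order: the first restriction returning PERMIT or REJECT decides the RCPT TO
command, DUNNO passes to the next one, and a policy server's DEFER_IF_PERMIT
defers the request unless a later restriction rejects it.
"""
import re

LOCAL_DOMAINS = {"example.org"}  # constructed stand-in for mydestination

# The post's restriction list, in the same order.
RESTRICTIONS = [
    "reject_unknown_recipient_domain", "permit_mynetworks",
    "permit_sasl_authenticated", "permit_tls_clientcerts",
    "reject_unauth_destination", "reject_multi_recipient_bounce",
    "reject_non_fqdn_sender", "reject_invalid_hostname",
    "reject_non_fqdn_hostname", "check_policy_service", "permit",
]

LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(\.%s)*$" % (LABEL, LABEL))


def is_valid_hostname(name):
    return bool(name) and HOSTNAME_RE.match(name) is not None


def is_fqdn(name):
    """Fully qualified for Postfix's purposes: syntactically valid and containing a dot."""
    return is_valid_hostname(name) and "." in name


def domain_of(addr):
    return addr.rpartition("@")[2]


def greylist_stub(client):
    """postgrey stand-in: defer unknown (client, sender, recipient) triplets, pass known ones."""
    return "DUNNO" if client.get("seen_before") else "DEFER_IF_PERMIT"


def evaluate(restrictions, client, policy=greylist_stub):
    """Return (decision, deciding_restriction) for one RCPT TO command."""
    unknown = set(restrictions) - set(RESTRICTIONS)
    if unknown:
        raise ValueError("restrictions not modelled here: %s" % sorted(unknown))
    rcpt_domain = domain_of(client["recipient"])
    defer_pending = False
    for r in restrictions:
        if r == "reject_unknown_recipient_domain" and not client.get("recipient_domain_resolves", True):
            return "REJECT", r
        if r == "permit_mynetworks" and client.get("in_mynetworks"):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and client.get("sasl_authenticated"):
            return "PERMIT", r
        if r == "permit_tls_clientcerts" and client.get("trusted_client_cert"):
            return "PERMIT", r
        if r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT", r  # the line that stops the server relaying for strangers
        if r == "reject_multi_recipient_bounce" and client["sender"] == "" and client.get("recipient_count", 1) > 1:
            return "REJECT", r
        if r == "reject_non_fqdn_sender" and client["sender"] and not is_fqdn(domain_of(client["sender"])):
            return "REJECT", r
        if r == "reject_invalid_hostname" and not is_valid_hostname(client["helo"]):
            return "REJECT", r
        if r == "reject_non_fqdn_hostname" and not is_fqdn(client["helo"]):
            return "REJECT", r
        if r == "check_policy_service":
            action = policy(client)
            if action == "DEFER_IF_PERMIT":
                defer_pending = True
            elif action != "DUNNO":
                return action, r
        if r == "permit":
            return ("DEFER", "check_policy_service") if defer_pending else ("PERMIT", r)
    return ("DEFER", "check_policy_service") if defer_pending else ("PERMIT", None)  # end of list permits


def scenarios():
    """Constructed RCPT TO attempts against the post's list; returns {name: (decision, restriction)}."""
    base = dict(helo="mail.example.net", seen_before=True)
    cases = {
        "unauthenticated relay attempt": dict(base, sender="alice@example.net", recipient="bob@example.com"),
        "authenticated user relaying": dict(base, sender="jeff@example.org", recipient="bob@example.com",
                                            sasl_authenticated=True),
        "inbound from non-FQDN sender": dict(base, sender="spam@host", recipient="jeff@example.org"),
        "inbound, first contact": dict(base, sender="alice@example.net", recipient="jeff@example.org",
                                       seen_before=False),
        "inbound, known sender": dict(base, sender="alice@example.net", recipient="jeff@example.org"),
    }
    return {name: evaluate(RESTRICTIONS, c) for name, c in cases.items()}


def misordered_relay_check():
    """Move "permit" ahead of reject_unauth_destination and replay the unauthenticated relay attempt.

    The client that the post's list rejects is now accepted: the order alone decides
    whether the server is an open relay, which is the thing to check after any edit.
    """
    misordered = [r for r in RESTRICTIONS if r != "permit"]
    misordered.insert(misordered.index("reject_unauth_destination"), "permit")
    client = dict(helo="mail.example.net", seen_before=True,
                  sender="alice@example.net", recipient="bob@example.com")
    return evaluate(misordered, client)


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-32s %s by %s" % (name, *result))
    print("misordered list, relay attempt:", misordered_relay_check())
```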

I was watching my logs to see if greylisting had taken effect, and I noticed that reject_non_fqdn_sender was rejecting an obvious spam message bound for my inbox. Those extra checks are really great.
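Watching the logs is the right way to see which of those checks is actually earning its keep. The script below is an added example, not code from the post: it picks the "NOQUEUE: reject:" lines out of Postfix's smtpd log output and tallies them by the restriction that produced them and by client address. The log lines are constructed in the format Postfix writes for such rejections, and the mapping from reject text to restriction name covers the checks configured above.

```python
"""Summarize Postfix smtpd rejections by the restriction that produced them.

Added example, not part of the original post. The sample log is constructed;
the reject lines follow Postfix's "NOQUEUE: reject: RCPT from host[ip]: code
<address>: reason; from=<> to=<> proto= helo=<>" layout.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 25 10:01:02 mail postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 504 5.5.2 <spam@host>: Sender address rejected: need fully-qualified address; from=<spam@host> to=<jeff@example.org> proto=ESMTP helo=<host>
Dec 25 10:02:15 mail postfix/smtpd[4321]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.5]: 450 4.2.0 <jeff@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net> to=<jeff@example.org> proto=ESMTP helo=<mx.example.net>
Dec 25 10:03:00 mail postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <bob@example.com>: Relay access denied; from=<alice@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Dec 25 10:04:30 mail postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 504 5.5.2 <mail>: Helo command rejected: need fully-qualified hostname; from=<alice@example.net> to=<jeff@example.org> proto=ESMTP helo=<mail>
Dec 25 10:05:00 mail postfix/smtpd[4323]: connect from mx.example.net[198.51.100.5]
Dec 25 10:05:01 mail postfix/smtpd[4323]: 1A2B3C4D5E: client=mx.example.net[198.51.100.5]
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <[^>]*>: (?P<reason>[^;]*); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Reject text fragment -> restriction in the post's smtpd_recipient_restrictions.
REASON_TO_RESTRICTION = [
    ("need fully-qualified address", "reject_non_fqdn_sender"),
    ("need fully-qualified hostname", "reject_non_fqdn_hostname"),
    ("Relay access denied", "reject_unauth_destination"),
    ("Greylisted", "check_policy_service (postgrey)"),
]


def parse_rejects(log_text):
    """Return one dict per reject line, tagged with the restriction and whether it was a 4xx temp-fail."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["restriction"] = next(
            (name for key, name in REASON_TO_RESTRICTION if key in rec["reason"]), "other")
        rec["temporary"] = rec["code"].startswith("4")  # greylisting defers, it does not refuse
        rejects.append(rec)
    return rejects


def summarize(log_text):
    """Counts by restriction and by client IP, plus the permanent/temporary split."""
    rejects = parse_rejects(log_text)
    return {
        "by_restriction": dict(Counter(r["restriction"] for r in rejects)),
        "by_client_ip": dict(Counter(r["ip"] for r in rejects)),
        "permanent": sum(1 for r in rejects if not r["temporary"]),
        "temporary": sum(1 for r in rejects if r["temporary"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Fed a real mail log (`summarize(open("/var/log/mail.log").read())`), the "by_restriction" counts show which checks are doing the work, and the temporary count separates postgrey's deferrals from outright refusals so they aren't mistaken for lost mail.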

Since my mail server supports TLS, other mail servers that support it will use an encrypted connection when sending me mail (with smtpd_tls_security_level = may it is offered, not required). This is a good thing.

Posted: Dec 25, 2008 | Tags: Servers Administration
