postfix TLS & ipv6


smtp Vs smtpd


  • postfix/smtp
    • The SMTP client that delivers email to the Internet (outgoing mail server).
  • postfix/smtpd
    • The SMTP daemon that accepts email from the Internet (incoming mail server).


Encryption on mail transport is what we call opportunistic. If both parties (the sender's outgoing mail server and the recipient's incoming mail server) agree to exchange encryption keys, a secure connection may be used. Otherwise a plain connection is established, plain as in non-encrypted, aka cleartext over the wire.

SMTP - Outgoing Traffic

In the beginning there were only three options in postfix:

  • none
  • may
  • encrypt

The default option on CentOS 6.x is none (shown as an empty value):

# postconf -d | grep smtp_tls_security_level
smtp_tls_security_level =

Nowadays, postfix supports more options, like:

  • dane
  • verify
  • secure

Here is the basic setup, to enable TLS on your outgoing mail server:

smtp_tls_security_level = may
smtp_tls_loglevel = 1

From postfix v2.6 onwards you can disable weak encryption by selecting the cipher grade and the protocols you prefer to use:

smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3

You can also point postfix at the file that holds all the root certificates on your linux server, so that it can verify the certificate an incoming mail server presents:

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

I don't recommend going any stricter than this with your setup, because (unfortunately) not everyone is using TLS on their incoming mail server!

SMTPD - Incoming Traffic

To enable TLS on your incoming mail server, you need to provide some encryption keys, aka certificates!

I use letsencrypt on my server and the below notes are based on that.

Let’s Encrypt

A quick explanation of what exists in your letsencrypt folder:

# ls -1 /etc/letsencrypt/live/example.com/

privkey.pem    ===>  Your Private Key
cert.pem       ===>  Your Certificate
chain.pem      ===>  Your Intermediate
fullchain.pem  ===>  Your Certificate with Your Intermediate


Below you can find the most basic configuration setup you need for your incoming mail server.

smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

Your mail server asks the client for a certificate, so that a trusted TLS connection can be established between the outgoing and the incoming mail server.
The servers must exchange certificates and, of course, verify them!

Now it's time to present your own domain certificate to the world. Offering only your public certificate cert.pem isn't enough. You have to offer both your certificate and the intermediate's certificate, so that the sender's mail server can verify you by checking the digital signatures on those certificates.

smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem

smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_CApath = /etc/pki/tls/certs

CAfile & CApath help postfix verify the sender's certificate by looking in your linux distribution's file that holds all the root certificates.

And you can also disable weak ciphers and protocols:

smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, EXPORT
smtpd_tls_protocols = !SSLv2, !SSLv3


Here is an example from gmail:

SMTPD - Incoming Mail from Gmail

You can see that a trusted TLS connection is established from google:

Jun  4 11:52:07 kvm postfix/smtpd[14150]:
        connect from mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]
Jun  4 11:52:08 kvm postfix/smtpd[14150]:
        Trusted TLS connection established from mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]:
        TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  4 11:52:09 kvm postfix/smtpd[14150]:
        4516420F32: client=mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]
Jun  4 11:52:10 kvm postfix/smtpd[14150]:
        disconnect from mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]

SMTP - Outgoing Mail from Gmail

And this is the response to gmail:

Jun  4 12:01:32 kvm postfix/smtpd[14808]:
        initializing the server-side TLS engine
Jun  4 12:01:32 kvm postfix/smtpd[14808]:
        connect from example.com[2a00:1838:20:1::XXXX:XXXX]
Jun  4 12:01:33 kvm postfix/smtpd[14808]:
        setting up TLS connection from example.com[2a00:1838:20:1::XXXX:XXXX]
Jun  4 12:01:33 kvm postfix/smtpd[14808]:
        example.com[2a00:1838:20:1::XXXX:XXXX]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!aNULL:!MD5:!EXPORT:!aNULL"
Jun  4 12:01:33 kvm postfix/smtpd[14808]:
        Anonymous TLS connection established from example.com[2a00:1838:20:1::XXXX:XXXX]:
        TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  4 12:01:35 kvm postfix/smtpd[14808]:
        disconnect from example.com[2a00:1838:20:1::XXXX:XXXX]

As you can see, in both cases (sending/receiving) the mail servers have established a trusted, secure TLSv1.2 connection.
The preferred cipher (in both scenarios) is: ECDHE-RSA-AES128-GCM-SHA256
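To make these log lines actionable, here is a small log audit script I am adding as an example; it is not part of the original post and not a postfix tool. It parses the "TLS connection established" lines, reports protocol and cipher, and flags the three things worth noticing: a legacy protocol, a cipher without forward secrecy, and an Anonymous or Untrusted connection, which means the session was encrypted but the peer's certificate was not verified (that is what the second log above shows for example.com). It also lists smtpd sessions that disconnected without any TLS handshake, i.e. the cleartext fallback of opportunistic TLS. The log excerpt is constructed: the google lines are the ones quoted above, the rest are invented and use documentation addresses.

```python
import re

# Constructed sample log, modelled on the smtpd lines quoted above (each entry
# on one line, as syslog writes it). The example.com address, the plaintext
# session from 203.0.113.5 and the smtp client line to mx.example.net are
# invented for this example.
SAMPLE_LOG = """\
Jun  4 11:52:07 kvm postfix/smtpd[14150]: connect from mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]
Jun  4 11:52:08 kvm postfix/smtpd[14150]: Trusted TLS connection established from mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  4 11:52:10 kvm postfix/smtpd[14150]: disconnect from mail-oi0-x236.google.com[2607:f8b0:4003:c06::236]
Jun  4 12:01:32 kvm postfix/smtpd[14808]: connect from example.com[2001:db8::25]
Jun  4 12:01:33 kvm postfix/smtpd[14808]: Anonymous TLS connection established from example.com[2001:db8::25]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  4 12:01:35 kvm postfix/smtpd[14808]: disconnect from example.com[2001:db8::25]
Jun  4 12:05:00 kvm postfix/smtpd[14808]: connect from unknown[203.0.113.5]
Jun  4 12:05:02 kvm postfix/smtpd[14808]: disconnect from unknown[203.0.113.5]
Jun  4 12:10:01 kvm postfix/smtp[14900]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Trusted|Verified|Untrusted|Anonymous) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+?): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
DISCONNECT_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from (?P<peer>\S+)")


def classify_tls_line(line):
    """Parse one 'TLS connection established' line and list its weaknesses."""
    m = TLS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    issues = []
    if d["proto"] not in ("TLSv1.2", "TLSv1.3"):
        issues.append("legacy protocol " + d["proto"])
    # TLS 1.3 suites always use (EC)DHE; for older versions check the prefix.
    if d["proto"] != "TLSv1.3" and not d["cipher"].startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy: " + d["cipher"])
    # Only Trusted/Verified mean the peer certificate chained to a trusted CA.
    if d["trust"] in ("Anonymous", "Untrusted"):
        issues.append("peer certificate not verified (%s)" % d["trust"])
    return {"daemon": d["daemon"], "direction": d["direction"], "peer": d["peer"],
            "trust": d["trust"], "protocol": d["proto"], "cipher": d["cipher"],
            "bits": int(d["bits"]), "issues": issues}


def audit_tls(text):
    """Classify every TLS line in a log excerpt."""
    return [r for r in (classify_tls_line(line) for line in text.splitlines()) if r]


def plaintext_sessions(text):
    """Return peers whose smtpd session ended without any TLS handshake.

    smtpd processes are reused for many sessions, so the TLS state is kept
    per pid and reset at every disconnect."""
    tls_pids = set()
    plaintext = []
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m and m.group("daemon") == "smtpd":
            tls_pids.add(m.group("pid"))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            if m.group("pid") not in tls_pids:
                plaintext.append(m.group("peer"))
            tls_pids.discard(m.group("pid"))
    return plaintext


if __name__ == "__main__":
    for r in audit_tls(SAMPLE_LOG):
        print(r["daemon"], r["direction"], r["peer"], r["protocol"], r["cipher"], r["issues"] or "ok")
    print("plaintext sessions:", plaintext_sessions(SAMPLE_LOG))
```

Run it against a real maillog with smtp_tls_loglevel / smtpd_tls_loglevel = 1 and the plaintext list tells you which peers still fall back to cleartext, while the issues list tells you which sessions were encrypted without authentication.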


Tell postfix to prefer ipv6 over ipv4, and use TLS if the two mail servers support it!

smtp_address_preference = ipv6
Tag(s): postfix, tls, ipv6
Use a different email address for every online account

Reading through “Smart Girl’s Guide to Privacy - Practical Tips for Staying Safe Online by Violet Blue” (totally recommend it), there is a great tip in the first few pages:

- Use different email addresses for different online accounts.

… but is it possible ?

Different Passwords

We already know that we need a different password for every site, so we use lastpass or other password managers to keep our different passwords safe. Nowadays we are used to creating/generating complex passwords for every site, but is it absolutely necessary to also have a different email address for every single one?

Different Email Addresses

Let me be as clear as I can: There is no obvious answer.

If you value your online privacy and your security threat model is set really high, then Yes you also need a different email address.

But it depends entirely on you and how you use your online identity. Perhaps on social media sites (like facebook or twitter) you don't need to give your personal email address, but perhaps on linkedin you want to use your well-known email identity. So again, it depends on your security threat model.

Another crucial tip: DO NOT cross-connect your online personas from different social medias.

Disposable Email Server

In this blog post, I will try to describe the simple steps you need to take to create your own personal disposable email server. In simple words, that means you can dynamically create and use a unique, site-specific email address when you sign up or register on a new site. By using a different email address & a different password for every site online, you make it really difficult for someone to hack you.

Even if someone gets access to this specific website or, somehow, retrieves your online account there (sites are being hacked every day), you can be sure that none of your other online accounts/identities can be accessed too.


To do that you will need a disposable domain. It does not have to be something clever or even useful. It needs to be something easy to write & remember. In my opinion, just get a cheap domain. If your registrar supports WHOIS Privacy, even better. If it doesn't, try to find a registrar that supports WHOIS Privacy, but it isn't a blocking issue.

For this blog post I will use: example.org


In theory, we will create a “catch-all” domain/mail server, that will catch and forward all these emails to our current/primary email address.


So nice, you have a disposable domain. What next ?

You need to set up a new DNS zone for your disposable domain,
and then add an MX record, like the notes below:

example.org.    86400   IN  MX  0 mail.example.org.
mail.example.org.   86400   IN  A

replace with the server's IP!!

Mail Server

Just install postfix !

My “notable” settings are these below:

# postconf -n

inet_interfaces = all
inet_protocols = all

message_size_limit = 35651584

smtp_address_preference = ipv6

smtpd_banner = The sky above the port was the color of television, tuned to a dead channel

virtual_alias_domains = example.org
virtual_alias_maps = hash:/etc/postfix/virtual

In my /etc/postfix/virtual I have these lines:

@example.org    my_email_address@example.net

(don't forget to postmap and reload)

# postmap /etc/postfix/virtual 

# postfix reload

…. and …. that is it, actually !!!

a. Be aware that my disposable email server is dual stack.

b. If you need to create an emailing list, try something like this:

list@example.org           my_email_address@example.net, my_other_email_address@gmail.com

don't forget to:

# postmap /etc/postfix/virtual

and reload postfix:

# postfix reload

How to use it

From now on, whenever you need to type an email address somewhere, just type a new (random or not) email address with this new disposable domain.

The catch-all setting will FWD any email to your primary email address.

I like to use the following pattern: when you need to sign up to a new site, use the site's URL as the local part of your new email address.

e.g. twitter.com


It's now obvious that the next time you get SPAM, you will know which site to blame (I am not suggesting that twitter sends spam, it is just an example!).

You can also change your email address on all the sites you have already subscribed to (github, mailing lists, etc.).
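As an added example (my code, not from the post and not postfix's own), here is how the virtual(5) lookup behaves for the table above: a full user@domain entry is tried before the @domain catch-all, every result address is resolved again through the same table, and an alias loop is cut off by a recursion limit. The abuse@ entry is constructed for the example; the other two lines are the ones from the post.

```python
import re

# Constructed copy of the /etc/postfix/virtual table from the post, with one
# extra exact-address entry (abuse@) to show that a full address wins over
# the @domain catch-all.
VIRTUAL_TABLE = """\
abuse@example.org   abuse-desk@example.net
list@example.org    my_email_address@example.net, my_other_email_address@gmail.com
@example.org        my_email_address@example.net
"""


def parse_virtual(text):
    """Parse a virtual(5) alias table (the text form you feed to postmap)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        # hash: lookups fold the key to lowercase, so store it that way
        table[key.lower()] = [a for a in re.split(r"[,\s]+", value) if a]
    return table


def lookup_virtual(table, address):
    """virtual(5) lookup order for an address in a virtual_alias_domains domain:
    the full user@domain first, then the @domain catch-all."""
    domain = address.rpartition("@")[2]
    for key in (address.lower(), "@" + domain.lower()):
        if key in table:
            return table[key]
    return None


def expand_virtual(table, address, _depth=0, _limit=10):
    """Expand recursively: postfix re-resolves every result address through the
    same table, and a recursion limit stops alias loops (a@ -> b@ -> a@)."""
    if _depth > _limit:
        raise RuntimeError("virtual alias loop at " + address)
    targets = lookup_virtual(table, address)
    if targets is None:
        return [address]          # not ours: delivered or relayed as-is
    out = []
    for target in targets:
        out.extend(expand_virtual(table, target, _depth + 1, _limit))
    return out


def leaked_via(address):
    """With the per-site naming pattern (twitter.com@example.org) the local
    part names the site that gave the address away."""
    return address.rpartition("@")[0]


if __name__ == "__main__":
    table = parse_virtual(VIRTUAL_TABLE)
    for rcpt in ("twitter.com@example.org", "list@example.org", "abuse@example.org"):
        print(rcpt, "->", expand_virtual(table, rcpt), "leaked via", leaked_via(rcpt))
```

Note that the user-only lookup postfix performs for its own $mydestination / $myorigin domains is left out here, because a catch-all disposable domain is listed only in virtual_alias_domains.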

Hope this post has been helpful and easy enough for everyone.

Sender Policy Framework

UPDATE Thu Nov 26 11:28:05 EET 2015

Does SPF break forwarding?
(like in mailing lists)

  • Yes, it does break forwarding.

So learn from my mistake and think this through.

Wednesday, 25 November 2015

There is a very simple way to add SPF [check] support to your postfix setup.
Below are my notes on CentOS 6.7.

Step One: install python policy daemon for spf

# yum -y install pypolicyd-spf

Step Two: Create a new postfix service, called spfcheck

# vim + /etc/postfix/master.cf

spfcheck     unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/libexec/postfix/policyd-spf

Step Three: Add the new policy service to your smtpd recipient restrictions (the existing restrictions stay in place)

# vim +/^smtpd_recipient_restrictions /etc/postfix/main.cf
smtpd_recipient_restrictions =
    check_policy_service unix:private/spfcheck
policy_time_limit = 3600

And this is what we see in the end in the source view of a received email:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=xxx.xxx.xxx.xxx;
helo=server.mydomain.tld; envelope-from=user@mydomain.tld; receiver=username@example.com

where xxx.xxx.xxx.xxx is the IP of the sender's mail server,
server.mydomain.tld is the name of the sender's mail server,
user@mydomain.tld is the sender's email address
and, of course,
username@example.com is the receiver's mail address.
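Added example, not from the post and not from pypolicyd-spf: a small offline SPF evaluator over a constructed DNS table, to show what the policy daemon decides for the connecting IP and why forwarding breaks it. All names and addresses are made up (documentation ranges only); example.org plays the catch-all forwarding server from the post above. When it forwards a message from mydomain.tld with the envelope sender unchanged, the final receiver checks mydomain.tld's record against example.org's IP and gets a fail, which is the "SPF breaks forwarding" lesson in one function call.

```python
import ipaddress

# Constructed DNS data: the sending domain mydomain.tld with its SPF record
# and MX host, a bulk-mail provider it includes, and example.org standing in
# for the catch-all forwarding server.
DNS = {
    "mydomain.tld": {
        "TXT": ["v=spf1 mx ip6:2001:db8:20::/48 include:_spf.bulk.example -all"],
        "MX": ["server.mydomain.tld"],
    },
    "server.mydomain.tld": {"A": ["192.0.2.25"]},
    "_spf.bulk.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "example.org": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _rr(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def _spf_record(domain):
    for txt in _rr(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _host_has_ip(host, ip):
    return any(ip == ipaddress.ip_address(a) for a in _rr(host, "A") + _rr(host, "AAAA"))


def check_spf(client_ip, domain, _depth=0):
    """Evaluate the domain's SPF record for the connecting IP.

    Supports the ip4, ip6, a, mx, include and all mechanisms with qualifiers;
    ptr, exists, redirect=, exp=, CIDR suffixes on a/mx and macros are not
    implemented in this example."""
    if _depth > 10:
        return "permerror"
    record = _spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' is False when the IP version differs, so ip4 never matches an IPv6 client
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _host_has_ip(arg or domain, ip)
        elif name == "mx":
            matched = any(_host_has_ip(mx, ip) for mx in _rr(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(client_ip, arg, _depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # no mechanism matched and no 'all' term


def received_spf(client_ip, helo, envelope_from, receiver):
    """Build the Received-SPF header a policy daemon prepends to the message."""
    result = check_spf(client_ip, envelope_from.rpartition("@")[2])
    return ("Received-SPF: %s identity=mailfrom; client-ip=%s; helo=%s; "
            "envelope-from=%s; receiver=%s"
            % (result.capitalize(), client_ip, helo, envelope_from, receiver))


if __name__ == "__main__":
    # direct delivery from the sender's own MX
    print(received_spf("192.0.2.25", "server.mydomain.tld", "user@mydomain.tld", "username@example.com"))
    # the same message after the catch-all server forwarded it, envelope sender unchanged
    print(received_spf("203.0.113.10", "mail.example.org", "user@mydomain.tld", "my_email_address@example.net"))
```

The forwarded case is exactly what a catch-all disposable domain does, so a strict "-all" record on the original sender turns into a fail at the final mailbox unless the forwarder rewrites the envelope sender.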

You can take a closer look at the postfix python SPF policy daemon here: python-postfix-policyd-spf

SPF Record Checker

Tag(s): postfix, spf
greek spammers v3

Dec 1 2014 - Jan 21 2015

top five spammers:

1. adsgreece.com
2. mailendo.com
3. 4udeals.gr
4. eliamep.org
5. mailinglist.gr

Blocked via postfix:


/massnews\.gr/                  REJECT  "Plz stop sending SPAM id= 1 "
/glc-emea\.com/                 REJECT  "Plz stop sending SPAM id= 2 "
/To:.*info@balaskas\.gr/        REJECT  "Plz stop sending SPAM id= 3 "
/Akis.Angelakis/i       REJECT  "Plz stop sending SPAM id= 4 "
/from.*mailendo.com/            REJECT  "Plz stop sending SPAM id= 5 "
/specisoft\.biz/                REJECT  "Plz stop sending SPAM id= 6 "
/advantech\.gr/                 REJECT  "Plz stop sending SPAM id= 7 "
/adsgreece\.com/                REJECT  "Plz stop sending SPAM id= 8 "
/2020web\.gr/                   REJECT  "Plz stop sending SPAM id= 9 "
/nfs\.gr/                       REJECT  "Plz stop sending SPAM id= 10 "
/polimonotiki/                  REJECT  "Plz stop sending SPAM id= 11 "
/eliamep\.org/                  REJECT  "Plz stop sending SPAM id= 12 "
/ellak\.gr/                     REJECT  "Plz stop sending SPAM id= 13 "
/seminaria\.gr/         REJECT  "Plz stop sending SPAM id= 14 "
/stock-house\.gr/       REJECT  "Plz stop sending SPAM id= 15 "
/Lesfemmes/i            REJECT  "Plz stop sending SPAM id= 16 "
/aldridge\.com/         REJECT  "Plz stop sending SPAM id= 17 "
/inter\.net/            REJECT  "Plz stop sending SPAM id= 18 "
/plexpr\.tk/            REJECT  "Plz stop sending SPAM id= 19 "
/industrydisruptors\.org/   REJECT  "Plz stop sending SPAM id= 20 "
/xinis\.com/            REJECT  "Plz stop sending SPAM id= 21 "
/globalgreece\.gr/      REJECT  "Plz stop sending SPAM id= 22 "
/hostzone\.gr/          REJECT  "Plz stop sending SPAM id= 23 "
/mailinglist\.gr/       REJECT  "Plz stop sending SPAM id= 24 "
/profitconsult\.gr/     REJECT  "Plz stop sending SPAM id= 25 "
/pedersenco\.com/       REJECT  "Plz stop sending SPAM id= 26 "
/diadima\.gr/           REJECT  "Plz stop sending SPAM id= 27 "
/helenco\.gr/           REJECT  "Plz stop sending SPAM id= 28 "
/adplus\.gr/            REJECT  "Plz stop sending SPAM id= 29 "
/entos\.gr/         REJECT  "Plz stop sending SPAM id= 30 "
/4udeals\.gr/           REJECT  "Plz stop sending SPAM id= 31 "
/oncseminars\.gr/       REJECT  "Plz stop sending SPAM id= 32 "
/enimerwsi\.gr/         REJECT  "Plz stop sending SPAM id= 33 "
/eliamep\.gr/           REJECT  "Plz stop sending SPAM id= 34 "
/ymlpsrv\.com/          REJECT  "Plz stop sending SPAM id= 35 "
/dailysoccertip\.com/       REJECT  "Plz stop sending SPAM id= 36 "
/bookbazaar\.gr/        REJECT  "Plz stop sending SPAM id= 37 "
/zizoo\.gr/         REJECT  "Plz stop sending SPAM id= 38 "
/anthemionflowers\.gr/      REJECT  "Plz stop sending SPAM id= 39 "
/kourkouta\.com/        REJECT  "Plz stop sending SPAM id= 40 "
/ipatata\.com/          REJECT  "Plz stop sending SPAM id= 41 "
/ephost\.info/          REJECT  "Plz stop sending SPAM id= 42 "
/kadoikonte\@gmail\.com/    REJECT  "Plz stop sending SPAM id= 43 "
/mandrillapp\.com/      REJECT  "Plz stop sending SPAM id= 44 "
/springer\.com/         REJECT  "Plz stop sending SPAM id= 45 "
/mailchimp\.com/        REJECT  "Plz stop sending SPAM id= 46 "
/altec\.gr/         REJECT  "Plz stop sending SPAM id= 47 "
/winizi\.net/           REJECT  "Plz stop sending SPAM id= 48 "
/sed\.gr/           REJECT  "Plz stop sending SPAM id= 49 "
/pournara\.com/         REJECT  "Plz stop sending SPAM id= 50 "
/emailmarketingnow\.gr/     REJECT  "Plz stop sending SPAM id= 51 "
/entypa\.net/           REJECT  "Plz stop sending SPAM id= 52 "
/4green\.gr/            REJECT  "Plz stop sending SPAM id= 53 "
/imagemail\.eu/         REJECT  "Plz stop sending SPAM id= 54 "
/cbr300r\.bike/         REJECT  "Plz stop sending SPAM id= 55 "
/PRINTEX\ DIGITAL/i        REJECT  "Plz stop sending SPAM id= 56 "
/drassi\.gr/            REJECT  "Plz stop sending SPAM id= 57 "
/mailstudio\.gr/        REJECT  "Plz stop sending SPAM id= 58 "
/extratips\.net/        REJECT  "Plz stop sending SPAM id= 59 "
/crmedia\.gr/           REJECT  "Plz stop sending SPAM id= 60 "
/venan\.gr/         REJECT  "Plz stop sending SPAM id= 61 "
/tonerflow\.info/       REJECT  "Plz stop sending SPAM id= 62 "
/epiteugma\.com/        REJECT  "Plz stop sending SPAM id= 63 "

Tag(s): Greek, spam, postfix
greek spammers part two

Nov 2 2014 - Dec 1 2014

Top spammers:

1. adsgreece.com
2. globalgreece.gr
3. nfs.gr
4. specisoft.biz
5. aldridge.com

Blocked via postfix:


/massnews\.gr/                  REJECT "Plz stop sending SPAM id=1"
/glc-emea\.com/                 REJECT "Plz stop sending SPAM id=2"
/To:.*info@balaskas\.gr/        REJECT "Plz stop sending SPAM id=3"
/Akis.Angelakis/        REJECT "Plz stop sending SPAM id=4"
/from.*mailendo.com/            REJECT "Plz stop sending SPAM id=5"
/specisoft\.biz/                REJECT "Plz stop sending SPAM id=6"
/advantech\.gr/                 REJECT "Plz stop sending SPAM id=7"
/adsgreece\.com/                REJECT "Plz stop sending SPAM id=8"
/2020web\.gr/                   REJECT "Plz stop sending SPAM id=9"
/nfs\.gr/                       REJECT "Plz stop sending SPAM id=10"
/polimonotiki/                  REJECT "Plz stop sending SPAM id=11"
/eliamep\.org/                  REJECT "Plz stop sending SPAM id=12"
/ellak\.gr/                     REJECT "Plz stop sending SPAM id=13"
/seminaria\.gr/         REJECT "Plz stop sending SPAM id=14"
/stock-house\.gr/       REJECT "Plz stop sending SPAM id=15"
/Lesfemmes/i            REJECT "Plz stop sending SPAM id=16"
/aldridge\.com/         REJECT "Plz stop sending SPAM id=17"
/inter\.net/            REJECT "Plz stop sending SPAM id=18"
/plexpr\.tk/            REJECT "Plz stop sending SPAM id=19"
/industrydisruptors\.org/   REJECT "Plz stop sending SPAM id=20"
/xinis\.com/            REJECT "Plz stop sending SPAM id=21"
/globalgreece\.gr/      REJECT "Plz stop sending SPAM id=22"
/hostzone\.gr/          REJECT "Plz stop sending SPAM id=23"
/mailinglist\.gr/       REJECT "Plz stop sending SPAM id=24"
/profitconsult\.gr/     REJECT "Plz stop sending SPAM id=25"
/pedersenco\.com/       REJECT "Plz stop sending SPAM id=26"
/diadima\.gr/           REJECT "Plz stop sending SPAM id=27"
/helenco\.gr/           REJECT "Plz stop sending SPAM id=28"
/adplus\.gr/            REJECT "Plz stop sending SPAM id=29"
/entos\.gr/         REJECT "Plz stop sending SPAM id=30"
/4udeals\.gr/           REJECT "Plz stop sending SPAM id=31"
/oncseminars\.gr/       REJECT "Plz stop sending SPAM id=32"
/enimerwsi\.gr/         REJECT "Plz stop sending SPAM id=33"

Tag(s): greek, spam, postfix
postfix body and header checks

Postfix has the ability to DISCARD (or REJECT) any email using simple regular expressions. This can be done on your incoming or outgoing mail farm, and you can check either the headers or the body of an email.

For me header_checks is the more powerful tool, but the main problem with phishing bots is that the headers aren't always the same (different IPs, different Froms, etc.).

And in half of these scam situations there is an ugly URL or email address inside the body of the email.

Our abuse department informed us today about a scam bot that "WANTS YOU TO REPLY TO THEM WITH YOUR PASSWORDS", and we took the appropriate measures against it: none of our outgoing mail servers can be used to send a reply to the abuser's mail address.

There is a debate in our team about future incoming mail from this specific scam bot. We could use body_checks to silently DISCARD any new incoming mail, but that would also make it very difficult for us to communicate with each other.

The main problem is that I can't "report" to my manager about it, and the security/abuse department can't send me any email that has the "BAD email address" inside the body of our mails.
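An added example (my code, not the page's) that replays a few of the header_checks rules from the "greek spammers" tables above, plus a body_checks rule with a placeholder for the scam bot's reply address (the real address is not on the page). It follows the matching rules of regexp_table(5)/pcre_table(5): the first matching rule wins, matching is case-insensitive by default and the i flag toggles that default, so /Akis.Angelakis/i is actually a case-sensitive pattern, and body_checks are applied to every line of every message, which is exactly why the internal abuse report gets discarded too. It also shows how an unanchored pattern such as /inter\.net/ catches unrelated domains like winter.net. The headers and body lines are constructed.

```python
import re

# Constructed subset of the header_checks table from the "greek spammers" posts,
# and a body_checks rule with a placeholder address for the scam bot.
HEADER_CHECKS = r'''
/To:.*info@balaskas\.gr/        REJECT  "Plz stop sending SPAM id= 3 "
/Akis.Angelakis/i               REJECT  "Plz stop sending SPAM id= 4 "
/inter\.net/                    REJECT  "Plz stop sending SPAM id= 18 "
/sed\.gr/                       REJECT  "Plz stop sending SPAM id= 49 "
'''
BODY_CHECKS = r'''
/bad-address@spam\.example/     DISCARD "scam bot reply address (placeholder)"
'''

RULE_RE = re.compile(r'^/((?:\\.|[^/])*)/([a-z]*)\s+([A-Z]+)\s*(.*)$')


def parse_check_table(text):
    """Parse '/pattern/flags ACTION text' lines as in regexp_table(5)/pcre_table(5)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("cannot parse rule: " + raw)
        pattern, flags, action, message = m.groups()
        # Postfix matches case-insensitively by default and the 'i' flag
        # TOGGLES that, so a pattern written with /i becomes case-sensitive.
        ignore_case = "i" not in flags
        rules.append((re.compile(pattern, re.IGNORECASE if ignore_case else 0),
                      action, message.strip().strip('"').strip()))
    return rules


def first_match(rules, line):
    """The first matching rule wins; cleanup(8) evaluates the table top to bottom."""
    for regex, action, message in rules:
        if regex.search(line):
            return action, message, regex.pattern
    return None


def check_message(header_rules, body_rules, headers, body):
    """Run header_checks over each header line, then body_checks over each body
    line. Returns (where, line, action, message, pattern) for the first hit,
    or None when the message passes."""
    for header in headers:
        hit = first_match(header_rules, header)
        if hit:
            return ("header", header) + hit
    for body_line in body.splitlines():
        hit = first_match(body_rules, body_line)
        if hit:
            return ("body", body_line) + hit
    return None


if __name__ == "__main__":
    hr, br = parse_check_table(HEADER_CHECKS), parse_check_table(BODY_CHECKS)
    samples = [
        (["From: Akis Angelakis <someone@example.com>"], "hello"),
        (["From: AKIS ANGELAKIS <someone@example.com>"], "hello"),     # /i made it case-sensitive
        (["From: news@winter.net"], "hello"),                          # collateral hit on inter\.net
        (["From: abuse-desk@example.com", "Subject: scam report"],
         "please block bad-address@spam.example"),                     # the internal report is lost
    ]
    for headers, body in samples:
        print(headers[0], "->", check_message(hr, br, headers, body))
```

Anchoring the domain patterns on a header name and a word boundary (for example /^From:.*[@.]inter\.net\b/) keeps the blocklist from catching look-alike domains, and a whitelist rule placed before the body_checks pattern is the usual way to let the abuse desk's own reports through.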

Tag(s): postfix
postfix & dovecot LDA

I use dovecot for IMAP and postfix for receiving/sending mail.

I have created the users of the infrastructure in a dovecot userdb file.
It holds the usernames, passwords and information related to their mail.
One of these is the account type, another is the location where the emails are stored.

In the /etc/aliases file I have entered the FirstName.LastName aliases that point to the usernames.

Postfix has NO idea about the users - only about the aliases.
By default postfix rejects Unknown users. So, since only dovecot knows the users, postfix rejects everyone.

One solution is to create a dovecot command in master.cf and change the mail transport.
But that did NOT seem like a very good idea to me.

In case of an attack, postfix would forward all emails to dovecot.
So it would not limit anything, it would just pass the problem on to dovecot.
The catch-all option was once (perhaps) a solution, but nowadays, in my opinion, it is wrong to set it.

I thought of using dovecot-LDA, but postfix tries to deliver the emails locally, because it found the usernames & the Ευάγγελος.Μπαλάσκας accounts in /etc/aliases. So it does not use the mail_command, since it uses local.

So I thought that the simplest solution is just to modify /etc/aliases, adding the usernames with the corresponding dovecot-lda command

e.g. "/etc/aliases"

Evaggelos.Balaskas: ebal
ebal: |"/usr/local/libexec/dovecot/deliver -d ebal"

Even now as I think about it, I consider it the best and simplest solution I can come up with.

But my problems are only just beginning!!!
And all because Wietse Venema thought it right for every service to run as a different user and not have access to the same things. Timo Sirainen (dovecot) works along the same lines.

Now, it is not his fault - he did the obvious thing. He added security!

The mail owner of postfix is postfix, but the privileges inherited by the processes are those of nobody.
So yesterday I ended up with the problem of how nobody is going to talk to dovecot, which runs as postfix (for convenience). But dovecot deliver must talk to auth-userdb to get the mail_location, which is also setuid, and all of that runs as root.

But even after I fixed all that … I came to the conclusion that the virtual users belong to a different uid/gid and in the end it cannot deliver to them! So I have to fix that too …

But after all that - it works!!!

For every change in the dovecot userdb, I will have to make a similar change in /etc/aliases. BUT I do not need to change anything in the architecture or in the daemons' configuration files.

Tag(s): postfix, dovecot