Put restrictions on servers sending mail to you.
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
Use some regular expressions to prevent some meta data like a client’s ip address from being leaked.
echo "/^Received:.*/ IGNORE /^X-Originating-IP:/ IGNORE /^User-Agent:/ IGNORE /^X-Mailer:/ IGNORE" >> /etc/postfix/header_checks
Add this file to the postfix configuration:
postconf -e "header_checks = regexp:/etc/postfix/header_checks"
If you’re not familiar with fail2Ban, it’s essentially a program which blocks bot’s and hacker’s login requests after a few invalid attempts.
apt-get install fail2ban
Make a local copy of the configuration file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Go down to the
# Mail servers line and paste this:
[postfix] enabled = true port = smtp,ssmtp,submission filter = postfix logpath = /var/log/mail.log [sasl] enabled = true port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = postfix-sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.warn maxretry = 1 bantime = 21600 [dovecot] enabled = true port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log
This will only grant 2 login attempts and then block the requester for 6 hours. Now restart
systemctl restart fail2ban