
Today I set up my first server with Dovecot and Postfix.

These are excerpts from the configuration files:

Dovecot:

disable_plaintext_auth = yes
ssl = required
ssl_prefer_server_ciphers = yes
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_protocols = !SSLv2 !SSLv3
# Dovecot 2.x reads the PEM file only with the leading '<'; without it the path is taken as the literal value
ssl_cert = </etc/dovecot/private/4096-rsa-public.crt
ssl_key = </etc/dovecot/private/4096-rsa-private.key
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
protocols = imap sieve

Postfix:

tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
# Outgoing connections (main.cf comments start with '#'; ';' is not a comment character)
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
# smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# smtp_tls_mandatory_ciphers = high
smtp_tls_cert_file = /etc/postfix/private/4096-rsa-public.crt
smtp_tls_key_file = /etc/postfix/private/4096-rsa-private.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
# Incoming connections
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_cert_file = /etc/postfix/private/4096-rsa-public.crt
smtpd_tls_key_file = /etc/postfix/private/4096-rsa-private.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

Can you spot any missing settings that are mandatory for security?

IMAP connections should be as secure as possible; SMTP connections should also be as secure as possible, but I don't want to reject mail from senders who don't support TLS.

Ben Richard
  • For a mail server I would be first concerned about the server's mail relay policy so that it doesn't become an open relay, can you post the value of `smtpd_relay_restrictions` ? Also please don't use backticks for multi-line code. –  Dec 07 '14 at 16:05
  • `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy` – Ben Richard Dec 08 '14 at 13:51

1 Answer


Regarding encryption, your Postfix and Dovecot configuration is fine enough to send and receive email, especially the encryption-related configuration. Your SSL configuration is safe enough to secure email transport when travelling from and to your server.

Anyway, in the question you don't specify how your MTA handles mail clients. For that, you should force mail clients to go through encryption. For Postfix, setting smtpd_tls_security_level = encrypt for the submission port should be enough.

You are still halfway to securing a public mail server, as the earlier SMTP specification wasn't designed for security. You need to think about securing against malicious email:

  • Regarding outgoing email, you need to secure the mail server so that (1) it won't become an open relay (fortunately your comment about smtpd_recipient_restrictions indicates that you won't become an open relay). Other concerns are (2) a spammer hijacking a user's password (via phishing or a weak password) and starting to pump out spam from the server, or (3) the web server being compromised and the spammer treating your mail server as a spam bot. Many questions on SO and SF deal with this stuff :)

  • Regarding incoming email, users should be kept safe from spam, malicious email, phishing and other threats that use email as a vector. You can set up SPF and DKIM add-ons for Postfix to help it battle email spoofing. Spam and viruses can also be filtered via an external content filter for Postfix.

masegaloeh
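The checks discussed on this page, as an added example that is not part of the original question or answer: a small Python auditor that parses a Postfix main.cf/master.cf pair and a top-level Dovecot fragment and flags the points raised here (a relay policy with reject_unauth_destination, SSLv2/SSLv3 excluded, opportunistic TLS kept on port 25 so senders without TLS are not rejected, TLS and SASL forced on the submission service, and ssl = required plus the '<file' form on the Dovecot side). The three sample configuration strings are constructed for this example and modelled on the question's config; the `submission` service with `-o smtpd_tls_security_level=encrypt` is the usual master.cf way of applying the answer's advice, and the parser handles only the flat `name = value` syntax, not Dovecot's `{ }` blocks.

```python
"""Audit Postfix and Dovecot config text for the points raised on this page.
Added example, not code from the original post; the sample configs below are
constructed and modelled on the question, they are not the asker's files."""
import re

MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service unix:private/policy
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
DOVECOT_CONF = """\
ssl = required
disable_plaintext_auth = yes
ssl_protocols = !SSLv2 !SSLv3
ssl_cert = </etc/dovecot/private/4096-rsa-public.crt
ssl_key = </etc/dovecot/private/4096-rsa-private.key
"""

def parse_kv(text):
    """'name = value' lines; Postfix continues a value on indented lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def parse_master_cf(text):
    """Return {service: {option: value}} from the '-o name=value' lines."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            m = re.match(r"\s*-o\s+([^=]+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1).strip()] = m.group(2).strip()
            continue
        current = line.split()[0]
        services[current] = {}
    return services

def tokens(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def audit_postfix(main_text, master_text):
    """Return a list of findings; an empty list means every check passed."""
    main, master, findings = parse_kv(main_text), parse_master_cf(master_text), []
    # Postfix >= 2.10 reads smtpd_relay_restrictions, older releases only
    # smtpd_recipient_restrictions; one of them must reject unauthorised
    # destinations or the host is an open relay.
    relay = main.get("smtpd_relay_restrictions") or main.get("smtpd_recipient_restrictions", "")
    if "reject_unauth_destination" not in tokens(relay):
        findings.append("open relay risk: reject_unauth_destination missing")
    # Port 25 stays opportunistic so senders without TLS are still accepted.
    level = main.get("smtpd_tls_security_level", "none")
    if level != "may":
        findings.append("port 25: smtpd_tls_security_level=%s (want may)" % level)
    for p in ("smtpd_tls_protocols", "smtp_tls_protocols"):
        for old in ("!SSLv2", "!SSLv3"):
            if old not in tokens(main.get(p, "")):
                findings.append("%s does not exclude %s" % (p, old[1:]))
    # Submission (port 587) is where clients authenticate: force TLS and SASL.
    sub = master.get("submission")
    if sub is None:
        findings.append("no submission service in master.cf")
    else:
        if sub.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: smtpd_tls_security_level is not encrypt")
        if sub.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("submission: smtpd_sasl_auth_enable is not yes")
    return findings

def audit_dovecot(text):
    """IMAP side: never plaintext, no SSLv2/3, '<file' so Dovecot reads the PEM."""
    conf, findings = parse_kv(text), []
    if conf.get("ssl") != "required":
        findings.append("dovecot: ssl is not 'required'")
    if conf.get("disable_plaintext_auth") != "yes":
        findings.append("dovecot: disable_plaintext_auth is not yes")
    for old in ("!SSLv2", "!SSLv3"):
        if old not in tokens(conf.get("ssl_protocols", "")):
            findings.append("dovecot: ssl_protocols does not exclude " + old[1:])
    for key in ("ssl_cert", "ssl_key"):
        if not conf.get(key, "").startswith("<"):
            findings.append("dovecot: %s needs the '<path' form" % key)
    return findings

if __name__ == "__main__":
    for f in audit_postfix(MAIN_CF, MASTER_CF) + audit_dovecot(DOVECOT_CONF) or ["all checks passed"]:
        print(f)
```

Run it against the real files with `audit_postfix(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read())`; on a live host `postconf -n` and `postconf -M` give the same `name = value` and service lines with defaults and inheritance already resolved, which is the safer input. The checks are deliberately coarse (presence of tokens, not their order), so a `permit` placed before `reject_unauth_destination` would still pass and has to be caught by reading the policy.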