Setting up a secure Postfix server in 2019 - what to consider?

Postfix is great, and widely used, but freshly installed it's like a newborn child. Nowadays there's a lot of work required to get it to an acceptable level to face the wild west of the Internet.

NB: This is a living document and will probably change over time as I revise my own methods for managing my servers.

Running an MTA to an 'acceptable' standard now requires lots of additional config and tuning, but it's satisfying once done. Be prepared to learn lots about DNS, TLS, certificate structure, mail filtering (miltering), regular expressions and monitoring - crucial once your system is operational.

Once you've had your fill of the RFCs (https://www.fastmail.com/help/technical/standards.html), there's plenty of other stuff to learn. http://www.emailarchivestaskforce.org/documents/guide-to-email-standards/ is worth a read, and are you sure you know how to validate an email address? https://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx/

For newcomers, important areas to cover are:

  • understanding quirks of different email clients, some of the odd scenarios with specific email services
  • familiarising oneself with the certificate process
  • how TLS is employed with email
  • Hands-on experience is crucial!
  • Doing dry runs with a dev system is invaluable - you must be able to make and break things without taking down customers' email 🙂

I administer shared Postfix servers for numerous clients. Some are newest releases of Postfix, and some, due to legacy requirements, are older. Nothing necessarily wrong with that, but some configuration options aren't always available.

If I was setting up a new Postfix server today, I'd go through these steps:

Continue reading "Setting up a secure Postfix server in 2019 - what to consider?"

Quirky / curious email of the week: Anonymous - "Operation Jubilee"

This dropped into my inbox early this morning, a lovely abuse of the email spec and some poor person's mailserver (more fool them for not securing it properly)...

  To: me
  From: Anonymous@OperationJubilee.in
  Subject: Anonymous Operation Jubilee - 5 November 2012

  Dear Anonymous,

  Rally Millions To
  Parliament, London
  5 November 2012

  Cancel All Debt
  Stop War
  Redistribute the Land
  Eliminate Poverty

  Please, spread this message to everyone you know.

This message was, quite cleverly, entirely included in the email subject field, newlines and all. Thunderbird enjoyed parsing it.

So, November the 5th, Parliament Square? See you there.

"Tesco" Facebook scam returns, as Timeline Removal Plugin

  • File under '...really, Amazon?!'

In another example of Amazon's AWS abuse detection failing spectacularly, likely the same culprits behind last week's Tesco Voucher Giveaway scam have targeted Facebook users again -- this time with a "Timeline Removal Plugin" scam.

The scam seems to function thusly: victim clicks the link from a previous victim's event, creates a Facebook event with the same TinyURL in the Event description (containing a link to a Google Translate-wrapped AmazonAWS link) and so the cycle repeats. This doesn't involve the sharing feature, probably a technique Facebook locked down after last week's abuse.

Here are some screenshots of what will appear in your feed when a friend falls victim... Continue reading ""Tesco" Facebook scam returns, as Timeline Removal Plugin"

If you knew your site had been hacked, would you do anything about it?

Earlier this week a PayPal phishing email dropped into one of my work inboxes. I usually delete them instantly, but I checked out the compromised URL -- and surprise surprise, it was a UK domain. "OK," I thought, "I can do something about this."

Little did I know that the problem - a hacked subdomain hosting PHP redirector files pointing to HTML pages on other compromised domains, and a fairly simple one to fix in five minutes - still wouldn't be fixed by the web site owner a week later... Continue reading "If you knew your site had been hacked, would you do anything about it?"
