Postfix is secure by design but still requires strict policy for relay, TLS, and submission services.
¶ Relay and Submission Security
- Ensure
smtpd_recipient_restrictions blocks unauthorized relaying.
- Separate port 25 relay logic from authenticated submission (587/465).
- Require SMTP AUTH for user submission.
¶ TLS and Mail Authentication
- Enforce TLS for submission and opportunistic TLS for relay paths.
- Configure strong certificate chains and key permissions.
- Integrate SPF, DKIM, and DMARC validation/signing workflows.
¶ Queue and Abuse Protection
- Limit connection rates and message rates per client.
- Enable postscreen/anti-spam integration where needed.
- Monitor queue depth and reject/deferral trends.