Firewall CentOS 7 now uses FirewallD, which is not bad, but I don’t think it’s mature enough. So to just disable it and get back to the classic iptables service there are some steps:

systemctl stop firewalld
systemctl disable firewalld
yum -y install iptables-services
systemctl enable iptables
systemctl restart iptables

If you run dual stack, you could also enable and run ip6tables.

Now you have to edit your iptables configuration file, mine looks like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -m comment --comment "ALREADY ESTABLISHED" -j ACCEPT
-A INPUT -p icmp -m comment --comment "ICMP" -j ACCEPT
-A INPUT -i lo -m comment --comment "localhost" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -m state --state NEW -m multiport -p tcp --dports 80,443 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dports 25,465,587 -m comment --comment "SMTP" -j ACCEPT
-A INPUT -m state --state NEW -m multiport -p tcp --dports 110,143,993,995 -m comment --comment "POP3/IMAP" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Further Postfix configuration To make sure that your server respects some rules and rejects the lowest rate spamers we need to setup some extra SMTP parameters. In main.cf we add some lines:

inet_interfaces = all

smtp_sasl_type = dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client rbl.abuse.ro,
        reject_rbl_client dnsbl-1.uceprotect.net,
        reject_rbl_client dnsbl-2.uceprotect.net,
        reject_rbl_client b.barracudacentral.org,
        check_client_access cidr:/etc/postfix/ips,
        check_sender_access hash:/etc/postfix/sender_checks,
        check_policy_service unix:postgrey/socket,
        check_policy_service unix:private/policyd-spf

smtpd_sender_restrictions =
  reject_unknown_sender_domain,
  reject_unknown_address,
  reject_rhsbl_sender dsn.rfc-ignorant.org,
  permit_sasl_authenticated,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client b.barracudacentral.org

Now touch the files called and /etc/postfix/ips and /etc/postfix/sender_checks, and run postmap /etc/postfix/sender_checks. These files will help you later on, when administering the mail server, to block known spammers, by IP or by domain name.

For instance /etc/postfix/ips could contain informations like theese:

205.201.128.0/20        REJECT
89.32.124.0/24          REJECT
31.215.203.0/24         REJECT
88.198.111.205/32       REJECT
91.211.240.0/23         REJECT
86.107.197.0/24         REJECT
70.38.0.0/17            REJECT
176.223.202.15/32       REJECT
199.187.172.0/22        REJECT
89.36.199.0/24          REJECT
188.210.91.0/24         REJECT

And /etc/postfix/sender_checks something like:

serveftp.com                    554 To much spam from your domain
mandrillapp.com                 554 To much spam from your domain
mlsend2.com                     554 To much spam from your domain
doublelife.biz                  554 To much spam from your domain
delosmail.com                   554 To much spam from your domai

Every time you add something to ips file you need to restart Postfix and every time you add something to sender_checks you need to run postmap it.

SPF For some reason CentOS 7 does not include a SPF checking daemon that could be integrated with Postfix. To make SPF records checking possible we sadly need to manually compile some packages.

First we need to install some extra python packages (yum install python-dns python-pydns python-ipaddr python-iptools), then download another two’s sources: pyspf and pypolicyd-spf.

wget https://pypi.python.org/packages/source/p/pyspf/pyspf-2.0.10.tar.gz
tar xzvf pyspf-2.0.10.tar.gz
cd pyspf-2.0.10/
./setup.py  build
./setup.py  install

wget https://pypi.python.org/packages/source/p/pypolicyd-spf/pypolicyd-spf-1.3.1.tar.gz
tar xzvf pypolicyd-spf-1.3.1.tar.gz
cd pypolicyd-spf-1.3.1/
python ./setup.py build
python ./setup.py install

Now try running /usr/bin/policyd-spf and make sure it does not stop with any error. Here you might need to install some extra python modules, normally they are all available thru Yum. To quit just press Ctrl+Z or Ctrl+C.

Now you need to add two extra lines to Postfix’s master.cf

policyd-spf  unix  -       n       n       -       0       spawn
                   user=mails argv=/usr/bin/policyd-spf

And if you opened master.cf you might just uncomment some lines:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

These will enable Submission (587) and SMTPS(465) ports on your server.

SSL When using SSL you need a digital certificate. You can either chose a trusted certification authority and create a new digital certificate. The procedure is the same as if you would create/sign it for your web server, except it will be used by your mail server.

If you prefer using a “self signed” certificate the most comprehensive way to do it is using EasyRSA (a part of OpenVPN). To get started you need to download and unpack it.

wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
unzip 2.x.zip
cd easy-rsa-release-2.x/easy-rsa/2.0/

Now edit the file called vars with your information then load it and create the certificates.

source vars
./clean-all
./build-ca
./build-key-server $YOUR_SERVER_HOSTNAME
cd keys
cat $YOUR_SERVER_HOSTNAME.crt $YOUR_SERVER_HOSTNAME.key ca.crt >$YOUR_SERVER_HOSTNAME.pem
cp $YOUR_SERVER_HOSTNAME.pem /etc/postfix
cp $YOUR_SERVER_HOSTNAME.pem /etc/dovecot

Now configure Postfix to use that certificate, in /etc/postfix/main.cf just put:

smtpd_tls_CAfile=/etc/postfix/$YOUR_SERVER_HOSTNAME.pem
smtpd_tls_cert_file=/etc/postfix/$YOUR_SERVER_HOSTNAME.pem
smtpd_tls_key_file=/etc/postfix/$YOUR_SERVER_HOSTNAME.pem
smtpd_use_tls=yes

And Dovecot, in /etc/dovecot/conf.d/10-ssl.conf configure:

ssl_cert = </etc/dovecot/$YOUR_SERVER_HOSTNAME.pem
ssl_key = </etc/dovecot/$YOUR_SERVER_HOSTNAME.pem
ssl_ca = /etc/dovecot/$YOUR_SERVER_HOSTNAME.pem

Don’t forget to restart both daemons (systemctl restart postfix and systemctl restart dovecot).

If you want to use Thunderbird with your “self-signed” setup, you need to locally download the ca.crt file and import it into Thunderbird. To do that go to Options, Advanced, Certificates, click on View certificates, go to Authorities and click on Import, browse to the file and click on at leas the first two boxes than OK, and close “Certificate Manager” and “Options” windows. Now you can setup your new account. Repeat the same thing for your Firefox browser, it will help accessing your webmail.