This article is work in progress and at this time is a scratch space so I don’t lose my notes.
After some research it seems the internet is full of really bad advice on setting up postfix on Ubuntu. Most articles will get you up and running but leave you with a security problem.
I’ll attempt to share my learnings here and we’ll start with the backup server.
These are the acceptance tests identified so far:
- Server must not accept mail when an SPF check fails.
- Server must accept mail to domains it is providing backup for.
- Server must not accept mail to domains it is not providing backup for.
- Server must not accept mail to restricted destinations.
- Server must not accept mail from domains it is providing backup for.
- Server must accept mail using IPv4 and IPv6.
- Server must present a trusted X.509 certificate with matching host name.
- In all cases must not requirements take precedence.
When using a backup mail server one problem I encountered is that the SPF checking on my primary mail server, of course, did not work correctly. Configuring a whitelist in the SPF policy checker on the primary server solved the problem:
Edit /etc/postfix-policyd-spf-python/policyd-spf.conf
and add the following:
Whitelist = <ip address of backup server>