sys/mta: improve postfix hardening

author: Alejandro Soto <alejandro@34project.org> 2025-04-16 16:57:40 -0600
committer: Alejandro Soto <alejandro@34project.org> 2025-04-19 11:10:00 -0600
commit: 6074fd428ca87e6964416e299a6d341acd1f97dc (patch)
tree: 683053a9fa9b72f15742184d6d51abb0c761894a /sys/mta/default.nix
parent: 750f76baf34bdd8293216f5c84d55b313f9d714e (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/mta/default.nix b/sys/mta/default.nix
index 64e08f3..7a10146 100644
--- a/sys/mta/default.nix
+++ b/sys/mta/default.nix
@@ -161,6 +161,10 @@ in
           # Nota: smtpd_tls_dh1024_param_file fue deprecado en 3.9
 
           tls_append_default_CA = false; # Crítico
+
+          # https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+          smtpd_helo_required = true;
+          disable_vrfy_command = true;
         } // optionalAttrs isPrimary {
           virtual_alias_maps = mkAfter [ "pcre:/etc/postfix/virtual_rules" ];
           virtual_mailbox_domains = attrNames virtualDomains;
author	Alejandro Soto <alejandro@34project.org>	2025-04-16 16:57:40 -0600
committer	Alejandro Soto <alejandro@34project.org>	2025-04-19 11:10:00 -0600
commit	6074fd428ca87e6964416e299a6d341acd1f97dc (patch)
tree	683053a9fa9b72f15742184d6d51abb0c761894a /sys/mta/default.nix
parent	750f76baf34bdd8293216f5c84d55b313f9d714e (diff)