Question
Securing Postfix Emails Locally Hosted Ubuntu Server
- Posted on June 2, 2023
- Ubuntu 20.04
Asked by 9beba204b14949ce8742086778a8c2
I know this isn’t about Digital Ocean hosting, but I am working in a test/dev environment before moving to hosting.
I have a locally hosted Ubutnu Server 20.04 LTS avaialble only to the intranet, for running BookStack. I have Postfix instlled and configured properly and sending both aliased and local email to myself for things like errors and unattended upgrades. That’s really all I need, so do I need to install an SSL via Certbot to secure the send only emaail functionality to a single address: mine?
I did use this tutorial to install Certbot to obtain an ssl, but the hostname of my machine does not include my domain name since this is locally hosted and not facing the web. However, I get an error that certbot could not validate the domain when I do enter the legitimate domain of the company I work for.
So… once again, do I need to encrypt the send only emails to my address for unattended updates and local mail to root, or can I leave it at the base setup? And if I do need to encrypt that traffic, I did verify port 80 is available through ufw, but do I also need 443 to validate the domain? Or am I doing this all wrong?
Thanks
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Featured on Community
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Hey there,
apart from what Bobby has already said, here is a little bit more about security. Since you’re sending emails only to yourself in a local network, SSL/TLS might not be necessary, but it’s a good practice for additional security, especially when you plan to move to a production environment. SSL/TLS provides an extra layer of encryption between your server and email, protecting sensitive information from potential snoopers. However, if you’re confident that your local network is secure, SSL/TLS might not be strictly necessary. This would be resolved by using port 587 for SMTP over TLS and 465 for SMTP over SSL.
Hi there,
You don’t necessarily need all that. Ports 80 and 443 are HTTP/HTTPS ports, so Postfix would not really need them. Depending on which article you’ve followed exactly, Certbot was probably looking for a web service like Nginx or Apache to issue an SSL certificate, which if you are running only Postfix, you don’t really need.
By default, Postfix uses port 25 for plaintext SMTP, port 587 for SMTP over TLS and port 465 for SMTP over SSL.
The reason why you might not want to use port 25 is that the emails are sent over a non-encrypted connection, and also many providers, including DigitalOcean block port 25 for outgoing TCP connections in order to prevent spam:
If you are able to send emails and receive them as expected, you don’t necessarily need to make any changes.
If not, you can switch to using port 587. This should be doable with the following steps:
/etc/postfix/master.cf#in front of the line:In general, running your own email server can be challenging, here is a good article that covers some of the reasons why you might not want to do it:
I personally usually use an SMTP service like SendGrid for most use-cases, they have a free subscription which is sufficient for a lot of use-cases.
Hope that this helps!
Best,
Bobby