Mail Server Series — Part 20
After completing all major components in the previous 19 articles—including Postfix, Dovecot, Amavis, SpamAssassin, SQL Bayes, Piler, Manticore Chinese search, Roundcube, and monitoring—we now reach the most critical layer of enterprise email infrastructure:
Comprehensive Mail Security Hardening
Modern email threats include:
- Phishing
- Sender spoofing
- Man-in-the-Middle (MITM) attacks
- TLS downgrade attacks
- Certificate replacement
- Unauthorized relay / spam abuse
- DNS tampering
To counter these threats, today’s secure email systems rely on six major security mechanisms:
✔ TLS — Transport Encryption
✔ SPF — Sender Policy Framework
✔ DKIM — Cryptographic Message Signing
✔ DMARC — Anti-Spoofing Policy Enforcement
✔ MTA-STS — Enforced Secure SMTP Transport
✔ DANE — DNSSEC-Protected TLS Identity
Once these are properly implemented, your mail environment will gain:
- Strong anti-spoofing protection
- Guaranteed encrypted SMTP transport
- Protection from MITM and downgrade attacks
- Resistance against forged certificates
- Improved trust scoring from Gmail/Outlook
- Reduced SPAM classification
- Higher overall deliverability
1. TLS — Secure Transport Layer Encryption
SMTP communication uses three main encrypted modes:
| Port | Protocol | Purpose |
|---|---|---|
| 25 | STARTTLS | External mail exchange (optional encryption) |
| 587 | Submission (STARTTLS mandatory) | Client mail submission |
| 465 | SMTPS | Full TLS (wrapper mode) |
In our setup:
- Port 25 → `may` (use TLS if the peer offers it)
- Port 587 → `encrypt` (TLS required)
- Port 465 → wrapper-mode TLS
Real certificate usage
```
smtpd_tls_chain_files =
    /etc/letsencrypt/live/it.demo.tw/privkey.pem,
    /etc/letsencrypt/live/it.demo.tw/fullchain.pem
```
(In main.cf a continuation line starts with whitespace; Postfix does not treat a trailing backslash as a line continuation.)
Disable legacy protocols
```
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```
This list applies to mandatory TLS (ports 587 and 465); opportunistic TLS on port 25 is governed separately by `smtpd_tls_protocols`, so set both if port 25 should also refuse TLS 1.0/1.1.
If your SSL Labs rating is A+, your TLS configuration is correctly hardened.
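A quick way to catch the common misconfiguration (hardening only the mandatory list and leaving port 25 on the compiled-in default) is to audit the running configuration. The script below is an added example, not part of the article or of Postfix; it parses `postconf -n` style output (the `SAMPLE_MAIN_CF` text is constructed to mirror the settings above) and expands Postfix protocol lists in their exclusion, inclusion and `>=` forms.

```python
"""Audit Postfix TLS settings from main.cf or `postconf -n` output.

Added example (not from the article). It checks that neither the mandatory
TLS protocol list nor the opportunistic (port 25) list still admits a
legacy protocol, that a certificate chain is configured, and that STARTTLS
is offered at all. SAMPLE_MAIN_CF is constructed for the demo.
"""
import re

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_MAIN_CF = """\
# constructed sample: mandatory list hardened, opportunistic list untouched
smtpd_tls_chain_files =
    /etc/letsencrypt/live/it.demo.tw/privkey.pem,
    /etc/letsencrypt/live/it.demo.tw/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""


def parse_postconf(text):
    """Parse `name = value` lines; a line starting with whitespace continues
    the previous logical line (Postfix main.cf syntax, no backslashes)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def allowed_protocols(value):
    """Expand a Postfix protocol list into the set of protocols it allows.
    Handles the exclusion form (!SSLv2, !SSLv3), the inclusion form
    (TLSv1.2 TLSv1.3) and the >=/<= range form of newer Postfix releases."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    allowed, included = set(ORDER), set()
    for tok in tokens:
        if tok.startswith("!"):
            allowed.discard(tok[1:])
        elif tok.startswith(">="):
            allowed &= set(ORDER[ORDER.index(tok[2:]):])
        elif tok.startswith("<="):
            allowed &= set(ORDER[: ORDER.index(tok[2:]) + 1])
        else:
            included.add(tok)
    return allowed & included if included else allowed


def audit(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if params.get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd_tls_security_level is none: STARTTLS is not offered")
    for name in ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols"):
        if name not in params:
            findings.append(f"{name} not set: the compiled-in default applies "
                            f"(see `postconf -d {name}`)")
            continue
        weak = allowed_protocols(params[name]) & LEGACY
        if weak:
            findings.append(f"{name} still allows {', '.join(sorted(weak))}")
    has_pair = "smtpd_tls_cert_file" in params and "smtpd_tls_key_file" in params
    if "smtpd_tls_chain_files" not in params and not has_pair:
        findings.append("no server certificate configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

Run it against `postconf -n` output from the real host; on the sample above it reports exactly one finding, the unset `smtpd_tls_protocols`.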
2. SPF — Sender Policy Framework
SPF helps receivers verify whether a server is authorized to send mail for your domain.
Basic SPF example
```
v=spf1 mx a ip4:YOUR.SERVER.IP -all
```
If using multiple services (Google Workspace, SendGrid, Mailgun), use includes:
```
v=spf1 mx include:_spf.google.com include:sendgrid.net -all
```
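Two things bite in practice with records like these: every `include:`, `a`, `mx`, `ptr`, `exists` and `redirect=` term costs a DNS lookup and RFC 7208 allows at most 10 per check (beyond that receivers return permerror), and a record that ends in `+all` or has no `all` term at all authorises far more than intended. The parser below is an added example, not code from the article; it counts lookup terms in the record itself (not inside the included records), audits the `all` term, and evaluates a client IP against the address-literal mechanisms offline. The records and addresses are constructed (TEST-NET ranges).

```python
"""Parse an SPF record, count the DNS lookups it costs and evaluate a
client IP against its address-literal mechanisms offline.

Added example, not from the article. Records and addresses are constructed.
"""
import ipaddress
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# qualifier, mechanism/modifier name, ':' or '=' separator, argument
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)([:=])?(.*)$")


def parse_spf(record):
    """Return a list of (qualifier, name, argument); modifiers such as
    redirect= and exp= carry qualifier None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term {term!r}")
        qualifier, name, sep, arg = m.groups()
        if sep == "=":
            parsed.append((None, name.lower(), arg))
        else:
            parsed.append((qualifier or "+", name.lower(), arg))
    return parsed


def lookup_count(terms):
    """Terms that trigger DNS lookups; RFC 7208 caps them at 10 per check
    (nested lookups inside included records count as well, not shown here)."""
    return sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)


def evaluate_ip(terms, client_ip):
    """Evaluate ip4/ip6/all without DNS. Lookup mechanisms are skipped; if
    one of them precedes the deciding term the result is 'needs-dns'."""
    ip = ipaddress.ip_address(client_ip)
    skipped = False
    for qualifier, name, arg in terms:
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return "needs-dns" if skipped else QUALIFIERS[qualifier]
        elif name in LOOKUP_TERMS:
            skipped = True
    return "needs-dns" if skipped else "neutral"


def audit_spf(record):
    """Checks worth running before publishing a record."""
    terms = parse_spf(record)
    warnings = []
    if lookup_count(terms) > 10:
        warnings.append("more than 10 DNS-lookup terms: receivers return permerror")
    alls = [q for q, name, _ in terms if name == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if not alls and not has_redirect:
        warnings.append("no 'all' term: unlisted senders get neutral, not fail")
    elif alls and alls[-1] == "+":
        warnings.append("'+all' authorises every host on the internet")
    return warnings


if __name__ == "__main__":
    rec = "v=spf1 mx include:_spf.google.com include:sendgrid.net -all"
    print(lookup_count(parse_spf(rec)), "lookup terms;", audit_spf(rec))
```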
Remember:
✔ SPF alone does not block spoofing
You need DMARC.
3. DKIM — DomainKeys Identified Mail
DKIM cryptographically signs outgoing messages so recipients can verify:
- The message was not modified
- The sender domain is legitimate
Amavis already handles DKIM signing for you; the signing key lives at:
```
/var/lib/amavis/dkim/DOMAIN.pem
```
To view your DKIM key:
```
amavisd-new showkeys
```
Add the result to your DNS:
```
default._domainkey TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"
```
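The `p=` value is simply the base64 body of the public-key PEM, and with a 2048-bit key it is longer than the 255 bytes a single DNS character-string can hold, so the record has to be published as several adjacent quoted strings that receivers concatenate. The helper below is an added example, not part of the article or of Amavis: it builds the TXT strings from a PEM and parses a published record back into tags. `SAMPLE_PEM` is a constructed placeholder of RSA-2048 SPKI size, not a real key; substitute the key file or `amavisd-new showkeys` output.

```python
"""Turn a DKIM public-key PEM into DNS TXT character-strings and parse a
published record back into tags.

Added example, not from the article. SAMPLE_PEM is a constructed placeholder
(294 bytes, the DER size of an RSA-2048 SubjectPublicKeyInfo), not a key.
"""
import base64
import textwrap

_FAKE_SPKI = bytes(range(256)) + bytes(38)   # constructed placeholder bytes
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_SPKI).decode(), 64))
              + "\n-----END PUBLIC KEY-----\n")


def pem_to_p_tag(pem):
    """The p= value is the base64 of the DER SubjectPublicKeyInfo, which is
    exactly the PEM body with the BEGIN/END lines removed."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a PUBLIC KEY (SubjectPublicKeyInfo) PEM block")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)    # reject garbage before publishing
    return body


def dkim_txt_strings(pem, chunk=255):
    """A DNS character-string holds at most 255 bytes, so a 2048-bit key
    must be published as several adjacent quoted strings."""
    record = f"v=DKIM1; k=rsa; p={pem_to_p_tag(pem)}"
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]


def zone_line(strings, selector="default"):
    """Zone-file form: the strings are concatenated by resolvers."""
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{s}"' for s in strings)


def parse_dkim_txt(strings):
    """Receivers join the character-strings, then split tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM key record")
    return tags


if __name__ == "__main__":
    print(zone_line(dkim_txt_strings(SAMPLE_PEM)))
```

After publishing, query the selector (`dig TXT default._domainkey.DOMAIN`) and run the answer's strings through `parse_dkim_txt` to confirm the `p=` value round-trips intact; a key cut off at 255 characters is the usual reason DKIM verification fails right after setup.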
4. DMARC — Domain-Level Anti-Spoofing Policy
DMARC combines SPF + DKIM results and enforces policies.
Recommended configuration:
```
_dmarc TXT "v=DMARC1; p=quarantine; sp=reject; rua=mailto:postmaster@it.demo.tw; ruf=mailto:postmaster@it.demo.tw; fo=1; adkim=s; aspf=s"
```
Key policies:
| Policy | Meaning |
|---|---|
| none | Monitoring only |
| quarantine | Suspicious mail goes to spam |
| reject | Fully block spoofed mail |
Enterprises typically start with:
✔ p=quarantine → observe
Then move to:
✔ p=reject → strict enforcement
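What a receiver actually does with this record is worth seeing end to end: SPF and DKIM each only count if the authenticated domain is aligned with the RFC 5322 From domain (strict `adkim=s`/`aspf=s` means exact match; relaxed means same organizational domain), and when neither is aligned and passing, `p=` applies to the organizational domain and `sp=` to its subdomains. The code below is an added example, not from the article; it parses the recommended record above and evaluates constructed message scenarios. It assumes the organizational domain is the one the record was published under, a stand-in for the Public Suffix List lookup real receivers perform.

```python
"""Parse a DMARC record and evaluate it the way a receiver does.

Added example, not from the article. ARTICLE_RECORD is the record the
article recommends; scenarios are constructed. The organizational domain is
taken to be the domain the record was published under (an approximation of
the Public Suffix List lookup in RFC 7489).
"""

POLICIES = {"none", "quarantine", "reject"}

ARTICLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; "
                  "rua=mailto:postmaster@it.demo.tw; ruf=mailto:postmaster@it.demo.tw; "
                  "fo=1; adkim=s; aspf=s")


def parse_dmarc(record):
    """tag=value pairs separated by ';', with the RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                raise ValueError(f"{uri_tag}= entries must be mailto: URIs")
    tags.setdefault("adkim", "r")      # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p=
    tags.setdefault("pct", "100")
    return tags


def _norm(domain):
    return domain.lower().rstrip(".")


def in_org(domain, org_domain):
    """True when domain equals org_domain or is a subdomain of it."""
    d, o = _norm(domain), _norm(org_domain)
    return d == o or d.endswith("." + o)


def aligned(from_domain, auth_domain, mode, org_domain):
    """Strict mode needs an exact match; relaxed mode accepts any two
    domains under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return _norm(from_domain) == _norm(auth_domain)
    return in_org(from_domain, org_domain) and in_org(auth_domain, org_domain)


def evaluate(policy, org_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action). spf_domain is the MAIL FROM domain,
    dkim_domain the d= of a signature that verified (None if none did)."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain,
                                              policy["aspf"], org_domain)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain,
                                                policy["adkim"], org_domain)
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = _norm(from_domain) != _norm(org_domain)
    return "fail", policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    pol = parse_dmarc(ARTICLE_RECORD)
    print(evaluate(pol, "it.demo.tw", "news.it.demo.tw",
                   "fail", "attacker.example", "fail", None))
```

Note what strict alignment costs: with `aspf=s`, mail whose envelope sender is `bounce.it.demo.tw` no longer gets SPF credit for a `From: it.demo.tw` message and must rely on a DKIM signature with `d=it.demo.tw`; check your outbound paths (list software, ticketing, bounce handling) before tightening from `r` to `s`.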
5. MTA-STS — Enforced Secure SMTP Transport
MTA-STS ensures:
- SMTP connections must use TLS
- Prevents downgrade attacks
- Prevents MITM certificate replacement
It requires three components:
(1) DNS TXT record
```
_mta-sts TXT "v=STSv1; id=20250101"
```
(2) HTTPS policy file
Served at:
Content:
```
version: STSv1
mode: enforce
mx: it.demo.tw
max_age: 86400
```
(3) Policy updating
Increment the id= value whenever you change policies.
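Senders cache the policy for `max_age` seconds and only refetch it when the `id=` in the DNS record changes, so a policy edit without a new id silently leaves caching senders on the old one. The code below is an added example, not from the article: it validates a policy file (the text is the article's), checks MX hosts against the `mx:` patterns (a `*.` wildcard matches exactly one label, per RFC 8461), and flags a changed policy whose id did not change. MX hostnames and ids are constructed.

```python
"""Validate an MTA-STS policy file, check MX hosts against its mx patterns,
and confirm a policy change came with a new id.

Added example, not from the article. ARTICLE_POLICY is the article's policy;
hostnames and ids are constructed. Receivers fetch the file from
https://mta-sts.<domain>/.well-known/mta-sts.txt over a valid HTTPS cert.
"""
import hashlib

ARTICLE_POLICY = """\
version: STSv1
mode: enforce
mx: it.demo.tw
max_age: 86400
"""

MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600   # the ceiling RFC 8461 sets (one year)


def parse_policy(text):
    """key: value lines; mx may repeat, every other key appears once."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in policy:
            raise ValueError(f"duplicate key {key!r}")
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of problems; empty means the policy is publishable."""
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in MODES:
        errors.append("mode must be enforce, testing or none")
    if policy.get("mode") != "none" and not policy["mx"]:
        errors.append("enforce/testing policies need at least one mx line")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            errors.append(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    except ValueError:
        errors.append("max_age must be a non-negative integer")
    return errors


def mx_allowed(policy, mx_host):
    """A '*.example.com' pattern matches exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def policy_id(policy_text):
    """One way to derive id=: a short digest of the file, so every edit
    yields a new id without anyone having to remember to bump it."""
    return hashlib.sha256(policy_text.encode()).hexdigest()[:12]


def sts_txt_record(policy_text):
    return f'_mta-sts IN TXT "v=STSv1; id={policy_id(policy_text)}"'


def id_stale(old_text, new_text, old_id, new_id):
    """True when the policy changed but the published id did not: caching
    senders keep the old policy until their max_age expires."""
    return old_text != new_text and old_id == new_id


if __name__ == "__main__":
    print(validate_policy(parse_policy(ARTICLE_POLICY)), sts_txt_record(ARTICLE_POLICY))
```

The article's `max_age: 86400` is valid; a longer value (one to two weeks) keeps senders protected for longer if the HTTPS host goes down, while `mode: testing` first, with TLS-RPT reports, shows which senders would have failed before `enforce` starts refusing their mail.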
6. DANE — DNSSEC-Protected TLS Assurance
DANE (DNS-Based Authentication of Named Entities):
- Protects TLS using DNSSEC
- Prevents forged certificates
- Strongest SMTP transport security available today
Example TLSA record:
```
_25._tcp.it.demo.tw TLSA 3 1 1 <CERT-HASH>
```
Requirements:
✔ DNSSEC enabled
✔ TLSA records configured
✔ Postfix compiled with TLSA support (ours is)
Cloudflare, PowerDNS, and Knot DNS make DANE deployment simple.
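The `3 1 1` in the record above means usage 3 (DANE-EE: trust this end-entity key directly), selector 1 (the SubjectPublicKeyInfo rather than the whole certificate) and matching type 1 (SHA-256), so `<CERT-HASH>` is the SHA-256 of the certificate's DER-encoded public key. The code below is an added example, not from the article or Postfix: a minimal DER walker that pulls the SPKI out of a certificate, derives the record, and checks a published record against the certificate actually served. `CERT_DER` is a constructed DER skeleton with placeholder contents, not a real certificate; for a live check feed it the first certificate of `fullchain.pem` via `pem_to_der`.

```python
"""Derive a DANE TLSA 3 1 1 record from a DER certificate and verify a
published record against it.

Added example, not from the article. 3 1 1 = SHA-256 over the DER
SubjectPublicKeyInfo, so a small DER walker suffices. CERT_DER below is a
constructed skeleton with placeholder contents, not a real certificate.
"""
import base64
import hashlib


def der_tlv(data, offset=0):
    """Decode one DER TLV; return (tag, value_bytes, end_offset)."""
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, raw_tlv_bytes) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, _, end = der_tlv(value, pos)
        yield tag, value[pos:end]
        pos = end


def extract_spki(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 4.1).
    tbs fields: [0] version (optional), serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ..."""
    tag, cert, _ = der_tlv(cert_der)
    tbs_tag, tbs, _ = der_tlv(cert)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = list(der_children(tbs))
    if fields and fields[0][0] == 0xA0:    # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]                    # raw SPKI TLV, as hashed by DANE


def tlsa_3_1_1(cert_der):
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


def tlsa_record(host, cert_der, port=25):
    return f"_{port}._tcp.{host} TLSA 3 1 1 {tlsa_3_1_1(cert_der)}"


def record_matches(record, cert_der):
    """Compare a published '... TLSA 3 1 1 <hash>' line with a certificate."""
    usage, selector, mtype, digest = record.split()[-4:]
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("this check handles only 3 1 1 records")
    return digest.lower() == tlsa_3_1_1(cert_der)


def pem_to_der(pem):
    """First certificate of a PEM bundle (e.g. fullchain.pem) as DER."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


# --- constructed DER skeleton standing in for a real certificate ----------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
SHA256_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
SPKI = der(0x30, der(0x30, RSA_OID + der(0x05, b""))
           + der(0x03, b"\x00" + bytes(range(1, 65))))     # placeholder key bits
TBS = der(0x30, der(0xA0, der(0x02, b"\x02"))              # version v3
           + der(0x02, b"\x01\x23")                          # serial (placeholder)
           + der(0x30, SHA256_RSA_OID)                       # signature algorithm
           + der(0x30, b"")                                  # issuer (placeholder)
           + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
           + der(0x30, b"")                                  # subject (placeholder)
           + SPKI)
CERT_DER = der(0x30, TBS + der(0x30, SHA256_RSA_OID) + der(0x03, bytes(9)))

if __name__ == "__main__":
    print(tlsa_record("it.demo.tw", CERT_DER))
```

Because `3 1 1` pins the public key, a Let's Encrypt renewal that generates a fresh key silently breaks DANE: either renew with certbot's `--reuse-key` so the SPKI stays constant, or publish the new record alongside the old one before switching certificates and remove the old record only after the TTL has passed. Run `record_matches` against the certificate Postfix actually serves as a post-renewal check.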
7. Enterprise-Grade Mail Security Checklist
| Feature | Required? | Status |
|---|---|---|
| TLS | ✔ Required | Completed |
| SPF | ✔ Required | Completed |
| DKIM | ✔ Required | Completed |
| DMARC | ✔ Required | Completed |
| MTA-STS | ✔ Strongly Recommended | Ready to deploy |
| DANE | Recommended for enterprises | Deploy after DNSSEC |
Your system is already “secure”, but enabling:
⭐ MTA-STS
⭐ DANE (after enabling DNSSEC)
will elevate your environment to world-class security.
8. Summary
In this chapter, we implemented all key components of a modern secure mail system:
- TLS for encrypted transport
- SPF for sender verification
- DKIM for message integrity
- DMARC for anti-spoofing policy control
- MTA-STS for secured SMTP enforcement
- DANE for DNSSEC-based TLS integrity
These protections provide:
✔ Strong anti-spoofing
✔ Guaranteed encrypted SMTP transport
✔ Protection from certificate tampering
✔ Higher deliverability and trust scores
✔ Compliance with enterprise security standards
Your mail platform is now operating at international security standards.