Protect Postfix with AppArmor Templates

Using Pre-Built Templates to Protect Postfix
Ubuntu provides a number of pre-built AppArmor templates that can be used to protect a Postfix mail server.

Add the pre-built templates for Postfix.

sudo apt-get install apparmor-profiles

This will install many pre-built templates that you can use. The additional ones, including those for Postfix, are in the extras directory.

cd /usr/share/doc/apparmor-profiles/extras

Now copy all of the Postfix related profiles into /etc/apparmor.d/.

sudo cp usr.sbin.post* /etc/apparmor.d/
sudo cp usr.lib.post* /etc/apparmor.d/

 

Restart the AppArmor daemon so that the copied profiles are loaded.

sudo /etc/init.d/apparmor restart

Now check the number of active profiles.

sudo aa-status

32 profiles are in enforce mode.

/usr/lib/postfix/spawn

/usr/lib/postfix/tlsmgr

/usr/sbin/saslauthd

/usr/lib/postfix/pipe

/usr/lib/postfix/proxymap

/usr/lib/postfix/bounce

/usr/sbin/postalias

/usr/lib/postfix/pickup

/usr/lib/postfix/qmqpd

/usr/lib/postfix/showq

/usr/sbin/avahi-daemon

/usr/lib/postfix/local

/usr/lib/postfix/nqmgr

/usr/sbin/postdrop

/usr/lib/postfix/scache

/usr/lib/postfix/virtual

/usr/lib/postfix/lmtp

/usr/lib/postfix/discard

/usr/lib/postfix/error

/usr/lib/postfix/smtpd

/usr/lib/postfix/smtp

/usr/lib/postfix/cleanup

/usr/sbin/postfix

/usr/sbin/postmap

/usr/sbin/postqueue

/usr/lib/postfix/anvil

/usr/lib/postfix/qmgr

/usr/lib/postfix/master

/usr/lib/postfix/verify

/usr/lib/postfix/flush

/usr/lib/postfix/trivial-rewrite

/usr/lib/postfix/oqmgr

You may not need all of these profiles, depending on what you are running, so remove those you do not need. You can switch the rest to complain mode, which logs violations instead of blocking them, while you test. Either way, run Postfix and then use the aa-logprof command to make any necessary adjustments to the profiles. This ensures the profiles match what your system actually does and that it keeps running effectively.

sudo aa-logprof

Reading log entries from /var/log/messages.

Updating AppArmor profiles in /etc/apparmor.d.

Enforce-mode changes:

Profile: /usr/sbin/postfix

Capability: sys_tty_config

Severity: 8

(A)llow / [(D)eny] / Abo(r)t / (F)inish

Adding capability sys_tty_config to profile.

Profile: /usr/sbin/postfix

Path: /etc/postfix/main.cf

Mode: r

Severity: 3

[1 - /etc/postfix/main.cf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish

Adding /etc/postfix/main.cf r to profile.

Profile: /usr/sbin/saslauthd

Path: /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock

Mode: w

Severity: unknown

[1 - /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish

Adding /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock w to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /usr/sbin/postfix]

2 - /usr/sbin/saslauthd

(S)ave Changes / [(V)iew Changes] / Abo(r)t

Writing updated profile for /usr/sbin/postfix.

Writing updated profile for /usr/sbin/saslauthd.
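
Before answering the aa-logprof prompts, it helps to see what was logged for each profile, so that every (A)llow is a deliberate choice. The script below is an added example, not part of the original page: it counts AppArmor events per profile from log text. The function names summarize_events and sample_log are hypothetical, and the log lines are constructed samples in the current kernel audit format, which may differ from what an older release writes.

```shell
#!/bin/sh
# Added example: summarise AppArmor events per profile before running aa-logprof.
# Assumption: the log uses the kernel audit key="value" layout shown in the
# constructed samples below (apparmor=, profile=, name=, denied_mask=, capname=).

sample_log() {
cat <<'EOF'
Jan 10 09:00:01 mail kernel: audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="capable" profile="/usr/sbin/postfix" pid=2101 comm="postfix" capability=26  capname="sys_tty_config"
Jan 10 09:00:01 mail kernel: audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=2101 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 09:00:05 mail kernel: audit: type=1400 audit(1700000004.310:13): apparmor="DENIED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=2140 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 09:00:07 mail kernel: audit: type=1400 audit(1700000006.550:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/saslauthd" name="/var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock" pid=2188 comm="saslauthd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jan 10 09:00:09 mail postfix/smtpd[2201]: connect from localhost[127.0.0.1]
EOF
}

# Reads log text on stdin and prints one line per distinct event:
#   count profile status kind target [mask]
# DENIED comes from enforce mode, ALLOWED from complain mode.
summarize_events() {
    LC_ALL=C awk '
    # Value of key="..." in the current line, or "" if the key is absent.
    function field(key,    s) {
        if (!match($0, " " key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    /apparmor="(DENIED|ALLOWED)"/ {
        what = field("capname")
        if (what != "") what = "capability " what
        else what = "path " field("name") " " field("denied_mask")
        seen[field("profile") " " field("apparmor") " " what]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

# Demo on the constructed sample; on a real host feed it the log that
# aa-logprof reads, e.g.  summarize_events < /var/log/messages
sample_log | summarize_events
```
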