How would I set up Debian 10 and Postfix security for a limited send-only email setup?

My wife and I run a small Debian 10/Buster web server with a few websites for friends and need to set up outgoing email. I've got to the point where I can send emails from the command line (echo "Message Body" | mail -s "Message Subject" TARGET_EMAIL_HERE).

We need a set up that meets the following requirements:

  • only a few emails each week will be sent:
    • some emails from a Perl contact form on a website (which needs tighter anti-spam protection, was going to use the Google CAPTCHA)
    • some emails with document attachments from a theatre booking system that only known and trusted users can log into
  • need a 'reply to' field in outgoing emails so people can hit "reply" in their email client (appears easy when setting up scripts to use mail servers)
  • we don't want to allow any incoming email to the server

What we have:

  • user websites are set up in their user directories (which are 755), but we administer the sites and they cannot log in to the server
  • my wife and I are sudoers (two system admins) and the only people who log in via SSH/SFTP
  • root login is disabled
  • We've changed the SSH port

I'm aware this is the bare minimum of info, but I'd like some guidance on setting up and securing Postfix for this kind of usage.


First of all you should configure Postfix to bind only to localhost if you are not receiving any email on the server. Then you could use a firewall like UFW (since you're on Debian) to block incoming TCP port 25 (it's not mandatory since Postfix only binds to localhost, but it will just block incoming SMTP traffic, since you don't want it).

The website or whatever scripts you have (if they are on the same server) can be configured to connect via localhost to send emails. When you send emails you have to add a Reply-To header with an email address where you want your users to reply.

Configure UseDNS no in /etc/ssh/sshd_config to prevent reverse DNS mapping on each user connection. I would also disable password authentication via SSH and strictly allow auth with SSH public keys. Use strictly Protocol 2. If you do not use IPv6, for example, disable it in the SSH server:

AddressFamily inet

Also for SSH:

# Authentication:
LoginGraceTime 15s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 5

KerberosAuthentication no
GSSAPIAuthentication no

  • if a user doesn't authenticate within 15 seconds then the connection is closed
  • only allows three password attempts
  • maximum 5 users connected simultaneously is allowed
  • disable Kerberos auth
  • disable GSSAPI auth

As a good rule of thumb you should strictly allow only necessary incoming ports and drop everything else. Same goes for outgoing. If your server does no forwarding then you can just DROP forwarding by default.

Additionally you could install fail2ban which can be configured according to your needs. There are plenty of tutorials on the internet so you can customize it the way you like and/or need.

It's pretty hard to provide a straight answer since the info provided is pretty general. But these should provide some basic guidance.
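As an added example (not code from the question or the answer), here is a small sending script of the kind the answer describes, written in Python rather than Perl: it hands the message to the Postfix instance listening on localhost:25 and sets Reply-To from the visitor's address, but only after checking that value, since it comes straight from the web form and must not be allowed to carry extra header lines. The addresses and the example.org/example.net names are assumptions.

```python
"""Send a contact-form message through the local Postfix listener with a Reply-To header."""
import re
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Hypothetical addresses for a site hosted on this server (assumed, not from the page).
SITE_SENDER = "contact-form@example.org"   # From address Postfix will send as
SITE_OWNER = "owner@example.org"           # where form submissions are delivered

# Conservative shape for a single addr-spec: no whitespace, no CR/LF, exactly one '@'.
_ADDR_RE = re.compile(r"^[^\s@<>,;:]+@[^\s@<>,;:]+\.[^\s@<>,;:]+$")


def safe_reply_to(user_supplied: str) -> Optional[str]:
    """Return a clean addr-spec for Reply-To, or None if the visitor's input is unusable.

    The value is typed by the visitor, so it is checked before it becomes a header:
    anything containing CR/LF, or that does not parse as one plain address, is rejected.
    """
    if not user_supplied or "\r" in user_supplied or "\n" in user_supplied:
        return None
    _name, addr = parseaddr(user_supplied.strip())
    if not addr or not _ADDR_RE.match(addr):
        return None
    return addr


def build_message(subject: str, body: str, visitor_reply_to: str) -> Optional[EmailMessage]:
    """Assemble the outgoing message; returns None when the reply address is rejected."""
    reply_to = safe_reply_to(visitor_reply_to)
    if reply_to is None:
        return None
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = SITE_OWNER
    msg["Subject"] = subject.replace("\r", " ").replace("\n", " ")  # keep Subject single-line
    msg["Reply-To"] = reply_to   # lets the owner hit "reply" and reach the visitor
    msg.set_content(body)
    return msg


def send_via_localhost(msg: EmailMessage, host: str = "localhost", port: int = 25) -> dict:
    """Hand the message to Postfix on the loopback interface; {} means all recipients accepted."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        return smtp.send_message(msg)


if __name__ == "__main__":
    m = build_message("Website contact", "Hello from the form", "visitor@example.net")
    if m is not None:
        send_via_localhost(m)
```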