Je rappelle que je veux juste envoyer des mails (www-data, root...) pas en recevoir sur le serveur.
Merci à tous pour votre aide
####### main.cf
smtpd_banner = $myhostname
biff = no
append_dot_mydomain = no
myhostname = ***.***.***.94.in-addr.arpa
mydestination = $myhostname, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
disable_vrfy_command = yes
####### master.cf
smtp inet n - - - - smtpd
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
####### netstat -ptna
root:/etc/postfix# netstat -ptna
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3655/mysqld
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 26616/perl
tcp 0 0 ***.***.***.***:80 82.231.154.26:53203 SYN_RECV -
tcp 0 0 ***.***.***.***:80 82.231.154.26:53207 SYN_RECV -
tcp 0 0 ***.***.***.***:53 0.0.0.0:* LISTEN 773/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 773/named
tcp 0 0 0.0.0.0:4854 0.0.0.0:* LISTEN 3592/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 15838/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 773/named
tcp 0 0 ***.***.***.***:4854 88.120.45.12:51308 ESTABLISHED 2300/sshd: root@not
tcp 0 0 ***.***.***.***:4854 88.120.45.12:52801 ESTABLISHED 31003/sshd: www-dat
tcp 0 248 ***.***.***.***:4854 88.120.45.12:60305 ESTABLISHED 19367/1
tcp6 0 0 :::80 :::* LISTEN 11849/apache2
tcp6 0 0 ::1:53 :::* LISTEN 773/named
tcp6 0 0 :::4854 :::* LISTEN 3592/sshd
tcp6 0 0 :::25 :::* LISTEN 15838/master
tcp6 0 0 ***.***.***.***:80 46.119.121.146:56019 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:60183 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:60234 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:64417 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:55988 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 66.249.93.176:42579 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:60212 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 82.231.154.26:53206 FIN_WAIT2 16368/apache2
tcp6 0 0 ***.***.***.***:80 46.119.121.146:56040 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:64437 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 46.119.121.146:64364 TIME_WAIT -
tcp6 0 0 ***.***.***.***:80 66.249.93.3:47652 TIME_WAIT -
####### Firewall
#!/bin/sh
# Réinitialise les règles
iptables -t filter -F
iptables -t filter -X
# Bloque tout le trafic
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Autorise les connexions déjà établies et localhost
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT # Attention, si vous avez changé le port SSH dans le fichier /etc/ssh/sshd_config, indiquez le à la place de 22
iptables -t filter -A INPUT -p tcp --dport 4854 -j ACCEPT # Attention, si vous avez changé le port SSH dans le fichier /etc/ssh/sshd_config, indiquez le à la place de 22
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP (horloge du serveur)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# WEBMIN
iptables -t filter -A OUTPUT -p tcp --dport 10000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
# HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# HTTP Caldav
iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8008 -j ACCEPT
# HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# HTTPS Caldav
iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# FTP
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Mail SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Mail POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# Mail IMAP
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Anti Flood / Deni de service / scan de port
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
############ Fail2Ban
[DEFAULT]
bantime = 3600
findtime = 600
destemail = root@localhost
maxretry = 3
backend = auto
usedns = warn
destemail = root@localhost
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
#port = 22 # Ou votre numéro de port SSH
port = 4978 # Ou votre numéro de port SSH
maxretry = 3
[webmin-auth]
enabled = true
port = https,10000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
port = all
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1
bantime = 86400
[postfix]
enabled = true
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 3
