Here are the security policies. Those on bold are policies which I haven’t manage to implement. If someone knows a way please share. I will then try it and edit this post to reflect the solution.
Policy #1 - I/O port 25, 443 and 587 access control:
Use of the above ports must be controlled and should only be open on a mail server. Also, use of port 25 should be avoided if possible. This policy can be implemented on Nethserver by going to [Network Services] and editing [postfix (SMTP)]
Policy #2 - Anti-relay rules implementation:
Anti-relay rules ensures that our server doesn’t end up as a mail spammer. Nethserver Email module accomplish this by going to [Email] -> [SMTP Access] and setting [Allow relay from IP addresses] to our internal mail server IP.
Policy #3 - Reverse DNS:
Some receiving mail servers may use this as an indication of a possible spam source in a scoring system. In my case I asked my ISP to setup a reverse record (PTR) that matches the hostname of my mail server
Policy #4 - Audit logging policy:
Nethserver logs can be accessed via web UI on [Log viewer]
Policy #5 - Maximum number of recipients in a SMTP transaction:
Maximum number of recipients in a SMTP transaction must at least be lower than 100.
As @mrmarkuz suggested we create a custom template and restart the service:
Policy #6 - Max size per message:
The name is self-explanatory. We can so this by going to [Email] -> [Messages] and set [Queue message max size]. If the web UI doesn’t give us the value we need we can also do it by CLI like this:
config setprop postfix MessageSizeMax 2000000 && signal-event nethserver-mail-common-save
Policy #7 - SPF record definition:
As the name suggest, you must have a SPF record on a public DNS server.
Policy #8 - SPF record check on incoming mail:
Our server must also do a SPF record check on incoming mails and actions must be established for mails which don’t have SPF record. So far Nethserver web UI doesn’t seems to have way to setup this policy. However if we want our server to only accept incoming mails from host having SPF records on a public SPF we can do it like this:
config setprop postfix SpfStatus enabled
Moreover, Nethserver Email2 has SPF record check, though it’s still in Beta.
Policy #9 - Unknown recipients control:
As the name implies, our internal mail server must have a rejection control enabled. I’m also planing to migrate my internal mail server to Nethserver7, right now I’m leaving this as homework.
Policy #10 - SMTP flow control:
Our server must have a way to control the maximum number of connections that an SMTP client may make in the time interval. This policy is a way to stop email flooding attacks. I haven’t find a way to do it over the web UI.
Policy #11 - NTP
Self-explanatory. Go to [Date and time] and set a NTP server. Nethserver provides [pool.ntp.org] by default
Policy #12 - Secured mail
Self-explanatory. In Nethserver all protocols for mail access (HTTP, SMTP, POP and IMAP) are secured (SSL/TLS) by default. Great work guys !!!
Policy #13 - Anti-virus
Self-explanatory. Enabled by default, check it on [Email] -> [Filter] -> [Anti-virus]
Policy #14 - Mail Authentication:
Self-explanatory. This policy applies to internal mail server. You can bind your Nethserver mail server to an AD or LDAP service. I will write the details in due time.
Policy #15 - Periodic Password Renewal:
Self-explanatory. This policy applies to internal mail server. Again, I will write the details in due time.
Policy #16 - Anti-Spam:
Self-explanatory. Enabled by default, check it on [Email] -> [Filter] -> [Anti-spam]