
Postfix email firewall/gateway

The idea is to set up a Postfix email firewall/gateway that forwards mail for "example.com" to an inside gateway machine but rejects mail for "anything.example.com". There is only one problem: with "relay_domains = example.com", the firewall by default also accepts mail for "anything.example.com", because the default value of parent_domain_matches_subdomains lists relay_domains, so a relay domain matches its subdomains as well. That would not be right.

Note: this example requires Postfix version 2.0 or later. To find out what Postfix version you have, execute the command "postconf mail_version".

The solution is presented in multiple parts. This first part gets rid of local mail delivery on the firewall, removing the local(8) delivery agent and everything it can be made to run (aliases, .forward files, commands) from the firewall's attack surface and so making the firewall harder to break.

     1 /etc/postfix/main.cf:
     2     myorigin = example.com
     3     mydestination =
     4     local_recipient_maps =
     5     local_transport = error:local mail delivery is disabled
     6 
     7 /etc/postfix/master.cf:
     8     Comment out the local delivery agent

Translation:

  • Line 2: Send mail from this machine as "user@example.com", so that no reason exists to send mail to "user@firewall.example.com".

  • Lines 3-8: Disable local mail delivery on the firewall machine.

For the sake of technical correctness the firewall must be able to receive mail for postmaster@[firewall ip address]: SMTP (RFC 5321, section 4.5.1) requires every host that accepts mail to accept mail for "postmaster", and reportedly some things actually expect this ability to exist. The second part of the solution therefore adds support for postmaster@[firewall ip address], and as a bonus we do abuse@[firewall ip address] (the abuse-reporting mailbox of RFC 2142) as well. All mail to these two accounts is forwarded to an inside address.

    1 /etc/postfix/main.cf:
    2     virtual_alias_maps = hash:/etc/postfix/virtual
    3 
    4 /etc/postfix/virtual:
    5     postmaster      postmaster@example.com
    6     abuse           abuse@example.com

Translation:

  • Because mydestination is empty (see the first part above), only address literals matching $inet_interfaces or $proxy_interfaces are deemed local. So "localpart@[a.d.d.r]" can be matched as simply "localpart" in canonical(5) and virtual(5). This avoids the need to put firewall IP addresses into Postfix configuration files.

The last part of the solution does the email forwarding, which is the real purpose of the firewall email function.

     1 /etc/postfix/main.cf:
     2     mynetworks = 127.0.0.0/8 12.34.56.0/24
     3     relay_domains = example.com
     4     parent_domain_matches_subdomains =
     5         debug_peer_list smtpd_access_maps
     6     smtpd_recipient_restrictions =
     7         permit_mynetworks reject_unauth_destination
     8 
     9     relay_recipient_maps = hash:/etc/postfix/relay_recipients
    10     transport_maps = hash:/etc/postfix/transport
    11 
    12 /etc/postfix/relay_recipients:
    13     user1@example.com   x
    14     user2@example.com   x
    15      . . .
    16 
    17 /etc/postfix/transport:
    18     example.com   smtp:[inside-gateway.example.com]

Translation:

  • Lines 1-7: Accept mail from local systems in $mynetworks, and accept mail from outside for "user@example.com" but not for "user@anything.example.com". The magic is in lines 4-5: by setting parent_domain_matches_subdomains to a list that does not include relay_domains, "relay_domains = example.com" matches only "example.com" itself, so reject_unauth_destination refuses recipients in any subdomain. (On Postfix 2.10 and later, relaying is additionally governed by smtpd_relay_restrictions; its default value, "permit_mynetworks permit_sasl_authenticated defer_unauth_destination", is consistent with this setup.)

  • Lines 9, 12-14: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet (the right-hand side "x" is a placeholder; only the presence of the key matters). Unknown recipients are then rejected at RCPT TO time instead of being accepted and bounced later, which prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table.

  • Lines 10, 17-18: Route mail for "example.com" to the inside gateway machine. The [] around the host name tells Postfix to skip the MX lookup and connect to that host directly.

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/relay_recipients" whenever you change the relay_recipients table.

Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.
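The RCPT TO decision that the three configuration parts above produce can be checked offline with the following model. It is an example added here, not code from the Postfix documentation or the Postfix source: it reimplements, in simplified form, the documented matching rules for mynetworks, relay_domains, parent_domain_matches_subdomains, address literals against inet_interfaces, virtual_alias_maps, relay_recipient_maps and transport_maps. The firewall interface address 12.34.56.1, the recipient names and the client addresses are assumptions chosen to fit the page's example.

```python
"""Simplified model of the firewall's RCPT TO decision.  Added illustration,
not Postfix code; settings and addresses are constructed to match the page."""

import ipaddress

# Constructed sample: the page's settings plus one assumed firewall interface.
# relay_recipient_maps = None stands for "relay_recipient_maps =" (no check).
CONFIG = {
    "mynetworks": ["127.0.0.0/8", "12.34.56.0/24"],
    "inet_interfaces": ["12.34.56.1"],      # assumed firewall address
    "mydestination": [],                    # no local domains at all
    "relay_domains": ["example.com"],
    "parent_domain_matches_subdomains": ["debug_peer_list", "smtpd_access_maps"],
    "virtual_alias_maps": {"postmaster": "postmaster@example.com",
                           "abuse": "abuse@example.com"},
    "relay_recipient_maps": {"user1@example.com", "user2@example.com"},
    "transport_maps": {"example.com": "smtp:[inside-gateway.example.com]"},
}

# Postfix's default parent_domain_matches_subdomains: relay_domains is listed,
# so with it a relay domain also matches every subdomain.
DEFAULT_PARENT_DOMAIN_MATCHES = [
    "debug_peer_list", "fast_flush_domains", "mynetworks",
    "permit_mx_backup_networks", "qmqpd_authorized_clients",
    "relay_domains", "smtpd_access_maps"]


def domain_in_list(domain, patterns, match_subdomains):
    """Exact match always counts; 'anything.example.com' matches
    'example.com' only when subdomain matching is on for this list."""
    d = domain.lower()
    for p in patterns:
        p = p.lower()
        if d == p or (match_subdomains and d.endswith("." + p)):
            return True
    return False


def in_mynetworks(client_ip, cfg):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in cfg["mynetworks"])


def is_own_address_literal(domain, cfg):
    """'[a.d.d.r]' naming one of $inet_interfaces is a local destination
    even though mydestination is empty."""
    if not (domain.startswith("[") and domain.endswith("]")):
        return False
    try:
        ip = ipaddress.ip_address(domain[1:-1])
    except ValueError:
        return False
    return any(ip == ipaddress.ip_address(a) for a in cfg["inet_interfaces"])


def decide(client_ip, recipient, cfg):
    """Return (action, detail) for one RCPT TO command, following
    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
    and then the recipient and transport lookups that apply."""
    localpart, _, domain = recipient.rpartition("@")
    if not localpart or not domain:
        return ("REJECT", "malformed recipient")

    if in_mynetworks(client_ip, cfg):
        return ("ACCEPT", "permit_mynetworks")

    # Local destination: only our own address literal, since mydestination is empty.
    if (domain_in_list(domain, cfg["mydestination"], False)
            or is_own_address_literal(domain, cfg)):
        target = cfg["virtual_alias_maps"].get(localpart.lower())
        if target is not None:
            return ("ACCEPT", "virtual alias -> " + target)
        # local_recipient_maps is empty, so smtpd does not validate the
        # recipient; local_transport = error: then bounces the message.
        return ("ACCEPT", "bounced by local_transport: local mail delivery is disabled")

    subdomains = "relay_domains" in cfg["parent_domain_matches_subdomains"]
    if not domain_in_list(domain, cfg["relay_domains"], subdomains):
        return ("REJECT", "reject_unauth_destination")

    valid = cfg["relay_recipient_maps"]
    if valid is not None and recipient.lower() not in valid:
        return ("REJECT", "unknown recipient in relay_recipient_maps")

    # [] in the transport entry means: no MX lookup, connect to that host.
    # Domains without an entry fall back to the default transport ("smtp:").
    return ("ACCEPT", "relay via " + cfg["transport_maps"].get(domain.lower(), "smtp:"))


if __name__ == "__main__":
    legacy = dict(CONFIG, parent_domain_matches_subdomains=DEFAULT_PARENT_DOMAIN_MATCHES,
                  relay_recipient_maps=None)
    for ip, rcpt in [("1.2.3.4", "user1@example.com"),
                     ("1.2.3.4", "user1@anything.example.com"),
                     ("1.2.3.4", "postmaster@[12.34.56.1]"),
                     ("12.34.56.7", "anyone@elsewhere.test")]:
        print(rcpt, "page config:", decide(ip, rcpt, CONFIG),
              "| default pdms:", decide(ip, rcpt, legacy))
```

Running the script side by side with the "legacy" configuration (Postfix's default parent_domain_matches_subdomains and no relay_recipient_maps) shows the two effects the text relies on: "user1@anything.example.com" is rejected only when relay_domains is absent from parent_domain_matches_subdomains, and "nobody@example.com" is rejected at RCPT TO time only when a relay_recipients table is in place.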

In some installations, there may be separate instances of Postfix processing inbound and outbound mail on a multi-homed firewall. The inbound Postfix instance has an SMTP server listening on the external firewall interface, and the outbound Postfix instance has an SMTP server listening on the internal interface. In such a configuration it is tempting to configure $inet_interfaces in each instance with just the corresponding interface address.

In most cases, using inet_interfaces in this way will not work, because, as documented in the $inet_interfaces reference manual, the smtp(8) delivery agent will also use the specified interface address as the source address for outbound connections and will be unable to reach hosts on "the other side" of the firewall. The symptoms are that the firewall is unable to connect to hosts that are in fact up. See the inet_interfaces parameter documentation for suggested work-arounds.
