Because I had to change my antivirus and spamfilter strategy, I configured a postfix as a gateway from and to my mailserver (= Exchange 2013).

So what was the goal:

E-Mail gateway inbound (= SMTP Proxy)
E-Mail gateway outbound (= SMTP Proxy or SmartHost )
Spam-filtering
AntiVirus

That’s my setting now:

Debian stretch (kernel 4.8.0-1-amd64)
postfix (3.1.3-6)
amavisd-new (2.10.1-4)
ClamAV (0.99.2)
SpamAssassin (3.4.1-6)

Postfix

Installation

At first, we install the postfix per apt install postfix postfix-cdb. (CDB of “postfix-cdb” is a map-format for postfix, which I’m using for).

Common Configuration

With dpkg-reconfigure postfix, we’re able to do configure postfix as gateway and to disable the mailbox functions.

Enter the Domain-Name of this mailserver

If ext3 is running, you don’t need synchronous updates

Specify the IP(-Ranges) which are allowed to send mails

We don’t have any mailboxes, so leave it to 0

Disable local delivery

Because it’s just a mail gateway, we disabled any local transport functions^[1] in the /etc/postfix/main.cf file.

mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =

mydestination =

local_recipient_maps =

local_transport = error:local mail delivery is disabled

relayhost =

In the /etc/postfix/master.cf file, we have to disable the local delivery with adding “#” as prefix:

#local     unix  –       n       n       –       –       local

1	#local unix – n n – – local

Configure outbound mail relay^[1]

We already added the networks which are allowed to send mails through this gateway in the /etc/postfix/main.cf file.

mynetworks = 127.0.0.1/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

1 2	mynetworks = 127.0.0.1/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Configure Inbound mail relay^[2]

Just a couple of mail-addresses should get relayed to the internal mailserver. Postfix has to deny the rest of it.

To ensure this, enable the configuration for the allowed domains and recipients in the /etc/postfix/main.cf file.

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Where to send mail for addresses/domains
transport_maps = cdb:/etc/postfix/transport_maps

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for

relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for

relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Where to send mail for addresses/domains

transport_maps = cdb:/etc/postfix/transport_maps

Now we have to create the necessary relay maps in /etc/postfix/relay_recipient_maps

# mail for the first of the domains we accept for
postmaster@example1.net x
user1@example1.net x
user2@example1.net x
user3@example1.net x
user4@example1.net x
user5@example1.net x
user6@example1.net x

# Accept mail for anyone at example2.net
@example2.net x

# mail for the first of the domains we accept for

postmaster@example1.net x

user1@example1.net x

user2@example1.net x

user3@example1.net x

user4@example1.net x

user5@example1.net x

user6@example1.net x

# Accept mail for anyone at example2.net

@example2.net x

Map the file in postifx-format (cdb) per postmap /etc/postfix/relay_recipient_maps

For the transport lookup, we have to create /etc/postfix/transport_maps. I don’t need any sophisticated logic. If you need transport-mappings for different mailservers, you are able to fine-tune every recipient mailbox and/or domain to specific smtp-servers (see [2] for complex examples).

For this configuration, the following mappings are enough

# Mail to anyone at dieholzers.at is sent via SMTP to this host
example1.net smtp:192.168.1.10:25

# Mail to anyone at philipp.info is sent via SMTP to this host
example2.net smtp:192.168.1.10:25

# Mail to anyone at dieholzers.at is sent via SMTP to this host

example1.net smtp:192.168.1.10:25

# Mail to anyone at philipp.info is sent via SMTP to this host

example2.net smtp:192.168.1.10:25

Map the file in postfix-format per postmap /etc/postfix/transport_maps

Now we have a working postfix-configuration for inbound and outbound relaying – Congratulations ;-). Just restart postfix per service postfix restart and test it with the telnet-command:

telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.example1.net ESMTP Postfix (Debian/GNU)

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 smtp.example1.net ESMTP Postfix (Debian/GNU)

Just to be sure, the /etc/postfix/main.cf should look similar to:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = smtp.example1.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydomain = example1.net
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Seems OK
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

# Where to send mail for adresses/domains
transport_maps = cdb:/etc/postfix/transport_maps

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first

# line of that file to be used as the name. The Debian default

# is /etc/mailname.

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

biff = no

# appending .domain is the MUA's job.

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h

readme_directory = no

# TLS parameters

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

smtpd_use_tls=yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

myhostname = smtp.example1.net

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

myorigin = /etc/mailname

mydomain = example1.net

mydestination =

local_recipient_maps =

local_transport = error:local mail delivery is disabled

relayhost =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30

mailbox_size_limit = 0

recipient_delimiter = +

inet_interfaces = all

inet_protocols = all

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for

relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for

relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Seems OK

smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

# Where to send mail for adresses/domains

transport_maps = cdb:/etc/postfix/transport_maps

On the next page, we’re going to install and configure the spamfilter and the antivirus.

Pages: 123

4 thoughts on “Inbound and Outbound Spam/AntiVirus Mail Gateway”

mterrasson says:

25.02.2017 at 01:23

Hello,
Thank you for your tutorial, it is clear and simple.
I installed this on Debian 8.7 and I had to setup the instances in /etc/postfix/master.cf and not in main.cf .
Hope that help
mterrasson

1. philipp says:
  
  26.02.2017 at 23:28
  
  Hi,
  
  You’re right. I updated it for the second postfix-instance (amavis-instance).
  Thanks for your help
  
  kind regards,
  Philipp
  
Rafaël Harvey says:

10.07.2017 at 18:58

You made a mistake here :
This is not in the main.cf file but in master.cf who need to write this:

smtp-amavis unix – – n – 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes

1. philipp says:
  
  22.02.2018 at 13:27
  
  You’re right. I changed it to “master.cf”