Because I had to change my antivirus and spam filter strategy, I configured Postfix as a gateway in front of my mail server (Exchange 2013), handling mail in both directions.
The goals were:
- E-Mail gateway inbound (= SMTP Proxy)
- E-Mail gateway outbound (= SMTP Proxy or SmartHost)
- Spam-filtering
- AntiVirus
This is my setup now:
- Debian stretch (kernel 4.8.0-1-amd64)
- postfix (3.1.3-6)
- amavisd-new (2.10.1-4)
- ClamAV (0.99.2)
- SpamAssassin (3.4.1-6)
Postfix
Installation
First, install Postfix with apt install postfix postfix-cdb. (The postfix-cdb package adds the CDB lookup-table format to Postfix, which I use for the relay and transport maps below.)
Common Configuration
With dpkg-reconfigure postfix we can configure Postfix as a gateway and disable the mailbox functions.
Disable local delivery
Because this host is only a mail gateway, local delivery is disabled entirely[1] in /etc/postfix/main.cf:
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =
In /etc/postfix/master.cf, disable the local delivery agent by commenting out its line with a "#" prefix:
#local     unix  -       n       n       -       -       local
Configure outbound mail relay[1]
We have already added the networks that are allowed to send mail through this gateway to /etc/postfix/main.cf; reject_unauth_destination refuses relaying for every other client:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Configure inbound mail relay[2]
Only a handful of mail addresses should be relayed to the internal mail server; Postfix has to reject everything else.
To ensure this, configure the allowed domains and recipients in /etc/postfix/main.cf:
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net
# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps
# Where to send mail for addresses/domains
transport_maps = cdb:/etc/postfix/transport_maps
Now create the relay recipient map /etc/postfix/relay_recipient_maps. The value after each address ("x") is required by the map format but is not used by the lookup:
# mail for the first of the domains we accept for
postmaster@example1.net x
user1@example1.net x
user2@example1.net x
user3@example1.net x
user4@example1.net x
user5@example1.net x
user6@example1.net x
# Accept mail for anyone at example2.net
@example2.net x
Compile the file into the cdb format referenced in main.cf with postmap cdb:/etc/postfix/relay_recipient_maps. The cdb: prefix matters: without it, postmap builds a map of the default_database_type (hash on Debian), which the cdb: lookup in main.cf would not find.
For the transport lookup, we have to create /etc/postfix/transport_maps. I don't need any sophisticated logic. If you need transport mappings for different mail servers, you can route every recipient mailbox and/or domain to a specific SMTP server (see [2] for complex examples).
For this configuration, the following mappings are enough:
# Mail to anyone at example1.net is sent via SMTP to this host
example1.net smtp:192.168.1.10:25
# Mail to anyone at example2.net is sent via SMTP to this host
example2.net smtp:192.168.1.10:25
Compile this file in the same way with postmap cdb:/etc/postfix/transport_maps.
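To check that the two maps above admit only the recipients you intend, here is an added Python example (not from the original post) that applies Postfix's lookup order to constructed copies of the maps: relay_domains first, then relay_recipient_maps with the full address, the address with its +extension stripped (recipient_delimiter = +) and the @domain catch-all, and finally the transport lookup. It models only what this configuration uses; parent-domain (.domain) transport entries and the rest of the restriction chain are left out.

```python
# Added example (not part of the original post): replay the gateway's
# RCPT TO decision against constructed copies of the two lookup tables.
RELAY_DOMAINS = {"example1.net", "example2.net"}  # relay_domains, exact match only
RECIPIENT_DELIMITER = "+"                          # recipient_delimiter = +

# Constructed copy of /etc/postfix/relay_recipient_maps (postmap text form)
RELAY_RECIPIENT_MAPS = """\
# mail for the first of the domains we accept for
postmaster@example1.net x
user1@example1.net x
user2@example1.net x
# Accept mail for anyone at example2.net
@example2.net x
"""

# Constructed copy of /etc/postfix/transport_maps
TRANSPORT_MAPS = """\
example1.net smtp:192.168.1.10:25
example2.net smtp:192.168.1.10:25
"""


def parse_map(text):
    """Parse a postmap text table into a dict; keys are lower-cased as postmap folds them."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def relay_decision(rcpt, recipients, transports):
    """Return (accepted, nexthop) for one RCPT TO address.
    Postfix order: domain must be in relay_domains (reject_unauth_destination), then
    relay_recipient_maps is tried with the full address, the address without its
    +extension, and the @domain catch-all; unknown users are rejected during the SMTP
    dialogue, so nothing is accepted that would have to bounce later (no backscatter).
    """
    rcpt = rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    if domain not in RELAY_DOMAINS:
        return False, None
    bare_local = local.split(RECIPIENT_DELIMITER, 1)[0]
    candidates = (rcpt, f"{bare_local}@{domain}", f"@{domain}")
    if not any(c in recipients for c in candidates):
        return False, None
    # transport_maps: full address first, then the domain (.parent forms not modelled)
    return True, transports.get(rcpt) or transports.get(domain)
```

Because relay_domains was removed from parent_domain_matches_subdomains in this main.cf, a subdomain such as mail.example1.net is not relayed, which the checker reproduces.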
Now we have a working Postfix configuration for inbound and outbound relaying. Congratulations ;-). Restart Postfix with service postfix restart and test it with telnet:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.example1.net ESMTP Postfix (Debian/GNU)
Just to be sure, /etc/postfix/main.cf should now look similar to this (the ssl-cert-snakeoil files are Debian's self-signed placeholder certificate; replace them with a real certificate and key before the gateway talks TLS to the outside world):
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = smtp.example1.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydomain = example1.net
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net
# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps
# Seems OK
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
# Where to send mail for addresses/domains
transport_maps = cdb:/etc/postfix/transport_maps
On the next page, we're going to install and configure the spam filter and the antivirus scanner.
Hello,
Thank you for your tutorial, it is clear and simple.
I installed this on Debian 8.7 and I had to set up the instances in /etc/postfix/master.cf and not in main.cf.
Hope that helps
mterrasson
Hi,
You’re right. I updated it for the second postfix-instance (amavis-instance).
Thanks for your help
kind regards,
Philipp
You made a mistake here :
This is not in the main.cf file but in master.cf, where you need to write this:
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
You’re right. I changed it to “master.cf”
Hi, thank you for your tutorial.
Is there some way to monitor/view the queues, sent mail, historical outbound addresses, etc in a management back-end of sorts? Some sort of granularity in knowing the volume of mail and from what addresses, etc. over time. Kind of like what CPanel has?
Thanks