Because I had to change my antivirus and spamfilter strategy, I configured a postfix as a gateway from and to my mailserver (= Exchange 2013).
So what was the goal:
- E-Mail gateway inbound (= SMTP Proxy)
- E-Mail gateway outbound (= SMTP Proxy or SmartHost )
- Spam-filtering
- AntiVirus
That’s my setting now:
- Debian stretch (kernel 4.8.0-1-amd64)
- postfix (3.1.3-6)
- amavisd-new (2.10.1-4)
- ClamAV (0.99.2)
- SpamAssassin (3.4.1-6)
Postfix
Installation
At first, we install the postfix per apt install postfix postfix-cdb. (CDB of “postfix-cdb” is a map-format for postfix, which I’m using for).
Common Configuration
With dpkg-reconfigure postfix, we’re able to do configure postfix as gateway and to disable the mailbox functions.
Disable local delivery
Because it’s just a mail gateway, we disabled any local transport functions[1] in the /etc/postfix/main.cf file.
|
1 2 3 4 |
mydestination = local_recipient_maps = local_transport = error:local mail delivery is disabled relayhost = |
In the /etc/postfix/master.cf file, we have to disable the local delivery with adding “#” as prefix:
|
1 |
#local unix – n n – – local |
Configure outbound mail relay[1]
We already added the networks which are allowed to send mails through this gateway in the /etc/postfix/main.cf file.
|
1 2 |
mynetworks = 127.0.0.1/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination |
Configure Inbound mail relay[2]
Just a couple of mail-addresses should get relayed to the internal mailserver. Postfix has to deny the rest of it.
To ensure this, enable the configuration for the allowed domains and recipients in the /etc/postfix/main.cf file.
|
1 2 3 4 5 6 7 8 9 10 |
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps # this line contains the list of domains to relay for relay_domains = example1.net, example2.net # list of addresses/domains to accept mail for relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps # Where to send mail for addresses/domains transport_maps = cdb:/etc/postfix/transport_maps |
Now we have to create the necessary relay maps in /etc/postfix/relay_recipient_maps
|
1 2 3 4 5 6 7 8 9 10 11 |
# mail for the first of the domains we accept for postmaster@example1.net x user1@example1.net x user2@example1.net x user3@example1.net x user4@example1.net x user5@example1.net x user6@example1.net x # Accept mail for anyone at example2.net @example2.net x |
Map the file in postifx-format (cdb) per postmap /etc/postfix/relay_recipient_maps
For the transport lookup, we have to create /etc/postfix/transport_maps. I don’t need any sophisticated logic. If you need transport-mappings for different mailservers, you are able to fine-tune every recipient mailbox and/or domain to specific smtp-servers (see [2] for complex examples).
For this configuration, the following mappings are enough
|
1 2 3 4 5 |
# Mail to anyone at dieholzers.at is sent via SMTP to this host example1.net smtp:192.168.1.10:25 # Mail to anyone at philipp.info is sent via SMTP to this host example2.net smtp:192.168.1.10:25 |
Map the file in postfix-format per postmap /etc/postfix/transport_maps
Now we have a working postfix-configuration for inbound and outbound relaying – Congratulations ;-). Just restart postfix per service postfix restart and test it with the telnet-command:
|
1 2 3 4 5 6 |
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 smtp.example1.net ESMTP Postfix (Debian/GNU) |
Just to be sure, the /etc/postfix/main.cf should look similar to:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = smtp.example1.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydomain = example1.net mydestination = local_recipient_maps = local_transport = error:local mail delivery is disabled relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps # this line contains the list of domains to relay for relay_domains = example1.net, example2.net # list of addresses/domains to accept mail for relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps # Seems OK smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination # Where to send mail for adresses/domains transport_maps = cdb:/etc/postfix/transport_maps |
On the next page, we’re going to install and configure the spamfilter and the antivirus.
Hello,
Thank you for your tutorial, it is clear and simple.
I installed this on Debian 8.7 and I had to setup the instances in /etc/postfix/master.cf and not in main.cf .
Hope that help
mterrasson
Hi,
You’re right. I updated it for the second postfix-instance (amavis-instance).
Thanks for your help
kind regards,
Philipp