Inbound and Outbound Spam/AntiVirus Mail Gateway

Because I had to change my antivirus and spamfilter strategy, I configured a postfix as a gateway from and to my mailserver (= Exchange 2013).

So what was the goal:

  • E-Mail gateway inbound (= SMTP Proxy)
  • E-Mail gateway outbound (= SMTP Proxy or SmartHost )
  • Spam-filtering
  • AntiVirus

That’s my setting now:

  • Debian stretch (kernel 4.8.0-1-amd64)
  • postfix (3.1.3-6)
  • amavisd-new (2.10.1-4)
  • ClamAV (0.99.2)
  • SpamAssassin (3.4.1-6)

Postfix

Installation

At first, we install the postfix per apt install postfix postfix-cdb. (CDB of “postfix-cdb” is a map-format for postfix, which I’m using for).

Common Configuration

With dpkg-reconfigure postfix, we’re able to do configure postfix as gateway and to disable the mailbox functions.

Disable local delivery

Because it’s just a mail gateway, we disabled any local transport functions[1] in the /etc/postfix/main.cf file.

mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =

In the /etc/postfix/master.cf file, we have to disable the local delivery with adding “#” as prefix:

#local     unix  –       n       n       –       –       local

Configure outbound mail relay[1]

We already added the networks which are allowed to send mails through this gateway in the /etc/postfix/main.cf file.

mynetworks = 127.0.0.1/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Configure Inbound mail relay[2]

Just a couple of mail-addresses should get relayed to the internal mailserver. Postfix has to deny the rest of it.

To ensure this, enable the configuration for the allowed domains and recipients in the /etc/postfix/main.cf file.

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Where to send mail for addresses/domains
transport_maps = cdb:/etc/postfix/transport_maps

Now we have to create the necessary relay maps in /etc/postfix/relay_recipient_maps

# mail for the first of the domains we accept for
postmaster@example1.net x
user1@example1.net x
user2@example1.net x
user3@example1.net x
user4@example1.net x
user5@example1.net x
user6@example1.net x

# Accept mail for anyone at example2.net
@example2.net x

Map the file in postifx-format (cdb) per postmap /etc/postfix/relay_recipient_maps

For the transport lookup, we have to create /etc/postfix/transport_maps. I don’t need any sophisticated logic. If you need transport-mappings for different mailservers, you are able to fine-tune every recipient mailbox and/or domain to specific smtp-servers (see [2] for complex examples).

For this configuration, the following mappings are enough

# Mail to anyone at dieholzers.at is sent via SMTP to this host
example1.net smtp:192.168.1.10:25

# Mail to anyone at philipp.info is sent via SMTP to this host
example2.net smtp:192.168.1.10:25

Map the file in postfix-format per postmap /etc/postfix/transport_maps

Now we have a working postfix-configuration for inbound and outbound relaying – Congratulations ;-). Just restart postfix per service postfix restart and test it with the telnet-command:

telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.example1.net ESMTP Postfix (Debian/GNU)

Just to be sure, the /etc/postfix/main.cf should look similar to:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = smtp.example1.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydomain = example1.net
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Seems OK
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

# Where to send mail for adresses/domains
transport_maps = cdb:/etc/postfix/transport_maps

On the next page, we’re going to install and configure the spamfilter and the antivirus.

6 thoughts on “Inbound and Outbound Spam/AntiVirus Mail Gateway”

  1. Hello,
    Thank you for your tutorial, it is clear and simple.
    I installed this on Debian 8.7 and I had to setup the instances in /etc/postfix/master.cf and not in main.cf .
    Hope that help
    mterrasson

    1. Hi,

      You’re right. I updated it for the second postfix-instance (amavis-instance).
      Thanks for your help

      kind regards,
      Philipp

      1. Dear Philipp,
        Thank you for your tutorial, it is clear and simple.
        Some Image in your tutorial does not show. Can you repair it.
        Thank you very much.

  2. You made a mistake here :
    This is not in the main.cf file but in master.cf who need to write this:

    smtp-amavis unix – – n – 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

  3. Hi, thankyou for your tutorial.
    Is there some way to monitor/view the queues, sent mail, historical outbound addresses, etc in a management back-end of sorts? Some sort of granularity in knowing the volume of mail and from what addresses, etc. over time. Kind of like what CPanel has?
    Thanks

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.