Inbound and Outbound Spam/AntiVirus Mail Gateway

Because I had to change my antivirus and spam-filter strategy, I configured Postfix as a gateway to and from my mail server (Exchange 2013).

So what was the goal:

  • E-Mail gateway inbound (= SMTP Proxy)
  • E-Mail gateway outbound (= SMTP Proxy or SmartHost )
  • Spam-filtering
  • AntiVirus

That’s my setting now:

  • Debian stretch (kernel 4.8.0-1-amd64)
  • postfix (3.1.3-6)
  • amavisd-new (2.10.1-4)
  • ClamAV (0.99.2)
  • SpamAssassin (3.4.1-6)

Postfix

Installation

First, install Postfix with apt install postfix postfix-cdb. (CDB, provided by “postfix-cdb”, is the map format I use for the Postfix lookup tables below.)

Common Configuration

With dpkg-reconfigure postfix, we can configure Postfix as a gateway and disable the mailbox functions.

Disable local delivery

Because it’s just a mail gateway, we disable all local transport functions[1] in the /etc/postfix/main.cf file.

mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =

In the /etc/postfix/master.cf file, we have to disable local delivery by prefixing the line with “#”:

#local     unix  -       n       n       -       -       local

Configure outbound mail relay[1]

The networks that are allowed to send mail through this gateway are listed in the /etc/postfix/main.cf file.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Configure Inbound mail relay[2]

Only a specific set of mail addresses should be relayed to the internal mail server. Postfix has to reject everything else.

To ensure this, configure the allowed domains and recipients in the /etc/postfix/main.cf file.

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Where to send mail for addresses/domains
transport_maps = cdb:/etc/postfix/transport_maps

Now we have to create the necessary relay maps in /etc/postfix/relay_recipient_maps

# mail for the first of the domains we accept for
postmaster@example1.net x
user1@example1.net x
user2@example1.net x
user3@example1.net x
user4@example1.net x
user5@example1.net x
user6@example1.net x

# Accept mail for anyone at example2.net
@example2.net x

Compile the file into the Postfix map format (cdb) with postmap /etc/postfix/relay_recipient_maps
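
The outbound rule (mynetworks) and the inbound rules (relay_domains plus relay_recipient_maps) together decide what happens to each RCPT TO. The following Python sketch is an added example, not part of the original post and not Postfix code: it is a simplified model of that decision, the function names are made up for illustration, and the client addresses used to exercise it are constructed.

```python
import ipaddress

# Values copied from the main.cf and relay_recipient_maps shown on this page.
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30"
RELAY_DOMAINS = {"example1.net", "example2.net"}
RECIPIENT_DELIMITER = "+"
RELAY_RECIPIENT_MAP = """\
# mail for the first of the domains we accept for
postmaster@example1.net x
user1@example1.net x
# Accept mail for anyone at example2.net
@example2.net x
"""

def parse_map(text):
    """Return the lookup keys of a Postfix-style 'key value' table."""
    rows = (line.split() for line in text.splitlines())
    return {r[0].lower() for r in rows if r and not r[0].startswith("#")}

def in_mynetworks(client_ip, spec=MYNETWORKS):
    """True if the client address falls inside one of the mynetworks entries."""
    ip = ipaddress.ip_address(client_ip)
    for item in spec.replace(",", " ").split():
        net = ipaddress.ip_network(item.replace("[", "").replace("]", ""))
        if net.version == ip.version and ip in net:
            return True
    return False

def recipient_listed(rcpt, keys):
    """Simplified lookup order: full address, address without +extension, @domain."""
    local, _, domain = rcpt.lower().rpartition("@")
    base = local.split(RECIPIENT_DELIMITER, 1)[0]
    candidates = (f"{local}@{domain}", f"{base}@{domain}", f"@{domain}")
    return any(key in keys for key in candidates)

def rcpt_decision(client_ip, rcpt, keys):
    """Model of the RCPT TO outcome for this gateway (simplified)."""
    domain = rcpt.lower().rpartition("@")[2]
    # relay_domains is not named in parent_domain_matches_subdomains here,
    # so only exact names match: sub.example1.net is not a relay domain.
    if domain in RELAY_DOMAINS:
        # Assumes the default smtpd_reject_unlisted_recipient = yes, which
        # applies to every client, including those in mynetworks.
        return "accept" if recipient_listed(rcpt, keys) else "refuse: unknown recipient"
    # Any other destination is relayed only for clients in mynetworks
    # (a 4xx or 5xx reply, depending on which restriction fires first).
    return "accept" if in_mynetworks(client_ip) else "refuse: relay access denied"
```

On the real gateway, postmap -q user1@example1.net cdb:/etc/postfix/relay_recipient_maps performs a single key lookup against the compiled table.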

For the transport lookup, we have to create /etc/postfix/transport_maps. I don’t need any sophisticated logic. If you need transport mappings for different mail servers, you can route each recipient mailbox and/or domain to a specific SMTP server (see [2] for complex examples).

For this configuration, the following mappings are enough

# Mail to anyone at example1.net is sent via SMTP to this host
example1.net smtp:192.168.1.10:25

# Mail to anyone at example2.net is sent via SMTP to this host
example2.net smtp:192.168.1.10:25

Compile the file into the Postfix map format with postmap /etc/postfix/transport_maps

Now we have a working Postfix configuration for inbound and outbound relaying. Congratulations ;-). Restart Postfix with service postfix restart and test it with the telnet command:

telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.example1.net ESMTP Postfix (Debian/GNU)

Just to be sure, the /etc/postfix/main.cf should look similar to:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = smtp.example1.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydomain = example1.net
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.178.0/24 192.168.1.30
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

# this line contains the list of domains to relay for
relay_domains = example1.net, example2.net

# list of addresses/domains to accept mail for
relay_recipient_maps = cdb:/etc/postfix/relay_recipient_maps

# Seems OK
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

# Where to send mail for addresses/domains
transport_maps = cdb:/etc/postfix/transport_maps

On the next page, we’re going to install and configure the spamfilter and the antivirus.

4 thoughts on “Inbound and Outbound Spam/AntiVirus Mail Gateway”

  1. Hello,
    Thank you for your tutorial, it is clear and simple.
    I installed this on Debian 8.7 and I had to set up the instances in /etc/postfix/master.cf and not in main.cf.
    Hope that helps
    mterrasson

    1. Hi,

      You’re right. I updated it for the second postfix-instance (amavis-instance).
      Thanks for your help

      kind regards,
      Philipp

  2. You made a mistake here:
    This is not in the main.cf file but in master.cf, where you need to write this:

    smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
