Configuring Message Router Using Postfix
by Hoang Q. Tran
The message router is generally configured to accept all mail for a domain or sub-domain, process that mail according to the specified policies, and to then forward the mail to an internal mail server for collection by the user.
The basic
Running Postfix in chroot jail
Reference
Network Diagram
[Internet]
|
|->FW->
|->DMZ
|->MAIL Router
|->FW->
|->Internal Network
|->Mail Server (Exchange, Domino etc)
Why build a message router?
A message router offers several advantages:
Acting as a message router, it takes on the role of a router, directing messages between the remote (sending) mail server and the recipient's mail server.
Using UCE policies, the message router can intercept each e-mail, inspect it, and either bounce it or forward it to the message server for processing.
If the message router is hacked, crackers and friends will still not have access to the mailboxes, which live on the internal message server.
Unauthorized SMTP probes and other malicious attempts will hit the message router instead, which reduces the risk of the message server being exposed to direct exploitation.
Smartness of a message router:
The basic
Fight spam
Policies and Reports
Some data for this howto:
Domain name: example.com
Client network: 192.168.1.0/24
example.com is the backup MX host for: other.com
IP address of message server: 192.168.1.2
The basic
Edit /etc/postfix/main.cf and follow the steps below:
Define our domain name:
myorigin = example.com
Accept incoming e-mails for example.com:
mydestination = example.com
Specify which recipients exist; an empty value disables the check, so the router accepts mail for any recipient in the domain and leaves recipient validation to the message server:
local_recipient_maps =
Postfix defaults to relaying for clients on the same subnet. On a public DSL/cable network, relaying for those clients is not desired, so explicitly list the trusted client IP address ranges. SMTP clients whose IP address falls within these ranges will be permitted to relay e-mail.
mynetworks = 192.168.1.0/24, 127.0.0.0/8
Permit e-mail from the clients defined in $mynetworks, and reject relaying to unauthorized destinations:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Add my friend's mail server domain other.com as a relay domain, so that mail addressed to it is accepted and relayed through this mail server (example.com is its backup MX):
relay_domains = $mydestination, other.com
Since mail is routed to the message server, the local delivery agent is unnecessary:
local_transport = error:local mail delivery is disabled on this machine
Use a transport map to route e-mail to the message server at 192.168.1.2:
transport_maps = hash:/etc/postfix/transport
For relay transport, use SMTP:
relay_transport = smtp
Add the message server to the transport map file, using its IP address instead of a hostname to avoid a DNS lookup (the square brackets also suppress the MX lookup):
/etc/postfix/transport:
example.com smtp:[192.168.1.2]
Then generate the transport lookup table:
# postmap transport
Finally, disable the local delivery agent daemon by commenting it out in /etc/postfix/master.cf:
# ============================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ============================================
# local unix - n n - - local
Start Postfix:
# postfix start
From this point on, all incoming e-mails will be forwarded by the message router to the message server.
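To check that a router built from the steps above cannot be turned into an open relay, here is an added audit script (not part of the original howto). It parses main.cf the way Postfix does (indented lines continue the previous value) and flags the settings that matter: a missing reject_unauth_destination, a non-private or 0/0 range in mynetworks, and a local_transport that still delivers locally. The sample configuration is constructed from the steps above.

```python
import ipaddress
import re
# Constructed sample: the main.cf settings assembled in the steps above.
SAMPLE_MAIN_CF = """\
myorigin = example.com
mydestination = example.com
local_recipient_maps =
mynetworks = 192.168.1.0/24,
    127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
relay_domains = $mydestination, other.com
local_transport = error:local mail delivery is disabled on this machine
transport_maps = hash:/etc/postfix/transport
relay_transport = smtp
"""

def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def audit_main_cf(text):
    """Return a list of findings; an empty list means the relay settings look sound."""
    p, findings = parse_main_cf(text), []
    restrictions = re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", ""))
    # Without reject_unauth_destination, any SMTP client may relay through the router.
    if "reject_unauth_destination" not in restrictions:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    for net in filter(None, re.split(r"[,\s]+", p.get("mynetworks", ""))):
        try:
            n = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append("mynetworks entry is not an IP network: " + net)
            continue
        # Trusted clients get permit_mynetworks, so a public or 0/0 range opens the relay.
        if n.prefixlen == 0 or not (n.is_private or n.is_loopback):
            findings.append("mynetworks trusts a non-private range: " + net)
    if not p.get("local_transport", "").startswith("error:"):
        findings.append("local_transport still performs local delivery on the router")
    return findings
```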
Fight spam
Postfix has excellent features to fight spam from A to Z. Using this nifty MTA makes the battle fun and rewarding: just look at the logs and see the bounce messages. Refer to the Configuring Mail Gateway Using Postfix section ``3. Dealing with unsolicited commercial e-mail (UCE)'' for details on how to use the Postfix anti-spam features.
Running Postfix in chroot jail
Postfix is quite secure, but running it in a chroot adds an extra layer of protection. Edit /etc/postfix/master.cf and change the chroot column (5th column) of every daemon except local and pipe from n to y, as shown below.
# ============================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ============================================
smtp inet n - y - - smtpd
#628 inet n - n - - qmqpd
pickup fifo n n y 60 1 pickup
cleanup unix - - y - 0 cleanup
qmgr fifo n - y 300 1 qmgr
#qmgr fifo n - n 300 1 nqmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
flush unix - - y 1000? 0 flush
smtp unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
#local unix - n n - - local
virtual unix - n y - - virtual
lmtp unix - - y - - lmtp
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# The Cyrus deliver program has changed incompatibly.
#
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Execute the script for your Unix flavour in examples/chroot-setup to populate the helper files in /var/spool/postfix/etc.
Under NetBSD 1.6:
# cd /etc ; cp nsswitch.conf localtime services resolv.conf /var/spool/postfix/etc
Under FreeBSD 4.7:
# cd /etc ; cp host.conf localtime master.passwd passwd pwd.db spwd.db resolv.conf services /var/spool/postfix/etc
Finally, reload Postfix so that each daemon runs in the chroot jail:
# postfix reload
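A quick way to verify the edit above on a running system is to parse master.cf and list every daemon whose chroot column is not y, skipping the local and pipe delivery agents that must stay outside the jail. This is an added example, not part of the original howto; the sample below is an abridged, constructed copy of the master.cf shown above.

```python
# Constructed sample: an abridged copy of the chrooted master.cf shown above.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       n       y       60      1       pickup
cleanup   unix  -       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
flush     unix  -       -       y       1000?   0       flush
smtp      unix  -       -       y       -       -       smtp
#local    unix  -       n       n       -       -       local
virtual   unix  -       n       y       -       -       virtual
cyrus     unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
"""

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")
# Delivery agents that need the real filesystem and therefore stay un-chrooted.
CHROOT_EXEMPT = {"local", "pipe"}

def parse_master_cf(text):
    """Return one dict per service; an indented line appends arguments to the previous service."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if services:
                services[-1]["args"] += line.split()
            continue
        fields = line.split()
        if len(fields) < len(COLUMNS):
            raise ValueError("malformed master.cf entry: " + line)
        entry = dict(zip(COLUMNS, fields))
        entry["args"] = fields[len(COLUMNS):]
        services.append(entry)
    return services

def unchrooted_services(text):
    """Return 'name/type' of each service whose chroot column is not 'y' and whose
    command is not an exempt delivery agent ('-' leaves chroot at the compiled default)."""
    return [s["service"] + "/" + s["type"]
            for s in parse_master_cf(text)
            if s["chroot"] != "y" and s["command"] not in CHROOT_EXEMPT]
```

Run it against /var/spool/postfix's real master.cf by reading the file into unchrooted_services(); an empty result means every jailable daemon is jailed.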
Reference
Running Postfix on a firewall
http://www.postfix.org/faq.html#firewall
Configuring Mail Gateway Using Postfix
http://www.muine.org/~hoang/postfix.html
Message Director Security
http://www.mirapoint.com/pdf/MD300_Whitepaper.pdf
Mail Gateway
http://www.borderware.com/newsite/products/mg/mailgateway.html
Link: http://www.muine.org/~hoang/postrouter.html