Setting up Postfix outbound relay(s) and masquerading internal hosts

Introduction

Note the difference between a relay and an MSA: we consider that the former may still listen on port 25/tcp (with STARTTLS enforced), while the latter would only listen on 465/tcp (implicit TLS only). The following guide is for setting up a relay, not a SASL submission agent.

Requirements

It needs to be able to talk outbound on the public network to other MXes, and some of those check whether the connecting IP has a valid IPREV (the PTR record resolves back to the same address). You absolutely need to make sure you have a public A and PTR record matching $myhostname.

Installation

See Install Postfix for details; otherwise, on Ubuntu, it's as simple as

apt install postfix bsd-mailx

Setup

mv -i /etc/postfix/main.cf /etc/postfix/main.cf.dist
grep -vE '^#|^$' /etc/postfix/main.cf.dist > /etc/postfix/main.cf
vi /etc/postfix/main.cf

myhostname, myorigin and mydestination should already be defined correctly

smtpd_banner = $myhostname ESMTP

mynetworks = 127.0.0.1/32,
    ...YOUR FRIENDS ON PUBLIC NETWORK...
    ...OR YOUR INTERNAL CIDR...

in case this is a host with both public and internal interfaces, and you want to listen only internally

#not CIDR but rather binding to an interface
inet_interfaces = 127.0.0.1, x.x.x.x
#mynetworks_style = subnet

and thereafter, check that you are listening on the internal interface only

#lignux
netstat -lntup

#netbsd
netstat -an -f inet

in case it’s not already enabled by default, listen on port 25/tcp w/ or w/o chroot

mv -i /etc/postfix/master.cf /etc/postfix/master.cf.dist
grep -vE '^#|^$' /etc/postfix/master.cf.dist > /etc/postfix/master.cf
vi /etc/postfix/master.cf

smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       n       -       -       smtpd

STARTTLS

as a client

Further hardening is possible for validating remote MXes, for instance enforcing outbound STARTTLS. On the client side you are fine already with a self-signed certificate.

If that is enough for you and you don't have the snakeoil certificate available, here's a one-liner to generate a self-signed one

cd /etc/ssl/
#cd /etc/openssl/
openssl req -x509 -newkey rsa:2048 -out selfsign.crt -keyout selfsign.key -nodes -sha256 -days 9999

vi /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/ssl/selfsign.crt
smtpd_tls_key_file = /etc/ssl/selfsign.key

as a server

You might also want to protect your internal network against SMTP/STARTTLS interception: possibly enforce inbound STARTTLS too, and set up a valid certificate for that purpose.
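As an added check for the two STARTTLS paragraphs above (not code from the original page or from Postfix), here is a small Python reader for main.cf that handles continuation lines and $name references, then reports whether STARTTLS is enforced towards internal clients (smtpd_*) and towards remote MXes (smtp_*). The two main.cf fragments inside are constructed; the parameter names are Postfix's own.

```python
import re
# Constructed main.cf fragments (not from a real host). "encrypt" on smtpd_* is fine
# only because this relay listens on internal interfaces; a public MX on port 25
# must stay at "may", since RFC 3207 forbids requiring STARTTLS there.
WEAK_MAIN_CF = """\
myhostname = relay.example.test
smtpd_banner = $myhostname ESMTP
mynetworks = 127.0.0.1/32,
    10.0.0.0/8
"""
HARDENED_MAIN_CF = WEAK_MAIN_CF + """\
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/selfsign.crt
smtpd_tls_key_file = /etc/ssl/selfsign.key
smtp_tls_security_level = encrypt
"""
def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        key = name.strip()
        params[key] = value.strip()
    # expand $name / ${name} references like Postfix does (one pass is enough for flat values)
    for k, v in params.items():
        params[k] = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), m.group(0)), v)
    return params

def audit_tls(params):
    """List the weak spots; an empty list means STARTTLS is enforced towards both sides."""
    findings = []
    server = params.get("smtpd_tls_security_level", "none")  # internal hosts -> relay
    client = params.get("smtp_tls_security_level", "none")   # relay -> remote MXes
    if server != "encrypt":
        findings.append("inbound: smtpd_tls_security_level=%s, internal hosts may submit in cleartext" % server)
    elif not (params.get("smtpd_tls_cert_file") and params.get("smtpd_tls_key_file")):
        findings.append("inbound: STARTTLS required but smtpd_tls_cert_file/smtpd_tls_key_file missing")
    if client == "none":
        findings.append("outbound: smtp_tls_security_level=none, relay never offers STARTTLS to remote MXes")
    elif client == "may":
        findings.append("outbound: opportunistic TLS only, a downgrade to cleartext goes unnoticed")
    return findings
```

On a live host, `postconf -n` prints the effective non-default settings in the same key = value form, so its output can be fed to parse_main_cf as-is.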

MASQUERADE INTERNAL LAN

This changes the scenario of simple relaying altogether. In this situation you might have to actually receive mail bounces too, which makes you an actual MX (even without a dedicated DNS record), not just a relay. Hence not only do you need a valid IPREV and a $myhostname that resolves on the public network: you also need to take care of $myorigin and $mydestination.

We need an origin and a destination so that mail bounces end up somewhere, while avoiding loops.

vi /etc/postfix/main.cf

smtpd_banner = relay for internal hosts
myhostname = std30.os3.su
mydomain = std30.os3.su
myorigin = std30.os3.su
mydestination = std30.os3.su

and do something like NAT for sender addresses (Return-Path)

masquerade_domains = std30.os3.su
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical.regexp
#recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

Dynamic rewriting for any internal host and domain (the Received headers and the message data will still tell you which server originally sent the message)

vi /etc/postfix/sender_canonical.regexp

/.+/                    root@std30.os3.su
/.+@.+\.localdomain/    root@std30.os3.su

Note this has a mild security implication: any internal host, mallory included, may use that relay, and the return path will be yours.
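To see which rule of the sender_canonical table above actually fires, here is an added Python emulation of Postfix regexp_table lookups (not code from the page or from Postfix; it approximates the real matcher with Python's re module and the first-match-wins, case-insensitive-by-default semantics of regexp_table(5)). PAGE_TABLE is the table from this page; NARROW_TABLE is a constructed alternative that keeps the local part and only touches .localdomain hosts.

```python
import re

def load_regexp_table(text):
    """Parse regexp_table(5) rules: [!]/pattern/[flags]  result (comments and blanks skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(!?)/((?:\\.|[^/])*)/([a-zA-Z]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError("unparsable rule: %r" % raw)
        negate, pattern, flags, result = m.groups()
        # Postfix matches case-insensitively by default; the "i" flag toggles that off
        ignore_case = "i" not in flags
        rules.append((negate == "!", re.compile(pattern, re.I if ignore_case else 0), result))
    return rules

def lookup(rules, address):
    """Return (rule index, rewritten address) for the first matching rule, or None."""
    for index, (negate, regex, result) in enumerate(rules):
        m = regex.search(address)           # patterns are unanchored unless written with ^ and $
        if negate and m is None:
            return index, result            # negated rules cannot use $n
        if not negate and m:
            return index, re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), result)
    return None

# The table from this page: rule 0 already matches every address, so rule 1 never fires,
# and the relay's own mail (root@std30.os3.su) is rewritten to itself as well.
PAGE_TABLE = """\
/.+/                    root@std30.os3.su
/.+@.+\\.localdomain/    root@std30.os3.su
"""
# Constructed alternative: keep the local part, rewrite only internal .localdomain hosts.
NARROW_TABLE = """\
/^(.+)@.+\\.localdomain$/    $1@std30.os3.su
"""
```

On the real host, `postmap -q root@host1.localdomain regexp:/etc/postfix/sender_canonical.regexp` performs the same lookup against the actual table.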

MAIL ALIASES

Even when masquerading, where we might receive mail bounces, we don't really want to host any messages locally. Check your mail aliases and apply them

#ubuntu
vi /etc/aliases

#netbsd
#vi /etc/mail/aliases

newaliases

READY TO GO

Ubuntu (deals with chroot on its own)

postfix check
systemctl restart postfix

anywhere else

postfix check
service postfix restart

POOL OF RELAYS

mv /etc/postfix/transport /etc/postfix/transport.dist
vi /etc/postfix/transport

gmail.com       relay:[xc.nethence.com]:25

postmap /etc/postfix/transport
vi /etc/postfix/main.cf

transport_maps = hash:/etc/postfix/transport

postfix check
postfix reload

ACCEPTANCE

Send messages from hosts on your LAN or from your MUA

date | mail -s `hostname` root

and meanwhile check the logs on all the hosts along the way: source, relay and finally destination

tail -F /var/log/maillog
#tail -F /var/log/mail.log

RESOURCES

Bind Postfix Mail Server To Localhost or Specific IP Address Only https://www.cyberciti.biz/faq/postfix-receive-mail-on-specific-network-interfaces/

Postfix Address Rewriting -> Address masquerading http://www.postfix.org/ADDRESS_REWRITING_README.html

Postfix masquerading or changing outgoing SMTP email or mail address https://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html

canonical - format of Postfix canonical table http://www.porcupine.org/postfix/doc/canonical.5.html

Rewriting Addresses https://www.oreilly.com/library/view/postfix-the-definitive/0596002122/ch04s07.html

How to masquerade domains in Postfix https://access.redhat.com/solutions/21331

Forcing the from address when postfix relays over smtp https://serverfault.com/questions/147921/forcing-the-from-address-when-postfix-relays-over-smtp

Blog: How to rewrite outgoing address in Postfix http://semi-legitimate.com/blog/item/how-to-rewrite-outgoing-address-in-postfix

Address rewriting when mail is received https://www.linuxtopia.org/online_books/mail_systems/postfix_documentation/ADDRESS_REWRITING_README_003.html

How To Install and Configure Postfix as a Send-Only SMTP Server on Debian 9 https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-debian-9

regexp

regexp_table - format of Postfix regular expression tables http://www.postfix.org/regexp_table.5.html

postfix smtp_generic_maps with regular expression https://serverfault.com/questions/930819/postfix-smtp-generic-maps-with-regular-expression

postfix sender address rewriting https://www.unix.com/unix-for-advanced-and-expert-users/118692-postfix-sender-address-rewriting.html

relayhost pools

Use Postfix Transport Map and Relayhost Map For Flexible Email Delivery https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery

Trash

w/ generic maps –or–

vi /etc/postfix/main.cf

smtp_generic_maps = hash:/etc/postfix/generic

vi /etc/postfix/generic

root@HOST.localdomain root@os3.su

postmap /etc/postfix/generic
ls -lF /etc/postfix/generic.db

w/ canonical maps –or–

vi /etc/postfix/main.cf

canonical_maps = hash:/etc/postfix/canonical

vi /etc/postfix/canonical

@HOST.localdomain root@os3.su

postmap /etc/postfix/canonical
ls -lF /etc/postfix/canonical.db
