and masquerading internal hosts
There is a difference between a simple relay (smarthost) and a Mail Submission Agent (MSA). The former listens on port 25/tcp (preferably with STARTTLS enforced towards its known clients), while the latter serves authenticated users on the submission ports: 587/tcp with STARTTLS, or 465/tcp with implicit TLS.
The following guide is for setting up a bare relay, not an SASL submission agent. We want it to talk outbound towards other MXen on the public network, and those eventually do check whether we have a valid IPREV (forward-confirmed reverse DNS). This is why we absolutely need public A and PTR records that agree with our $myhostname.
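Before going further, it is worth checking the A/PTR pair the remote MXen will look at. The function below is an added example, not from the original page: it verifies that $myhostname resolves to the relay's address and that the address's PTR points back to the same name. The two DNS lookups are isolated in small functions (dig-based; dig is an assumption) so the check can be exercised offline by replacing them; the hostname and address in the usage comment are placeholders.

```shell
#!/bin/sh
# Verify forward-confirmed reverse DNS for the relay (added example).
# A -> IP and PTR -> name must agree for a remote MX's IPREV check to pass.
# Lookups live in two functions so they can be swapped out for offline tests.
fwd_lookup() { dig +short A "$1" 2>/dev/null; }                 # one IP per line
rev_lookup() { dig +short -x "$1" 2>/dev/null | sed 's/\.$//'; } # PTR names, trailing dot removed

fcrdns_check() {   # usage: fcrdns_check FQDN IP ; prints ok, no-a, no-ptr or ptr-mismatch
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); ip=$2
    # the name we announce in the banner must resolve to the address we send from
    if ! fwd_lookup "$name" | grep -qxF "$ip"; then
        echo no-a; return 1
    fi
    ptrs=$(rev_lookup "$ip" | tr 'A-Z' 'a-z')
    if [ -z "$ptrs" ]; then
        echo no-ptr; return 1
    fi
    # at least one PTR must be exactly our name (DNS names are case-insensitive)
    if printf '%s\n' "$ptrs" | grep -qxF "$name"; then
        echo ok; return 0
    fi
    echo ptr-mismatch; return 1
}

# On the relay itself (placeholder address, assumed public IP):
#   fcrdns_check "$(postconf -h myhostname)" 203.0.113.25
```

Run it from any host with dig; a result other than ok means the public MXen will see the same mismatch, whatever main.cf says.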
You might want to secure your communication with internal or friendly hosts against various kinds of MITM interception. For that purpose, you need a certificate that matches the IP or hostname the clients connect to. Set up a valid certificate and eventually enforce inbound STARTTLS.
Further steps are required for validating remote MXen: carefully define your trust store. However, the world is not ready for you to enforce outbound STARTTLS just yet; outbound stays opportunistic.
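To make the inbound/outbound asymmetry concrete, here is an added example (not from the original page): postconf -e applies enforced STARTTLS for our own clients and opportunistic TLS towards the world, and a small check reads main.cf back and reports the policy that is actually in effect, honouring Postfix's last-assignment-wins rule (easy to trip over after the grep -vE trimming above). The CA bundle path is an assumption (Debian/Ubuntu layout), and the check ignores main.cf continuation lines.

```shell
#!/bin/sh
# Added example: TLS policy for the relay, weak setting beside the one we want.
#   smtpd_tls_security_level = may      inbound opportunistic: an on-path attacker can strip STARTTLS
#   smtpd_tls_security_level = encrypt  inbound enforced: fine, only our own hosts talk to us
#   smtp_tls_security_level  = may      outbound opportunistic: many public MXen still have no TLS
# Assumption: the CA bundle lives at the Debian/Ubuntu path.
apply_tls_settings() {   # usage: apply_tls_settings CERT KEY
    postconf -e "smtpd_tls_cert_file = $1" \
                "smtpd_tls_key_file = $2" \
                "smtpd_tls_security_level = encrypt" \
                "smtpd_tls_loglevel = 1" \
                "smtp_tls_security_level = may" \
                "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt" \
                "smtp_tls_loglevel = 1"
}

# Last assignment wins in main.cf, as in Postfix; comments and blank lines are ignored.
# Continuation lines (leading whitespace) are not handled here.
effective_value() {   # usage: effective_value PARAM MAIN.CF ; prints the value, or nothing if unset
    awk -v p="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == p) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                last = v; found = 1
            }
        }
        END { if (found) print last }
    ' "$2"
}

# An empty security level means Postfix does no TLS at all on that side.
tls_policy() {   # usage: tls_policy MAIN.CF ; prints "inbound=<level> outbound=<level>"
    inb=$(effective_value smtpd_tls_security_level "$1")
    outb=$(effective_value smtp_tls_security_level "$1")
    printf 'inbound=%s outbound=%s\n' "${inb:-none}" "${outb:-none}"
}

# e.g.  apply_tls_settings /etc/ssl/domain.tld.crt /etc/ssl/domain.tld.key
#       tls_policy /etc/postfix/main.cf      -> inbound=encrypt outbound=may
```

postconf -n prints the same effective values straight from Postfix; the awk version is there for hosts where you only have a copy of the file.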
assuming this is a host with both a public and an internal interface, and you want to listen only internally
postconf -d | grep ^alias_maps
mv -i /etc/postfix/main.cf /etc/postfix/main.cf.dist
grep -vE '^#|^$' /etc/postfix/main.cf.dist > /etc/postfix/main.cf
vi /etc/postfix/main.cf

inet_interfaces = 127.0.0.1, 10.0.0.225
smtpd_banner = $myhostname ESMTP
myorigin = IPREV-FQDN
myhostname = IPREV-FQDN
#mydestination
mynetworks = 127.0.0.1/32, ...YOUR FRIENDS ON PUBLIC NETWORK... ...YOUR INTERNAL CIDR...
#mynetworks_style = subnet
alias_maps = hash:/etc/aliases
#smtpd_tls_cert_file = /etc/ssl/self.crt
#smtpd_tls_key_file = /etc/ssl/self.key
smtpd_tls_cert_file = /etc/ssl/domain.tld.crt
smtpd_tls_key_file = /etc/ssl/domain.tld.key
and thereafter, check that you are listening on the internal interface only
/etc/rc.d/rc.postfix restart

# netbsd
netstat -an -f inet

# gnu/linux
netstat -lntup
in case it's not already enabled by default, listen on port 25/tcp, with or without chroot (the fifth column of master.cf)
mv -i /etc/postfix/master.cf /etc/postfix/master.cf.dist
grep -vE '^#|^$' /etc/postfix/master.cf.dist > /etc/postfix/master.cf
vi /etc/postfix/master.cf

smtp      inet  n       -       y       -       -       smtpd
#smtp     inet  n       -       n       -       -       smtpd
This is about the Return-Path, especially if your hosts have a short hostname without a domain.
This changes the scenario of simple relaying altogether. In this situation, you might have to actually receive mail bounces as well, which makes you an actual MX (even without a dedicated DNS record), not just a relay. Hence it is not enough that $myhostname resolves on the public network and matches IPREV; you also need to take care of $myorigin and $mydestination.
We need an origin and a destination so that mail bounces end up somewhere while avoiding loops.
vi /etc/postfix/main.cf

myhostname = std30.os3.su
mydomain = std30.os3.su
myorigin = std30.os3.su
mydestination = std30.os3.su
and do something like NAT for sender addresses
masquerade_domains = std30.os3.su
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical.regexp
#recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
Dynamically, for any internal host and domain (regexp tables are first-match, so keep the catch-all last)
vi /etc/postfix/sender_canonical.regexp

# specific rule first: a catch-all on the first line would shadow every rule after it
/.+@.+\.localdomain/ root@std30.os3.su
/.+/ root@std30.os3.su
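Postfix evaluates a regexp table top-down and stops at the first match, so a catch-all such as /.+/ must come last or it shadows every later rule (harmless while both rewrite to the same address, a trap as soon as you want to keep the local part). The shell function below is an added example, not from the original page: it emulates that first-match lookup so a table can be tried offline, and its constructed sample table generalises the page's rule by preserving the user for *.localdomain senders before folding everything else onto root. It assumes simple ERE patterns without '|' or table flags whose match spans the whole address; on a real host the authoritative check is postmap -q against the table.

```shell
#!/bin/sh
# Emulate a Postfix regexp_table first-match lookup (added example).
# Authoritative check on a real relay:
#   postmap -q 'bob@host.localdomain' regexp:/etc/postfix/sender_canonical.regexp
# Assumptions: lines are "/pattern/ result", ERE without '|' or flags,
# the pattern matches the whole address, $N or ${N} refer to capture groups.

canon_lookup() {   # usage: canon_lookup ADDRESS TABLEFILE ; prints the rewrite, status 1 if no rule matches
    addr=$1; table=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac      # skip blank lines and comments
        pat=${line#/}; pat=${pat%%/*}                 # text between the first two slashes
        rep=${line#*/}; rep=${rep#*/}                 # everything after the closing slash
        rep=$(printf '%s' "$rep" | sed 's/^[[:space:]]*//')
        if printf '%s\n' "$addr" | grep -Eq "$pat"; then
            # Postfix writes group references as $1 or ${1}; sed wants \1
            sedrep=$(printf '%s' "$rep" | sed -E 's/\$[{]?([0-9])[}]?/\\\1/g')
            printf '%s\n' "$addr" | sed -E "s|$pat|$sedrep|"
            return 0
        fi
    done < "$table"
    return 1
}

# Constructed sample table: specific rule first, catch-all last.
sample_table() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# keep the user for hosts in .localdomain, fold everything else onto root
/^([^@]+)@[^@]+\.localdomain$/  ${1}@std30.os3.su
/^.+$/                           root@std30.os3.su
EOF
    echo "$f"
}

# Same rules with the catch-all first: the .localdomain rule is never reached.
shadowed_table() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/^.+$/                           root@std30.os3.su
/^([^@]+)@[^@]+\.localdomain$/  ${1}@std30.os3.su
EOF
    echo "$f"
}

# e.g.  canon_lookup bob@host.localdomain "$(sample_table)"     -> bob@std30.os3.su
#       canon_lookup bob@host.localdomain "$(shadowed_table)"   -> root@std30.os3.su
```

The empty envelope sender of a bounce never matches .+, so bounces keep their null return path in both orderings.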
Note that the Received: headers and other data fields will still reveal which server originally sent the message; that is dealt with elsewhere.
Also note the security implication: any host listed in $mynetworks, be it Mallory's, may send through this relay with your return path, so bounces and complaints for whatever it sends land on you.
Even with masquerading, where we might receive mail bounces, we do not really want to host any messages locally. Check your mail aliases so that mail to root goes somewhere useful, and apply
#ubuntu
vi /etc/aliases

#netbsd
#vi /etc/mail/aliases

newaliases
Ubuntu (deals with chroot on its own)
postfix check
systemctl restart postfix
anywhere else
postfix check
service postfix restart
optionally, route specific destinations through another relay with a transport map, here gmail.com via xc.nethence.com

mv /etc/postfix/transport /etc/postfix/transport.dist
vi /etc/postfix/transport

gmail.com relay:[xc.nethence.com]:25

postmap /etc/postfix/transport
vi /etc/postfix/main.cf

transport_maps = hash:/etc/postfix/transport

postfix check
postfix reload
Send messages from hosts on your LAN or from your MUA
date | mail -s `hostname` root
and meanwhile check the logs on all the hosts on the way - source, relay, and eventually destination
tail -F /var/log/maillog
#tail -F /var/log/mail.log
warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
==> the compiled-in default alias_maps includes a nis: table (hash:/etc/aliases, nis:mail.aliases); overriding alias_maps with hash:/etc/aliases alone, as above, silences it.
Bind Postfix Mail Server To Localhost or Specific IP Address Only https://www.cyberciti.biz/faq/postfix-receive-mail-on-specific-network-interfaces/
Postfix Address Rewriting –> Address masquerading http://www.postfix.org/ADDRESS_REWRITING_README.html
Postfix masquerading or changing outgoing SMTP email or mail address https://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html
canonical - format of Postfix canonical table http://www.porcupine.org/postfix/doc/canonical.5.html
Rewriting Addresses https://www.oreilly.com/library/view/postfix-the-definitive/0596002122/ch04s07.html
How to masquerade domains in Postfix https://access.redhat.com/solutions/21331
Forcing the from address when postfix relays over smtp https://serverfault.com/questions/147921/forcing-the-from-address-when-postfix-relays-over-smtp
Blog: How to rewrite outgoing address in Postfix http://semi-legitimate.com/blog/item/how-to-rewrite-outgoing-address-in-postfix
Address rewriting when mail is received https://www.linuxtopia.org/online_books/mail_systems/postfix_documentation/ADDRESS_REWRITING_README_003.html
How To Install and Configure Postfix as a Send-Only SMTP Server on Debian 9 https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-debian-9
regexp_table - format of Postfix regular expression tables http://www.postfix.org/regexp_table.5.html
postfix smtp_generic_maps with regular expression https://serverfault.com/questions/930819/postfix-smtp-generic-maps-with-regular-expression
postfix sender address rewriting https://www.unix.com/unix-for-advanced-and-expert-users/118692-postfix-sender-address-rewriting.html
Use Postfix Transport Map and Relayhost Map For Flexible Email Delivery https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery
https://unix.stackexchange.com/questions/244199/postfix-mail-logs-keep-showing-nis-domain-not-set