Postfix as a bastion SMTP gateway

Home: www.packetnexus.com


Postfix as a bastion SMTP mail gateway.

How to configure Postfix on a machine so that it relays mail for example.com to a mail server on the internal network.  A common problem with SMTP daemons today is their poor security record.  Postfix was built with security in mind, so it is very easy to install a box whose only job is to handle mail to and from the Internet, while you keep using your own mail software on your internal server.  The gateway will also accept mail from the internal host and deliver it to the Internet.  This How-To refers to the most recent version of Postfix at the time of writing.

The first thing to do is create a user named postfix.  Set this user's shell to /bin/false so it cannot log in.

useradd -c "postfix user account" -s /bin/false postfix

This user account will be used by Postfix for all actions except binding to port 25, which requires root.  One of the big security problems with sendmail is that everything runs as root, so any exploit gives the attacker root access.  Postfix is several small programs that work together, and they do not run as root.

Next, get Postfix from www.postfix.org.

Untar it:

tar -xvzf postfixXXXXX.tar.gz

Next, cd into the Postfix source directory and run make.

Then run make install.

A script runs automatically after the install and prompts you for some input; the defaults should be fine.

One thing I found when installing Postfix over an existing sendmail install was that main.cf pointed to /etc/aliases for the aliases file.  It should point to /etc/postfix/aliases instead.  Double check that yours is correct.  In practice the location does not matter; I just prefer to keep all the config files in the /etc/postfix directory.  You might want to delete or rename the unused aliases file.

Now let's edit some files so that our Postfix install acts only as a gateway and forwards mail to our internal mail server.  Postfix can be used as an SMTP server right after install; if you had a POP3 server running you could use it as your mail server.  I run Exchange internally, so this install only needs to relay mail.

Postfix configuration files live in /etc/postfix.

Make the following changes to route mail to an internal host and NOT to the local machine.  Don't include the comments in parentheses.

/etc/postfix/main.cf:
    mydestination =                 (left empty on purpose, so no mail is routed to the localhost)
    relay_domains = example.com     (so mail for your domain is relayed)
    transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
    example.com    smtp:internalhost.example.com   (forwards user@example.com)
    .example.com   smtp:internalhost.example.com   (forwards user@host.example.com, e.g. mail addressed to the firewall itself)
    (Writing the host as smtp:[internalhost.example.com] makes Postfix skip the MX lookup and connect to that host directly.)

/etc/postfix/master.cf:
    Comment out the local delivery agent (so no mail is delivered locally).
    The line looks similar to the one below:
    # local     unix  -       n       n       -       -       local

Execute the following command whenever you change the transport table. 
	postmap /etc/postfix/transport
Execute the following command after a configuration change. 
	postfix reload
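As an added example (not part of the original how-to), here is a small Python checker that reads the three files above as text and reports settings that would break the relay-only setup, including the subtle case where mydestination is merely absent rather than explicitly empty. The parameter names are Postfix's own; the sample file contents are constructed to mirror the settings in this How-To.

```python
"""Check a Postfix bastion gateway for relay-only settings (added example, not page code)."""
import re

def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key:  # continuation of the previous parameter
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def parse_transport(text):
    """Parse transport(5) lines of the form 'pattern  transport:nexthop'."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    return {r[0]: r[1] for r in rows if len(r) >= 2}

def audit_gateway(main_cf, transport, master_cf, domain):
    """Return findings; an empty list means the relay-only settings are in place."""
    p, t, findings = parse_main_cf(main_cf), parse_transport(transport), []
    # mydestination must be *explicitly* empty: if the parameter is absent, Postfix's
    # default ($myhostname, localhost.$mydomain, localhost) keeps local delivery on.
    if p.get("mydestination") != "":
        findings.append("mydestination not explicitly empty: mail may be delivered locally")
    if domain not in p.get("relay_domains", "").replace(",", " ").split():
        findings.append(f"{domain} not in relay_domains: inbound mail would be rejected")
    if not p.get("transport_maps"):
        findings.append("transport_maps unset: the transport table is ignored")
    if not t.get(domain, "").startswith("smtp:"):
        findings.append(f"no smtp: transport entry for {domain}")
    # An uncommented 'local unix ...' service line means the local agent is still active.
    if any(re.match(r"^local\s+unix\s", ln) for ln in master_cf.splitlines()):
        findings.append("local delivery agent still enabled in master.cf")
    return findings

# Constructed sample input mirroring the how-to's settings (not real files).
GOOD_MAIN_CF = "mydestination =\nrelay_domains = example.com\ntransport_maps = hash:/etc/postfix/transport\n"
GOOD_TRANSPORT = "example.com   smtp:internalhost.example.com\n.example.com  smtp:internalhost.example.com\n"
GOOD_MASTER_CF = "smtp      inet  n       -       n       -       -       smtpd\n#local     unix  -       n       n       -       -       local\n"

if __name__ == "__main__":
    for finding in audit_gateway(GOOD_MAIN_CF, GOOD_TRANSPORT, GOOD_MASTER_CF, "example.com"):
        print("WARNING:", finding)
```

Run it against the real files with open("/etc/postfix/main.cf").read() and so on; no output means the three settings described above are in place.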

That's it; now test it out.  I usually do the following.

tail -f /var/log/maillog  - this command follows the log file and prints new entries as they arrive, so you can see what is happening.

Use an external mail account to send mail.  Watch for the external server connecting; you should see status=sent somewhere in the log.  If not, it is time to troubleshoot.

Below are a few things that may help with other configurations.

OK, so now you want this box to also relay other domains.  It is easy: Postfix supports virtual domains.  Make the following changes.

/etc/postfix/main.cf:
    virtual_maps = hash:/etc/postfix/virtual    (newer Postfix releases name this parameter virtual_alias_maps)

/etc/postfix/virtual:
    example.com                                         (lists example.com as a virtual domain)
    user@example.com     user@internalhost.example.com  (placeholder addresses: public address on the left, destination on the right)
    other@example.com    other@internalhost.example.com (placeholder addresses: one line per address)

You can add as many email addresses to the virtual file as you like.

After making the above changes, build the table with postmap /etc/postfix/virtual (as for the transport table above) and run postfix reload.