Postfix Mail Gateway

The purpose of a Mail Gateway is to create a mail server that accepts mail for the internal mail server, thus protecting the internal mail server from outside attacks. Mail Gateways are typically on a separate network from the internal network. The gateway will show up in the DNS records as the final destination for mail, even though the mail is then transferred on to the internal mail server.
One thing the gateway can do for you is spam filtering and virus filtering before mail gets into your internal network. One important advantage of this setup is that you only need to manage filters on one mail server, as it can do all the heavy work before relaying to your other mail server.

The implementation of the gateway is fairly simple. The basic setup only takes a few lines of changes. The more advanced setup requires additional time but is probably a good idea, as it provides enhanced security for the gateway, which will certainly be under greater attack. Be aware that the more spam and anti-virus scanning you require of the gateway, the more RAM and CPU resources it will need. In turn, the internal mail server will need less RAM and CPU.
Step #1: Set Gateway Relay Permissions

You must set your gateway so that it can relay mail for the internal mail server. This can be done by adding the internal mail server IP address to the mynetworks setting.

    mynetworks = 127.0.0.0/8 192.168.7.68/32

It is important to limit the gateway to only the IP addresses of the mail server and the localhost; the /32 mask restricts the entry to the single mail server address. This prevents internal network users from using your gateway as a relay when they should really use the internal mail server.

Step #2: Configure the Relay Domain on the Gateway

The gateway must know for which domains it can receive mail from the Internet. Therefore the domain that is represented on the inside must be set up in the relay_domains parameter.

    relay_domains = example.com

Step #3: Configure the Internal Mail Host on the Gateway

The gateway needs to know where to send the mail once it receives it. To do this, create a transport map that states where the mail is being transferred. Create a map file called /etc/postfix/transport. This map should have a line that looks like this:

    example.com    smtp:[mail.example.com]

Several things are notable in this line. First, smtp means the mail is transferred to the internal mail server using SMTP. This transport type, like the others, is defined in master.cf. The brackets are necessary so that you do not create a loop: they prevent an MX lookup. Remember that to create a map you must run the postmap command on it:

    postmap hash:/etc/postfix/transport

Now also set the transport_maps parameter in the main.cf file.

    transport_maps = hash:/etc/postfix/transport

Step #4: Configure Relay Recipients

The final step in the basic configuration is to set up those recipients that will receive mail. The greatest advantage of this step is that it will eliminate all spam and virus-laden mail that is not sent to one of the users on the internal network.
It is more work to set this list up, but over time it will eliminate a great deal of network activity, server resource use and trouble on the internal network. This list can be set up with the relay_recipient_maps parameter. Create a file called /etc/postfix/relay_recipients and in that file list each user with an OK on the right-hand side.

    [e-mail address]    OK
    [e-mail address]    OK
    [e-mail address]    OK

Remember that maps must have a left-hand side and a right-hand side. Add this line to your main.cf file:

    relay_recipient_maps = hash:/etc/postfix/relay_recipients

Build your map file with this command:

    postmap hash:/etc/postfix/relay_recipients

Step #5: Enhance Gateway Security

There are several significant ways to enhance the security of the Gateway. In most situations, you will not need to deliver mail locally to the Gateway, so it is a good idea to stop all local delivery to protect the system. Set the Postfix gateway so it knows that it is not the final destination.

    mydestination =

This will help Postfix understand that there is no local destination. Next, disable the local recipients. Again, setting local_recipient_maps to nothing disables local recipients.

    local_recipient_maps =

Mail servers are required to accept mail for postmaster and abuse, so these must be forwarded to the internal server. Create a map to use for virtual_alias_maps. You can call that map virtual and enter the aliases one line at a time.

    postmaster    [e-mail address]
    abuse         [e-mail address]

Save the file in /etc/postfix/virtual_alias_maps and create the hash with:

    postmap hash:/etc/postfix/virtual_alias_maps

Now include a line in main.cf for the new map.

    virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

You may want to create an error message if any mail does get sent to the local users on the gateway. To do this, add this line to main.cf:

    local_transport = error: local mail delivery not available
Of course, you want the local mail that is created for administrators or services to be sent somewhere. Therefore, if you change the myorigin parameter you will be able to send those emails to your domain.

    myorigin = example.com

This will transfer all of the system mail to your internal server. Now edit your master.cf and comment out the local delivery option. Save the file and restart Postfix.

    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    discard   unix  -       -       n       -       -       discard
    #local    unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       n       -       1       anvil
These settings will help lock down Postfix so that it is more secure and dependable.
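
As an added example (not part of the original tutorial), the Python sketch below audits the settings from Steps 1 to 5 against constructed sample files and reports each deviation. The names parse and audit are introduced here, and it assumes one parameter per line with literal CIDR values in mynetworks.

```python
import ipaddress

# Constructed sample files for illustration; names and addresses are placeholders.
MAIN_CF = """\
mynetworks = 127.0.0.0/8 192.168.7.0/24
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
relay_recipient_maps = hash:/etc/postfix/relay_recipients
mydestination =
local_transport = error: local mail delivery not available
"""
TRANSPORT = "example.com smtp:mail.example.com\n"
RECIPIENTS = "alice@example.com OK\nbob@example.org OK\n"

def parse(text, sep=None):
    """Return {left: right} for each non-comment line, split on sep (whitespace if None)."""
    rows = (l.split(sep, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {r[0].strip(): (r[1].strip() if len(r) > 1 else "") for r in rows}

def audit(main_cf, transport, recipients):
    cf, findings = parse(main_cf, "="), []
    for net in cf.get("mynetworks", "").replace(",", " ").split():   # Step 1
        try:
            n = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot evaluate {net}")
            continue
        if not n.is_loopback and n.num_addresses > 1:
            findings.append(f"mynetworks: {net} trusts {n.num_addresses} addresses, not one host")
    domains = cf.get("relay_domains", "").replace(",", " ").split()
    hops = parse(transport)
    for d in domains:                                                # Steps 2 and 3
        hop = hops.get(d, "")
        if not (hop.startswith("smtp:[") and hop.endswith("]")):
            findings.append(f"transport: {d} next hop '{hop}' is not bracketed (MX lookup, loop risk)")
    if not cf.get("relay_recipient_maps"):                           # Step 4
        findings.append("relay_recipient_maps: unset, no recipient list is enforced")
    for addr in parse(recipients):
        if addr.rpartition("@")[2] not in domains:
            findings.append(f"relay_recipients: {addr} is outside relay_domains")
    for name in ("mydestination", "local_recipient_maps"):           # Step 5
        if cf.get(name) != "":   # a missing line means the Postfix default applies
            findings.append(f"{name}: must be set to empty, found {cf.get(name)!r}")
    if not cf.get("local_transport", "").startswith("error:"):
        findings.append("local_transport: local delivery is not replaced by error:")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MAIN_CF, TRANSPORT, RECIPIENTS)))
```

A parameter that is missing from main.cf is reported as well as one with a wrong value, because leaving out mydestination or local_recipient_maps leaves the Postfix default in force rather than an empty setting.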
Copyright CyberMontana Inc. and BeginLinux.com All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874