Wednesday, April 01, 2009

Selectively relay emails using postfix

Several machines in my internal network run automated jobs and send out emails. All emails were getting delivered without problems until one fine day my public IP got listed in RBLs, and the mail servers using those RBLs stopped accepting mail from it.

I have now set my main network router to block outgoing port 25 so that my public IP doesn't get blacklisted again. This means internal machines cannot send mail to any domain outside my network. I needed a mechanism to route all my email through my external mail server, which has a proper MX record. That server, which is outside my network, allows users to relay email only after successful authentication on port 465 (SSL). I configured Postfix for this.

Note that since Postfix does not deliver mail over port 465, I used stunnel for the SMTPS connection between my Postfix box, acting as the SMTPS client here, and the external mail server.

Let us start by installing Postfix. We will also see how to route email from sendmail through Postfix.

Note: In the configuration below, example.com is the local domain of the Postfix box and example1.com is the external domain.

# yum install postfix

We will first configure stunnel to forward all connections to the external mail server.
# vi /etc/stunnel/stunnel.conf
client = yes
[rev-smtps]
accept = 127.0.0.1:2525
connect = <externalmailserver>:465
The above configuration makes stunnel listen on localhost port 2525 and forward everything arriving there to the mail server's port 465. No certificate verification is configured here, so stunnel accepts whatever certificate the server presents; stunnel's verify and CAfile options are what you would set to have the server certificate checked.

Let us start stunnel.

# stunnel /etc/stunnel/stunnel.conf (You can put this line in /etc/rc.local so that the service starts automatically after the machine reboots.)

Now try connecting to the port '2525' with
# telnet localhost 2525

You will see the greeting from the remote SMTP server. Now we will configure Postfix to authenticate with the remote mail server and route all such connections through stunnel.
# vi /etc/postfix/main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination, example1.com
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, example.com
home_mailbox = Mailbox
Here smtp_sasl_auth_enable turns on SASL authentication in the Postfix SMTP client; the empty smtp_sasl_security_options allows plaintext mechanisms such as PLAIN and LOGIN, which is acceptable only because stunnel encrypts the hop to port 2525; smtp_sasl_password_maps names the password file; transport_maps tells Postfix where to selectively forward or relay email; relay_domains lists all domains the server will accept email for; inet_interfaces lists the interfaces Postfix listens on; mydestination lists the local delivery domains; home_mailbox delivers local mail to the file Mailbox in each user's home directory. Keep any comments on their own lines: Postfix treats '#' as a comment only at the start of a line, so an inline comment would become part of the parameter value. Save the file.

We can configure a different mail server for each domain with Postfix's transport file.
# vi /etc/postfix/transport
example1.com smtp:[127.0.0.1]:2525
any-other-domain.com smtp:[127.0.0.1]:2525
The above config forwards all mail destined for example1.com and any-other-domain.com through stunnel, which in turn connects us to the external mail server. You can list any other domains here if your external mail server allows relaying to them. The brackets around the address tell Postfix not to do an MX lookup, and the next-hop must be spelled exactly the same way in sasl_passwd, since that is the lookup key for the credentials. As with main.cf, keep comments on their own lines: postmap would store an inline '# ...' as part of the next-hop.
# vi /etc/postfix/sasl_passwd
[127.0.0.1]:2525 username@example1.com:password
Note that you can give only one username:password combination per mail server ([127.0.0.1]:2525 in this case).

Save this file.

Create the lookup maps so that Postfix reads the new configuration, restrict the password file (it holds the credentials in clear text), and reload Postfix so the main.cf changes take effect.
# postmap /etc/postfix/sasl_passwd
# postmap /etc/postfix/transport
# chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# postfix reload

All my internal servers run sendmail, so I have to tell sendmail to route email through the Postfix box. I did this:
# vi /etc/mail/mailertable
example.com smtp:[x.x.x.x]
example1.com smtp:[x.x.x.x]
any-other-domain.com smtp:[x.x.x.x]
# makemap hash /etc/mail/mailertable < /etc/mail/mailertable
Substitute the IP address of your Postfix server for x.x.x.x in each line. The makemap step rebuilds the database that sendmail actually reads; lines beginning with '#' are comments there, and inline comments are not supported. You will also have to add MX entries for example.com in your DNS.

With the above config, this is what happens:
1. Any mail sent from internal servers (including the Postfix server itself) to user@example.com is delivered to the corresponding user's mailbox on the Postfix box.
2. Any mail sent from internal servers (including the Postfix server itself) to user@example1.com (or any-other-domain.com) is forwarded to the external mail server's port 465 after authenticating as username@example1.com.
3. Any mail from the Postfix box to user@localhost or user@hostname-of-the-postfix-box is delivered locally.

Note that any mail sent to other domains through this Postfix server will be rejected.
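As an added illustration, not part of the original post, here is a small Python model of these outcomes: it parses a constructed main.cf and transport map the way Postfix reads them ('#' comments out whole lines only, $name expands another parameter) and resolves a recipient to local delivery, a relay next-hop, or rejection. It assumes myhostname = mx.example.com, exact-domain matching, and that the internal senders are in mynetworks (Postfix's default is the local subnet); such clients may relay to a domain with no transport entry, which then goes out directly and is stopped by the router's port 25 block, while clients outside mynetworks are held to relay_domains.

```python
import re

# Constructed from the post's main.cf; myhostname is an assumed value.
MAIN_CF = """\
myhostname = mx.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, example.com
relay_domains = $mydestination, example1.com
"""
# Constructed from the post's transport file.
TRANSPORT = """\
# next-hop in [] exactly as it is keyed in sasl_passwd
example1.com          smtp:[127.0.0.1]:2525
any-other-domain.com  smtp:[127.0.0.1]:2525
"""

def parse_main_cf(text):
    """key = value per line; '#' comments out a whole line only, and $name
    expands another parameter, as Postfix does."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()

    def expand(value):
        return re.sub(r"\$(\w+)", lambda m: expand(params.get(m.group(1), "")), value)
    return {k: expand(v) for k, v in params.items()}

def parse_transport(text):
    """Lookup table: first field is the domain, the rest is the next-hop."""
    return {k: v.strip() for k, v in
            (line.split(None, 1) for line in text.splitlines()
             if line.strip() and not line.startswith("#"))}

def domains(value):
    """Split a comma/whitespace separated domain list into a set."""
    return {d.lower() for d in re.split(r"[,\s]+", value) if d}

def route(recipient, params, transport, client_in_mynetworks=True):
    """Return (action, nexthop) for one recipient address."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in domains(params["mydestination"]):
        return ("local", None)          # outcomes 1 and 3 above
    # relay_domains is only consulted for clients outside mynetworks
    if not client_in_mynetworks and domain not in domains(params["relay_domains"]):
        return ("reject", None)
    # No transport entry: the default smtp transport goes to the domain's MX
    # directly, which the router's port 25 block prevents
    return ("relay", transport.get(domain, "smtp:" + domain))  # outcome 2
```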

2 comments:

  1. Dear Sir,

    I need help from you.
    My postfix server sits in the DMZ zone of the firewall.
    Based on the recipient domain it has to route the mail either to the internet or to the VPN. We have to resolve the domains also in a similar way.
    How can I do it, Sir?

    Thanks and Regards,

    Suja PV

  2. Not clear on what you are trying to do. If you have two different domains for users on the Internet vs. users on the VPN, then you can do this by setting up local DNS for VPN users and simply configuring routing as explained above for the different domains.

    However, for individual recipients within the same domain you will have to configure the rule for each user based on where the user is located, i.e., Internet or VPN. Also you may have to manage DNS & MX records accordingly.

    --
    SK
