Postfix installation

[ROGA]

Hi,

I would like to install a Postfix-Server as a Mail-Gateway for my own home-network. I have a Firewall with DMZ and a internal LAN. The Postfix-Server should stay in the DMZ and Forward all Incoming Mails to the inernal Mail-Server in the LAN. Further more, the Postfix-Server should filter all Incoming Mails for viruses and spam. The Postfix-Server self does not have locally Mailboxes but he should lookup for Mailboxes via ldap on a Active-Directory Server, he only checks the Incoming mails and forward it to the internal Mail-Server in the LAN.

My Question:

I don't know exactly, how I schould begin. The configuration of Postfix makes me a Little bit confused I didn't find any example with Google, that matched my Points.

What I have done is following:

- Installed Gentoo on a virtual machine
- installed Postfix with use-flag for ldap and dovecot-sasl
- installed postfix as a systemd service
- configured lookup tables for ldap (this works halfwards, but not as expected)

Is there anybody, who can Point me to the Right directions? How and where do I have to begin?

Thank's for any help
_________________
regards,

Roland

[axl]

well, for filtering out content, you need to install amavisd-new (one of the choices - which I can safely recommend) with all the perks. clam, spamassassin. razor. hold on. i'll just query the world file and post some packages you should look at.

a version of syslog, obviously.
rar / zip. any other type of archiver application you want the spam/antivirus software to be able to read like: app-arch/rar or app-arch/zip. app-crypt/certbot for ssl certs. another discution. uhm... let me see. mail-filter/dcc, mail-filter/dspam, mail-filter/opendkim, mail-filter/postgrey, mail-filter/razor. mail-filter/spamassassin. I think that's about it. All of these work with mail-filter/amavisd-new, and mail-filter/amavisd-new works with mail-mta/postfix.

The connection between postfix and amavis is pretty simple.

content_filter=smtp-amavis:[192.168.23.254]:10024

That is pretty much it. in main.cf, ask amavis to filter it. and amavis does that.

the more complicated problem is delivery to an active whatever windows shit. I have mine set to cyrus-imap.

mailbox_transport = lmtp:192.168.23.254:2003 (this is cyrus-imap)

(opendkim)
smtpd_milters = inet:192.168.23.254:8891
non_smtpd_milters = inet:192.168.23.254:8891

(postgrey)
check_policy_service inet:192.168.23.254:10030

all of these lines are config options for main.cf for postfix. research them on google.


Again, sorry I can't help for final storage solution, which is "mailbox_transport".

[ROGA]

axl,

thank you very much for your advices.

I understand, for the content filtering I have to emerge amavis-new and spamassassin. But first, I will have to bring up a running postfix System that can receive all Mails for my own Domain and push it further to my internal Mail-Server (and yes, at the Moment it is a sh..t Windows-Server with hmailserver, but I would like to change this to postfix too)

So first, I would like to configure postfix in that way, that postfix looks for recipients via ldap and when those do not exist, postfix sould not accept the incoming smtp connection. At the other hand, If a recipient exist, postfix should accept the mail and forward it to the internal Mail-Server.

If this works, at the next step, I would like to intergrate content filtering with amavis-new and spamassassin.

But for my first goal, how do I have to configure postfix, so postfix is responsable to relay mails for my own domain. I don't want to have locally mailboxes on the postfix-server for my internal users. Postfix should mails queued, if it does not reached the finale destination to delevery mails.

In my main.cf I have set:

[nativemad]

Hi

I guess you will need $mydomain within the mydestinatin statement.
Then you'll need to configure smtpd_recipient_restrictions properly. I guess reject_unlisted_recipient is the one you need here, but I would google for examples of a secure config!
I also guess that you need to set the relay_domains and relay_host to send mails to the win server.
Alias_map shouldn't be necessary here.

HTH, cheers
_________________
Power to the people!

[ROGA]

Hi nativemad,

thank's for your advices.

With google's help I found a configuration example that meets more or less my needs. I found it here

/etc/postfix/main.cf looks now like this:

[alamahant]

Have you used the proper USE flags when emerging postfix and openldap?
Please have a look at this:
[url]
http://www.postfix.org/LDAP_README.html
[/url]
But kindly allow me the question if this is your home lan why would you need an ldap server to store the persons info?.
It would be much easier to configure 5-10 virtual mailboxes on you postfix server..

[nativemad]

I guess you are still using the already posted relay_recipients.cf.
There you showed with the postmap command, that your proxyAddress attribute in ldap holds multiple comma separated smtp:addresses.
The query filter on the other hand only looks for one address within the field without wildcards......try

[ROGA]

@alamahant

Yes, I think I have emerged Postfix with the proper USE Flags, so Postfix himself with ldap support does working.

Why I Need ldap is simple. At the Moment, I have a Windows Server with hmailserver as Mail-Server.This Server is configured, up and running and the users email-addresses still are stored in the Active-Directory. In a later time, I would like to Change this Server with a new Postfix Server, but not now. I first will build a Mail Gateway, that act only as a filter for all Incoming Mails and at last I also would like to learn more About Postfix.

But I give you right, at the end, it's easier to build a Postfix Mail-Server with 5 -10 virtual Mailboxes. That's my Goal as well
_________________
regards,

Roland

[ROGA]

@nativemad,

I tried your suggestion but without success.

I'm not a ldap guru and do not know much of such ldap queries. I've made some Tests and found out, that it does not make a difference if I use the Asterix (*) in the query_filter or not.

my relay_recipients.cf Looks like before but with your suggestions:

LDAP-Query:

[nativemad]

As it is one attribute, you can't filter out single values of it with a simple ldap filter afaik. These things should be done via result_format
I guess it should not matter which attribute you return, as long as it gives a result - an x as result would be enough, as you can see with the db-file instead of ldap. That would mean that the result_attribute is not that important at all!?

Add "debuglevel = 5" in your virtual_mailbox_maps.cf to generate some useful logs.

...If you want to get rid of the mailserver on win anyway, you could also use local delivery to dovecot that is much better documented than relaying and would be your goal anyway. Then use fetchmail to get the mails via pop3 from dovecot and feed it via smtp to the win-mail-server.
_________________
Power to the people!

[ROGA]

Hi nativemad,

[nativemad]

Ah sorry, my fault, I looked it up on my config and forgot that your file is named differently... Actually, you can set that debuglevel option on all your desired ldap map files!

Good catch with the proxyAddresses! That changes quite a bit!

It could also be that the ldap result needs to be the email address that got requested. That would be a bit different to the behaviour of the filedb and would also mean that the "result_attribute" only works in the examples with the "mail" attribute, as they always just have a single proxyAddress attribute - and only test for that one!
This would then mean that you of course need to filter the single proxyAddress attribute that matches, and without the smtp: prefix!

[ROGA]

Hi nativemad,

[C5ace]

ROGA:

I run my own mail server for internal and external mail users. My setup:

External mail server name : mail.c5ace.com
Internal domain: itw.lan
ISP's DNS server A and PTR records point mail.c5ace.com to 220.245.219.18 (static IP address of my ADSL modem/NAT router with build in port forwarding). DMZ is disabled.
Mail server local IP address: 192.168.0.103 (itw.lan).
The relevant mail ports are forwarded to 220.245.219.18.

The server itself is Debian 9 with ISPconfig (www.ispconfig.org) installed with mail, DNS and Webserver enabled. ISPconfig should also work on top of a Gentoo server.

Installation insructions for Debian and others: www.ispconfig.org/documentation.
www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
Take your time to read this.

Detailed configuration is available in their EUR 5.00 / 400 page user manual. www.ispconfig.org/documentation/user-manual/

My mail users can access their IMAP or POP3 mailbox and send mail from within the LAN and and anywhere in the world using their Linux or Windows mail clients or webmail.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as perl, python, C++, C#, Rust and the likes.

[ROGA]

Postfix now is working with amavis-new. But I have a strange behavior. I want that unknown smtp connections are rejected but it seems not to be working.

This is my main.cf :

[ROGA]

@C5ace,

Thank's for your advices.

ISPConfig could be a alternative for managing a postfix server with amavis-new etc. but I think, it's not really simple to install on a gentoo box. Gentoo isn't official supported and I couldn't find a howto for my needs. So, better I stay with my old school config files and learn a little bit more.

Thanks anyway
_________________
regards,

Roland

[C5ace]

My /etc/postfix/main.cf:

[freke]

[ROGA]

Hi freke,

thank's for your help!

I removed the spurious dots. They came from the midnight commander (mc). I found out, that they do not make troubles, because after the changes postfix still does not reject the unknown connections. I also commented out all the warn_if_reject_unknown_reverse_client_hostname in my main.cf buts still have no luck.

Am I correct in the assumption that Postfix must immediately terminate the connection with unknown hosts? As example what I see in my log, when I make a Telnet connection to postfix is:

Telenet session:

[freke]

Can't test on my server before after work (6 hours-ish) but found this:

https://serverfault.com/questions/583171/postfix-does-not-reject-wrong-client-and-helo-name

Do you have smtpd_delay_reject = yes (seems from the link to be the default), that seems to change behaviour

[ROGA]

Hi freke,

You're really great!!

Thats exactly the reason, why postfix does not reject hosts immediately as I expected. Now, it seems to work, but I saw, that postfix tells me, that he reject the host indeed, but the connection futher still persists. Is this behaviour ok or can we change it, so that postfix disconnect the session?
_________________
regards,

Roland

[freke]

It seems to keep the connection open till the client issue a quit (or maybe there's also an timeout?) - but for me appearently doesn't accept anything but 'quit', other commends gives access denied.

But I found this - https://serverfault.com/questions/645450/tell-postfix-to-close-connection-right-after-relay-access-denied

Seems like if you set

[ROGA]

Hi freke,

thank you very much! That's exactly what I want!

In your link that you posted was descibed:

[freke]

I know nothing about systemd-behaviour at all - is the .ctl-file the socket-file?

In my OpenRC-configuration with amavis-new and clamd, the socket-file is in /var/run/amavis/clamd.sock (set in /etc/clamd.conf)

[ROGA]

Hi freke,

thank you for you quick answer.