Postfix forwarder - quick start guide
-
POSTFIX FORWARDER QUICK START GUIDE
INTRODUCTION
The postfix forwarder package is very powerful and a great addition to pfSense. For my money (Note 1) and needs it is easily the most useful package.
There have been a lot of questions about the package in this forum and a few requests for some sort of quick configuration overview. I know I could have used one at the start.
This is my attempt at a quick start guide.
GENERAL TAB
Postfix General Settings Section
Enable postfix.
Don't do this until you have finished the configuration and set up your NAT and firewall rules (at the end of this guide).
Listen Protocol
Stick with the default IPv4 unless you have a need.
Listen on
Choose "loopback". This will be explained later.
SAVE
DOMAINS TAB
Domains to Forward Section
Enter the domain name (not the host name) for which postfix will be handling email traffic. Next to that enter the IP address of the back-end (real) mail server that postfix will pass the connection to when it is satisfied that the sender is not a spammer. The back-end server is probably the mail server you are currently using.
You can specify a number of domains that are handled by the same or different back-end mail servers. You can't have the same domain handled by multiple mail servers.
SAVE
ANTISPAM TAB
Just my settings here. YMMV.
Postfix Antispam Settings Section
Header verification
Select strong
Helo hostname
Checked
Zombie Blocker
Enabled with enforce
After greeting tests
Select all (Ctrl click)
Soft Bounce
Choose the default of "Enabled only in postscreen"
Anvil Daemon
Choose "Enabled only when using postscreen" but read the note about relaying from your internal clients.
SPF lookup
I have this set to "Do not check SPF records".
Third part(y) Antispam Settings Section
Use third part(y) antispam
Not checked in my configuration. The postfix package is doing a great job of keeping out the spammers anyway.
SAVE
To get started that's about all you need to configure in the postfix GUI. Now set up your NAT.
NAT and filter rule
Create a NAT to forward connections with destination WAN address and a destination port 25, to a target IP of 127.0.0.1 and a target port 25. Have an associated firewall filter rule created automatically.
SAVE and apply changes.
Now disable the NAT and firewall rule you probably have for your current mail server. (Recommend that you don't delete until you have postfix working.)
SAVE and apply changes.
Back to the postfix GUI and enable postfix.
SAVE
Serving suggestion:
When postfix receives a first connection from a "client" mail server it stores, among other things, the IP address of that mail server. That first connection, based on the settings above, will be softly rejected ("Service currently unavailable" in the postfix logs). Spambots rarely come back but real mail servers will try again later. If they do, the IP address will be recognized and the connection accepted. However, the IP address is only retained for one day by default.
I have an entry in the custom main.cf options, on the General tab, that says "postscreen_cache_retention = 35d". This keeps addresses for 35 days. I use this because I want things like infrequent but friendly emailers (monthly newsletters or pfsense mailing list membership reminders) to be accepted first time, rather than soft rejected.
Note 1.
If the package benefits you as much as it does me, consider making a donation to the package developer so that he can continue to enhance and develop this and other great packages for pfSense.
Please feel free to reply with comments, criticisms and additional information.
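An added example (not code from the original post or from the pfSense package) that checks the first-connection behaviour described in the serving suggestion from the mail log: it parses postscreen's lines, labels each client the way the post describes (spambots fail the tests or never come back, real mail servers return and are handed to smtpd), and reports senders that were treated as "new" twice, meaning their cache entry had expired before they returned, which is what a longer retention is meant to avoid. The log lines, addresses and the year 2013 handed to the parser are constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample of postscreen lines from a pfSense mail.log (not from the post): host,
# addresses and times are made up; the message shapes follow what postscreen logs.
SAMPLE_LOG = """\
Jan 10 09:01:02 fw postfix/postscreen[1234]: CONNECT from [203.0.113.10]:41000 to [127.0.0.1]:25
Jan 10 09:01:08 fw postfix/postscreen[1234]: PASS NEW [203.0.113.10]:41000
Jan 10 09:01:08 fw postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.10]:41000: 450 4.3.2 Service currently unavailable; from=<news@example.org>, to=<me@your_domain>, proto=ESMTP, helo=<mx.example.org>
Jan 10 09:02:00 fw postfix/postscreen[1234]: PREGREET 11 after 0.1 from [198.51.100.7]:50123: EHLO spam
Jan 10 09:31:15 fw postfix/postscreen[1234]: PASS OLD [203.0.113.10]:41220
Feb 12 09:30:06 fw postfix/postscreen[1234]: PASS NEW [203.0.113.10]:41900
Feb 12 09:30:06 fw postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.10]:41900: 450 4.3.2 Service currently unavailable; from=<news@example.org>, to=<me@your_domain>, proto=ESMTP, helo=<mx.example.org>
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: (.*)$")
EVENT_RES = {  # event kind -> regex whose group 1 is the client IP
    "pass_new": re.compile(r"^PASS NEW \[([^\]]+)\]"),
    "pass_old": re.compile(r"^PASS OLD \[([^\]]+)\]"),
    "soft_reject": re.compile(r"^NOQUEUE: reject: RCPT from \[([^\]]+)\]:\d+: 450 "),
    "failed_test": re.compile(r"^(?:PREGREET|HANGUP|DNSBL rank|COMMAND PIPELINING|NON-SMTP COMMAND|BARE NEWLINE) .*?\[([^\]]+)\]"),
}
# Label priority: spambots fail a test or never return after the 450; real servers come back.
LABELS = [("failed_test", "failed a postscreen test"), ("pass_old", "came back, handed to smtpd"),
          ("soft_reject", "soft-rejected, never returned")]

def parse_postscreen(log_text, year):
    """Return {client_ip: [(datetime, kind), ...]}; syslog lines carry no year, so pass it in."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # smtpd, cleanup, qmgr ... lines are not postscreen's
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, rx in EVENT_RES.items():
            e = rx.match(m.group(2))
            if e:  # CONNECT/DISCONNECT match no event kind and are skipped
                events.setdefault(e.group(1), []).append((when, kind))
                break
    return events

def classify(events):
    """Label each client IP with the first LABELS entry whose event kind it produced."""
    return {ip: next((lbl for k, lbl in LABELS if any(kind == k for _, kind in evs)),
                     "passed the tests, no RCPT seen") for ip, evs in events.items()}

def expired_before_return(events):
    """Days between repeated PASS NEW for one IP: its cache entry expired before it came back,
    so it was soft-rejected again (the case a longer retention is meant to avoid)."""
    gaps = {}
    for ip, evs in events.items():
        times = sorted(t for t, k in evs if k == "pass_new")
        if len(times) > 1:
            gaps[ip] = max((b - a).days for a, b in zip(times, times[1:]))
    return gaps
```

Run it against a real mail.log (with the right year) and any friendly sender listed by expired_before_return is a candidate for a retention longer than its largest gap.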
-
RECIPIENTS TAB
Create an account on your Active Directory to fetch valid email addresses.
Hostname your_dc.your_domain
Domain dc=your,dc=domain
Username cn=antispam_user,cn=Users
Password ******* :D
To install p5-perl-ldap you can follow these steps:
setenv PACKAGEROOT "http://ftp.freebsd.org"
setenv PACKAGESITE "http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/"
pkg_add -r p5-perl-ldap
ACCESS LIST TAB
If you do not have clients that relay emails through this server, deny any email that pretends to be you:
Header
/^(From|Return-Path):.*@your_domain_here/ REJECT forged sender $1: header: $2 [SN001]
Helo
/your_domain_here/ REJECT [HELO01]
sender
@your_domain_here REJECT
-
/your_domain_here/ REJECT [HELO01]
marcelloc,
Would it be sensible to add this as well?
/127.0.0.1/ REJECT [HELO02]