Netgate Discussion Forum
    Mail server/service - on the internet and behind pfSense

    General pfSense Questions

    MakOwner:

      This may not even be the place to ask this, but I'm sure someone here is reading this and has done this before me.
      And I have been googling and playing with various options for this and I still don't have an answer that really satisfies me yet.
      Hopefully someone here has either done this, or just has some suggestions, or even some pointers of where to ask.
      Any suggestions are welcome, and what I'm outlining below is just my spitballing.
      If there is a better way, please tell me.

      I want to set up webmail/imap/pop3 service for my domain.
      I don't want the originating relay inside the network behind the pfSense.
      I do want the mail storage behind pfSense (possibly in a DMZ, but behind a firewall for sure).

      I have a hosted virtual server outside my network/domain, and I have a static ipv4 address for my WAN interface of pfSense where my domain resolves.
      I'm thinking postfix/dovecot/roundcube and all the goodies for anti-spam and what not installed on a server inside my network behind pfSense.
      That relays off the hosted provider within an IP range with a good reputation.

      I have two people inside the network on a regular basis that will need local mail clients and email on phones, but will also travel, and a third that will be fully remote on a slow connection for laptop and a phone.

      I'd set the whole thing on the externally hosted server, but I would really rather the mail sit idle in the network behind the pfSense.  I'm currently sitting on enough archived email to make it too costly to host outside.

      Anyone got any tips or suggestions?


    0tt0:

        Some quick comments.

        You've got a fixed IP which is really not needed - many DNS providers today do dynamic updates - but is handy to have.
        You will naturally have a DMZ since you will have port 25 wide open to the world; you really cannot run an MX without it.

        You mention you have an external VPS, I assume it's Linux. I would install postfix on that VPS and use it as backup MX; you probably want to queue your own mail when you have maintenance windows and miss receiving, or if you're on vacation and the power drops and the server doesn't come back up. SMTP servers usually have retry algos and keep trying to send for up to some 96 hrs before returning errors, but I think it's nice to have a backup MX anyway - it makes sure the sender doesn't get any kind of warning or delay info sent back (this may or may not be good, that's up to you I guess).

        I would also use that VPS for outbound SMTP (to the world), since it's most likely non-residential and non-dynamic IP that will probably work fine. If you want you could set up VPN site-site to that VPS and tunnel outbound mail plain from your local mail systems in that tunnel and also receive rsyslogs from the server over the tunnel to a central syslog server.

        The mail system that the users use can be many things and it all depends on how many servers you want to have in the mail design - myself I have 3 locally in my personal network handling different aspects of the mail feed.

        I would strongly suggest you look into Zimbra as your main mail engine, webmail and collaboration system alike. Quite possibly the best I've ever seen and I have used a number of mail servers/systems during the years.

        Other options may be Zarafa and possibly Axigen.

        Remote access to mail can be over OpenVPN (demand everyone, including phones, to first set up the tunnel before accessing services) or a mix; perhaps you'd like to have https, pop and imap open to give users flexibility.

        I'd recommend using Snort to increase the likelihood that you notice if there's a lot of malicious activity going on.
        I'd also recommend using some blocklists (you can do that in FW rules instead of Snort) like ET IP lists, CINSscore and Talos.

        Be wary of DNS block lists (real-time block lists) in the SMTP system; many give you issues with false positives. The only ones I use on and off today are Spamhaus and sometimes Spamcop. Rejecting SPF failures may also give you some issues but is a nice thought I think; unfortunately there are a lot of admins that do not keep accurate SPF records.

        Just a few various thoughts on the subjects.

        Regards,

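A concrete version of the layout 0tt0 describes (VPS as backup MX and outbound relay, internal server behind pfSense receiving over a site-to-site tunnel, DNSBLs used with a false-positive margin), as an added example that is not part of the original thread and not the poster's configuration. It consists of two Postfix main.cf fragments. The hostnames, the example.com zone, the 10.8.0.0/24 tunnel subnet and the lookup-table paths are assumptions; the SPF line assumes the policyd-spf policy daemon is installed on its default socket.

```ini
# --- DNS (assumed example zone) ---
#   example.com.  MX 10 mail.example.com.   ; internal server, port 25 forwarded by pfSense
#   example.com.  MX 20 mx2.example.com.    ; the VPS, backup MX

# ===== /etc/postfix/main.cf on the VPS (mx2.example.com): backup MX + outbound relay =====
myhostname = mx2.example.com
# Accept mail for the domain but never deliver locally: queue it and forward to the primary.
relay_domains = example.com
# Only queue for recipients that exist on the primary; otherwise the backup MX accepts
# mail for unknown users and turns into a backscatter source when the primary bounces it.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Route relayed mail down the VPN tunnel to the primary (10.8.0.10 assumed).
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport contains:  example.com  smtp:[10.8.0.10]
# Hosts on the tunnel subnet may relay outbound mail through this VPS; nobody else may.
mynetworks = 127.0.0.0/8 [::1]/128 10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# How long queued mail for the primary is retried while it is down (Postfix default is 5d).
maximal_queue_lifetime = 5d

# ===== /etc/postfix/main.cf on the internal server (mail.example.com) =====
myhostname = mail.example.com
mydestination = example.com, localhost
# All outbound mail goes to the VPS over the tunnel rather than straight out of the WAN IP.
relayhost = [10.8.0.1]:25
# The backup MX delivers over the tunnel, so the tunnel subnet is trusted for relay purposes.
mynetworks = 127.0.0.0/8 [::1]/128 10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# DNSBLs with a margin against false positives: postscreen adds up per-list weights and
# rejects only when the total reaches the threshold, so one list hit alone does not reject.
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spamcop.net*1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
# postscreen_access_list defaults to permit_mynetworks, so the tunnel peer skips these tests.
# SPF via a policy daemon (assumed: policyd-spf); configure the daemon to reject only a hard
# "fail" and not softfail/neutral, which limits breakage from inaccurate SPF records.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
```

Two things the fragments do not show: postscreen also needs the `smtp inet ... postscreen` / `smtpd pass` entries in master.cf from the Postfix documentation, and the relay_recipients table on the VPS has to be kept in step with the accounts on the primary, otherwise the backup MX starts rejecting real users. On pfSense this layout needs a port forward for TCP 25 from the WAN to the internal server plus a rule allowing TCP 25 from the tunnel subnet; everything else (IMAP, webmail) can stay reachable only through OpenVPN as the reply suggests.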