PostFix Forwarder Package

  • Hello all,

    I have the NetGate appliance with latest version of pfSense installed on it.
How do I get the PostFix Forwarder package, as it is not listed?

My scenario is that I have pfSense on my local network connected to my ISP, which blocks SMTP, etc.
I have set up another pfSense appliance in the cloud and am running site-to-site OpenVPN between them, and traffic works fine.

I need to install a PostFix Forwarder package on my cloud appliance so it can sit in front and do all the mail relay, anti-spam and anti-virus.

Any help on where I can get a fully working version of this package, one which will work properly? I don't know why it has been removed from the package list.

  • Rebel Alliance Developer Netgate

    The package is not supported and is dangerous to run on a firewall. Use a dedicated mail appliance to handle mail processing, don't use a firewall for that task.

  • Why would it be dangerous?

Hmm, but that would imply setting up another cloud appliance for SMTP, and that costs.

OR I can set up routing on the pfSense to route packets to SMTP on my LAN and have outbound routing for that SMTP server to NAT its traffic out through the pfSense in the cloud?

  • Rebel Alliance Developer Netgate

It's dangerous because MTAs, especially ones with spam filtering capabilities, have a ton of moving parts and need constant upkeep for security issues. It massively increases the attack surface of a firewall and introduces several new potential attack vectors that could compromise the firewall, as opposed to only compromising the mail server.

    You could use pfSense to NAT/redirect traffic however you like if you already have a local SMTP box.

  • Thanks Jimp :)
    Yes, that does make sense. Ok.

So can you redirect me to a thread or someone knowledgeable, or maybe you can help me right here with the following:

How do I tell my local LAN SMTP service to send all outbound traffic via the OpenVPN tunnel from my local pfSense, such that it uses the pfSense in the cloud as its gateway and takes its IP? I want to make sure the HELO and EHLO return the correct IP, and that my local SMTP can talk outbound via the cloud pfSense, as my ISP won't let me talk outbound directly on 25.

Why a "local LAN SMTP service"?
I agree with what was said above: a mail server and all that is needed to receive (rather easy) and send (complicated) is a huge setup.
So, a basic rule is: keep it simple, or, in other words: put postfix, amavis, spamassassin, dkim, dmarc, spf checking, pop and imap stuff on a dedicated server (a small VPS will do just fine). My mail clients communicate with this "mail server" using SSL all over the place. No "port 25 issue" (most ISPs block port 25 these days), and IP versus reverse (MX) is fine.
Security, fine tuning, log inspection, etc. is a nearly daily job when running a mail server, so I advise you NOT to use a special setup.
Mail servers, like web servers, you should run them for fun once at home. Just once. But really, you don't want to if you do not have the right equipment and Internet connection.

Thanks for that advice,

But I do have the right equipment and bandwidth. That is not the problem. I don't feel like paying an ISP for the business version with 70% more co$ts.

    So, if we can stick to my original question:

How do I get my local SMTP service (PostFix on Debian) to make sure its outbound path is set to use the OVPN tunnel?

  • LAYER 8 Netgate

    Policy route it.

  • @Derelict:

    Policy route it.

Ok, that seems possible. How do I do this? When I add the firewall rule, I don't see my OpenVPN outbound as one of the gateways?
    Do I add that in GW interfaces?

Ok, I figured it out. Had to do some Network Address Translation between both subnets.
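The thread ends with "policy route it" plus some NAT, without showing what that amounts to. Below is an added example, not posted by anyone in the thread and not pfSense's generated configuration, written in native pf syntax (the packet filter pfSense runs) to make the two steps concrete: a policy-routing rule that sends only the mail host's SMTP traffic into the tunnel, and the NAT needed on each side so the cloud firewall's public address is what the Internet sees. pfSense builds its own pf.conf from the GUI, so this is for reading the logic, not for pasting onto the appliance; every interface name, subnet and host address here is an assumed placeholder.

```pf
# Added example (not from the thread): the pf logic behind
# "policy route it" + "NAT between both subnets".
# All names and addresses below are assumed placeholders.

# ---- local (home) pfSense -------------------------------------------------
lan_if    = "igb1"               # LAN interface on the local firewall
ovpn_if   = "ovpnc1"             # OpenVPN site-to-site instance, assigned as an interface
ovpn_gw   = "10.8.0.1"           # tunnel address of the cloud pfSense (the gateway)
lan_net   = "192.168.10.0/24"    # local LAN
smtp_host = "192.168.10.25"      # the Debian/Postfix box

# Translation rules must come before filter rules in pf.conf.
# Source-NAT the mail host to the tunnel address so the cloud side only
# ever needs a route back to the tunnel, not to the whole home LAN.
nat on $ovpn_if inet from $smtp_host to any -> ($ovpn_if)

# Policy route: only the mail host, only SMTP submission/relay ports, into
# the tunnel. "quick" stops rule evaluation here, so nothing later can
# override the route; every other LAN host keeps the default (ISP) gateway.
pass in quick on $lan_if inet proto tcp from $smtp_host to any port { 25, 587 } \
    route-to ($ovpn_if $ovpn_gw) keep state

# Least privilege: no other LAN host may even attempt port 25. The ISP blocks
# it anyway; this keeps a compromised desktop from riding the relay path.
block in quick on $lan_if inet proto tcp from $lan_net to any port 25

# ---- cloud pfSense --------------------------------------------------------
wan_if    = "vtnet0"             # public-facing interface of the cloud firewall
ovpn_s_if = "ovpns1"             # server side of the same site-to-site tunnel
tunnel_net = "10.8.0.0/24"       # OpenVPN tunnel network

# Outbound NAT: anything arriving over the tunnel leaves with the cloud
# firewall's public address, which is the address remote MTAs will see and
# check against the HELO name and its PTR record.
nat on $wan_if inet from $tunnel_net to any -> ($wan_if)

# Only SMTP from the tunnel is allowed out; the cloud box is a relay path,
# not a general egress for the home network.
pass in quick on $ovpn_s_if inet proto tcp from $tunnel_net to any port { 25, 587 } keep state
block in quick on $ovpn_s_if inet from $tunnel_net to any
```

Two practical notes. In the pfSense GUI the OpenVPN instance only shows up as a selectable gateway in a firewall rule after it has been assigned as an interface (Interfaces > Assignments), which is what the "I don't see my OpenVPN outbound as one of the gateways" question above runs into. On the Postfix side the router cannot influence the HELO string: Postfix sends `$myhostname` (or `smtp_helo_name` if set), so that name must resolve to the cloud firewall's public address and that address's PTR must point back to the same name, or receiving MTAs will score the relay as suspicious regardless of how cleanly the routing works.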

