Mail Relay versus port forwarding



  • So I'm looking to move my existing linux firewall/mail box behind a pfsense router, if only so I can physically relocate this rather large box, and replace with something smaller and quieter.

    I could just port-forward SMTP to the box behind the FW, or I could install the postfix mail-relay and have it pass the mail on, optionally adding some spam filtering.

    Has anyone installed DSPAM or any sort of grey listing software onto a pfsense unit ?

    Should I just do simple RBS lookups and save spamassassin and DSPAM for the real mail machine ?

    Do I gain anything from having some spam filtering/grey listing on the firewall meaning snort can potentially parse those logs ?

    I appreciate there may be some firmly held religious beliefs on how/whether a firewall should handle mail. I intend only to relay for a real mailserver behind the firewall.

    BA



  • The preferred inbound mail chain would be:  Pfsense nat on port 25 to - SPAM Filter - smtp to -  Mail Server . Each one on their own VM or Box.

    Additional Pfblocker on Pfsense to exclude some Geo Areas. Pfsense should block all other ports to the spam filter.

    For the SPAM Filter you may check an appliance "EFA project" : https://efa-project.org/ .



  • I agree with pete35.  I used to run the postfix package on the firewall but there are some good reasons not to do that.

    Putting postfix in its own VM and port forwarding to it has some additional advantages:

    • more flexible postfix configuration

    • allows me to run fail2ban against the postfix logs

    • fail2ban uses openbgpd to block offenders at the firewall

    The DNSBL and "PREGREET" detection capabilities of postfix prevent 99% of the spam ever reaching the mail server.
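    The DNSBL and PREGREET checks mentioned above are done by Postfix's postscreen daemon, which sits in front of smtpd on port 25. As an added illustration (not biggsy's configuration), here is the minimal main.cf / master.cf setup for a relay VM that pfSense forwards port 25 to; the DNSBL list, weights and the trusted CIDR range are example values to adjust for your own site.

```ini
# --- /etc/postfix/main.cf (example fragment) ---

# Only the pfSense forward and the LAN should ever reach this relay;
# listed clients skip postscreen entirely (example ranges).
postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# PREGREET: a real MTA waits for our 220 banner before talking.
# Spambots that send before the banner (within greet_wait) are rejected.
postscreen_greet_wait = ${stress?{2}:{6}}s
postscreen_greet_action = enforce

# DNSBL lookups run in parallel by dnsblog(8); each hit adds its weight,
# and a client at or above the threshold is rejected (example weights).
postscreen_dnsbl_sites = zen.spamhaus.org*3,
        bl.spamcop.net*2,
        b.barracudacentral.org*2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

# Good clients are cached so they are not re-tested on every connection.
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_dnsbl_ttl = 1h

# Bare "enforce" replies with 550 and still logs the session, which is what
# fail2ban (or snort on the forwarded logs) can act on.
postscreen_blacklist_action = enforce

# Hand accepted mail straight on to the real mail server behind the firewall.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# --- /etc/postfix/master.cf (replace the default smtp line) ---
# service type  private unpriv  chroot  wakeup  maxproc command
# smtp      inet  n       -       n       -       1       postscreen
# smtpd     pass  -       -       n       -       -       smtpd
# dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy  unix  -       -       n       -       0       tlsproxy
```

    Start with `postscreen_greet_action = ignore` and `postscreen_dnsbl_action = ignore` for a few days and watch `mail.log` for PREGREET and DNSBL rank lines before switching both to enforce.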



  • @biggsy:

    I agree with pete35.  I used to run the postfix package on the firewall but there are some good reasons not to do that.

    What are the good reasons out of interest ?

    BA

