Postfix - antispam and relay package
-
you should have something like:
(internet)<–----->pfsense<------>intranet
---(postfix)so basically you came into the thread without reading the whole 45 pages with a problem. and you dont want to read the documentation because you dont know what to look for.
why dont you start by expaining nicely:
-what you want to do,
-which environment you have,
-which pf config/version, etc.
and what tests you have made. like telneting x port from the 'inside' and telneting the port from the 'outside' with a nice pastebin link so we all can read about it. also quoting logs is a plus to know what to look for.right now, we are having a conversation on when postfix package will be available upstream.
bye, -
mrbrax: To use postfix for incoming filtering+ store and forward, without using it for lan->wan email, simply configure all users to point their email systems send configuration to some random free port number on the WAN interface-l which you nat to your internal systems. Allow postfix on pfsense to operate normally, d-natting (port forwarding) 25 and maybe 465 to postfix on pfsense.
Also, kindly consider those offering their time to help you here are volunteers, many of whom have taken the time to understand the tools in order to be of service. PFsense has this package as a frontend on postfix as you know. You will pay yourself 10 minutes for every one you spend reading the postfix documentation, even though it doesn't seem like it when you're doing the reading. I hope once you also find success you'll return the favor to help others here.
-
you should have something like:
(internet)<–----->pfsense<------>intranet
---(postfix)so basically you came into the thread without reading the whole 45 pages with a problem. and you dont want to read the documentation because you dont know what to look for.
why dont you start by expaining nicely:
-what you want to do,
-which environment you have,
-which pf config/version, etc.
and what tests you have made. like telneting x port from the 'inside' and telneting the port from the 'outside' with a nice pastebin link so we all can read about it. also quoting logs is a plus to know what to look for.right now, we are having a conversation on when postfix package will be available upstream.
bye,forget it, this sounds too complicated anyway. we'll just continue dealing with putting spam manually in the bin
mrbrax: To use postfix for incoming filtering+ store and forward, without using it for lan->wan email, simply configure all users to point their email systems send configuration to some random free port number on the WAN interface-l which you nat to your internal systems. Allow postfix on pfsense to operate normally, d-natting (port forwarding) 25 and maybe 465 to postfix on pfsense.
Also, kindly consider those offering their time to help you here are volunteers, many of whom have taken the time to understand the tools in order to be of service. PFsense has this package as a frontend on postfix as you know. You will pay yourself 10 minutes for every one you spend reading the postfix documentation, even though it doesn't seem like it when you're doing the reading. I hope once you also find success you'll return the favor to help others here.
As said, i don't know what to look for - for the stuff i want to do, so reading the documentation is useless when i barely know what i want to do in the first place.
and changing the configuration for everyone? not happening. if it doesn't work on port 25/587 on one domain it's not worth looking into.What do you mean? consider volunteers?
-
mbrax: You mentioned you only want postfix to handle incoming mail from servers outside the network, yes? That means for all approved clients whether inside the network or not, and servers inside the network you have another answer (maybe inside the network, or outside). You also mentioned you can't control the server configurations on your clients, so setting up a custom smtp port for approved clients is out.
There is only then one good answer I can see.
1: Set up postfix on pfsense so that all traffic on all smtp ports is handled by it. Port forward all smtp ports on lan/wan to localhost, then set up postfix to bind to that interface.2: Configure postfix's capability to know which systems/clients are authorized to be exempt from security and to forward all email from them to the approved servers without change.
3: Use the fuil screening ability of postfix on everything else, sending approved messages to the internal servers.
For details on how to do that, read here: http://www.postfix.org/documentation.html, or, in the alternative, pay someone who has done this before to set it up for you.
-
mbrax: You mentioned you only want postfix to handle incoming mail from servers outside the network, yes? That means for all approved clients whether inside the network or not, and servers inside the network you have another answer (maybe inside the network, or outside). You also mentioned you can't control the server configurations on your clients, so setting up a custom smtp port for approved clients is out.
There is only then one good answer I can see.
1: Set up postfix on pfsense so that all traffic on all smtp ports is handled by it. Port forward all smtp ports on lan/wan to localhost, then set up postfix to bind to that interface.2: Configure postfix's capability to know which systems/clients are authorized to be exempt from security and to forward all email from them to the approved servers without change.
3: Use the fuil screening ability of postfix on everything else, sending approved messages to the internal servers.
For details on how to do that, read here: http://www.postfix.org/documentation.html, or, in the alternative, pay someone who has done this before to set it up for you.
Yes, the problem lies in that postfix can't authenticate users due to it not having access to the database. That's why i was wondering if it can just forward it to the internal one and have it handle everything instead.
And again, documentation won't help at all here still.
-
"Yes, the problem lies in that postfix can't authenticate users due to it not having access to the database. That's why i was wondering if it can just forward it to the internal one and have it handle everything instead.
And again, documentation won't help at all here still."
Kindly notice that indeed it does. Read here:
http://www.postfix.org/LOCAL_RECIPIENT_README.htmlThere you will see long experience strongly advises against turning off recipient validation, though it shows how to do that.
When postfix offers validation by ldap, sql, web lookup, text file, SASL, etc. there is a way to do this properly.
Surely you could write a little script on either pfsense cron on on the system that actually does know the recipient list to peel off a copy then rsync it to pfsense if nothing else. -
Kindly notice that indeed it does. Read here:
http://www.postfix.org/LOCAL_RECIPIENT_README.htmlThere you will see long experience strongly advises against turning off recipient validation, though it shows how to do that.
When postfix offers validation by ldap, sql, web lookup, text file, SASL, etc. there is a way to do this properly.
Surely you could write a little script on either pfsense cron on on the system that actually does know the recipient list to peel off a copy then rsync it to pfsense if nothing else.I still don't think we're on the same page here. Let's say that the postfix server is not able to get authentication information.
I'm only interested in parsing incoming mail from outside servers to check them for spam, nothing else (sending mail etc)i mean, thanks for helping but it's not really regarding my issue
-
mbrax, thats what for postfix is there for, scan for spam….
-
mbrax, thats what for postfix is there for, scan for spam….
yes, yes i know
but there's the part of a client using the server to send messages (which i don't want to use at all), and the part of a mail server sending mail to the users inside our mail server
if it's not possible to just literally forward the data to the internal one when it's about clients sending messages and logging in, it won't work with my plan
i don't think my idea comes across with words, so here's a work of art made in mspaint
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
Read it, can't see how it applies. I don't want postfix to handle clients sending mail. Only servers.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
don't i have to do that for every domain that sends mail to us then? that's impossible
i don't like ldap, it's unsecure. and adding ssl to it is way too cumbersome
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
- You whitelist the inhouse recipient domain.
- Really, the effort it takes to auth recipients is a fraction of the bandwidth the spam would take up to bogus@oursuers.com
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
and adding ssl to it is way too cumbersome
please, i'm on the verge of just leaving this place out of frustration, it's like you're missing half my posts.. i appreciate the effort but jeez
if it can't forward the raw data to the internal one just for external mail, i'm not doing it.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
Nope, that's not what i want. All incoming mail from all mail servers to local recipients should be checked and forwarded to our internal mail server (this i can do). Mail sent from a client to an external server via our internal server should not be handled by postfix.
From what i can understand from your answers, it's not at all regarding my setup.. thought i drew a pretty explanatory image there
Differentiating clients and servers is pretty easy due to servers not using authentication. Clients should use the internal mail server at all times for everything - but this is where i'm stuck.
-
mrbax, I do not fully understand what you want to set up. Please help me understand you.
A internal mailserver, lets say Exchange, is handling all the mailboxes and stuff. You set up a send connector to the pfsense postfix. This will handle outgoing emails.
From outside to inside you open up port 25 on the pfsense to the internal postfix. The postfix will then send all incoming mails, after checking spam, to the exchange.
(replace "Exchange" with whatever mailserver you like)
If you want, you can only set up "one direction". Only incoming mails and/or only outgoing mails.
Nothing special, nothing complicated. Pretty basic setup.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.