Postfix - antispam and relay package
-
mbrax: You mentioned you only want postfix to handle incoming mail from servers outside the network, yes? That means for all approved clients whether inside the network or not, and servers inside the network you have another answer (maybe inside the network, or outside). You also mentioned you can't control the server configurations on your clients, so setting up a custom smtp port for approved clients is out.
There is only then one good answer I can see.
1: Set up postfix on pfsense so that all traffic on all smtp ports is handled by it. Port forward all smtp ports on lan/wan to localhost, then set up postfix to bind to that interface.2: Configure postfix's capability to know which systems/clients are authorized to be exempt from security and to forward all email from them to the approved servers without change.
3: Use the fuil screening ability of postfix on everything else, sending approved messages to the internal servers.
For details on how to do that, read here: http://www.postfix.org/documentation.html, or, in the alternative, pay someone who has done this before to set it up for you.
Yes, the problem lies in that postfix can't authenticate users due to it not having access to the database. That's why i was wondering if it can just forward it to the internal one and have it handle everything instead.
And again, documentation won't help at all here still.
-
"Yes, the problem lies in that postfix can't authenticate users due to it not having access to the database. That's why i was wondering if it can just forward it to the internal one and have it handle everything instead.
And again, documentation won't help at all here still."
Kindly notice that indeed it does. Read here:
http://www.postfix.org/LOCAL_RECIPIENT_README.htmlThere you will see long experience strongly advises against turning off recipient validation, though it shows how to do that.
When postfix offers validation by ldap, sql, web lookup, text file, SASL, etc. there is a way to do this properly.
Surely you could write a little script on either pfsense cron on on the system that actually does know the recipient list to peel off a copy then rsync it to pfsense if nothing else. -
Kindly notice that indeed it does. Read here:
http://www.postfix.org/LOCAL_RECIPIENT_README.htmlThere you will see long experience strongly advises against turning off recipient validation, though it shows how to do that.
When postfix offers validation by ldap, sql, web lookup, text file, SASL, etc. there is a way to do this properly.
Surely you could write a little script on either pfsense cron on on the system that actually does know the recipient list to peel off a copy then rsync it to pfsense if nothing else.I still don't think we're on the same page here. Let's say that the postfix server is not able to get authentication information.
I'm only interested in parsing incoming mail from outside servers to check them for spam, nothing else (sending mail etc)i mean, thanks for helping but it's not really regarding my issue
-
mbrax, thats what for postfix is there for, scan for spam….
-
mbrax, thats what for postfix is there for, scan for spam….
yes, yes i know
but there's the part of a client using the server to send messages (which i don't want to use at all), and the part of a mail server sending mail to the users inside our mail server
if it's not possible to just literally forward the data to the internal one when it's about clients sending messages and logging in, it won't work with my plan
i don't think my idea comes across with words, so here's a work of art made in mspaint
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
Read it, can't see how it applies. I don't want postfix to handle clients sending mail. Only servers.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
don't i have to do that for every domain that sends mail to us then? that's impossible
i don't like ldap, it's unsecure. and adding ssl to it is way too cumbersome
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
- You whitelist the inhouse recipient domain.
- Really, the effort it takes to auth recipients is a fraction of the bandwidth the spam would take up to bogus@oursuers.com
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
and adding ssl to it is way too cumbersome
please, i'm on the verge of just leaving this place out of frustration, it's like you're missing half my posts.. i appreciate the effort but jeez
if it can't forward the raw data to the internal one just for external mail, i'm not doing it.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
Nope, that's not what i want. All incoming mail from all mail servers to local recipients should be checked and forwarded to our internal mail server (this i can do). Mail sent from a client to an external server via our internal server should not be handled by postfix.
From what i can understand from your answers, it's not at all regarding my setup.. thought i drew a pretty explanatory image there
Differentiating clients and servers is pretty easy due to servers not using authentication. Clients should use the internal mail server at all times for everything - but this is where i'm stuck.
-
mrbax, I do not fully understand what you want to set up. Please help me understand you.
A internal mailserver, lets say Exchange, is handling all the mailboxes and stuff. You set up a send connector to the pfsense postfix. This will handle outgoing emails.
From outside to inside you open up port 25 on the pfsense to the internal postfix. The postfix will then send all incoming mails, after checking spam, to the exchange.
(replace "Exchange" with whatever mailserver you like)
If you want, you can only set up "one direction". Only incoming mails and/or only outgoing mails.
Nothing special, nothing complicated. Pretty basic setup.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.
-
Good luck to you.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.
Mrbrax is right I think: A client sending a mail does not have to pass postfix on the pfsense box at all. And we have the same set-up for our mobile clients.
As the client needs to authenticate, you want to use secure SMTP, so the client will not send/connect to the standard SMTP port 25 of mail.ourdomain.com (which is captured by the postfix on the pfsense box), but instead use port 465 or 587 (SMTP submission). So a simple NAT rule to port forward 465 and 587 to the internal mail server does the job.
So you get:
incoming port 25 (SMTP traffix from other servers): forward/NAT to the postfix on the pfsense box;
incoming port 465/587 (SMTP traffix from clients): forward/NAT to internal mail server. -
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.
Mrbrax is right I think: A client sending a mail does not have to pass postfix on the pfsense box at all. And we have the same set-up for our mobile clients.
As the client needs to authenticate, you want to use secure SMTP, so the client will not send/connect to the standard SMTP port 25 of mail.ourdomain.com (which is captured by the postfix on the pfsense box), but instead use port 465 or 587 (SMTP submission). So a simple NAT rule to port forward 465 and 587 to the internal mail server does the job.
So you get:
incoming port 25 (SMTP traffix from other servers): forward/NAT to the postfix on the pfsense box;
incoming port 465/587 (SMTP traffix from clients): forward/NAT to internal mail server.THANK YOU.
But doesn't some servers send mail to 587? Or is that only for clients?
Because when before 587 didn't exist that had to be the case -
Guys. Postfix is for sending mails from server to server. This has nothing to do with your client set up. Period.
If you want clients to send mails via MAPI, OWA, Anywhere, ActiveSync, SMTP, SMTPS, PHP Module or whatever you like, you need to set up your mailserver correctly.So, for SMTPS, it would be a port forward port 587&465 to your internal mailserver.
But, again, this has nothing to do with postfix. Don't mix up topics.
If you have no clue how these services need to be seperated don't set up a postfix yourself.
