Postfix - antispam and relay package
-
mbrax, thats what for postfix is there for, scan for spam….
yes, yes i know
but there's the part of a client using the server to send messages (which i don't want to use at all), and the part of a mail server sending mail to the users inside our mail server
if it's not possible to just literally forward the data to the internal one when it's about clients sending messages and logging in, it won't work with my plan
i don't think my idea comes across with words, so here's a work of art made in mspaint
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
-
Did you happen to read the paragraph in the link I gave you that starts: " turn off unknown local recipient rejects"? Seems to fit what you've been asking for.
Read it, can't see how it applies. I don't want postfix to handle clients sending mail. Only servers.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
-
So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked.
Even so, I'd explore the reason you can't get the list of auth recipients/domain a little more closely.
don't i have to do that for every domain that sends mail to us then? that's impossible
i don't like ldap, it's unsecure. and adding ssl to it is way too cumbersome
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
- You whitelist the inhouse recipient domain.
- Really, the effort it takes to auth recipients is a fraction of the bandwidth the spam would take up to bogus@oursuers.com
-
- LDAP over TLS is as secure as anything can be, especially if you implement the server checking the client cert.
and adding ssl to it is way too cumbersome
please, i'm on the verge of just leaving this place out of frustration, it's like you're missing half my posts.. i appreciate the effort but jeez
if it can't forward the raw data to the internal one just for external mail, i'm not doing it.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
-
Well then, go with the upstream remark 'So, whitelist example.com, turn off unknown local recipient checks. All the example.com traffic gets forwarded without spam checks, ourdomain.com gets checked. '
Good luck to you.
Nope, that's not what i want. All incoming mail from all mail servers to local recipients should be checked and forwarded to our internal mail server (this i can do). Mail sent from a client to an external server via our internal server should not be handled by postfix.
From what i can understand from your answers, it's not at all regarding my setup.. thought i drew a pretty explanatory image there
Differentiating clients and servers is pretty easy due to servers not using authentication. Clients should use the internal mail server at all times for everything - but this is where i'm stuck.
-
mrbax, I do not fully understand what you want to set up. Please help me understand you.
A internal mailserver, lets say Exchange, is handling all the mailboxes and stuff. You set up a send connector to the pfsense postfix. This will handle outgoing emails.
From outside to inside you open up port 25 on the pfsense to the internal postfix. The postfix will then send all incoming mails, after checking spam, to the exchange.
(replace "Exchange" with whatever mailserver you like)
If you want, you can only set up "one direction". Only incoming mails and/or only outgoing mails.
Nothing special, nothing complicated. Pretty basic setup.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.
-
Good luck to you.
-
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.
Mrbrax is right I think: A client sending a mail does not have to pass postfix on the pfsense box at all. And we have the same set-up for our mobile clients.
As the client needs to authenticate, you want to use secure SMTP, so the client will not send/connect to the standard SMTP port 25 of mail.ourdomain.com (which is captured by the postfix on the pfsense box), but instead use port 465 or 587 (SMTP submission). So a simple NAT rule to port forward 465 and 587 to the internal mail server does the job.
So you get:
incoming port 25 (SMTP traffix from other servers): forward/NAT to the postfix on the pfsense box;
incoming port 465/587 (SMTP traffix from clients): forward/NAT to internal mail server. -
Just set up your internal mail servers to not use postfix as an outgoing relay.
no, that's not the problem, the problem comes when a client wants to send mail, not a server. i. just. want. it. to. redirect. the. authentication. to. the. internal. server. and. have. it. handle. the. sending.
Mrbrax is right I think: A client sending a mail does not have to pass postfix on the pfsense box at all. And we have the same set-up for our mobile clients.
As the client needs to authenticate, you want to use secure SMTP, so the client will not send/connect to the standard SMTP port 25 of mail.ourdomain.com (which is captured by the postfix on the pfsense box), but instead use port 465 or 587 (SMTP submission). So a simple NAT rule to port forward 465 and 587 to the internal mail server does the job.
So you get:
incoming port 25 (SMTP traffix from other servers): forward/NAT to the postfix on the pfsense box;
incoming port 465/587 (SMTP traffix from clients): forward/NAT to internal mail server.THANK YOU.
But doesn't some servers send mail to 587? Or is that only for clients?
Because when before 587 didn't exist that had to be the case -
Guys. Postfix is for sending mails from server to server. This has nothing to do with your client set up. Period.
If you want clients to send mails via MAPI, OWA, Anywhere, ActiveSync, SMTP, SMTPS, PHP Module or whatever you like, you need to set up your mailserver correctly.So, for SMTPS, it would be a port forward port 587&465 to your internal mailserver.
But, again, this has nothing to do with postfix. Don't mix up topics.
If you have no clue how these services need to be seperated don't set up a postfix yourself.
-
Guys. Postfix is for sending mails from server to server. This has nothing to do with your client set up. Period.
If you want clients to send mails via MAPI, OWA, Anywhere, ActiveSync, SMTP, SMTPS, PHP Module or whatever you like, you need to set up your mailserver correctly.So, for SMTPS, it would be a port forward port 587&465 to your internal mailserver.
But, again, this has nothing to do with postfix. Don't mix up topics.
If you have no clue how these services need to be seperated don't set up a postfix yourself.
Exactly, so that's why i want to forward client mail sending to the internal one instead.
Just wanted to make sure servers don't use 587 -
I dont understand folks that get into a thread to complain about how bad 'x' product is, and at the end its their own lack of knowledge regarding systems/protocols/ and how things work that makes them fail.
from the begining several users asked about hows mbrax config, right? I remember asking for details etc, and got his denial on share info, so why are we answering this guy? isnt it MUCH MORE SIMPLIER to answer a TECHNICAL question with the background+environment information? I mean… we dont even know which pf version this guy is running....swimming in the dark here...
-
I dont understand folks that get into a thread to complain about how bad 'x' product is, and at the end its their own lack of knowledge regarding systems/protocols/ and how things work that makes them fail.
from the begining several users asked about hows mbrax config, right? I remember asking for details etc, and got his denial on share info, so why are we answering this guy? isnt it MUCH MORE SIMPLIER to answer a TECHNICAL question with the background+environment information? I mean… we dont even know which pf version this guy is running....swimming in the dark here...
haha sorry, i'm not very used to asking questions as i can usually find information myself
if anyone still wants info for some reason, it's pfsense 2.2.6-release, no postfix package installed on it (now that i heard about the port forwarding thing i'll use one of our servers), and i still don't know what more info to give :Pi do have issues in general understanding and communicating to people, but at least you guys haven't given up as with many other sites - so that i am grateful for
i'd totally pay for pfsense gold but we use it at work and i'm not in charge of finance/buying stuff -
Well i can't get it to work anyway, it times out when i change the 25 port forward to the postfix server, but i can telnet it no problem.
Thanks for the help still. Not really pfSense related anymore.
edit
yep it's not possible to have a postfix relay server behind pfsense, it times out. been trying for 6 hours. should i file a bug report maybe?
edit
finally managed to get it to work, let's put this to rest. internal postfix server nic did not have a valid gateway, ~15 hours of searching/trying got me "sudo route add -net default gw 192.168.1.1 dev eth1" and it just started working
some config alterations after that and we now have a working spam filter - no thanks to exchange!thanks to everyone that tried to help however, much appreciated!
