Postfix forwarder - quick start guide



    The postfix forwarder package is very powerful and a great addition to pfSense.  For my money [1] and needs it is easily the most useful package.

    There have been a lot of questions about the package in this forum and a few requests for some sort of quick configuration overview.  I know I could have used one at the start.

    This is my attempt at a quick start guide.


    Postfix General Settings Section

    Enable postfix.
    Don't do this until you have finished the configuration and set up your NAT and firewall rules (at the end of this guide).

    Listen Protocol
    Stick with the default IPv4 unless you have a need.

    Listen on
    Choose "loopback".  This will be explained later.



    Domains to Forward Section

    Enter the domain name (not the host name) for which postfix will be handling email traffic.  Next to that enter the IP address of the back-end (real) mail server that postfix will pass the connection to when it is satisfied that the sender is not a spammer.  The back-end server is probably the mail server you are currently using.

    You can specify a number of domains that are handled by the same or different back-end mail servers. You can't have the same domain handled by multiple mail servers.



    Just my settings here. YMMV.

    Postfix Antispam Settings Section

    Header verification
    Select strong

    Helo hostname

    Zombie Blocker
    Enabled with enforce

    After greeting tests
    Select all (Ctrl click)

    Soft Bounce
    Choose the default of "Enabled only in postscreen"

    Anvil Daemon
    Choose "Enabled only when using postscreen" but read the note about relaying from your internal clients.

    SPF lookup
    I have this set to "Do not check SPF records".

    Third part(y) Antispam Settings Section

    Use third part(y) antispam
    Not checked in my configuration. The postfix package is doing a great job of keeping out the spammers anyway.


    To get started that's about all you need to configure in the postfix GUI.  Now set up your NAT.

    NAT and filter rule

    Create a NAT to forward connections with destination WAN address and a destination port 25, to a target IP of and a target port 25.  Have an associated firewall filter rule created automatically.

    SAVE and apply changes.

    Now disable the NAT and firewall rule you probably have for your current mail server. (Recommend that you don't delete until you have postfix working.)

    SAVE and apply changes.

    Back to the postfix GUI and enable postfix.


    Serving suggestion:

    When postfix receives a first connection from a "client" mail server it stores, among other things, the IP address of that mail server.  That first connection, based on the settings above, will be softly rejected ("Service currently unavailable" in the postfix logs).  Spambots rarely come back but real mail servers will try again later.  If they do, the IP address will be recognized and the connection accepted.  However, the IP address is only retained for one day by default.

    I have an entry in the custom options, on the General tab, that says "postscreen_cache_retention = 35d".  This keeps addresses for 35 days.  I use this because I want things like infrequent but friendly emailers (monthly newsletters or pfsense mailing list membership reminders) to be accepted first time, rather than soft rejected.

    Note 1.

    If the package benefits you as much as it does me, consider making a donation to the package developer so that he can continue to enhance and develop this and other great packages for pfSense.

    Please feel free to reply with comments, criticisms and additional information.
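    The "serving suggestion" above describes postscreen's behaviour: a first-time client is soft-rejected with "Service currently unavailable", and only a client that comes back is cached and passed.  The following is an added example (not part of the original post or the pfSense package) that walks a few constructed postscreen log lines and reports, per client IP, whether it retried and was passed or was soft-rejected and never seen again, which is the quickest way to spot a friendly sender that is being held up by the greeting test.  The log line shapes are the ones postscreen writes; the sample addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample postscreen log (not from the original post).  The
# "450 4.3.2 Service currently unavailable" reject and the PASS NEW / PASS OLD
# events are the messages postscreen logs around its after-greeting tests.
SAMPLE_LOG = """\
Mar  1 08:00:01 fw postfix/postscreen[4321]: CONNECT from [203.0.113.10]:40001 to [198.51.100.1]:25
Mar  1 08:00:04 fw postfix/postscreen[4321]: NOQUEUE: reject: RCPT from [203.0.113.10]:40001: 450 4.3.2 Service currently unavailable; from=<list@example.net>, to=<me@example.com>, proto=ESMTP, helo=<mail.example.net>
Mar  1 08:00:04 fw postfix/postscreen[4321]: DISCONNECT [203.0.113.10]:40001
Mar  1 08:00:07 fw postfix/postscreen[4321]: CONNECT from [192.0.2.77]:51000 to [198.51.100.1]:25
Mar  1 08:00:09 fw postfix/postscreen[4321]: NOQUEUE: reject: RCPT from [192.0.2.77]:51000: 450 4.3.2 Service currently unavailable; from=<x@example.org>, to=<me@example.com>, proto=ESMTP, helo=<pc77>
Mar  1 08:00:09 fw postfix/postscreen[4321]: DISCONNECT [192.0.2.77]:51000
Mar  1 08:15:30 fw postfix/postscreen[4321]: CONNECT from [203.0.113.10]:40002 to [198.51.100.1]:25
Mar  1 08:15:30 fw postfix/postscreen[4321]: PASS NEW [203.0.113.10]:40002
Mar  1 09:00:00 fw postfix/postscreen[4321]: CONNECT from [203.0.113.10]:40003 to [198.51.100.1]:25
Mar  1 09:00:00 fw postfix/postscreen[4321]: PASS OLD [203.0.113.10]:40003
"""

# A 450 reply from postscreen is the soft reject the guide talks about.
SOFT_REJECT = re.compile(r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[([\d.]+)\]:\d+: 450 ")
# PASS NEW = client just completed the tests; PASS OLD = client found in the cache.
PASS_EVENT = re.compile(r"postscreen\[\d+\]: PASS (NEW|OLD) \[([\d.]+)\]:\d+")


def classify_clients(log_text):
    """Return {client_ip: {"soft_rejects", "pass_new", "pass_old", "verdict"}}."""
    counts = defaultdict(lambda: {"soft_rejects": 0, "pass_new": 0, "pass_old": 0})
    for line in log_text.splitlines():
        m = SOFT_REJECT.search(line)
        if m:
            counts[m.group(1)]["soft_rejects"] += 1
            continue
        m = PASS_EVENT.search(line)
        if m:
            counts[m.group(2)]["pass_" + m.group(1).lower()] += 1
    for c in counts.values():
        if c["pass_new"] or c["pass_old"]:
            # Came back after the soft reject and is now in the postscreen cache.
            c["verdict"] = "retried and cached as a good client"
        else:
            # Never retried: typical of a spambot, but check for a friendly sender.
            c["verdict"] = "soft-rejected and never returned"
    return dict(counts)


if __name__ == "__main__":
    for ip, info in classify_clients(SAMPLE_LOG).items():
        print(ip, info["verdict"], info)
```

Run it against your real postscreen log (for example the mail log exported from the pfSense status page) to see which senders are still stuck at the soft reject; a regular sender stuck there is the case the longer postscreen_cache_retention above is meant to avoid.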


    Create an account on your Active Directory to fetch valid email addresses.
    Hostname your_dc.your_domain
    Domain dc=your,dc=domain
    Username cn=antispam_user,cn=Users
    Password ******* :D

    To install p5-perl-ldap you can follow these steps

    setenv PACKAGEROOT ""
    setenv PACKAGESITE ""
    pkg_add -r p5-perl-ldap


    If you do not have clients that relay emails through this server, deny any email that pretends to be you


    /^(From|Return-Path):(.*@your_domain_here)/ REJECT forged sender $1: header: $2 [SN001]


    /your_domain_here/ REJECT [HELO01]


    @your_domain_here REJECT

  • /your_domain_here/ REJECT [HELO01]


    Would it be sensible to add this as well?

    / REJECT [HELO02]
