Wednesday, October 7, 2009

SMTP Gateway for Multiple Domain Email Gateway with Postfix

Contents


Scope / Purpose

This article walks through the setup for a email gateway for multiple domains, rejects unknown email addresses, and uses a script to query valid email addresses via Active Directory.



Overview

This article describes the rationale and the setup of an external email firewall/gateway server with Postfix, a secure, high performance, and easily configurable alternative SMTP server to Sendmail.

The most common reason for this is to improve security (this applies even if you're not running Exchange). Since the email gateway theoretically only exposes its SMTP port, and will not store any emails, so even in the (ideally unlikely) event that it is compromised, any sensitive or valuable data is held elsewhere. The worst that could happen is that the attacker obtains a list of vaild email addresses for your domain(s). It can also be used for offloading services from your main email server, tasks like rejecting and filtering spam, greylisting, scanning viruses, avoiding unnecessary bandwidth, etc.

There are "articles" on the Internet that make references to simplying using the "relayhost = internalsmtp.test.vn" directive. The problem with this setup is that since the external email gateway knows nothing about the internal addresses (even when configured to only accept email to @test.vn), that it has to accept and forward everything and depend on the internal host to handle rejecting and bouncing messages. This might be acceptable, except if/when your domain becomes the target of a flood of spam or viruses to invalid/generated email addresses. Especially since the source and reply-to addresses of these emails are typically spoofed, each message ends up being accepted at the email gateway, forwarded to your internal server, rejected and relayed back to your email gateway, queued by the email gateway for delivery, retried repeatedly until it exceeds the nominal timeout, then bounced back to the email admin account on your internal email server. Lather, rinse and repeat that for every single message and it should be clear why you should never just use the "relayhost" directive to do this.

The "correct(tm)" way to do this, is to set up the email gateway so that it has knowledge of valid email addresses. That way, any address that doesn't exist is immediately rejected before the email gateway even gets to accept the data. This is important enough to worth being redudant. Rejecting unknown addresses not only avoids the whole loop described above, but avoids tying up your bandwidth receiving whatever data that would have been sent.

References / Links

Basically, this article is a restatement of Postfix email firewall/gateway found on Postfix.org's online configuration examples


Configuration

This article will not cover the compiling or installation of Postfix as it's generally available or easily installed for most distributions.


/etc/postfix/main.cf

As the name implies, this is the main configuration file for Postfix. One main attribute with Postfix is that the defaults generally default to something sensible, so that for the most part, outside of the parameters that need to be customized to your setup, they can be completely omitted in main.cf.

Hint: The command below will show the configuration directives that have been altered from default.

 postconf -n

Since this is an email gateway only meant to forward email, disable local mail delivery by (Note: setting a configuration directive to empty disables it):

 mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

Normally, emails that originate from a host will have a from address in the form of username@hostname.test.vn. However, since the email gateway cannot receive mail for local users (as disabled above), you need to set the originating domain to something sensible:

 myorigin = test.vn

mynetworks = define which networks are allowed to relay mail through this host. Although it's meant for internal networks to be able to relay mail without having to authenticate, it can be used (abused) to include external IP addresses or networks. However, the proper solution is to set up your Postfix installation to do SASL authentication:

 mynetworks =
127.0.0.0/8,
192.168.20.0/24

This section below prevents addresses such as usernexame@subdomain.test.vn to match. Explicitly define domains you wish to accept using relay_domains below.

 parent_domain_matches_subdomains =
debug_peer_list,
smtpd_access_maps

relay_domains = define domains for which the email gateway will accept emails.

 relay_domains =
test1.vn,
test2.vn,
subdomain.test.vn

smtpd_recipient_restrictions = controls what the Postfix server will accept during the RCPT TO command.

 smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination

transport_maps = holds the mappings between domains and the SMTP server where the mail gets forwarded. See /etc/postfix/transport for details.

 transport_maps = hash:/etc/postfix/transport

relay_recipient_maps = points to a file that lists all of the email addresses for which the email gateway will accept mail. See /etc/postfix/relay_recipients.

 relay_recipient_maps = hash:/etc/postfix/relay_recipients

show_user_unknown_table_name = controls whether Postfix returns "User unknown in relay recipient table" (default - useful for debugging only) or "User unknown" (when set to no). This configuration directive is only used in conjunction with relay_recipient_maps.

 show_user_unknown_table_name = no

ven though local mail delivery is disabled, the email gateway is still supposed to accept emails to postmaster and abuse. To do so, define a virtual alias map (we'll populate the values later). See /etc/postfix/virtual for details.

 virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/master.cf

This file basically defines services that Postfix will provide. To completely disable local mail delivery, edit /etc/postfix/master.cf and insert a # symbol in front of the local service definition:

 #local     unix  -       n       n       -       -       local

/etc/postfix/virtual

In a typical setup, /etc/aliases is used to forward mail to other account or external addresses. However, since local mail delivery is disabled, modifying /etc/aliases has no effect. This file holds the alias mappings between local addresses and actual email addresses. Note: this is only necessary because there is no local mail delivery, and that some "local" addresses ought to exist for technical correctness.

 postmaster      postmaster@test.vn
abuse abuse@test.vn
root guru@test.vn
Actually, you can use this file for more than local addresses. You can forward emails from ex-users to their new emails addresses, create simple distribution lists, or copy an email to another user, etc.
 virtualuser@test.vn     actualuser@test1.vn
distribution@test.vn user1@test.vn,user2@test.vn,user3@test.vn
ex_user@test2.vn forwarding_address@dom.ain
user@test.vn user@test.vn,spy@test.vn

/etc/postfix/transport

This file defines the relationship between domains and the server(s) where mail is forwarded.

 test1.vn              smtp:insidesmtp.test.vn
test2.vn smtp:insidesmtp.test.vn
subdomain.test.vn smtp:insidesmtp.test.vn

/etc/postfix/relay_recipients

This file folds a complete list of email address for which the email gateway will accept mail. Even though you have to enter the values as a pair (key & value), the second part (the value) doesn't actually matter as long as the email addresses are correct.

 user1@test1.vn OK
user2@test1.vn OK
user1@test2.vn OK
user2@test2.vn OK
user1@subdomain.test.vn OK
user2@subdomain.test.vn OK

Populating relay_recipients from Active Directory

Note that this script requires perl and Net::LDAP(you need install perl-ldap by yum). However, this does NOT have to be on your email gateway.

$VALID = "/etc/postfix/relay_recipients";
$dc1="dc1.test.vn";
$dc2="dc2.test.vn";
$hqbase="cn=Users,dc=test,dc=vn";
$user="cn=user,cn=Users,dc=test,dc=vn";
$passwd="password";
  • Note that if you have email distribution lists that need to be externally accesible, that you will also need the contents of:
$hqbase="ou=Exchange Distribution Lists,dc=test,dc=vn";

Hashing Databases

Postfix uses the db hash format by default. For this setup, we need to create the hashed db files by executing:

postmap hash:/etc/postfix/virtual
postmap hash:/etc/postfix/transport
postmap hash:/etc/postfix/relay_recipients

Note: remember to rerun the above commands every time the contents of those files change.


Restarting Postfix

The preferred way of getting Postfix to reload its configuration files is simply execute:

postfix reload
You can create script run every hours

#!/bin/sh

cd /etc/postfix ; ./getadsmtp.pl && postmap relay_recipients


If You have any problem script perl please send mail to:
conheotiensinh@yahoo.com.

2 comments: