Use Postfix on Bastion-host

From Scalix Wiki

If you want to keep your Scalix server inside your LAN and need an exposed server for incoming mail, here's how to do it with Postfix. Since Scalix uses sendmail by default, this gives you a better chance of surviving a hacked bastion host.

  • Install your bastion host's OS
  • Install Postfix
  • Configure your firewall rules to allow
    • incoming SMTP (TCP port 25) on the external interface
    • outgoing SMTP to host scalix.inside (use the IP of your internal Scalix gateway)

Forwarding to internal server


myorigin = 
mydestination =
transport_maps = hash:/etc/postfix/transport 
local_recipient_maps =
local_transport = error:local mail delivery is disabled

virtual_alias_maps = hash:/etc/postfix/virtual
mynetworks = my-inside-net/24
#relay_domains = $transport_maps
relay_domains =
parent_domain_matches_subdomains =
    debug_peer_list smtpd_access_maps
smtpd_recipient_restrictions =
    permit_mynetworks reject_unauth_destination

relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport

These lines make sure your spam gateway does not add any of its own domain information to the mail headers as the mail passes through.

append_at_myorigin = no

/etc/postfix/transport    smtp:[]

Route mail for "" to the inside gateway machine. The [] forces Postfix to do no MX lookup. Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.
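To check that a bastion main.cf like the one above really has the relay-only properties this setup depends on, here is an added Python example (not from the Scalix wiki or the Postfix project): it parses main.cf, including the indented continuation lines, and flags settings that would turn the host into a local-delivery host, an open relay or a backscatter source. The sample main.cf is constructed, and its network is a placeholder.

```python
# Constructed sample of a bastion main.cf in the style of this page; the
# network is a placeholder, and the indented lines are Postfix continuation lines.
SAMPLE_MAIN_CF = """\
mydestination =
local_transport = error:local mail delivery is disabled
mynetworks = 192.0.2.0/24
relay_domains =
parent_domain_matches_subdomains =
    debug_peer_list smtpd_access_maps
smtpd_recipient_restrictions =
    permit_mynetworks reject_unauth_destination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
append_at_myorigin = no
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the
    previous value, '#' lines are comments, and a later assignment wins."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def bastion_findings(p):
    """Return the settings that break the relay-only bastion role (empty = OK)."""
    out = []
    if p.get("mydestination"):
        out.append("mydestination set: host would accept mail for local delivery")
    if not p.get("local_transport", "").startswith("error:"):
        out.append("local_transport not disabled with an error: transport")
    if "reject_unauth_destination" not in p.get("smtpd_recipient_restrictions", "").replace(",", " ").split():
        out.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    if "relay_recipient_maps" not in p:
        out.append("relay_recipient_maps unset: unknown recipients accepted then bounced (backscatter)")
    if p.get("append_at_myorigin", "yes") != "no":
        out.append("append_at_myorigin should be 'no' on the gateway")
    return out

if __name__ == "__main__":
    print(bastion_findings(parse_main_cf(SAMPLE_MAIN_CF)) or "OK: bastion settings present")
```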


Comment out the local delivery agent

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       n       -       60      1       pickup
cleanup   unix  -       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       nqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
flush     unix  -       -       -       1000?   0       flush
smtp      unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  n       -       -       -       -       error
#local    unix  -       n       n       -       -       local



/etc/postfix/relay_recipients   x   x
. . .

Define the list of valid addresses in the "" domain that can receive mail from the Internet. This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an " x" wild-card in the relay_recipients table. Execute the command "postmap /etc/postfix/relay_recipients" whenever you change the relay_recipients table.

Add ClamAV

  • Install ClamAV and amavisd-new
  • Configure freshclam (i.e. add it to the crontab) so the signatures are updated regularly
  • Add /etc/init/clamd to the services started at boot (rtfm)

Postfix will listen normally on port 25 for incoming mail. Upon reception it forwards the mail to amavisd-new on port 10024. amavisd-new then runs the mail through its different filters before passing it back to Postfix on port 10025, which in turn forwards the mail to the next mail server.


First we have to tell Postfix to listen on port 10025, and we remove most of the restrictions there, as they have already been applied by the Postfix instance listening on port 25. We also make sure that it only accepts local connections on port 10025. To accomplish this, add the following at the end of master.cf:

smtp-amavis     unix -        -       n     -       2  smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
#Equivalently when using lmtp:
#lmtp-amavis    unix -        -       n     -       2  lmtp
#   -o lmtp_data_done_timeout=1200
#   -o lmtp_send_xforward_command=yes
inet n        -       n     -       -  smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=
 -o strict_rfc821_envelopes=yes
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000

#If you want to use proxy filtering instead
#smtp            inet n         -       n      -       8 smtpd
# -o smtpd_proxy_filter=
# -o smtpd_client_connection_count_limit=4
#If you don't want to scan outgoing mail use this
#   inet n         -       n       -      - smtpd
#-o content_filter=

The smtp-amavis line specifies that at most two of these processes may run at any time. If you need more concurrency, tune this number to fit your needs, and remember to match it with $max_servers in amavisd.conf. Keep in mind that amavisd-new is quite memory-intensive; raising the number of amavisd-new processes too high can easily lead to memory starvation and heavy swapping, which drastically reduces performance.

If, for any reason whatsoever, you want to send mail from this box without having it scanned, add another Postfix instance by uncommenting the last two lines and substituting a proper IP address.


Next we need the main postfix instance listening on port 25 to filter the mail through amavisd-new listening on port 10024.

biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000

content_filter = smtp-amavis:[]:10024
#Equivalently when using lmtp:
#content_filter = lmtp-amavis:[]:10024
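An added Python example (not from the wiki, Postfix or the amavisd-new project) that checks the two Postfix halves of this chain together: it parses master.cf with its indented -o overrides, confirms that the service named by main.cf's content_filter exists and does not run more processes than amavisd's $max_servers, and verifies that the port-10025 listener clears content_filter (otherwise returned mail is handed to amavisd again in a loop) and is bound to loopback. The master.cf sample is constructed; its loopback address is an assumption of the sample.

```python
# Constructed master.cf excerpt for this page's amavisd-new chain; binding the
# port-10025 re-injection listener to loopback is this sample's assumption.
SAMPLE_MASTER_CF = """\
smtp        inet  n  -  n  -  -  smtpd
smtp-amavis unix  -  -  n  -  2  smtp
    -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -  n  -  -  smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def parse_master_cf(text):
    """Map service name -> fields; indented '-o name=value' lines override main.cf for that service."""
    services, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and cur is not None:
            flag, _, kv = raw.strip().partition(" ")
            if flag == "-o":
                k, _, v = kv.strip().partition("=")
                cur["options"][k.strip()] = v.strip()
            continue
        f = raw.split()
        cur = {"type": f[1], "maxproc": f[6], "command": f[7], "options": {}}
        services[f[0]] = cur
    return services

def amavis_findings(services, content_filter, max_servers):
    """Check main.cf content_filter -> smtp-amavis -> amavisd -> :10025 -> Postfix."""
    out = []
    name = content_filter.split(":", 1)[0]
    svc = services.get(name)
    if svc is None or svc["type"] != "unix":
        out.append(f"content_filter service '{name}' is not a unix service in master.cf")
    elif svc["maxproc"] not in ("-", "0") and int(svc["maxproc"]) > max_servers:
        out.append(f"{name}: maxproc {svc['maxproc']} exceeds amavisd $max_servers={max_servers}")
    listeners = [n for n in services if n.endswith(":10025")]
    if not listeners:
        out.append("no re-injection listener on port 10025 for mail returning from amavisd")
    for n in listeners:
        if services[n]["options"].get("content_filter") != "":
            out.append(f"{n}: content_filter not cleared, returned mail would loop through amavisd")
        if not n.startswith(("127.", "localhost", "[::1]")):
            out.append(f"{n}: listener is not bound to loopback")
    return out
```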


#(Insert the domains to be scanned)
$mydomain = '';     
#(Bind only to loopback interface)
$inet_socket_bind = '';
#(Forward to Postfix on port 10025)
$forward_method = 'smtp:';
$notify_method = $forward_method;       
#(Define the account to send virus alert emails)
$virus_admin = "virusalert\@$mydomain";
#(Always add spam headers)
$sa_tag_level_deflt  = -100; 
#(Add spam detected header aka X-Spam-Status: Yes)
$sa_tag2_level_deflt = 5; 
#(Trigger evasive action at this spam level)
$sa_kill_level_deflt = $sa_tag2_level_deflt;
#(Do not send delivery status notification to sender.  It does not affect 
# delivery of spam to recipient. To do that, use the kill_level)
$sa_dsn_cutoff_level = 10;
# Don't bounce messages left and right, quarantine instead
$final_virus_destiny      = D_DISCARD;  # (defaults to D_DISCARD)
$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_BOUNCE)

and create the quarantine directory:

mkdir /var/amavis/virusmails
chown amavis:amavis /var/amavis/virusmails
chmod 750 /var/amavis/virusmails

Some more

In some installations there may be separate instances of Postfix processing inbound and outbound mail on a multi-homed firewall. The inbound Postfix instance has an SMTP server listening on the external firewall interface, and the outbound Postfix instance has an SMTP server listening on the internal interface. In such a configuration it is tempting to configure $inet_interfaces in each instance with just the corresponding interface address.

Be aware: don't install the bastion's SSH key (one without a password) as a trusted key on your internal server. If somebody breaks into the bastion, they should still have to break into your Scalix server as well.

If you want your bastion host to receive incoming mail only, with Scalix sending directly (or via an external smart host), change your firewall to deny outgoing mail except from Scalix (be aware that the accept rule must come before the deny rule):

scalix-ip     -> smart-host-NAME   TCP   DestPort 25   ACCEPT (or every destination if not using a smart host)
internal-NET  using DestPort 25                        DENY   (or even better: everything coming in over the internal interface)

In case one of your internal hosts gets infected and turns into a "mail bomber", that host won't be able to send mail out.


Postfix email firewall/gateway: [1]

Gentoo Mailfiltering gateway guide with a lot of more input [2]