Use Postfix on Bastion-host
If you want to use your scalix-server in your LAN and need an exposed server for incomming mail here's how to make it with Postfix. As the default scalix uses sendmail this gives you a better chance to survive a hacked bastion-host
- Install your bastion-host's OS
- Install postfix
- config your firewall-rules to allow
- incomming SMTP (TCP: Port 25) on external interface
- outgoing SMTP to host:scalix.inside (Use the IP of your internal scalix-gateway)
Forwarding to internal server
myorigin = example.com mydestination = example.com transport_maps = hash:/etc/postfix/transport local_recipient_maps = local_transport = error:local mail delivery is disabled virtual_alias_maps = hash:/etc/postfix/virtual mynetworks = 127.0.0.0/8 my-inside-net/24 #relay_domains = $transport_maps relay_domains = example.com parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination relay_recipient_maps = hash:/etc/postfix/relay_recipients transport_maps = hash:/etc/postfix/transport
These lines will make sure your Spam Gateway does not add any of its own header domain info to the mail as it passes thru.
append_at_myorigin = no
Route mail for "example.com" to the inside gateway machine. The  forces Postfix to do no MX lookup. Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.
Comment out the local delivery agent
#========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (50) #========================================================================== smtp inet n - - - - smtpd pickup fifo n n - 60 1 pickup cleanup unix - - - - 0 cleanup qmgr fifo n - - 300 1 qmgr #qmgr fifo n - - 300 1 nqmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce flush unix - - - 1000? 0 flush smtp unix - - - - - smtp showq unix n - - - - showq error unix n - - - - error #local unix - n n - - local
postmaster firstname.lastname@example.org abuse email@example.com
firstname.lastname@example.org x email@example.com x . . .
Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet. This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table. Execute the command "postmap /etc/postfix/relay_recipients" whenever you change the relay_recipients table.
install clamav and Amavisd-new configure freshclam (i.e. add to crontab) to update regulary add /etc/init/clamd to auto run (rtfm) Postfix will listen normally on port 25 for incoming mail. Upon reception it will forward it to Amavisd-new on port 10024. Amavisd-new will then filter the mail through different filters before passing the mail back to Postfix on port 10025 which in turn will forward the mail to the next mail server.
First we have to tell postfix to listen on port 10025 and we remove most of the restrictions as they have already been applied by the postfix instance listening on port 25. Also we ensure that it will only listen for local connections on port 10025. To accomplish this we have to add the following at the end
smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes #Equivalently when using lmtp: #lmtp-amavis unix - - n - 2 lmtp # -o lmtp_data_done_timeout=1200 # -o lmtp_send_xforward_command=yes 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 #If you want to use proxy filtering instead #smtp inet n - n - 8 smtpd # -o smtpd_proxy_filter=127.0.0.1:10024 # -o smtpd_client_connection_count_limit=4 #If you don't want to scan outgoing mail use this #10.0.0.2:smtp inet n - n - - smtpd #-o content_filter=
The smtp-amavis line specifies that a maximum of two of these processes may run at any time. If you need a greater degree of concurrency tune this number to fit your needs. Remember that to match the number with $max_servers in amavisd.conf. Keep in mind that amavisd-new is quite memory-intensive and raising the amount of amavisd-new processes too high can easily lead to memory starvation and heavy swapping, which leads to drastically reduced performance.
If you, for any reason whatsoever, want to send mail from this box and don't want it scanned, add another postfix instance by uncommenting the last two lines and substitute with a proper IP.
Next we need the main postfix instance listening on port 25 to filter the mail through amavisd-new listening on port 10024.
biff = no empty_address_recipient = MAILER-DAEMON queue_minfree = 120000000 content_filter = smtp-amavis:[127.0.0.1]:10024 #Equivalently when using lmtp: #content_filter = lmtp-amavis:[127.0.0.1]:10024
#(Insert the domains to be scanned) $mydomain = 'example.com'; #(Bind only to loopback interface) $inet_socket_bind = '127.0.0.1'; #(Forward to Postfix on port 10025) $forward_method = 'smtp:127.0.0.1:10025'; $notify_method = $forward_method; #(Define the account to send virus alert emails) $virus_admin = "virusalert\@$mydomain"; #(Always add spam headers) $sa_tag_level_deflt = -100; #(Add spam detected header aka X-Spam-Status: Yes) $sa_tag2_level_deflt = 5; #(Trigger evasive action at this spam level) $sa_kill_level_deflt = $sa_tag2_level_deflt; #(Do not send delivery status notification to sender. It does not affect # delivery of spam to recipient. To do that, use the kill_level) $sa_dsn_cutoff_level = 10; # Don't bounce messages left and right, quarantine instead $final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD) $final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE) $final_spam_destiny = D_DISCARD; # (defaults to D_BOUNCE)
and create a quarantine-directory
mkdir /var/amavis/virusmails chown amavis:amavis /var/amavis/virusmails chmod 750 /var/amavis/virusmails
In some installations, there may be separate instances of Postfix processing inbound and outbound mail on a multi-homed firewall. The inbound Postfix instance has an SMTP server listening on the external firewall interface, and the outbound Postfix instance has an SMTP server listening on the internal interface. In such a configuration is it is tempting to configure $inet_interfaces in each instance with just the corresponding interface address.
Be aware - don't install the bastion's SSH-key (without password) as a trusted key on your internal server. If somebody breaks the bastion - he will need to break your scalix as well
If you want you bastion-host to receive incomming mails only and your scalix sending directly (or using external smart-host) change your firewall to deny outgoing mail exept scalix (be aware - accept should be before deny):
scalix-ip -> smart-host-NAME TCP DestPort 25 ACCEPT (or every destination if not using smart-host) internal-NET using DestPort 25 Deny (or even better - everything comming in over internal interface)
In case one of your internal hosts gets infected as a "mail-bomber" - that host won't be able to send ...
Postfix email firewall/gateway: 
Gentoo Mailfiltering gateway guide with a lot of more input