Use Postfix on Bastion-host
From Scalix Wiki
If you want to run your Scalix server inside your LAN and need an exposed server for incoming mail, here is how to set that up with Postfix. Because Scalix uses sendmail by default, this gives you a better chance of surviving a hacked bastion host.
- Install your bastion-host's OS
- Install postfix
- Configure your firewall rules to allow
  - incoming SMTP (TCP port 25) on the external interface
  - outgoing SMTP to host scalix.inside (use the IP of your internal Scalix gateway)
Forwarding to internal server
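Edit /etc/postfix/main.cf to contain the following:
# Mail for $mydomain is accepted here and handed on via the transport map
myorigin = $mydomain
mydestination = $mydomain
transport_maps = hash:/etc/postfix/transport
# Trusted clients: the internal Scalix gateway (replace scalix.inside with its IP) and loopback
mynetworks = scalix.inside/32, 127.0.0.0/8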
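In /etc/postfix/transport:
# Format: domain transport:nexthop ([] skips the MX lookup); run postmap /etc/postfix/transport after editing
domain.com    smtp:[inside-gateway.domain.com]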
In /etc/postfix/master.cf:
#==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
#==========================================================================
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       n       -       60      1       pickup
cleanup   unix  -       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       nqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
flush     unix  -       -       -       1000?   0       flush
smtp      unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  n       -       -       -       -       error
#local    unix  -       n       n       -       -       local
Be aware: do not install the bastion's SSH key (without password) as a trusted key on your internal server. That way, if somebody breaks into the bastion (through Postfix or other services), he will still need to break into your Scalix server as well.
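A small lint for the main.cf and transport settings above, as an added example that is not part of the original wiki page: it flags mynetworks entries that are not clean IP networks or that trust more than a single non-loopback host, and transport results without the transport:nexthop separator. The function names, the max_hosts threshold and the sample values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample settings with deliberate mistakes; 192.0.2.10 is a
# documentation address standing in for the internal Scalix gateway.
MAIN_CF = """\
transport_maps = hash:/etc/postfix/transport
mynetworks = 192.0.2.10/32, 127.0.0.1/8,
    10.0.0.0/8
"""
TRANSPORT = """\
domain.com      inside-gateway.domain.com
example.org     smtp:[192.0.2.10]
"""

def parse_main_cf(text):
    """Return {parameter: value}; skips comments, joins continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:   # leading whitespace continues a value
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def check_mynetworks(value, max_hosts=1):
    """Flag entries that are not clean networks or trust more than max_hosts."""
    findings = []
    for entry in value.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            findings.append((entry, "host bits set or not an IP network"))
            continue
        if not net.is_loopback and net.num_addresses > max_hosts:
            findings.append((entry, f"trusts {net.num_addresses} addresses"))
    return findings

def check_transport(text):
    """Flag map results that lack the transport:nexthop separator."""
    rows = (l.split(None, 1) for l in text.splitlines() if not l.startswith("#"))
    return [(r[0], r[1].strip()) for r in rows if len(r) == 2 and ":" not in r[1]]

if __name__ == "__main__":
    print(check_mynetworks(parse_main_cf(MAIN_CF)["mynetworks"]))
    print(check_transport(TRANSPORT))
```

Run against the literal placeholder scalix.inside/32, check_mynetworks reports it as not being an IP network, which is the reminder to substitute the gateway's address.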