Difference between revisions of "Use Postfix on Bastion-host"
From Scalix Wiki
(init) |
(+ master.cf) |
||
Line 16: | Line 16: | ||
127.0.0.1/8 | 127.0.0.1/8 | ||
− | + | in '''/etc/postfix/transport''' | |
domain.com inside-gateway.domain.com | domain.com inside-gateway.domain.com | ||
+ | |||
+ | in '''/etc/postfix/master.cf''' | ||
+ | #========================================================================== | ||
+ | # service type private unpriv chroot wakeup maxproc command + args | ||
+ | # (yes) (yes) (yes) (never) (50) | ||
+ | #========================================================================== | ||
+ | smtp inet n - - - - smtpd | ||
+ | pickup fifo n n - 60 1 pickup | ||
+ | cleanup unix - - - - 0 cleanup | ||
+ | qmgr fifo n - - 300 1 qmgr | ||
+ | #qmgr fifo n - - 300 1 nqmgr | ||
+ | rewrite unix - - - - - trivial-rewrite | ||
+ | bounce unix - - - - 0 bounce | ||
+ | defer unix - - - - 0 bounce | ||
+ | flush unix - - - 1000? 0 flush | ||
+ | smtp unix - - - - - smtp | ||
+ | showq unix n - - - - showq | ||
+ | error unix n - - - - error | ||
+ | #local unix - n n - - local | ||
Be aware - don't install the bastion's SSH-key (without password) as a trusted key on your internal server | Be aware - don't install the bastion's SSH-key (without password) as a trusted key on your internal server | ||
if somebody breaks the bastion (postfix or other services) he will need to break your scalix as well | if somebody breaks the bastion (postfix or other services) he will need to break your scalix as well |
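Review bot: under the new /etc/postfix/transport heading, the entry "domain.com inside-gateway.domain.com" has no colon. Postfix reads a transport result as transport:nexthop, so the whole right-hand side is taken as a transport name, and the added master.cf block defines no such service. Suggest "domain.com smtp:inside-gateway.domain.com", which uses the "smtp unix" client service the new block enables. In the added master.cf block, leaving "#local" commented out suits a relay-only host; a one-line comment saying so would keep a later editor from re-enabling it.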
Revision as of 20:13, 19 February 2008
If you want to run your Scalix server inside your LAN and need an exposed server for incoming mail, here is how to set one up with Postfix. Because Scalix uses sendmail by default, putting Postfix on the bastion gives you a better chance of surviving a hacked bastion host.
- Install your bastion host's OS
- Install Postfix
- Configure your firewall rules to allow:
  - incoming SMTP (TCP port 25) on the external interface
  - outgoing SMTP to host scalix.inside (use the IP of your internal Scalix gateway)
Forwarding to internal server
Edit /etc/postfix/main.cf to contain the following:

    # replace scalix.inside with the IP of your internal Scalix gateway
    myorigin = $mydomain
    mydestination = $mydomain
    transport_maps = hash:/etc/postfix/transport
    mynetworks = scalix.inside/32, 127.0.0.0/8
In /etc/postfix/transport:

    # result format is transport:nexthop
    domain.com    smtp:inside-gateway.domain.com
In /etc/postfix/master.cf:

    #==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (50)
    #==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    pickup    fifo  n       n       -       60      1       pickup
    cleanup   unix  -       -       -       -       0       cleanup
    qmgr      fifo  n       -       -       300     1       qmgr
    #qmgr     fifo  n       -       -       300     1       nqmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    flush     unix  -       -       -       1000?   0       flush
    smtp      unix  -       -       -       -       -       smtp
    showq     unix  n       -       -       -       -       showq
    error     unix  n       -       -       -       -       error
    #local    unix  -       n       n       -       -       local
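A consistency check for the master.cf and transport files above, as an added example that is not part of the wiki page: it flags network listeners other than smtpd, enabled mailbox delivery agents, services opted out of the chroot, and transport results whose transport name is not a service enabled in master.cf. The function names and sample files are constructed for illustration; the script only reads the files it is given and never calls Postfix.

```shell
#!/bin/sh
# Added example, not from the wiki page: offline audit of a bastion relay's
# master.cf and transport table. It only reads the two files it is given.

# Enabled master.cf entries as "service type chroot command".
master_services() {
    awk '/^[^# \t]/ && NF >= 8 { print $1, $2, $5, $8 }' "$1"
}

# usage: audit_bastion MASTER_CF TRANSPORT ; returns 1 if any FAIL is printed
audit_bastion() {
    services=$(master_services "$1")
    status=0
    # The only network listener a relay-only bastion needs is smtpd.
    echo "$services" | awk '$2 == "inet" && $4 != "smtpd" {
        print "FAIL network listener runs " $4; bad = 1 } END { exit bad }' || status=1
    # Mailbox delivery agents have no job on a host that only forwards.
    echo "$services" | awk '$4 == "local" || $4 == "virtual" || $4 == "pipe" {
        print "FAIL delivery agent enabled: " $1; bad = 1 } END { exit bad }' || status=1
    # "-" in the chroot column means the default (yes); "n" opts out.
    echo "$services" | awk '$3 == "n" { print "WARN " $1 " runs outside the chroot" }'
    # A transport result is transport:nexthop; the text before the first colon
    # must name a service enabled in master.cf (empty means the default).
    echo "$services" | awk -v map="$2" '
        { known[$1] = 1 }
        END {
            while ((getline line < map) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f, /[ \t]+/); t = f[2]; sub(/:.*/, "", t)
                if (t != "" && !(t in known)) {
                    print "FAIL " f[1] ": transport \"" t "\" is not in master.cf"; bad = 1 }
            }
            exit bad
        }' || status=1
    return $status
}

# Constructed sample input: a subset of the services above, two transport forms.
demo=$(mktemp -d)
printf '%s\n' 'smtp inet n - - - - smtpd' 'smtp unix - - - - - smtp' \
    'error unix n - - - - error' '#local unix - n n - - local' > "$demo/master.cf"
echo 'domain.com inside-gateway.domain.com' > "$demo/transport.bare"
echo 'domain.com smtp:inside-gateway.domain.com' > "$demo/transport.ok"
audit_bastion "$demo/master.cf" "$demo/transport.bare" || echo "bare hostname rejected"
audit_bastion "$demo/master.cf" "$demo/transport.ok" && echo "transport:nexthop accepted"
rm -rf "$demo"
```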
Be aware: don't install the bastion's SSH key (without a password) as a trusted key on your internal server. That way, if somebody breaks the bastion (Postfix or other services), he will still need to break your Scalix server as well.