
POSTFIX EMAIL RELAY CONTROL

By Hamisi Malipula (hamisi.malipula@hotmail.com)

Dec, 2011

Contents
1. Introduction
2. Understanding Relaying
3. Selective Relaying
   3.1 Network Based Relaying
   3.2 User Based Relaying

1. Introduction
Relaying is a major problem in any email system. Postfix on Linux comes with strong built-in relay control features, which you can turn on or off as you wish. The most important thing is to know your requirements and be aware of what you are doing. This document explains how to control relaying in the customized email system running MailScanner (www.mailscanner.info) and Dovecot.

2. Understanding Relaying
You have an email system that accepts your clients' emails from within your network and sends them to the outside world. Your server is also capable of receiving emails from the internet (the outside world) and delivering them to local mailboxes for your internal clients to pick up. All is fine and life is good. One day you receive a nasty complaint from an outside organization that your server sent a damaging email to them. You react quickly, and careful analysis (starting from the logs) reveals that someone outside your network has been using your email server to send emails to the outside without your knowledge. The damage has been done. This is what we call an open-relay scenario, and your email server is an open relay host.

Postfix comes with default relay controls. The default rules deny anyone from sending emails outside the network. This brings in another serious problem: your users, including your CEO and other executives, will be unable to send emails to the outside, which is not what they want. Therefore you need to configure your server to do selective relaying: allowing only specific hosts and users to relay via your server and denying everyone else.

Postfix uses configuration parameters to give the SMTP daemon directives on how to deal with different conditions at different stages of email processing. The diagram below shows the different options available for relay control.

3. Selective Relaying
There are two options for allowing relaying. The first is based on the network host that is sending the message: if that host is allowed to relay through your server, the server will relay the message to the outside world regardless of the user who is sending it. This is called network based (or client based) relaying. The other option is to allow relay access per user. This requires a user to authenticate before he or she can relay a message via your server, regardless of where they are or which network they use. The server must be set up to support either or both of these relaying options.

3.1 Network Based Relaying

First, the server must be configured to enable relay controls. This is a one-time configuration. In /etc/postfix/main.cf:

    smtpd_client_restrictions = check_client_access hash:/etc/postfix/maps/client_access, permit
    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
    smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/maps/client_access, permit_sasl_authenticated, reject_unauth_destination
    broken_sasl_auth_clients = yes

Now that you have enabled the server to do selective access to relaying, you can control which subnets/hosts can relay through your server.

In /etc/postfix/maps/client_access:

    196.41.38.250     OK        #Customer 1
    10.0.0.0/24       OK        #Network 1
    192.168.1.0/28    REJECT    #Network 2

In this example, the first line allows the host 196.41.38.250 to relay (OK). The second line allows the entire subnet 10.0.0.0/24 to relay, while the third line rejects relaying from the subnet 192.168.1.0/28. Any client not listed in this file is not allowed to relay; this is the default behaviour. Once you have made those changes, run the following commands as root:

    # postmap /etc/postfix/maps/client_access
    # service MailScanner restart

To make life easier, the configuration and service restart have been simplified with a small shell script and a link to the access file. The tools are located in the /mailtools directory. Contents of /mailtools:

    [root@mail1 mailtools]# ls
    access-file  reload-access

The first file, access-file, is a link to /etc/postfix/maps/client_access. The second, reload-access, is a script that contains the commands to run postmap and reload the service.

To make changes, open access-file in vi, edit the contents and save the file. Then run the reload tool as follows:

    ./reload-access

That's it for network based relaying.

3.2 User Based Relaying

Individual users must authenticate to be able to relay through your server, so the server must be configured to enable SMTP authentication. This is a one-time task. In /etc/postfix/main.cf:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes

Save the file and restart MailScanner. The steps to configure SMTP authentication f
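As an added illustration (not part of the original document), the following Python script walks the smtpd_recipient_restrictions list from section 3.1 in order for a few constructed clients, so you can see which restriction permits or rejects a given relay attempt. It keeps the page's client_access entries exactly as written, plus one constructed dotted-prefix entry: a hash: table matches a client address as a whole or by dotted prefix (e.g. 10.0.0), so the page's network/mask entries only match when placed in a cidr: table. The $mynetworks and $mydestination values are assumed.

```python
import ipaddress

# Constructed copy of the page's client_access map, treated as a hash: table.
# The CIDR keys are left exactly as the page writes them; the last entry is
# an added dotted-prefix key, the form a hash: table actually matches on.
CLIENT_ACCESS = {
    "196.41.38.250": "OK",       # Customer 1
    "10.0.0.0/24": "OK",         # Network 1
    "192.168.1.0/28": "REJECT",  # Network 2
    "172.16.5": "OK",            # constructed: matches 172.16.5.0-255
}
MYNETWORKS = ["127.0.0.0/8"]      # assumed $mynetworks
LOCAL_DOMAINS = {"example.com"}   # assumed $mydestination

def hash_client_lookup(ip, table):
    """Mimic check_client_access against a hash: table for an IPv4 client:
    try the full address, then shorter dotted prefixes
    (10.0.0.5 -> 10.0.0 -> 10.0 -> 10). Hostname lookups are omitted."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key].split()[0]  # first word is the action
    return None

def relay_decision(client_ip, sasl_authenticated, recipient_domain):
    """Walk the page's smtpd_recipient_restrictions in order; the first
    restriction that yields PERMIT or REJECT decides, DUNNO falls through."""
    addr = ipaddress.ip_address(client_ip)
    # 1. permit_mynetworks
    if any(addr in ipaddress.ip_network(n) for n in MYNETWORKS):
        return "PERMIT (permit_mynetworks)"
    # 2. check_client_access hash:/etc/postfix/maps/client_access
    action = hash_client_lookup(client_ip, CLIENT_ACCESS)
    if action == "OK":
        return "PERMIT (client_access OK)"
    if action == "REJECT":
        return "REJECT (client_access REJECT)"
    # 3. permit_sasl_authenticated
    if sasl_authenticated:
        return "PERMIT (permit_sasl_authenticated)"
    # 4. reject_unauth_destination: mail for our own domains passes (DUNNO,
    #    then the implicit permit at the end of the list); anything else is relay
    if recipient_domain in LOCAL_DOMAINS:
        return "PERMIT (local destination)"
    return "REJECT (reject_unauth_destination)"
```

Note that a client from 10.0.0.0/24 is rejected here because the CIDR key never matches in a hash: lookup, whereas a client from the constructed 172.16.5 prefix is permitted.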
