Differences between revisions 9 and 10
Revision 9 as of 2007-11-08 17:47:54
Size: 3934
Comment: howto limit spam
Revision 10 as of 2008-01-13 15:07:35
Size: 4273
Comment: using SORBS against spam
Line 1: Line 1:
## Auto-converted by kwiki2moinmoin v2005-10-07
A secure Mail Transfer Agent.
#language en
||<tablestyle="width: 100%;" style="border: 0px hidden">~-[:DebianWiki/EditorGuide#translation:Translation(s)]: none-~||<style="text-align: right;border: 0px hidden"> (!) [:/Discussion:Discussion]||
----
Postfix is a secure Mail Transfer Agent
Line 4: Line 6:
There is a note how to install ["PostfixAndSASL"]. ## If your page gets really long, uncomment this Table of Contents
 [[TableOfContents(2)]]
Line 6: Line 9:
----
## If your page gets really long, uncomment this Table of Contents
||<style="font-size:smaller">'''Table of Contents'''[[TableOfContents(2)]]||

== SPF and dual-homed multiple external ip addresses ==
=== In Brief ===
= SPF and dual-homed multiple external ip addresses =
== In Brief ==
Line 45: Line 44:
=== Explanation === == Explanation ==
Line 58: Line 57:
== Some tips ==
Line 71: Line 71:
__See also: __ == Using SORBS ==
Insert this in your /etc/postfix/main.cf:
{{{
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
}}}
''See more: http://www.us.sorbs.net/mailsystems/postfix2.shtml''

= External links =
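Review bot: in the added "Using SORBS" section, the line smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net is given as something to insert, but it assigns the whole parameter. A reader whose main.cf already sets smtpd_client_restrictions ends up with two assignments, and Postfix keeps only the last one. Suggest wording it as "add reject_rbl_client dnsbl.sorbs.net to your smtpd_client_restrictions list" and saying where in the list it should go.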
Line 74: Line 81:
----
See also: ["PostfixAndSASL"]
 CategoryNetwork

Postfix is a secure Mail Transfer Agent

SPF and dual-homed multiple external ip addresses

In Brief

If you are trying to implement SPF records while binding to one external IP address on a dual-homed system with multiple aliased IP addresses, or have any other reason to support multi-homed systems with multiple IP addresses but want to limit Postfix to using only two of them, try this.

  • /etc/postfix/master.cf

    • Clone the smtp (not smtpd) service. Set the first one to use <spf published ip address>. Rename the second to smtpinternal and have it use <internal ip address>.

 smtp      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=<spf published ip address>
 smtpinternal      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=<internal ip address>
  • /etc/postfix/main.cf

    • Use transport_maps for routing

 transport_maps = hash:/etc/postfix/transport
  • /etc/postfix/transport

    • Map a transport for your internal domain.

 .internal smtpinternal:

Run postmap /etc/postfix/transport, then invoke-rc.d postfix stop and invoke-rc.d postfix start, and you should be in business. Email to <user>@<system>.internal will be delivered via the internal interface/IP address; all other email will be delivered via the default methods, which means Internet mail will go out from the SPF published IP address.

Optional:

  • /etc/postfix/main.cf

    • Use the inet_interfaces setting to only listen on the ip addresses you want to.

       inet_interfaces = 127.0.0.1, <internal ip>, <spf published external ip>

Explanation

I have some systems that are networked on an internal private IP address subnet (192.168.0.0/16). For a few reasons, I email reports and such to <user>@mail.internal, where user is an address that is not valid for receiving mail via the external interfaces. These systems also share a public IP address subnet, so they could email each other that way, but I'd prefer they didn't for local addresses. I have published SPF records for the public mail servers because all of our mail routes through those servers, so if others care to check, they can ignore email claiming to be from us but being delivered from other servers, as per our SPF record.

Recently I have expanded the IP addresses these systems are using externally to support multiple instances of port-based services like https (adding :oddport doesn't impress the customers). I could have expanded or added more liberal SPF record values, or added more forward and reverse DNS records, but I wanted to stick with fewer IP addresses.

So to recap my system has:

  • eth1 <public ip with spf published>

  • eth1:1 <public ip for extra port-based services>

  • eth0 <private ip on>

By using the settings in /etc/postfix/master.cf, /etc/postfix/main.cf and /etc/postfix/transport as outlined above, I was able to get my outgoing SMTP traffic to use my SPF published IP address once again.
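
An added example, not part of the original wiki page: it reads the smtp_bind_address of each master.cf service and evaluates that address against an SPF record, which shows why Internet mail has to leave from the published address. The addresses and the SPF record are constructed (documentation ranges), and only ip4:, ip6: and all terms are evaluated, because a, mx and include need DNS lookups.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data (documentation addresses, not taken from the page).
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"
MASTER_CF = """\
smtp      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=192.0.2.25
smtpinternal      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=192.168.0.5
"""

def bind_addresses(master_cf):
    """Map each master.cf service name to its -o smtp_bind_address value."""
    binds, service = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # a service entry starts in column 1
            service = line.split()[0]
            binds[service] = None        # None: no explicit bind address set
        for word in line.split():        # continuation lines carry the -o options
            if word.startswith("smtp_bind_address="):
                binds[service] = word.split("=", 1)[1]
    return binds

def spf_result(record, source_ip):
    """Evaluate ip4:/ip6:/all terms left to right; the first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() == "all":
            return RESULT[qual]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qual]
    return "neutral"                     # no term matched

def audit(master_cf, record):
    """SPF result each outbound service would get for its bind address."""
    return {svc: (addr, spf_result(record, addr) if addr else "unknown")
            for svc, addr in bind_addresses(master_cf).items()}
```

With this sample, the smtp service passes and a message sent from the extra alias address 192.0.2.26 would fail, which is the situation the smtp_bind_address override prevents.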

How to limit spam

Some tips

Insert this in your /etc/postfix/main.cf:

smtpd_recipient_restrictions = reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        permit

smtpd_helo_restrictions = reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

Using SORBS

Insert this in your /etc/postfix/main.cf:

smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net

See more: http://www.us.sorbs.net/mailsystems/postfix2.shtml
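
An added example, not part of the original wiki page: a model of the lookup behind reject_rbl_client, showing how the client address becomes a DNS name under the list's zone and how the answer decides the outcome. The resolver is a stand-in function and all DNS answers are constructed so the code runs offline; the `only` parameter models Postfix's documented rbl_domain=d.d.d.d form.

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) under the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.rstrip(".")

def rbl_decision(client_ip, zone, resolve, only=None):
    """Model of reject_rbl_client: 'reject' when the name has an A record.

    resolve(name) returns a list of A-record strings ([] for NXDOMAIN).
    only: optional address, modelling the rbl_domain=d.d.d.d form.
    """
    answers = resolve(dnsbl_query_name(client_ip, zone))
    if only is not None:
        answers = [a for a in answers if a == only]
    return "reject" if answers else "continue"

# Constructed DNS data; 127.0.0.2 is the test entry defined in RFC 5782,
# the other answer value is made up for this example.
FAKE_DNS = {
    "2.0.0.127.dnsbl.sorbs.net": ["127.0.0.2"],
    "10.2.0.192.dnsbl.sorbs.net": ["127.0.0.6"],
}

def fake_resolve(name):
    """Stand-in resolver backed by FAKE_DNS."""
    return FAKE_DNS.get(name, [])

def wildcard_resolve(name):
    """Stand-in for a zone that answers every query with the same address."""
    return ["203.0.113.7"]
```

The wildcard case is the failure mode to watch for: without the =d.d.d.d filter, any A record counts as a listing, so a zone that starts answering every query causes all mail to be rejected.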

External links


See also: ["PostfixAndSASL"]