{"id":904,"date":"2020-10-22T14:18:39","date_gmt":"2020-10-22T06:18:39","guid":{"rendered":"https:\/\/www.insecurewire.com\/?p=904"},"modified":"2020-10-22T14:18:39","modified_gmt":"2020-10-22T06:18:39","slug":"setting-up-a-linux-based-postfix-smtp-forwarder","status":"publish","type":"post","link":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/","title":{"rendered":"Setting up a Linux based Postfix SMTP forwarder"},"content":{"rendered":"<p>Recently we migrated to Office 365 and with this started the process of decomissing on premises Microsoft Exchange. Our network infrastructure still required an SMTP server for email alerts. To solve this I created a Postfix SMTP email forwarding server on Ubuntu 20.04.1. On the campus LAN I use a PA-220 firewall with a Internet connection and create a isolated server vlan behind the firewall to host this mail server. This allows for maximum security and control utilising Palo Alto App-ID and vulnerability protection. Any SMTP email messages going across the firewall destined for the ISPs mail server that are malicous will be blocked by the PA. I also dont have to use Office 365 for network management alerts. The incoming mail servers on the O365 service require external ip&#8217;s to be permitted and they are very sensitive to email protection such as SPF. <\/p>\n<p>Here are the steps to create your own Postfix server:<\/p>\n<p>1. Create an Ubuntu 20.04.1 VM and network it. Postfix is lightweight and scales easily. I went with 2vCPU and 4GB of memory. In this example the server has one vnic logically connected to the firewall\/isp segment and one vnic connected to the campus LAN. The routing table is configured within Ubuntu to set the default gateway to be the vnic connected to the firewall and specific routes to the campus core via the LAN vnic.<br \/>\n2. Install the postfix binaries:<br \/>\n<code>sudo apt update<br \/>\nsudo apt upgrade<br \/>\nsudo apt install mailutils<br \/>\nsudo apt install libsasl2-modules<\/code><br \/>\n3. Configure your postfix install. In this example we are setting postfix to forward to our secure upstream ISP SMTP mail server.<br \/>\nsudo nano \/etc\/postfix\/main.cf<br \/>\n<code>smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination<br \/>\nmyhostname = myserver.domain.com<br \/>\nalias_maps = hash:\/etc\/aliases<br \/>\nalias_database = hash:\/etc\/aliases<br \/>\nmyorigin = \/etc\/mailname<br \/>\nmydestination = $myhostname, myserver.domain.com, malfurion, localhost.localdomain, localhost<br \/>\nrelayhost = [mail.isp.server.com]:587<br \/>\nmynetworks = 127.0.0.0\/8 192.168.0.0\/16<br \/>\nmailbox_size_limit = 0<br \/>\nrecipient_delimiter = +<br \/>\ninet_interfaces = all<br \/>\ninet_protocols = all<br \/>\n# enable SASL authentication<br \/>\nsmtp_sasl_auth_enable = yes<br \/>\n# disallow methods that allow anonymous authentication.<br \/>\nsmtp_sasl_security_options = noanonymous<br \/>\n# where to find sasl_passwd<br \/>\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd<\/code><\/p>\n<p>We have configured the postfix instance to accept mail from the &#8216;mynetworks&#8217; variable on port tcp\/25 and forward it to the &#8216;relayhost&#8217; variable which is the upstream ISPs secure SMTP server (on port 587). Because we are using secure smtp we need to set the sasl variables which is basically the username and password to use for each connection to the secure upstream mail server.<\/p>\n<p>4. Configure the sasl password and set the correct permissions:<br \/>\nsudo nano \/etc\/postfix\/sasl_passwd<br \/>\n<code>[mail.isp.server.com]:587 username@domain.com:password<\/code><br \/>\nsudo postmap \/etc\/postfix\/sasl_passwd<br \/>\nsudo chown root:root \/etc\/postfix\/sasl_passwd \/etc\/postfix\/sasl_passwd.db<br \/>\nsudo chmod 0600 \/etc\/postfix\/sasl_passwd \/etc\/postfix\/sasl_passwd.db<br \/>\nsudo service postfix restart<br \/>\nsudo service postfix status<\/p>\n<p>4. Test the postfix configuration:<br \/>\n<code>echo \"Test email fwd\" | mail -s \"Mail fwd from Postfix - your.servers.dns.name\" -a \"From: mailfwd@domain.com\" externalperson@domain2.com<\/code><br \/>\nYou can check the mail queue with the command &#8216;mailq&#8217; or tail the log:<br \/>\n<code>tail -f \/var\/log\/mail.log<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently we migrated to Office 365 and with this started the process of decomissing on premises Microsoft Exchange. Our network infrastructure still required an SMTP&#8230;<\/p>\n","protected":false},"author":2,"featured_media":906,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,33],"tags":[],"class_list":["post-904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-mail"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Setting up a Linux based Postfix SMTP forwarder - Insecure Wire<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Setting up a Linux based Postfix SMTP forwarder - Insecure Wire\" \/>\n<meta property=\"og:description\" content=\"Recently we migrated to Office 365 and with this started the process of decomissing on premises Microsoft Exchange. Our network infrastructure still required an SMTP...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\" \/>\n<meta property=\"og:site_name\" content=\"Insecure Wire\" \/>\n<meta property=\"article:published_time\" content=\"2020-10-22T06:18:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"268\" \/>\n\t<meta property=\"og:image:height\" content=\"188\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"nikonau\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/insecurewire\" \/>\n<meta name=\"twitter:site\" content=\"@insecurewire\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"nikonau\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\"},\"author\":{\"name\":\"nikonau\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d\"},\"headline\":\"Setting up a Linux based Postfix SMTP forwarder\",\"datePublished\":\"2020-10-22T06:18:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\"},\"wordCount\":401,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.insecurewi.re\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg\",\"articleSection\":[\"Linux\",\"Mail\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\",\"url\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\",\"name\":\"Setting up a Linux based Postfix SMTP forwarder - Insecure Wire\",\"isPartOf\":{\"@id\":\"https:\/\/www.insecurewi.re\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg\",\"datePublished\":\"2020-10-22T06:18:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage\",\"url\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg\",\"contentUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg\",\"width\":268,\"height\":188,\"caption\":\"Postfix\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.insecurewi.re\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Setting up a Linux based Postfix SMTP forwarder\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.insecurewi.re\/#website\",\"url\":\"https:\/\/www.insecurewi.re\/\",\"name\":\"Insecure Wire\",\"description\":\"A Network Engineer\u2019s Perspective.\",\"publisher\":{\"@id\":\"https:\/\/www.insecurewi.re\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.insecurewi.re\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.insecurewi.re\/#organization\",\"name\":\"Insecure Wire\",\"url\":\"https:\/\/www.insecurewi.re\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png\",\"contentUrl\":\"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png\",\"width\":32,\"height\":32,\"caption\":\"Insecure Wire\"},\"image\":{\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/insecurewire\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d\",\"name\":\"nikonau\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g\",\"caption\":\"nikonau\"},\"sameAs\":[\"https:\/\/x.com\/https:\/\/twitter.com\/insecurewire\"],\"url\":\"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Setting up a Linux based Postfix SMTP forwarder - Insecure Wire","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/","og_locale":"en_US","og_type":"article","og_title":"Setting up a Linux based Postfix SMTP forwarder - Insecure Wire","og_description":"Recently we migrated to Office 365 and with this started the process of decomissing on premises Microsoft Exchange. Our network infrastructure still required an SMTP...","og_url":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/","og_site_name":"Insecure Wire","article_published_time":"2020-10-22T06:18:39+00:00","og_image":[{"width":268,"height":188,"url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg","type":"image\/jpeg"}],"author":"nikonau","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/insecurewire","twitter_site":"@insecurewire","twitter_misc":{"Written by":"nikonau","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#article","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/"},"author":{"name":"nikonau","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d"},"headline":"Setting up a Linux based Postfix SMTP forwarder","datePublished":"2020-10-22T06:18:39+00:00","mainEntityOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/"},"wordCount":401,"commentCount":0,"publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg","articleSection":["Linux","Mail"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/","url":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/","name":"Setting up a Linux based Postfix SMTP forwarder - Insecure Wire","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg","datePublished":"2020-10-22T06:18:39+00:00","breadcrumb":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#primaryimage","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2020\/10\/download.jpeg","width":268,"height":188,"caption":"Postfix"},{"@type":"BreadcrumbList","@id":"https:\/\/www.insecurewi.re\/index.php\/2020\/10\/22\/setting-up-a-linux-based-postfix-smtp-forwarder\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.insecurewi.re\/"},{"@type":"ListItem","position":2,"name":"Setting up a Linux based Postfix SMTP forwarder"}]},{"@type":"WebSite","@id":"https:\/\/www.insecurewi.re\/#website","url":"https:\/\/www.insecurewi.re\/","name":"Insecure Wire","description":"A Network Engineer\u2019s Perspective.","publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.insecurewi.re\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.insecurewi.re\/#organization","name":"Insecure Wire","url":"https:\/\/www.insecurewi.re\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","width":32,"height":32,"caption":"Insecure Wire"},"image":{"@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/insecurewire"]},{"@type":"Person","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d","name":"nikonau","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","caption":"nikonau"},"sameAs":["https:\/\/x.com\/https:\/\/twitter.com\/insecurewire"],"url":"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/"}]}},"_links":{"self":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/comments?post=904"}],"version-history":[{"count":0,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/904\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media\/906"}],"wp:attachment":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media?parent=904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/categories?post=904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/tags?post=904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}