Recently we migrated to Office 365 and with this started the process of decomissing on premises Microsoft Exchange. Our network infrastructure still required an SMTP server for email alerts. To solve this I created a Postfix SMTP email forwarding server on Ubuntu 20.04.1. On the campus LAN I use a PA-220 firewall with a Internet connection and create a isolated server vlan behind the firewall to host this mail server. This allows for maximum security and control utilising Palo Alto App-ID and vulnerability protection. Any SMTP email messages going across the firewall destined for the ISPs mail server that are malicous will be blocked by the PA. I also dont have to use Office 365 for network management alerts. The incoming mail servers on the O365 service require external ip’s to be permitted and they are very sensitive to email protection such as SPF.
Here are the steps to create your own Postfix server:
1. Create an Ubuntu 20.04.1 VM and network it. Postfix is lightweight and scales easily. I went with 2vCPU and 4GB of memory. In this example the server has one vnic logically connected to the firewall/isp segment and one vnic connected to the campus LAN. The routing table is configured within Ubuntu to set the default gateway to be the vnic connected to the firewall and specific routes to the campus core via the LAN vnic.
2. Install the postfix binaries:
sudo apt update
sudo apt upgrade
sudo apt install mailutils
sudo apt install libsasl2-modules
3. Configure your postfix install. In this example we are setting postfix to forward to our secure upstream ISP SMTP mail server.
sudo nano /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = myserver.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, myserver.domain.com, malfurion, localhost.localdomain, localhost
relayhost = [mail.isp.server.com]:587
mynetworks = 127.0.0.0/8 192.168.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
We have configured the postfix instance to accept mail from the ‘mynetworks’ variable on port tcp/25 and forward it to the ‘relayhost’ variable which is the upstream ISPs secure SMTP server (on port 587). Because we are using secure smtp we need to set the sasl variables which is basically the username and password to use for each connection to the secure upstream mail server.
4. Configure the sasl password and set the correct permissions:
sudo nano /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo service postfix restart
sudo service postfix status
4. Test the postfix configuration:
echo "Test email fwd" | mail -s "Mail fwd from Postfix - your.servers.dns.name" -a "From: email@example.com" firstname.lastname@example.org
You can check the mail queue with the command ‘mailq’ or tail the log:
tail -f /var/log/mail.log