Setting up a Postfix Mail Forwarder


If you run a groupware email server on your LAN like Microsoft Exchange, Lotus Notes, or similar, setting up a secure mail forwarder is a good alternative to opening port 25 from the Internet directly to your LAN server. Typically with these servers, you don’t want to put them on a DMZ segment for performance reasons, but you have to let in email from the Internet. Opening a port to these servers, and into your LAN, can be risky.

The combination of Postfix and FreeBSD makes for a secure, low maintenance solution that just might help you sleep better at night.

Example Infrastructure

The following diagram depicts a typical setup of this type. The mail forwarder sits in the DMZ, with the groupware mail server on the LAN. The DNS MX records for your domain(s) point to the mail forwarder. You can set up two identical forwarders, one for a primary MX, and one for a secondary, for redundancy.

Firewall Configuration

The firewall allows TCP 25 (SMTP) inbound to the mail forwarder. The mail forwarder is allowed to talk only to port 25 on the LAN mail server. This way even if the forwarder were to be compromised, its only access to the LAN is port 25 on your mail server. The chances of compromising the mail forwarder and then compromising the LAN through only TCP 25 on the mail server are slim to none. I would configure the firewall so the forwarder cannot talk out to anything but TCP 25 on the mail server, and possibly an NTP server (on the Internet or LAN) to synchronize time. Strictly limiting what outbound access the forwarder is allowed will make an attacker’s job more difficult, as they will usually attempt to download tools, a rootkit, or similar onto a compromised system. You’ll need to permit outbound HTTP (TCP port 80), cvsup (TCP 5999), and DNS (UDP 53) during the initial setup and while performing updates, but should leave them closed during normal operation.

Hardware Requirements

In future articles, I plan to cover adding spam and virus filtering to this basic setup. If you want to simply forward mail without much processing like antivirus or spam protection, a very low power system will work fine. The lowest power system I have running a setup similar to this is a Pentium Pro 200 MHz with 128 MB RAM. It processes over 5,000 messages a day, and the load average stays around 0.05. It has a simple filtering setup, nothing nearly as taxing as any of the common spam filtering and virus scanning packages. The lowest powered setup of this nature I have is a Duron 800 MHz setup with FreeBSD, Postfix and SpamAssassin. It processes about 1500-2000 messages a day, with a typical load average of 0.02.

In short, unless you’re dealing with a huge mail volume, you don’t need a huge machine for this purpose. For most environments, an old Pentium II or III desktop will be more than sufficient, even if you add spam or virus scanning at a later time. You can configure two forwarders for redundancy if you’re worried about potential hardware failure on older equipment. Alternatively, you could use an embedded device like a Soekris 4801 with a small laptop hard drive.

Suggested Minimum Requirements

  1. Pentium processor
  2. 32 MB RAM
  3. 4 GB hard drive (at least 10 GB if you plan on maintaining many log files)

During installation, I would recommend making your /var partition larger than the typical 128-256 MB. The mail logs will be kept there, so if you want to maintain a long history of log files, you’ll want to make this 1 GB or more. It’s not easy to increase this later, so if you have at least a 6 GB hard drive, I would go ahead and make /var 1 GB. You won’t need much on /usr since this system should only be used for mail forwarding purposes.


  1. Functioning FreeBSD (4.x or 5.x) installation with network connectivity.
  2. Network configured similar to what is shown above.
  3. Freshly cvsup’ed copy of ports.


First we’ll install Postfix.

 # cd /usr/ports/mail/postfix
 # make install clean

You’ll be prompted with a configuration options screen. Hit Tab and Enter to accept the default (nothing selected). Postfix will now compile and install.

At the end of the installation, you’ll be prompted for some configuration information.

 You need user "postfix" added to group "mail".
 Would you like me to add it [y]?

Hit Enter to accept the default (yes).

 Would you like to activate Postfix in /etc/mail/mailer.conf [n]? 

Hit y and Enter to replace Sendmail with Postfix.

Towards the end of the installation, you will be provided with some information on disabling Sendmail and setting Postfix to start at boot. We’ll put a symbolic link in /usr/local/etc/rc.d and disable Sendmail in rc.conf.

Edit /etc/rc.conf and change the sendmail_enable line to the following (if this line doesn’t exist, add it anywhere in the file)


Then create the symbolic link so Postfix starts at boot.

 # cd /usr/local/etc/rc.d
 # ln -s /usr/local/sbin/postfix

You also want to disable some Sendmail-specific daily maintenance in /etc/periodic.conf. This file may not exist on your system. If not, just create it. Add the following four lines.

 daily_clean_hoststat_enable="NO"
 daily_status_mail_rejects_enable="NO"
 daily_status_include_submit_mailq="NO"
 daily_submit_queuerun="NO"

Installation is now complete. Time to configure Postfix.


Configuration

Postfix configuration files live in /usr/local/etc/postfix/.

First we’ll edit You’ll need to change four lines

 myhostname = 

Under the commented out example myhostname lines, add a line like above, where is the name of your mail server.

 mydomain = 

Right underneath the example myhostname entries, you’ll find the example mydomain entry. Add a line like above, where is your primary domain.

If you want to accept mail for more than one domain, you’ll need to go down further in the file where you see the example relay_domains entry and enter all the domains for which you wish to accept mail, including the primary domain.

 relay_domains = 

The default $mydestination means it will accept mail to mydomain, as defined above. So if you have only a single domain, you need not define the relay_domains line.

Going down further in the file, find the local_recipient_maps section. Add a line as follows.

 local_recipient_maps = 

This means there are no local recipients (everything is forwarded).

transport Configuration

Next open the file called transport. This file contains only comments in the default installation. Go down to the bottom of the file. You’ll need to enter something like the following, one line per domain.

 smtp:[]
 smtp:[]
 smtp:[]

This means mail to any,, and addresses will be redirected to the SMTP server at, the LAN mail server. You can redirect to a different server IP address for each domain, if need be.

Save and exit that file. Now we have to use postmap to create a lookup table from the transport file. Run the following command to accomplish this.

 # postmap /usr/local/etc/postfix/transport 
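A consistency check for the two files edited above, as an added example that is not part of the original article. Because the MX records for these domains point at the forwarder itself, every relayed domain needs a transport entry whose next hop is in square brackets (the bracket form turns off MX lookups). The domains, the address 192.0.2.10 and the function names are constructed placeholders, and the transport_maps line is the standard Postfix setting that tells main.cf to consult the transport table.

```sh
#!/bin/sh
# Added example, not from the article. Domains and 192.0.2.10 are constructed placeholders.

# Print each domain on a single-line relay_domains setting in main.cf ($1).
relay_domains() {
    sed -n 's/^relay_domains[[:space:]]*=[[:space:]]*//p' "$1" | tr ', ' '\n\n' | sed '/^$/d'
}

# $1 = main.cf, $2 = transport. Prints findings; returns 1 if any were found.
check_forwarder() {
    rc=0
    # Postfix only consults the transport table when transport_maps names it.
    grep -q '^transport_maps[[:space:]]*=' "$1" || { echo "NO_TRANSPORT_MAPS"; rc=1; }
    for d in $(relay_domains "$1"); do
        case $d in \$*) continue ;; esac        # skip $mydestination-style references
        hop=$(awk -v d="$d" '$1 == d { print $2; exit }' "$2")
        case $hop in
            '') echo "MISSING $d"; rc=1 ;;
            smtp:\[*\]|smtp:\[*\]:*) ;;          # bracketed next hop: MX lookup is off
            *) echo "UNBRACKETED $d $hop"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files mirroring the settings described above.
work=$(mktemp -d)
cat > "$work/main.cf" <<'EOF'
myhostname = mail.example.com
mydomain = example.com
relay_domains = example.com, example.net, example.org
local_recipient_maps =
transport_maps = hash:/usr/local/etc/postfix/transport
EOF
cat > "$work/transport.bad" <<'EOF'
example.com   smtp:[192.0.2.10]
example.net   smtp:192.0.2.10
EOF
cat > "$work/transport.good" <<'EOF'
example.com   smtp:[192.0.2.10]
example.net   smtp:[192.0.2.10]
example.org   smtp:[192.0.2.10]
EOF

check_forwarder "$work/main.cf" "$work/transport.bad"  || echo "fix the entries above"
check_forwarder "$work/main.cf" "$work/transport.good" && echo "transport covers every relay domain"
```

The parser reads only a single-line relay_domains setting; continuation lines in main.cf are not followed.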

Now you’re ready to start up Postfix and test your configuration.

Testing the Configuration

First we’ll make sure there are no syntax errors in your configuration files.

 # postfix check 

If it comes back with nothing as shown, your configuration is syntactically correct. If it finds any problems, check that your configuration entries match the above. Now we’ll start Postfix.

 # postfix start
 postfix/postfix-script: starting the Postfix mail system

Now telnet to port 25 on your forwarder. You should be greeted with “220 ESMTP Postfix“. Manually send an email to someone at one of the domains we configured above.

 220 ESMTP Postfix
 helo
 250
 mail
 250 Ok
 rcpt
 250 Ok
 data
 354 End data with .
 hello
 .
 250 Ok: queued as 9B7A94F6454

That will send a message containing “hello” to If everything is set up appropriately, that message will be forwarded to your LAN server and delivered to that user. If that works, your setup should be ready for production.

To view the logs,

 # cat /var/log/maillog 

You’ll see entries like the following for each forwarded message.

 Jan 25 10:19:44 mail postfix/smtp[81162]: 72062EB: to=, relay=[], delay=0, status=sent (">250 2.6.0 <> Queued mail for delivery 
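A way to read those entries in bulk, as an added example that is not part of the original article: it counts postfix/smtp deliveries by status and flags any delivery whose relay is not the LAN mail server, which on a forwarder like this one points to a missing transport entry or to mail being relayed somewhere it should not go. The log lines, queue IDs, addresses and the function name forward_report are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article. Log lines and addresses below are constructed.

# $1 = IP of the LAN mail server, $2 = maillog. Prints one line per unexpected relay,
# then "status count" lines; returns 1 if any delivery went to another relay.
forward_report() {
    awk -v lan="$1" '
        $5 ~ /^postfix\/smtp\[/ && /status=/ {
            relay = status = ""
            qid = $6; sub(/:$/, "", qid)
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^relay=/)  { relay = $i; sub(/^relay=/, "", relay); sub(/,$/, "", relay) }
                if ($i ~ /^status=/) { status = $i; sub(/^status=/, "", status); break }
            }
            count[status]++
            # relay=none means no connection was made; otherwise expect host[LAN IP]
            if (relay != "none" && index(relay, "[" lan "]") == 0) {
                print "UNEXPECTED_RELAY", qid, relay
                bad = 1
            }
        }
        END {
            n = split("sent deferred bounced", order, " ")
            for (i = 1; i <= n; i++) print order[i], count[order[i]] + 0
            exit bad + 0
        }' "$2"
}

# Constructed sample maillog in the format shown above.
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 25 10:19:44 mail postfix/smtp[81162]: 1A2B3C4: to=<alice@example.com>, relay=192.0.2.10[192.0.2.10], delay=0, status=sent (250 2.6.0 Queued mail for delivery)
Jan 25 10:21:02 mail postfix/smtp[81170]: 2B3C4D5: to=<bob@example.net>, relay=192.0.2.10[192.0.2.10], delay=1, status=sent (250 2.6.0 Queued mail for delivery)
Jan 25 10:25:13 mail postfix/smtp[81201]: 3C11D02: to=<carol@example.org>, relay=none, delay=30, status=deferred (connect to 192.0.2.10[192.0.2.10]: Connection refused)
Jan 25 10:40:57 mail postfix/smtp[81244]: 5D20A77: to=<someone@example.invalid>, relay=mx.example.invalid[198.51.100.7], delay=2, status=sent (250 Ok)
Jan 25 10:41:00 mail postfix/qmgr[412]: 5D20A77: removed
EOF

forward_report 192.0.2.10 "$log" || echo "review the flagged deliveries"
```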


After following this guide, you have a solid, secure, reliable mail forwarder in place to protect your more fragile groupware LAN mail server and help keep your network more secure.
