If you run a groupware email server on your LAN like Microsoft Exchange, Lotus Notes, or similar, setting up a secure mail forwarder is a good alternative to opening port 25 from the Internet directly to your LAN server. Typically with these servers, you don’t want to put them on a DMZ segment for performance reasons, but you have to let in email from the Internet. Opening a port to these servers, and into your LAN, can be risky.
The combination of Postfix and FreeBSD makes for a secure, low maintenance solution that just might help you sleep better at night.
The following diagram depicts a typical setup of this type. The mail forwarder sits in the DMZ, with the groupware mail server on the LAN. The DNS MX records for your domain(s) point to the mail forwarder. You can set up two identical forwarders, one for a primary MX, and one for a secondary, for redundancy.
The firewall allows TCP 25 (SMTP) inbound to the mail forwarder. The mail forwarder is allowed to talk only to port 25 on the LAN mail server. This way even if the forwarder were to be compromised, its only access to the LAN is port 25 on your mail server. The chances of compromising the mail forwarder and then compromising the LAN through only TCP 25 on the mail server are slim. I would configure the firewall so the forwarder cannot talk out to anything but TCP 25 on the mail server, and possibly an NTP server (on the Internet or LAN) to synchronize time. Strictly limiting the forwarder's outbound access makes an attacker's job more difficult, since they will usually try to download tools, a rootkit, or similar onto a compromised system. You'll need to permit outbound HTTP (TCP 80), cvsup (TCP 5999), and DNS (UDP 53) during the initial setup and while performing updates, but leave them closed during normal operation. Delivery does not depend on DNS, because the transport table below names the LAN server by IP address in brackets (which also tells Postfix not to look up MX records); if you block DNS, have the firewall reject those packets rather than silently drop them, so that the reverse lookups smtpd does on connecting clients fail quickly instead of timing out on every connection.
In future articles, I plan to cover adding spam and virus filtering to this basic setup. If you want to simply forward mail without much processing like antivirus or spam protection, a very low-power system will work fine. The lowest-powered system I have running a setup similar to this is a Pentium Pro 200 MHz with 128 MB RAM. It processes over 5,000 messages a day, and the load average stays around 0.05. It has a simple filtering setup, nothing nearly as taxing as any of the common spam filtering and virus scanning packages. The lowest-powered system I have running spam filtering as well is a Duron 800 MHz with FreeBSD, Postfix and SpamAssassin. It processes about 1500-2000 messages a day, with a typical load average of 0.02.
In short, unless you’re dealing with a huge mail volume, you don’t need a huge machine for this purpose. For most environments, an old Pentium II or III desktop will be more than sufficient, even if you add spam or virus scanning at a later time. You can configure two forwarders for redundancy if you’re worried about potential hardware failure on older equipment. Alternatively, you could use an embedded device like a Soekris 4801 with a small laptop hard drive.
Suggested Minimum Requirements
- Pentium processor
- 32 MB RAM
- 4 GB hard drive (at least 10 GB if you plan on maintaining many log files)
During installation, I would recommend making your /var partition larger than the typical 128-256 MB. The mail logs will be kept there, so if you want to maintain a long history of log files, you’ll want to make this 1 GB or more. It’s not easy to increase this later, so if you have at least a 6 GB hard drive, I would go ahead and make /var 1 GB. You won’t need much on /usr since this system should only be used for mail forwarding purposes.
- Functioning FreeBSD (4.x or 5.x) installation with network connectivity.
- Network configured similar to what is shown above.
- Freshly cvsup’ed copy of ports.
First we’ll install Postfix.
# cd /usr/ports/mail/postfix
# make install clean
You’ll be prompted with a configuration options screen. Hit Tab and Enter to accept the default (nothing selected). Postfix will now compile and install.
At the end of the installation, you’ll be prompted for some configuration information.
You need user "postfix" added to group "mail". Would you like me to add it [y]?
Hit Enter to accept the default (yes).
Would you like to activate Postfix in /etc/mail/mailer.conf [n]?
Hit y and Enter to replace Sendmail with Postfix.
Towards the end of the installation, you will be provided with some information on disabling Sendmail and setting Postfix to start at boot. We’ll put a symbolic link in /usr/local/etc/rc.d and disable Sendmail in rc.conf.
Edit /etc/rc.conf and set the sendmail_enable line to the following (if this line doesn't exist, add it anywhere in the file):

sendmail_enable="NO"

Depending on your FreeBSD version, the rc script may still start Sendmail's submission and queue-runner instances with that setting alone; if `ps` shows a sendmail process after the next boot, also set sendmail_submit_enable, sendmail_outbound_enable and sendmail_msp_queue_enable to "NO".
Then create the symbolic link so Postfix starts at boot.
# cd /usr/local/etc/rc.d
# ln -s /usr/local/sbin/postfix postfix.sh
You also want to disable some Sendmail-specific daily maintenance in /etc/periodic.conf. This file may not exist on your system. If not, just create it. Add the following four lines.
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Installation is now complete. Time to configure Postfix.
Postfix configuration files live in /usr/local/etc/postfix/.
First we’ll edit main.cf. You’ll need to change four lines
myhostname = mail.example.com
Under the commented-out example myhostname lines, add a line like the above, where mail.example.com is the name of your mail forwarder.
mydomain = example.com
Right underneath the example myhostname entries, you’ll find the example mydomain entry. Add a line like above, where example.com is your primary domain.
If you want to accept mail for more than one domain, you'll need to go down further in the file where you see the example relay_domains entry and enter all the domains for which you wish to accept mail, including the primary domain.
relay_domains = example.com example.org example.net
Define relay_domains even if you have only a single domain. By default relay_domains is $mydestination, and the default $mydestination is only the host itself ($myhostname, localhost.$mydomain, localhost); it does not include $mydomain, so with the defaults mail for user@example.com arriving from the Internet would be refused with "Relay access denied". Keep $mydestination at its default; a domain should be listed in relay_domains or in mydestination, never in both.
Going down further in the file, find the local_recipient_maps section. Add a line as follows:

local_recipient_maps =

This means there are no local recipients (everything is forwarded). It also means the forwarder accepts mail for any address in the relayed domains and only learns from the LAN server whether the user exists. By then the forwarder has already accepted the message, so it is the forwarder that generates the non-delivery bounce, and for forged sender addresses that bounce is backscatter. Postfix's relay_recipient_maps parameter addresses this: a lookup table of the valid addresses in the relayed domains, checked at RCPT TO time, so unknown users are refused before the message is accepted. It is optional for a first setup but worth adding once you can export the recipient list from the groupware server.
Next open the file called transport. This file contains only comments in the default installation. Go down to the bottom of the file. You'll need to enter something like the following, one line per domain.
example.com     smtp:[10.0.0.2]
example.net     smtp:[10.0.0.2]
example.org     smtp:[10.0.0.2]
This means mail to any @example.com, @example.net, and @example.org addresses will be redirected to the SMTP server at 10.0.0.2, the LAN mail server. You can redirect to a different server IP address for each domain, if need be.
Save and exit that file. Postfix only consults this table if main.cf tells it to, so also make sure main.cf contains transport_maps = hash:/usr/local/etc/postfix/transport (the sample main.cf ships with that line commented out). Now we have to use postmap to create a lookup table from the transport file. Run the following command to accomplish this.
# postmap /usr/local/etc/postfix/transport
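The forwarder-relevant main.cf settings from the steps above, collected in one place, as an added example rather than the article's own listing. The host and domain names are the article's placeholders; relay_recipient_maps and the explicit mynetworks and smtpd_recipient_restrictions lines go beyond what the article configures and are explained in the comments.

```conf
# /usr/local/etc/postfix/main.cf (added example; names are placeholders)
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain

# Nothing is delivered locally: keep mydestination to the host itself and
# declare that there are no local recipients.
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps =

# Domains accepted from the Internet and handed to the LAN server.
relay_domains = example.com example.org example.net

# Recommended addition: valid recipients in those domains (one address per
# line, "alice@example.com x", then "postmap relay_recipients"), so unknown
# users are refused at RCPT TO instead of being accepted and bounced.
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients

# Where each relayed domain goes: the transport file postmap'ed above.
transport_maps = hash:/usr/local/etc/postfix/transport

# Only the forwarder itself may relay anywhere. The default mynetworks is the
# whole subnet the box sits on, which in a DMZ would let other DMZ hosts relay
# through it; restricting it to loopback closes that. The restriction list is
# Postfix's default, stated explicitly so nobody weakens it by accident.
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
```

After editing, run `postfix check` and then `postfix reload` (or `postfix start` the first time) as described below.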
Now you're ready to start up Postfix and test your configuration.
Testing the Configuration
First we'll make sure there are no syntax errors in your configuration files.
# postfix check
If it returns without printing anything, your configuration is syntactically correct. If it reports any problems, check that your configuration entries match the above. Now we'll start Postfix.
# postfix start
postfix/postfix-script: starting the Postfix mail system
Now telnet to port 25 on your forwarder. You should be greeted with "220 mail.example.com ESMTP Postfix". Manually send an email to someone at one of the domains we configured above; the lines you type are shown without a prefix, interleaved with the server's replies.

220 mail.example.com ESMTP Postfix
helo mailtest.example.com
250 mail.example.com
mail from:email@example.com
250 Ok
rcpt to:firstname.lastname@example.org
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
hello
.
250 Ok: queued as 9B7A94F6454

That will send a message containing "hello" to the address you gave in rcpt to. If everything is set up appropriately, that message will be forwarded to your LAN server and delivered to that user. Also try a rcpt to for a domain that is not in relay_domains; from a host outside mynetworks the forwarder must answer "554 Relay access denied", otherwise it is an open relay. If both checks behave as expected, your setup should be ready for production.
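The two checks just described, automated with Python's standard smtplib so they can be repeated after every change. This is an added example, not code from the article: the host name, domains and sender address are placeholders, and the script must be run from a host outside the forwarder's mynetworks, otherwise permit_mynetworks makes the relay test meaningless. It never sends DATA, so nothing is queued; each probe is abandoned with RSET after the RCPT reply is read.

```python
"""Probe a Postfix forwarder's relay policy over SMTP (added example, not from the article).

Two RCPT TO probes are sent in one session: one for a domain the forwarder is
supposed to relay (expected: a 2xx reply) and one for a domain it is not
responsible for (expected: a 5xx reply such as "554 5.7.1 ... Relay access
denied"). A forwarder that accepts the second probe is an open relay.
"""
import smtplib


def probe_rcpt(conn, mail_from, rcpt_to):
    """Send MAIL FROM / RCPT TO, reset the transaction and return the RCPT reply.

    conn is an smtplib.SMTP instance, or any object with the same
    mail/rcpt/rset methods (see ScriptedSMTP below for an offline stand-in).
    """
    code, _ = conn.mail(mail_from)
    if code != 250:
        raise RuntimeError("MAIL FROM refused with %d" % code)
    code, msg = conn.rcpt(rcpt_to)
    conn.rset()  # abandon the transaction so nothing is ever queued
    if isinstance(msg, bytes):
        msg = msg.decode("ascii", "replace")
    return code, msg


def check_forwarder(conn, relay_domain, foreign_domain, sender="probe@example.net"):
    """Return a dict describing whether the forwarder relays correctly.

    accepts_relay_domain:   RCPT TO postmaster@<relay_domain> got a 2xx reply.
    rejects_foreign_domain: RCPT TO postmaster@<foreign_domain> got a 5xx reply.
    open_relay:             the foreign domain was accepted; on an
                            Internet-facing forwarder this must never be True.
    postmaster@ is used because RFC 5321 requires it to exist in every domain.
    """
    ok_code, ok_msg = probe_rcpt(conn, sender, "postmaster@" + relay_domain)
    bad_code, bad_msg = probe_rcpt(conn, sender, "postmaster@" + foreign_domain)
    return {
        "accepts_relay_domain": 200 <= ok_code < 300,
        "rejects_foreign_domain": 500 <= bad_code < 600,
        "open_relay": 200 <= bad_code < 300,
        "replies": {relay_domain: (ok_code, ok_msg),
                    foreign_domain: (bad_code, bad_msg)},
    }


def probe_host(host, relay_domain, foreign_domain="unrelated.invalid", port=25):
    """Connect to the forwarder and run both checks (placeholder host name)."""
    with smtplib.SMTP(host, port, timeout=15) as conn:
        conn.ehlo_or_helo_if_needed()
        return check_forwarder(conn, relay_domain, foreign_domain)


class ScriptedSMTP:
    """Offline stand-in for smtplib.SMTP that replays canned RCPT replies.

    rcpt_replies maps recipient domain -> (code, message); anything not listed
    is refused the way Postfix refuses an unauthorized destination.
    """

    def __init__(self, rcpt_replies):
        self.rcpt_replies = rcpt_replies
        self.resets = 0

    def mail(self, sender):
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient):
        domain = recipient.rsplit("@", 1)[1]
        return self.rcpt_replies.get(domain, (554, b"5.7.1 Relay access denied"))

    def rset(self):
        self.resets += 1


if __name__ == "__main__":
    import sys
    result = probe_host(sys.argv[1], sys.argv[2])  # e.g. mail.example.com example.com
    for key in ("accepts_relay_domain", "rejects_foreign_domain", "open_relay"):
        print("%-22s %s" % (key, result[key]))
    sys.exit(1 if result["open_relay"] or not result["accepts_relay_domain"] else 0)
```

Run it as `python3 probe.py mail.example.com example.com` from an outside host; a non-zero exit means the forwarder either refused mail for its own domain or relayed for a domain it does not own, and `result["replies"]` holds the exact server replies for the log.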
To view the logs,
# cat /var/log/maillog
You'll see entries like the following for each forwarded message.
Jan 25 10:19:44 mail postfix/smtp[72062]: 72062EB: to=<recipient>, relay=10.0.0.2[10.0.0.2], delay=0, status=sent (250 2.6.0 <20050125382.A382373DKDF@mail.remotedomain.com> Queued mail for delivery)
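Beyond eyeballing status=sent lines, the two things worth watching in maillog on a forwarder are deliveries that did not reach the LAN server (status=deferred or bounced, with the reason) and "NOQUEUE: reject:" lines from smtpd, which on this setup are mostly outsiders probing the box as an open relay. The following summarizer is an added example, not part of the article; its regular expressions follow Postfix's smtp(8) and smtpd(8) log formats, and the sample log lines are constructed for the demonstration using documentation IP ranges.

```python
"""Summarize a Postfix forwarder's maillog (added example, not from the article).

smtp(8) logs one "status=<sent|deferred|bounced> (<reason>)" line per delivery
attempt; smtpd(8) logs "NOQUEUE: reject: RCPT from <client>[<ip>]: ..." for
mail it refused at RCPT TO time (e.g. relay attempts for foreign domains).
"""
import re
import sys
from collections import Counter

# Common prefix of every line: syslog timestamp, host, postfix/<program>[pid]:
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<rest>.*)$"
)
# smtp(8) delivery result; the ".*" skips fields (delays=, dsn=) newer versions add.
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), "
    r".*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# smtpd(8) rejection; the enhanced status code (5.7.1) is optional because
# older releases do not log it.
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d+\.\d+ )?(?P<what>.*?): (?P<reason>[^;]*);"
)


def summarize(lines):
    """Return delivery-status counts and reject counts per client IP and reason."""
    summary = {
        "status": Counter(),            # sent / deferred / bounced from smtp(8)
        "deferred_reasons": Counter(),  # why mail is stuck in the queue
        "rejects_by_ip": Counter(),     # who smtpd refused, and how often
        "reject_reasons": Counter(),    # e.g. "Relay access denied"
        "unparsed": 0,                  # lines that are not postfix syslog lines
    }
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            summary["unparsed"] += 1
            continue
        prog, rest = m.group("prog"), m.group("rest")
        if prog == "smtp":
            d = DELIVERY_RE.match(rest)
            if d:
                summary["status"][d.group("status")] += 1
                if d.group("status") == "deferred":
                    summary["deferred_reasons"][d.group("reason")] += 1
        elif prog == "smtpd":
            r = REJECT_RE.match(rest)
            if r:
                summary["rejects_by_ip"][r.group("ip")] += 1
                summary["reject_reasons"][r.group("reason")] += 1
    return summary


def noisy_clients(summary, threshold):
    """Client IPs refused at least `threshold` times: relay probers worth blocking at the firewall."""
    return sorted(ip for ip, n in summary["rejects_by_ip"].items() if n >= threshold)


# Constructed sample log (not real traffic): one successful forward, one deferral
# while the LAN server was down, one bounce for an unknown user, three relay
# probes from two outside hosts, and one non-Postfix line.
SAMPLE_LOG = """\
Jan 25 10:19:44 mail postfix/smtpd[72060]: connect from unknown[203.0.113.5]
Jan 25 10:19:44 mail postfix/smtpd[72060]: 9B7A94F6454: client=unknown[203.0.113.5]
Jan 25 10:19:44 mail postfix/smtp[72062]: 9B7A94F6454: to=<alice@example.com>, relay=10.0.0.2[10.0.0.2], delay=0, status=sent (250 2.6.0 <20050125382.A382373DKDF@mail.example.com> Queued mail for delivery)
Jan 25 10:20:01 mail postfix/qmgr[72050]: A1B2C3D4E5F: from=<carol@example.net>, size=512, nrcpt=1 (queue active)
Jan 25 10:20:01 mail postfix/smtp[72063]: A1B2C3D4E5F: to=<bob@example.org>, relay=none, delay=0, status=deferred (connect to 10.0.0.2[10.0.0.2]: Connection refused)
Jan 25 10:21:13 mail postfix/smtpd[72070]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <victim@unrelated.test>: Relay access denied; from=<spammer@unrelated.test> to=<victim@unrelated.test> proto=SMTP helo=<x>
Jan 25 10:21:14 mail postfix/smtpd[72070]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <victim2@unrelated.test>: Relay access denied; from=<spammer@unrelated.test> to=<victim2@unrelated.test> proto=SMTP helo=<x>
Jan 25 10:22:00 mail sshd[123]: Accepted publickey for admin from 10.0.0.10 port 52000 ssh2
Jan 25 10:23:30 mail postfix/smtp[72064]: B2C3D4E5F6A: to=<nobody@example.com>, relay=10.0.0.2[10.0.0.2], delay=0, status=bounced (host 10.0.0.2[10.0.0.2] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jan 25 10:24:05 mail postfix/smtpd[72071]: NOQUEUE: reject: RCPT from mx.other.test[192.0.2.77]: 554 5.7.1 <someone@elsewhere.test>: Relay access denied; from=<a@b.test> to=<someone@elsewhere.test> proto=ESMTP helo=<mx.other.test>
"""


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path) if path else SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print("deliveries:", dict(s["status"]))
    print("deferred reasons:", dict(s["deferred_reasons"]))
    print("rejects by IP:", dict(s["rejects_by_ip"]))
    print("repeat offenders (>=2):", noisy_clients(s, 2))
```

Run `python3 mailsummary.py /var/log/maillog` on the forwarder (or without an argument to see the sample). A steadily growing deferred count with "Connection refused" means the firewall or the LAN server is not accepting port 25 from the forwarder; an address that appears many times in rejects_by_ip is a relay prober, which is exactly the traffic the reject_unauth_destination default is there to stop.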
After following this guide, you have a solid, secure, reliable mail forwarder in place to protect your more fragile groupware LAN mail server and help keep your network more secure. Look for future articles on adding spam filtering and antivirus scanning capabilities to this basic configuration.