This post explains how to configure a relay server on a DMZ network to relay mail for two domains to two mail servers on the internal network.
This configuration is useful when you don't want to publish your SMTP server (Linux, Exchange, Lotus Domino or whatever you have) directly on the Internet: you keep it on your internal network and publish only a relay server, for security reasons.
I've tested this configuration for relaying mail to Microsoft Exchange, Postfix, QMail, Sendmail, Lotus Domino, Merak and other less common mail servers without any kind of problem.
You can use Red Hat Enterprise Linux (RHEL) or CentOS without changing a line of the following configuration, and with small adjustments you can apply this how-to to any Linux distribution.
I've used Postfix as the mail server, because for me it's the best, and Amavisd-New, Clamd and SpamAssassin to check the relayed mail for viruses and spam.
This post assumes you have two internal networks, 192.168.1.0/24 and 192.168.2.0/24, with a mail server for yourdomain.com on the 192.168.1 network and another mail server for yourdomain.net on the 192.168.2 network. In particular, the yourdomain.com mail server has the address 192.168.1.4/24 and the yourdomain.net mail server has 192.168.2.1/24.
This post will also explain how to configure simple SMTP authentication based on SASL, to authenticate external users directly on the relay server and let them send mail to any other domain through it.
Let's start doing something:
After a standard Linux installation without any customization, and a registration with a demo license key (only if you use RHEL), you must install the RPMFORGE packages from apt.sw.be to get some packages needed in the following steps.
To do so, run the following command:
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
See http://dag.wieers.com for details about the package and the repository. If the installation gave you no problem, update your system from the YUM repositories by running:
yum update -y
Running the above command will update your whole system.
After the upgrade it is better to reboot, because you may have updated packages which need a reboot to work correctly.
After the reboot, install all the packages needed for our setup by running the following command:
yum install -y postfix spamassassin clamav clamd clamav-db amavisd-new cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
By default RHEL (and CentOS) use sendmail as the MTA. I've just said that for me Postfix is the best, so run alternatives to choose Postfix as the default MTA; after that you can safely remove sendmail.
Configure your default MTA by running:
alternatives --config mta
and choose postfix (usually you must type "2").
Remove sendmail by running:
yum remove -y sendmail
Edit the Postfix transport file to specify that mail for yourdomain.com will be forwarded to 192.168.1.4, mail for yourdomain.net will be forwarded to 192.168.2.1, and all other mail will be delivered directly to its final external destination.
/etc/postfix/transport
yourdomain.com smtp:192.168.1.4
.yourdomain.com smtp:192.168.1.4
yourdomain.net smtp:192.168.2.1
.yourdomain.net smtp:192.168.2.1
* :
After editing this file, run the following command to create the transport.db file that Postfix can read:
postmap /etc/postfix/transport
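To see how Postfix resolves a recipient domain against the file above (the exact key first, then the dotted parent-domain keys, then the "* :" catch-all), here is an added example that emulates that lookup in plain sh; it is not code from the original post, and the transport file it reads is constructed inline:

```shell
#!/bin/sh
# Emulates the order in which Postfix consults transport_maps for a
# recipient domain: the exact "domain" key first, then ".parent" keys
# for each parent domain, then the "*" catch-all. Added example, not
# code from the original post; the transport file is constructed inline.
TRANSPORT_FILE=$(mktemp)
trap 'rm -f "$TRANSPORT_FILE"' EXIT
cat > "$TRANSPORT_FILE" <<'EOF'
yourdomain.com smtp:192.168.1.4
.yourdomain.com smtp:192.168.1.4
yourdomain.net smtp:192.168.2.1
.yourdomain.net smtp:192.168.2.1
* :
EOF

# lookup_key KEY FILE: prints the result for an exact key, exit 1 if absent
lookup_key() {
    awk -v k="$1" '$1 == k { print $2; found = 1; exit } END { exit !found }' "$2"
}

# transport_lookup DOMAIN [FILE]: prints "transport:nexthop"; a bare ":"
# (from the "* :" line) means the default transport, i.e. direct delivery
transport_lookup() {
    domain=$1
    file=${2:-$TRANSPORT_FILE}
    # 1. exact match, e.g. yourdomain.com
    if r=$(lookup_key "$domain" "$file"); then
        echo "$r"; return 0
    fi
    # 2. parent domains with a leading dot, e.g. ".yourdomain.com" for mail.yourdomain.com
    parent=$domain
    while [ "${parent#*.}" != "$parent" ]; do
        parent=${parent#*.}
        if r=$(lookup_key ".$parent" "$file"); then
            echo "$r"; return 0
        fi
    done
    # 3. wildcard entry
    if r=$(lookup_key '*' "$file"); then
        echo "$r"; return 0
    fi
    return 1  # no entry at all: Postfix would still use the default transport
}

# Usage: show where the relay hands off each recipient domain
for d in yourdomain.com mail.yourdomain.net example.org; do
    printf '%s -> %s\n' "$d" "$(transport_lookup "$d")"
done
```

On the real server the same answer comes from postmap -q yourdomain.com hash:/etc/postfix/transport, which is the quickest way to confirm the .db file was rebuilt.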
At this point you must edit the main Postfix configuration file to define your domains, your networks, the SMTP authentication and the transport file.
#/etc/postfix/main.cf
myhostname = relay.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24
inet_interfaces = all
relay_domains = yourdomain.com, yourdomain.net
mydestination = $myhostname, localhost.$mydomain
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
message_size_limit = 0
mailbox_size_limit = 0
transport_maps = hash:/etc/postfix/transport
#AMAVIS-D NEW
content_filter=amavisfeed:[127.0.0.1]:10024
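Whether this box is an open relay is decided by smtpd_recipient_restrictions and mynetworks in the file above. The following added example (not code from the original post) audits a main.cf for those two settings, using a constructed good main.cf and a constructed bad one:

```shell
#!/bin/sh
# Checks a Postfix main.cf for the two settings that decide whether this
# DMZ relay is an open relay: smtpd_recipient_restrictions must contain
# reject_unauth_destination, and mynetworks must not trust 0.0.0.0/0.
# Added example, not code from the original post; both main.cf texts
# below are constructed inline.
GOOD_CF=$(mktemp); BAD_CF=$(mktemp)
trap 'rm -f "$GOOD_CF" "$BAD_CF"' EXIT
cat > "$GOOD_CF" <<'EOF'
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24
relay_domains = yourdomain.com, yourdomain.net
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
EOF
# A misconfiguration that relays for everyone: no reject rule, whole Internet in mynetworks
cat > "$BAD_CF" <<'EOF'
mynetworks = 0.0.0.0/0
relay_domains = yourdomain.com, yourdomain.net
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated
EOF

# cf_get PARAM FILE: prints the value of PARAM (last definition wins, as in Postfix)
cf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# check_relay_cfg FILE: returns 0 if the relay is closed, 1 otherwise
check_relay_cfg() {
    rc=0
    # Restrictions may be separated by commas and/or whitespace; normalise to commas
    restr=$(cf_get smtpd_recipient_restrictions "$1" | tr -s '[:space:]' ',')
    case ",$restr," in
        *,reject_unauth_destination,*) ;;
        *) echo "FAIL $1: smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    nets=$(cf_get mynetworks "$1")
    case " $nets " in
        *" 0.0.0.0/0 "*) echo "FAIL $1: mynetworks trusts 0.0.0.0/0 (the whole Internet)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $1: relay limited to mynetworks, SASL users and relay_domains"
    return $rc
}

check_relay_cfg "$GOOD_CF"
check_relay_cfg "$BAD_CF" || true
```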
Now configure Postfix to listen on another port (10025/tcp) for the SMTP traffic that comes back from amavisd after checking, by editing the master.cf file and adding the following lines:
#/etc/postfix/master.cf
# AMAVISD-NEW
amavisfeed unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=
Create one or more Linux users and assign them a password to have SASL authentication, so you can use your relay server from any external network as your SMTP server with SMTP authentication. Create the user without a home directory (-M option) and without a shell, so the user can't log in to your system, for example via SSH (-s /bin/false option).
useradd -M -s /bin/false relayuser
passwd relayuser
Enable all services needed.
chkconfig postfix on
chkconfig saslauthd on
chkconfig amavisd on
chkconfig clamd on
chkconfig spamassassin on
Restart all services in the following order :
service spamassassin restart
service clamd restart
service amavisd restart
service saslauthd restart
service postfix restart
Reboot your server to check that all services start correctly, then try to send some mail to yourdomain.com and yourdomain.net to see that mail transport works fine. For correct communication you have to open 25/tcp on your firewall from the DMZ network, in which you've put this newly configured machine, to both internal networks 192.168.1.0/24 and 192.168.2.0/24.
You must also configure your internal SMTP servers (192.168.1.4 and 192.168.2.1) to accept mail delivery from this machine, or from your internal network if you plan to use NAT from the DMZ to the internal network.
You're done!
Hope this helps.