Thursday, March 4, 2010

9. Postfix SmartHost and NullClient


SmartHost
    A SmartHost configuration forwards all mail that is not destined for the local server. Typically it is used to hand mail to a SmartHost mail server, which can masquerade and relay it to the outside world.
Mail Flow example:
Local Server -> SmartHost Server -> Outer World
    On the Local server we define the SmartHost server, so all mail that is not destined for the Local server is forwarded to the SmartHost server. The SmartHost server then forwards the messages to the outside world.

Defining SmartHost
First check which domains Postfix accepts mail for.
# postconf |grep mydestination
    The output lists the domains that Postfix accepts mail for. Once the SmartHost is defined, Postfix forwards to the SmartHost server all mail that is not destined for $mydestination.
# vim /etc/postfix/main.cf
relayhost = smarthost.server.com
    In this scenario Postfix forwards all mail that is not destined for the local server to smarthost.server.com.
Note: In this case Postfix performs a DNS MX record query for the domain smarthost.server.com. Adding square brackets "[]" skips the MX record query and delivers the messages directly to the named host.
eg: relayhost = [mail1.smarthost.server.com]
# postconf |grep relayhost
# postfix reload
Verify the configuration and reload the Postfix service.
    Test the configuration by sending mail to an outside address from this Local server. Examine the logs on the Local server as well as on the SmartHost server.

NullClient
    A NullClient forwards all mail, including locally generated mail, to the defined server. A NullClient never receives any mail for local delivery.
Mail Flow Example:
Internet -> Mail Server exposed to Internet -> Internal Mail Server
    The mail server exposed to the Internet accepts mail from any Internet host and, using the NullClient configuration, forwards all of it to the Internal Mail Server.

Configuring the NullClient
In the mail flow above, this configuration goes on the mail server exposed to the Internet.
# vim /etc/postfix/main.cf
mydestination =
local_transport = error:Local Mailing is Disabled
relayhost = smarthost.domain.com
mydestination = "nothing" tells Postfix that it is not handling mail for any domain.
local_transport = error:Local Mailing is Disabled tells Postfix not to handle any local mail either.
relayhost tells Postfix to forward all mail, whether destined local or remote, to the SmartHost server defined. Make sure that the SmartHost server is configured to receive this mail.
Note:
A "relayhost" is "not mandatory" in a Null Client configuration. If no smarthost is specified, Postfix resolves the MX of the mail's destination and sends the mail directly.
Update master.cf
# vim /etc/postfix/master.cf
# local     unix  -       n       n       -       -       local
Comment out the above line to disable the "local" transport feature of Postfix (local mailing).
# postfix reload
    Reload the Postfix configuration. The Postfix server now acts as a Null Client and all mail it generates is forwarded to the smarthost defined. Test the configuration by sending mail both "from" and "to" the NullClient host and check the logs.
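
The following is an added example, not part of the original post: a small Python check that reads main.cf text and reports where it departs from the NullClient settings above, including whether relayhost triggers an MX lookup. The function names and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample main.cf text (not from a real host); the last definition wins.
SAMPLE = """\
mydestination = $myhostname, localhost
mydestination =
local_transport = error:Local Mailing is Disabled
relayhost = smarthost.domain.com
"""

def parse_main_cf(text):
    """Parse main.cf: skip comments, join continuation lines, keep the last value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:            # leading whitespace continues a value
            params[name] = (params[name] + " " + raw.strip()).strip()
        else:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def relayhost_target(value):
    """Split a relayhost value into (host, port, mx_lookup)."""
    m = re.fullmatch(r"(\[[^\]]+\]|[^:\s]+)(?::(\w+))?", value)
    if not m:
        raise ValueError("unparseable relayhost: %r" % value)
    host = m.group(1)
    return host.strip("[]"), m.group(2) or "25", not host.startswith("[")

def null_client_notes(params):
    """Report where a configuration departs from the null-client settings."""
    notes = []
    if params.get("mydestination") != "":
        notes.append("mydestination is not empty: mail for those domains stays local")
    if not params.get("local_transport", "").startswith("error:"):
        notes.append("local_transport is not error: local delivery is still enabled")
    relay = params.get("relayhost", "")
    if not relay:
        notes.append("no relayhost: mail goes to each destination's own MX")
    elif relayhost_target(relay)[2]:
        notes.append("relayhost without []: next hop is chosen by an MX lookup")
    return notes

if __name__ == "__main__":
    for note in null_client_notes(parse_main_cf(SAMPLE)):
        print(note)
```

On a live host the same text can be taken from the output of "postconf -n" instead of the sample string.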

Wednesday, March 3, 2010

8. Postfix Transport Table - SMTP Routing


    This feature routes messages for additional domains according to a defined map. Postfix accepts the message and, rather than consulting DNS for the MX record, routes the mail by checking the transport map. In sendmail this feature is called mailertable.

Transport Map
The map format is as follows:
Left Hand Side                   Right Hand Side
user@domain.com                  transport:nexthop
domain.com                       transport:nexthop
host1.domain.com                 transport:nexthop
   In the above format the Left Hand Side lists the addresses and domains for which Postfix accepts and routes messages. The Right Hand Side defines the transport mechanism to use and the destination of the mail.

Setting up the Transport Mechanism to Route the messages:
Check the directive that supports the transport map
# postconf |grep transport_maps
    transport_maps is the directive that enables the transport map. By default it is undefined. The transport types supported by Postfix can be determined by examining the "/etc/postfix/master.cf" file; smtp, local, error etc. are among the transport types defined there.
Create the transport map file
# vim /etc/postfix/transport
sales.domain.com           smtp:[internalhost1.domain.com]
tax.domain.com              smtp:[internalhost2.domain.com]
finance.domain.com       smtp:newdomain.com
    On the Left Hand Side we list the domains whose mail has to be routed (sales.domain.com), and on the Right Hand Side the transport to be used (smtp) and the destination machine (internalhost1.domain.com).
Note: When mail is routed through the transport table, put the receiving host inside square brackets ("[]") to disable the MX lookup for the destination. This tells Postfix "not to perform" the MX lookup for the destination.
# postmap /etc/postfix/transport
   This generates the transport map file named transport.db.
Enable the transport map feature in Postfix
# vim  /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
# postfix reload
    The transport map is now integrated with Postfix.

Testing the configuration
# postconf |grep transport_maps
    Check that the maps are defined correctly.
Make sure that the MX record of every domain whose mail is to be routed to another server points to the Mail Routing Server. Now try sending mail destined to the domains sales.domain.com, tax.domain.com and finance.domain.com. According to the map defined, the Mail Routing Server routes the mail to the respective host. It is assumed that the receiving host is configured to accept mail from the Mail Router.
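
The following is an added example, not part of the original post: a Python sketch of how a recipient is matched against the transport table, following the lookup order documented in transport(5) (full address, exact domain, then ".parent" patterns for subdomains) and showing when brackets suppress the MX lookup. Address extensions and the "*" wildcard are left out, and the last two table entries are constructed.

```python
import re

# First three entries are the page's table; the last two are constructed additions.
SAMPLE = """\
sales.domain.com      smtp:[internalhost1.domain.com]
tax.domain.com        smtp:[internalhost2.domain.com]
finance.domain.com    smtp:newdomain.com
.tax.domain.com       smtp:[internalhost2.domain.com]:2525
ceo@sales.domain.com  error:mailbox moved
"""

def load_transport(text):
    """Parse transport map source into {pattern: (transport, nexthop)}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue                             # comment, blank or key-only line
        transport, _, nexthop = parts[1].strip().partition(":")
        table[parts[0].lower()] = (transport, nexthop)
    return table

def route(table, recipient):
    """Return (pattern, transport, nexthop, mx_lookup) or None if no entry matches."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    labels = domain.split(".")
    # Lookup order: full address, exact domain, then ".parent" forms for subdomains.
    keys = [recipient, domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in table:
            transport, nexthop = table[key]
            if transport == "error":             # nexthop is the bounce text
                return key, transport, nexthop, False
            nexthop = nexthop or domain          # empty nexthop: recipient domain
            mx_lookup = not nexthop.startswith("[")
            return key, transport, re.sub(r"[\[\]]", "", nexthop), mx_lookup
    return None

if __name__ == "__main__":
    table = load_transport(SAMPLE)
    for rcpt in ["bob@sales.domain.com", "x@host1.sales.domain.com"]:
        print(rcpt, "->", route(table, rcpt))
```

A result of None means the table has no entry for that recipient, which is the case for host1.sales.domain.com because the table carries no ".sales.domain.com" pattern.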

Tuesday, March 2, 2010

7. Postfix Relay Domains


      This is another way of enabling relaying in Postfix. By default Postfix relays mail for the domains specified in the "mydestination" directive (Postfix considers these domains local). If we need more domains to be relayed through the same server we can use the "relay_domains" directive as well as "mydestination".
By default "relay_domains" is set to mydestination.
i.e,
relay_domains = $mydestination
With the "relay_domains" directive Postfix is configured to relay mail for the domains defined.
For example:
# vim main.cf
relay_domains = $mydestination, new1domain.com, new2nd.domain.com
# smtpd_client_restrictions =
Comment out the above directive. The smtpd_client_restrictions parameter restricts which clients this system accepts SMTP connections from. By default, this restriction is applied when the client sends the RCPT TO command, so a RCPT TO error in the log file points to it.
# postfix reload
# ps -ef |grep master
The above change allows Postfix to relay mail for the new1domain.com and new2nd.domain.com domains. "smtpd_client_restrictions" sets the policy that rejects relaying from other domains by default.
Note: All subdomains are relayed if a domain is specified in "relay_domains". For example, if newdomain.com is specified then the Postfix server allows relaying for all its subdomains, such as host1.newdomain.com, host2.newdomain.com etc.

Relay Domains with Maps
      Enabling maps makes the MTA query its data from a database mechanism. If a server hosts many domains and entering each domain name in the configuration file is not practical, database maps give fast lookups and easier management.

Defining relay_domains Maps
# rpm -qa |grep db
First check that the Berkeley DB packages are installed. Postfix uses these packages for database support.
# vim /etc/postfix/main.cf
relay_domains = $mydestination, hash:/etc/postfix/relaydomains
  Postfix now consults the db file "/etc/postfix/relaydomains.db" for relaying.
# vim /etc/postfix/relaydomains
domain1.com    OK
domain2.com    OK
domain3.com    OK
domain4.com    OK
domain5.com    OK
# postmap /etc/postfix/relaydomains
"postmap" generates the db file from /etc/postfix/relaydomains.
Note: A map file consists of keys and values separated by white space, and postmap expects a value on the right hand side of every key; it prints a warning for, and skips, any line that holds only a key. This is the rare case in which Postfix does not read the "values" on the right hand side, so a placeholder such as OK is enough.
# postfix reload
# ps -ef |grep master
  Postfix can now relay mail for all the domains defined in the "relaydomains" file. Once Postfix is running, adding a new entry to the file and running the postmap command is sufficient for Postfix to relay for the newly added domain, without restarting the service.

Monday, March 1, 2010

6. Postfix Basic Relay and SMTP-AUTH


Introduction
         One of the most important features of an MTA is the ability to control relaying. Most MTAs deny relaying from domains that are not considered local or from hosts that are not in the same subnet.

Postfix Relay
       Postfix relays for the domains that are "considered to be local by default". These are specified in the main.cf file, whereas in sendmail a separate local file contains the list of domains for relay. "hostname -f" gives the FQDN of the server, and by default Postfix accepts mail destined to its own domain because it is considered local. With the "mydestination" directive Postfix accepts mail for the domains defined there. "mynetworks" and "mynetworks_style" also control relaying initially. All other domains are "only relayed if the relay is specifically defined".
The basic relay configuration in Postfix is done with:
  • mydestination
  • mynetworks
  • mynetworks_style
The following example configures Postfix to relay only for localhost. (The same method can be applied to any single host as well.) All other requests for relay from other hosts will be rejected.

Configure Postfix to relay only for localhost
# vim /etc/postfix/main.cf
mynetworks = 127.0.0.1
mynetworks_style = host
     This means Postfix relays mail only from localhost.
# postfix reload
# postconf |grep mynetwork
    Now try sending a message from any host on the local network to the outside. Relaying through this server will be denied; only localhost will be able to relay mail outside. Note: "The server will still accept mail addressed to it; do not confuse that with relaying".

SMTP Authentication:
     SMTP auth is used to relay based on user authentication, which permits roaming users.
We need the cyrus packages, which support SMTP authentication.
Check the package availability with the following command. If they are missing, install all the cyrus packages.
# rpm -qa |grep cyrus
Check whether the Postfix MTA supports authentication
# telnet localhost 25
ehlo localhost
(The server has to return a 250-AUTH line in its reply)
If the binary is not built with SMTP-AUTH support, Postfix has to be compiled and installed with it. Go to the Postfix source directory, then compile and install Postfix.
# cd postfix-2.7
# make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"
# postfix stop
# make install
    This compiles the binaries with smtp-auth support, and an interactive menu appears for installing them.
After installing the Postfix binaries, add the directives that support smtp-auth to the main.cf file
# vim /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
# This enables the smtpd authentication
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# postfix reload
   "smtpd_recipient_restrictions" is a type of smtpd access policy that is used to reduce the amount of junk mail and to tighten SMTP relaying. By defining "smtpd_recipient_restrictions" we instruct Postfix to permit or deny relaying to a destination according to the policy. Here "permit_mynetworks" permits relaying for all hosts defined in mynetworks, "permit_sasl_authenticated" permits relaying for all users that have completed SMTP authentication, and all remaining requests are rejected by the reject_unauth_destination policy.
Confirm that SMTP AUTH is supported
# telnet localhost 25
ehlo localhost
(Check for the 250-AUTH reply)
# tail /var/log/maillog
     Check the log file for any errors
Now we have to configure SASL to handle the SMTP authentication requests. Create the following file so that SASL handles SMTP authentication
# vim /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
The mech_list is optional; it defines the authentication mechanisms that are offered.
# service saslauthd start
# service postfix restart
# ps -ef |grep saslauth
Check that the service is running. Now go to any MUA that supports SMTP authentication and test the mail relay.
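
The following is an added example, not part of the original post: a Python model of how the restriction list "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination" decides each RCPT TO, including the subdomain matching of relay_domains noted in the Relay Domains post. The function names, the mydestination value and the test sessions are assumptions; the mynetworks and relay_domains values are the ones used on this page.

```python
import ipaddress

# Values from the page, plus a constructed mydestination.
CFG = {
    "mynetworks": ["127.0.0.1"],
    "mydestination": ["mail.example.com"],
    "relay_domains": ["new1domain.com", "new2nd.domain.com"],
}

def in_mynetworks(client_ip, networks):
    """True when the client address falls inside any mynetworks entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def authorized_destination(domain, cfg):
    """Local domains match exactly; a relay_domains entry also covers its subdomains."""
    if domain in cfg["mydestination"]:
        return True
    return any(domain == d or domain.endswith("." + d) for d in cfg["relay_domains"])

def rcpt_decision(client_ip, sasl_user, rcpt, cfg=CFG):
    """Evaluate the three restrictions in order; the first match decides."""
    if in_mynetworks(client_ip, cfg["mynetworks"]):
        return "permit: permit_mynetworks"
    if sasl_user:
        return "permit: permit_sasl_authenticated"
    domain = rcpt.rpartition("@")[2].lower()
    if not authorized_destination(domain, cfg):
        return "reject: reject_unauth_destination"
    return "permit: authorized destination"

if __name__ == "__main__":
    # Constructed test sessions: (client address, SASL login or None, recipient).
    for session in [("127.0.0.1", None, "a@elsewhere.example"),
                    ("192.0.2.10", "alice", "a@elsewhere.example"),
                    ("192.0.2.10", None, "a@host1.new1domain.com"),
                    ("192.0.2.10", None, "a@elsewhere.example")]:
        print(session, "->", rcpt_decision(*session))
```

The last session is the one to reproduce when testing a server: an unauthenticated client outside mynetworks sending to a foreign domain must be rejected.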