Postfix Configuration for a Web Server Relay on a Private Network
Postfix is a Mail Transfer Agent distributed under the IBM Public License Version 1.0. The Postfix website can be found at; www.postfix.com. The focus of this howto, is the setup and configuration for Postfix on a private 192.168.1.0/26 network that is communicating to a public network through a Firewall. The postfix installation on this private network exists solely for the relaying of email from a web server on the same subnet.
The Network Topography
There are two networks, a Public network, which is the Internet and the private network which is placed behind a firewall. The public IP is for the purposes of this howto, the IP 63.63.63.34 and the private network is a Class C 192.1668.1.0/26 network. Interfacing between these two networks is a dual-homed Linux Firewall with one interface on the public network and the other on the private network. There are two other machines on the private network, a Web Server and the Email Server. The Firewall port forwards from its public interface for port 80 TCP requests to the Web Server and Port 25 TCP requests to the Email Server.
Request Flow For Email Server
The set up described above is for a simple case of the Web Server initiating email and having the Email Server send that email on to the correct recipient. The Email Server is running Postfix which will be doing the relaying for the web server. The system is send based, there is only one user other than postmaster, this is the user that bounced emails will return to that have been originated by the Web server's email program.
The Domain's DNS and MX Record
The domain's DNS records need to be correctly set up for email to route out to the correct MTA on the Internet. For the purposes of this howto, the domain example.com and the domain IP 63.63.63.34 are being used. Substitute your domain name and public IP in the examples. For email to work, the domain, example.com will need to have a DNS MX record. To check if the domain has an MX record or not, from the bash prompt type,
host -a example.com
or for Windows machines type;
nslookup
set type=all
example.com
If there is an MX record in the DNS already, then there will be an output like,
example.com 3600 IN MX 10 mail.example.com
If there is no MX record, then contact the ISP to have an MX record entered for the domain. With an MX record other MTAs through DNS lookups are able to find your MTA in the case of bounced emails and the like. As this system is not for users, the only email that needs to be accepted is returned email. There will be no users using the MTA on the private network for POP3 or IMAP services.
The Firewall
The firewall is a dual home-machine with the public interface, eth0 having an IP of 63.63.63.34 and the private interface, eth1 having an IP of 192.168.1.1. The private interface will require to be able to pass on any packets it receives that aren't for itself, to the public interface. The public interface needs to be able to route any packets that aren't for itself to the gateway for the public interface. The routing tables, using route -n, are of the form,
Destination Gateway Genmask Flags Met Ref Use IFace
63.63.63.32 0.0.0.0 255.255.255.224 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
127.0.0.1 0.0.0.0. 255.0.0.0 U 0 0 0 lo
0.0.0.0 63.63.63.33 0.0.0.0 UG 0 0 0 eth0
The /etc/rc.d/rc.firewall script allows the legitimate traffic from the public network on Port 80 and Port 25, port forwarding them to the appropriate machines on the private network. Port 80 TCP traffic is forwarded to the Web Server and Port 25 traffic is forwarded to the Email Server.
The Web Server
The web server has the private network IP of 192.168.1.2 and is running an application that generates email to users of the website based upon certain criteria and conditions. This application sends email to the private networks MTA, the web server does not receive mail. All mail from the web server is in one direction only, which is out to the public network. The routing tables for the web server are;
Destination Gateway Genmask Flags Met Ref Use IFace
192.168.1.2 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.1 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
The Email Server
The email server has the private IP of 192.168.1.3 and is running the Postfix MTA. The Email Server is set up to route any packets not for it's own interface to the Firewalls private interface which is the private networks gateway. This will then pass those packets to the firewalls public interface which will then use the gateway for that subnet to route those packets out to the internet. The routing tables for the Email Server are;
Destination Gateway Genmask Flags Met Ref Use IFace
192.168.1.3 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.1 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
Of importance to the Email Server as it is communicating with the outside world, is to have the DNS name resolving setup correctly. This is done in /etc/resolv.conf in which the entries were added,
nameserver 198.6.1.162
nameserver 192.6.1.210
Any DNS server is applicable, those two are UUNet DNS servers. If you are running Postfix in a chroot jail, which is the default installation, then this file will need to be copied to the chroot jail;
cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
Configuring Postfix
The routing configuration describes in the sections on the firewall and email server, will route any packet that is directed from the email server to the gateway, out to the public network. Subsequently the Postfix installation only has to work as a relay for the web server.
The Postfix main configuration file is found at;
/etc/postfix/main.cf
Due to the simple nature of the email setup, few of the parameters available need to be modified.
myhostname
The myhostname parameter specifies the fully qualified domain name of the mail host machine. This will be the FQDN in the MX record.
myhostname = mail.example.com
mydomain
The mydomain parameter is the local internet name.
mydomain = example.com
myorigin
The myorigin specifies where the local mail is coming from.
myorigin = $mydomain
inet_interfaces
inet_interfaces specifies the network interfaces postfix listen to for mail. For this installation the Email Server needs to listen on it's eth0 interface of 192.168.1.3;
inet_interfaces = 192.168.1.3
mydestination
This the parameter which sets the domains that postfix will be the final destination for.
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks
The mynetworks parameter allows for trusted networks to be included explicitly. For this the localmachine and private network are included.
mynetworks = 192.168.1.0/26 127.0.0.0/8
After configuring postfix with these settings stop and start the postfix service;
service postfix stop
service postfix start
This will restart postfix with the new configuration. From this point, postfix is ready to relay email generated by the Web Server to the public network.
cam
![]](images/rt_edge3.gif){kind=small}
![[XML]](images/rssblue.gif){kind=small}
![[P]](images/print3.gif){kind=small}
