Postfix Howto

By cam in cam's Diary
Fri Nov 01, 2002 at 06:08:46 PM EST

As mentioned in a previous Diary Entry, I received community help through this site setting up a Postfix installation. Here is a short howto on how I did it. There are flowcharts and some diagrams which will go in the final version, which I will publish on the web.


Postfix Configuration for a Web Server Relay on a Private Network

Postfix is a Mail Transfer Agent distributed under the IBM Public License Version 1.0. The Postfix website can be found at www.postfix.com. The focus of this howto is the setup and configuration of Postfix on a private 192.168.1.0/26 network that communicates with a public network through a firewall. The Postfix installation on this private network exists solely to relay email from a web server on the same subnet.

The Network Topology

There are two networks: a public network, which is the Internet, and a private network placed behind a firewall. For the purposes of this howto the public IP is 63.63.63.34 and the private network is a Class C 192.168.1.0/26 network. Interfacing between these two networks is a dual-homed Linux firewall with one interface on the public network and the other on the private network. There are two other machines on the private network, a Web Server and an Email Server. The firewall port-forwards TCP port 80 requests arriving on its public interface to the Web Server and TCP port 25 requests to the Email Server.

Request Flow For Email Server

The setup described above covers the simple case of the Web Server originating email and the Email Server delivering that email on to the correct recipient. The Email Server runs Postfix, which does the relaying for the Web Server. The system is send-only: there is only one user other than postmaster, and that is the user to whom bounced emails originated by the Web Server's email program are returned.

The Domain's DNS and MX Record

The domain's DNS records need to be correctly set up for email to route out to the correct MTA on the Internet. For the purposes of this howto, the domain example.com and the domain IP 63.63.63.34 are used. Substitute your own domain name and public IP in the examples. For email to work, the domain example.com will need to have a DNS MX record. To check whether the domain has an MX record, from the bash prompt type:

host -a example.com

or on Windows machines type:

nslookup
set type=all
example.com

If there is already an MX record in the DNS, the output will look like:

example.com 3600 IN MX 10 mail.example.com

If there is no MX record, contact the ISP to have one entered for the domain. With an MX record in place, other MTAs can find your MTA through DNS lookups, for bounced emails and the like. As this system is not for users, the only email that needs to be accepted is returned email. No users will be using the MTA on the private network for POP3 or IMAP services.

The Firewall

The firewall is a dual-homed machine with the public interface, eth0, having an IP of 63.63.63.34 and the private interface, eth1, having an IP of 192.168.1.1. The private interface must be able to pass any packets it receives that are not for itself on to the public interface. The public interface must route any packets that are not for itself to the gateway of the public subnet. The routing tables, as shown by route -n, are of the form:

Destination   Gateway       Genmask          Flags Met Ref Use IFace
63.63.63.32   0.0.0.0       255.255.255.224  U     0   0   0   eth0
192.168.1.0   0.0.0.0       255.255.255.192  U     0   0   0   eth1
127.0.0.1     0.0.0.0       255.0.0.0        U     0   0   0   lo
0.0.0.0       63.63.63.33   0.0.0.0          UG    0   0   0   eth0

The /etc/rc.d/rc.firewall script allows the legitimate traffic from the public network on port 80 and port 25, port-forwarding it to the appropriate machines on the private network. TCP port 80 traffic is forwarded to the Web Server and TCP port 25 traffic is forwarded to the Email Server.

The Web Server

The web server has the private network IP of 192.168.1.2 and runs an application that generates email to users of the website based upon certain criteria and conditions. This application sends email to the private network's MTA; the web server does not receive mail. All mail from the web server flows in one direction only, out to the public network. The routing table for the web server is:

Destination   Gateway       Genmask          Flags Met Ref Use IFace
192.168.1.2   0.0.0.0       255.255.255.0    U     0   0   0   eth0
127.0.0.1     0.0.0.0       255.0.0.0        U     0   0   0   lo
0.0.0.0       192.168.1.1   0.0.0.0          UG    0   0   0   eth0

The Email Server

The email server has the private IP of 192.168.1.3 and runs the Postfix MTA. The Email Server is set up to route any packets not for its own interface to the firewall's private interface, which is the private network's gateway. The firewall then passes those packets to its public interface, which uses the gateway for that subnet to route them out to the Internet. The routing table for the Email Server is:

Destination   Gateway       Genmask          Flags Met Ref Use IFace
192.168.1.3   0.0.0.0       255.255.255.0    U     0   0   0   eth0
127.0.0.1     0.0.0.0       255.0.0.0        U     0   0   0   lo
0.0.0.0       192.168.1.1   0.0.0.0          UG    0   0   0   eth0

Because the Email Server communicates with the outside world, it is important that DNS name resolution is set up correctly. This is done in /etc/resolv.conf, to which the following entries were added:

nameserver 198.6.1.162
nameserver 192.6.1.210

Any DNS server will do; those two are UUNet DNS servers. If you are running Postfix in a chroot jail, which is the default installation, then this file also needs to be copied into the chroot jail:

cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf

Configuring Postfix

The routing configuration described in the sections on the firewall and email server will route any packet directed from the email server to the gateway out to the public network. Consequently the Postfix installation only has to work as a relay for the web server.

The Postfix main configuration file is found at:

/etc/postfix/main.cf

Due to the simple nature of the email setup, few of the parameters available need to be modified.

myhostname

The myhostname parameter specifies the fully qualified domain name of the mail host machine. This is the FQDN that the MX record points to.

myhostname = mail.example.com

mydomain

The mydomain parameter specifies the local Internet domain name.

mydomain = example.com

myorigin

The myorigin parameter specifies the domain that locally posted mail appears to come from.

myorigin = $mydomain

inet_interfaces

inet_interfaces specifies the network interfaces on which Postfix listens for mail. For this installation the Email Server needs to listen on its eth0 interface, 192.168.1.3:

inet_interfaces = 192.168.1.3

mydestination

This is the parameter which sets the domains for which Postfix is the final destination.

mydestination = $myhostname, localhost.$mydomain, $mydomain

mynetworks

The mynetworks parameter lists the trusted networks explicitly; clients on these networks are allowed to relay. For this setup the local machine and the private network are included.

mynetworks = 192.168.1.0/26 127.0.0.0/8

After configuring Postfix with these settings, stop and start the Postfix service:

service postfix stop
service postfix start

This restarts Postfix with the new configuration. From this point Postfix is ready to relay email generated by the Web Server to the public network.
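Since mynetworks is what decides which clients this relay will accept mail from for outside destinations, it is worth checking which addresses it admits before the firewall starts forwarding port 25 to the server. The following is an added example, not part of the original howto: a POSIX sh function that applies the howto's mynetworks value with the same CIDR matching Postfix uses and reports whether a given client address would be trusted to relay (a connection forwarded in from the Internet keeps its public source address, so it falls outside both blocks and is not granted relaying).

```shell
#!/bin/sh
# Added example (not from the howto): emulate Postfix's mynetworks match
# for the configuration used on this page.
MYNETWORKS="192.168.1.0/26 127.0.0.0/8"

# ip2int: convert a dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# relay_allowed CLIENT_IP: print "yes" if CLIENT_IP lies inside any
# mynetworks block (the client may relay), otherwise "no".
relay_allowed() {
    client=$(ip2int "$1")
    for cidr in $MYNETWORKS; do
        net=$(ip2int "${cidr%/*}")
        bits=${cidr#*/}
        # Build the netmask from the prefix length, kept to 32 bits.
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ $(( client & mask )) -eq $(( net & mask )) ]; then
            echo yes
            return 0
        fi
    done
    echo no
    return 0
}

# Sample clients (constructed from the addresses used in the howto):
# the Web Server, the loopback interface, a host just outside the /26,
# and an address on the public side of the firewall.
for ip in 192.168.1.2 127.0.0.1 192.168.1.70 63.63.63.34; do
    printf '%-14s relay: %s\n' "$ip" "$(relay_allowed "$ip")"
done
```

Anything reported "no" will still be accepted for the domains in mydestination, which is exactly the returned-mail case the howto describes, but it will not be relayed onwards.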

cam

Postfix Howto | 1 comment (1 topical, 0 editorial, 0 hidden)
Good to know (none / 0) (#1)
by Anonymous 7324 on Fri Nov 01, 2002 at 09:29:33 PM EST

from beginning to end. :) Thanks!
