Postfix Store and Forward Howto With Anti-Spam Configuration

A Postfix store and forward configuration is needed when setting up a secondary MTA. If your primary MTA is down, mail is delivered to the secondary "store and forward" Postfix server instead. As the name implies, all emails are received and stored locally until your primary MTA comes back online, and are then forwarded to it.

Motivation

The main reasons we want a store and forward server are:

  • Redundancy - Even though MTAs keep retrying to send emails while the destination is unreachable, the mail sits in the sender's queue and the sender may be notified of the delay. With a "store and forward" Postfix server we have a host that acts as a failover. It happily receives emails and stores them, waiting for your primary MTA to become reachable again.
  • Security - Using a store and forward server, you can hide your internal mail system from the internet. Your store and forward instances can also be placed in high bandwidth datacenters which can absorb spam traffic, while keeping your main MTA in your office, knowing that the mail arriving at it has already passed the filters.
  • Load Distribution - Your store and forward servers can be configured to filter emails, remove spam, run antivirus etc. before accepting to forward an email.

DNS Configuration

Mail for a domain is routed by its MX records. Take cisco.com for example. If I run "dig mx cisco.com" I get the following answer:

;; ANSWER SECTION:
cisco.com.		86400	IN	MX	30 aer-mx-01.cisco.com.
cisco.com.		86400	IN	MX	10 alln-mx-01.cisco.com.

This means cisco has three public MTAs. These may or may not be store and forward servers, but all we need to know is that, according to the preference numbers in the 5th column (the lowest value is tried first), alln-mx-01.cisco.com (10) is the first MTA to be tried, and if it is not reachable then aer-mx-01.cisco.com (30) is tried next.

So as an email admin, you have to create MX records for your domain in the same manner: the primary MTA with the lowest preference value and the store and forward server with a higher one.

Enough Talk and Let's Install/Configure Postfix Already!

In this example, mail.jnvilo.com is my primary MTA and mail-store.jnvilo.com is the new Postfix store and forward server that we are building. Thus we should have the DNS MX records as:

;; ANSWER SECTION:
jnvilo.com.		86400	IN	MX	10 mail.jnvilo.com.
jnvilo.com.		86400	IN	MX	20 mail-store.jnvilo.com.

Also, mail.jnvilo.com handles email for maltacentral.com and rpmbrew.com.

1. Install the OS and the required packages.

I am going to be installing on a CentOS 7.0 server. Install instructions are out of scope, but to ensure that you can repeat my steps, I did the following:

yum -y update   # always update the server first

Use your favourite editor [in my case vi] to edit /etc/selinux/config and disable SELinux for now. You can enable it again once you know everything is working, and set up your SELinux rules to fix any denials. (Setting SELINUX=permissive instead of disabled keeps logging the denials without blocking anything, which makes those rules easier to write later.)

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

and change the line:

SELINUX=enforcing

to:

SELINUX=disabled

The change in /etc/selinux/config takes effect at the next reboot.

Ensure that /etc/hosts contains the IP address and name of the server:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.1   mail-store.jnvilo.com  mail-store

And also ensure that hostname is set properly.

[root@mail-store ~]$ hostname 
mail-store.jnvilo.com

CentOS 7 ships with firewalld, which may have incoming port 25/tcp (the smtp service) closed. Make sure it is open, otherwise no remote MTA can reach mail-store.

2. Install the required packages.

yum -y install postfix 
systemctl enable postfix
systemctl restart postfix

3. Postfix Configuration as Store and Forward MTA

3.1 Configure mail-store - We assume that the main mail server is already up and running, so here we only configure the store and forward host.

Open /etc/postfix/main.cf in your favorite editor [vi or emacs or nano or pico] and set the following parameters. relay_domains lists the domains for which this host is a backup MX; relay_recipient_maps lists the valid addresses in those domains, so that mail for nonexistent users is rejected during the SMTP session instead of being queued and bounced later (backscatter). No transport map is needed: Postfix delivers relayed mail by looking up the domain's MX records and skips MX hosts with a preference equal to or worse than its own, so the queue drains to mail.jnvilo.com as soon as it is reachable.

relay_domains = jnvilo.com, cyberciti.com, $mydestination
relay_recipient_maps = hash:/etc/postfix/relay_recipients

3.2 Create the allowed recipients:

Create /etc/postfix/relay_recipients with one line per valid address. Every address in every domain listed in relay_domains must appear here (the example below only covers jnvilo.com); mail to a relayed domain that has no entries is rejected with "User unknown in relay recipient table".

admin@jnvilo.com    OK
user1@jnvilo.com     OK
foo@jnvilo.com         OK

Save and close the file, then build the lookup table. Repeat this after every edit, since smtpd reads the .db file, not the text file:

postmap hash:/etc/postfix/relay_recipients
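As an added check (example code written for this howto's layout, not part of the original), the script below verifies that relay_domains and /etc/postfix/relay_recipients agree with each other and that postmap has been run since the last edit; it assumes the "address  OK" file format shown above and the default hash: map type.

```sh
#!/bin/sh
# Consistency check for relay_domains and relay_recipients on the store and forward host.
# Added example, not part of the original howto. It checks that:
#   1. every domain in relay_domains has at least one entry in the recipients file
#      (otherwise ALL mail for that domain is rejected "User unknown in relay recipient table"),
#   2. every listed recipient belongs to a relayed domain (entries for other domains are never
#      consulted, because reject_unauth_destination refuses that mail first),
#   3. the hash .db file is not older than its source (postmap was run after the last edit).
# Usage on the server:
#   check_relay_maps "$(postconf -h relay_domains)" /etc/postfix/relay_recipients

# Print the domains of a relay_domains value one per line, dropping $mydestination and
# any other $variable reference (expand those with "postconf -x" if you need them).
relay_domains_list() {
    printf '%s\n' "$1" |
        awk -F'[, ]+' '{ for (i = 1; i <= NF; i++) if ($i != "" && $i !~ /^[$]/) print $i }'
}

# Print the domain part of every address in a relay_recipients file ("address  OK" lines,
# comments and blank lines ignored), one per line, unique.
recipient_domains() {
    awk '/^[[:space:]]*#/ { next }
         NF >= 2 && $1 ~ /@/ { sub(/^.*@/, "", $1); print $1 }' "$1" | sort -u
}

# Returns 0 when the two agree and the .db is current, 1 otherwise (problems on stdout).
check_relay_maps() {
    domains=$(relay_domains_list "$1")
    rcpt_domains=$(recipient_domains "$2")
    rc=0
    for d in $domains; do
        if ! printf '%s\n' "$rcpt_domains" | grep -qx "$d"; then
            echo "no recipients listed for relay domain $d"; rc=1
        fi
    done
    for d in $rcpt_domains; do
        if ! printf '%s\n' "$domains" | grep -qx "$d"; then
            echo "recipient domain $d is not in relay_domains"; rc=1
        fi
    done
    # smtpd uses the .db, so a text file newer than it means postmap was forgotten
    if [ -e "$2.db" ] && [ "$2" -nt "$2.db" ]; then
        echo "$2 is newer than $2.db: run postmap hash:$2"; rc=1
    fi
    return $rc
}
```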

4. Anti-Spam

Edit /etc/postfix/main.cf and add the following lines. The restrictions are evaluated from left to right for each RCPT TO, and the first one that returns permit or reject ends the evaluation, which is why permit_mynetworks comes first. reject_unauth_destination is the rule that refuses to relay for domains that are neither local nor in relay_domains; without it (or its equivalent in smtpd_relay_restrictions on Postfix 2.10 and later) the host is an open relay. reject_non_fqdn_hostname and reject_invalid_hostname are the older names of reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname; both forms are still accepted.

# Evaluated in order; the first permit or reject decides.
# reject_unauth_destination is what stops this host from being an open relay.
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname,
  reject_rbl_client zen.spamhaus.org
# require HELO/EHLO before MAIL FROM
smtpd_helo_required = yes
# disable the VRFY command (stops address harvesting)
disable_vrfy_command = yes
# reject clients that send commands before waiting for our reply
smtpd_data_restrictions =
  reject_unauth_pipelining,
  permit

Make sure to reload postfix to ensure changes are read.

systemctl reload postfix
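As an added example (not from the original howto), the script below audits the order of an smtpd_recipient_restrictions value as printed by "postconf -h", catching a bare permit placed before reject_unauth_destination; the word positions it reports come from its own counting and are an assumption of the script, not Postfix output.

```sh
#!/bin/sh
# Order audit for smtpd_recipient_restrictions. Added example, not part of the original howto.
# Postfix evaluates the list left to right and stops at the first permit or reject, so a list
# that contains reject_unauth_destination can still be an open relay if a bare "permit" comes
# first. Postfix refuses to start without any relay control, but it does not catch bad ordering.
# Usage on the server:
#   audit_recipient_restrictions "$(postconf -h smtpd_recipient_restrictions)"

# Print the 1-based word position of restriction $2 in list $1; prints nothing when absent.
restriction_pos() {
    printf '%s\n' "$1" | tr ',' ' ' |
        awk -v want="$2" '{ for (i = 1; i <= NF; i++) if ($i == want) { print i; exit } }'
}

# Returns 0 when the ordering is safe, 1 when a problem is found (described on stdout).
audit_recipient_restrictions() {
    unauth=$(restriction_pos "$1" reject_unauth_destination); unauth=${unauth:-0}
    permit=$(restriction_pos "$1" permit);                    permit=${permit:-0}
    mynets=$(restriction_pos "$1" permit_mynetworks);         mynets=${mynets:-0}
    rbl=$(restriction_pos "$1" reject_rbl_client);            rbl=${rbl:-0}
    rc=0
    if [ "$unauth" -eq 0 ]; then
        # relay control may instead live in smtpd_relay_restrictions (Postfix 2.10 and later);
        # this audit only looks at the list the howto configures
        echo "reject_unauth_destination is missing from smtpd_recipient_restrictions"; rc=1
    elif [ "$permit" -ne 0 ] && [ "$permit" -lt "$unauth" ]; then
        echo "bare permit (word $permit) precedes reject_unauth_destination (word $unauth): open relay"; rc=1
    fi
    if [ "$rbl" -ne 0 ] && [ "$mynets" -ne 0 ] && [ "$rbl" -lt "$mynets" ]; then
        echo "reject_rbl_client (word $rbl) runs before permit_mynetworks (word $mynets): your own hosts are DNSBL-checked"; rc=1
    fi
    return $rc
}
```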