Use Cases | Use an external mailserver as inbound and outbound relay

Introduction

Sometimes it's useful to have a public "relay-only" mailserver that forwards all inbound mail to a private DMS instance and relays all outbound mail from that instance on to the receiving mailservers. There are a few reasons for this setup:

  • I don't want to have my private mail lying around on a VPS.
  • I want to be able to quickly move from one VPS to another without having to carry all my mail around.
  • etc.

The following guide assumes you have a public server with a static IP at a hosting provider of your choice; this server will not have any local mailboxes. It also assumes you have a private server, e.g. at home or somewhere else, which will host DMS. Furthermore, this example assumes a VPN connection between both servers to keep things simple (mail between the two hosts then never crosses the public internet in the clear, and the public host can trust the VPN range). How to set that up is out of scope; there are a lot of guides online.

DNS setup

We will briefly go through the DNS part of the setup. It is the same as the generally recommended setup for any mailserver. Let's assume our public server has the publicly reachable IP address 123.123.123.123 and the hostname mail.example.com. Set your A, MX and PTR records as you would for DMS:

$ORIGIN example.com
@     IN  A      123.123.123.123
mail  IN  A      123.123.123.123

; mail server for example.com
@     IN  MX  10 mail.example.com.

And the associated PTR record for 123.123.123.123 pointing back to mail.example.com. SPF records should also be set up as you normally would; note that the SPF record for example.com must authorize 123.123.123.123 (and the smarthost, if you use one further down), because that is where receiving servers see your outbound mail coming from, not the private DMS host.

Public host postfix setup

Now we need to install Postfix on your public host. The functionality needed for this setup is not yet implemented in DMS, so a vanilla Postfix install is easier to work with, especially since this server only acts as an inbound and outbound relay. Some settings need adjusting. We will assume the VPN is set up on 192.168.2.0/24, with the public instance using 192.168.2.2 and the private instance 192.168.2.3. Let's start with main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

myorigin = example.com
# No local delivery at all: only localhost counts as "ours", no local
# recipients exist, and any attempt at local delivery is bounced.
mydestination = localhost
local_recipient_maps =
local_transport = error:local mail delivery is disabled

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters (use a proper certificate for mail.example.com)
smtpd_tls_cert_file=/etc/postfix/certificates/mail.example.com.crt
smtpd_tls_key_file=/etc/postfix/certificates/mail.example.com.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Relay for trusted networks (the VPN) or SASL-authenticated clients only;
# everyone else may only deliver to the relay domains listed below.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Where each domain is delivered to, and which domains we accept inbound for
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination, hash:/etc/postfix/relay
# Loopback plus the VPN range ONLY; a public CIDR here makes this an open relay
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
maillog_file = /var/log/postfix.log

Let's highlight some of the important parts. Remove any mention of mail.example.com from mydestination; in fact you can just set it to localhost or leave it empty, since we want all mail to be relayed and nothing delivered locally. For good measure, also set local_recipient_maps to an empty value and point local_transport at the error transport, so nothing can end up in a local mailbox on the public host. I'll skip over the TLS parts; you should use a proper certificate for mail.example.com. You can also harden the host as you see fit. Important are transport_maps = hash:/etc/postfix/transport and relay_domains = $mydestination, hash:/etc/postfix/relay, which I will show in a second. Furthermore, mynetworks must contain your VPN network, because permit_mynetworks in smtpd_relay_restrictions is what lets the private instance relay outbound mail through this host.

!!! warning Open relay Please be aware that setting mynetworks to a public CIDR will leave you with an open relay: every client in that range may relay to any destination. Only add the CIDR of your VPN to the localhost ranges, nothing else.

Let's look at /etc/postfix/transport:

example.com relay:[192.168.2.3]:25

The transport file specifies which relay each domain uses. If you have multiple domains, add them there too. If you use a smarthost, add * relay:[X.X.X.X]:port at the bottom, e.g. * relay:[relay1.org]:587, which relays everything not matched by an earlier line outbound via that host (in transport_maps, * is the documented catch-all entry). A smarthost on port 587 will normally require SASL credentials and TLS, which you configure on the public host with smtp_sasl_auth_enable, smtp_sasl_password_maps and smtp_tls_security_level in the usual way. /etc/postfix/relay looks like this:

example.com   OK
*             OK

This file specifies which domains are accepted for relaying (relay_domains). We want example.com to be relayed inbound and everything else to be relayed outbound. Note that, unlike transport_maps, relay_domains has no catch-all meaning for * in a hash table, so the second line does not turn every domain into a relay domain; outbound mail from the private instance is accepted because its VPN address is in mynetworks (permit_mynetworks), not because of this line. That is the behaviour you want: if * matched every destination, defer_unauth_destination would let anyone relay through this host and it would be an open relay. Run postmap /etc/postfix/transport and postmap /etc/postfix/relay (and again after every edit) so the files become usable by Postfix. With that the public server is done.
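As an added example (not part of the original guide or of docker-mailserver itself), here is a small POSIX-sh lint that re-checks the public relay's main.cf for the points discussed above, using the same settings as the file shown earlier. The two configuration snippets inside it are constructed for the example (a correct one and a deliberately broken one); the parameter names are real Postfix ones, but the check logic is this example's own, not something Postfix or DMS ships:

```shell
#!/bin/sh
# Added example (not from the docker-mailserver docs or project): a POSIX-sh
# lint for the public relay's main.cf. It checks the points the guide
# highlights: no local delivery, mydestination without our own hostname,
# {defer,reject}_unauth_destination present, and mynetworks limited to
# loopback and private (VPN) ranges. Parameter names are real Postfix ones;
# the two config snippets below are constructed for this example.

# Constructed: the settings from the main.cf shown above that matter here.
RELAY_MAINCF='myhostname = mail.example.com
mydestination = localhost
local_recipient_maps =
local_transport = error:local mail delivery is disabled
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination, hash:/etc/postfix/relay
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24'

# Constructed: the same host misconfigured in the ways the warning describes
# (delivers locally, no unauth_destination check, and a public mynetworks).
BAD_MAINCF='myhostname = mail.example.com
mydestination = localhost, mail.example.com
local_transport = local:$myhostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
mynetworks = 127.0.0.0/8 0.0.0.0/0'

# pf_get CONFIG NAME: value of a main.cf parameter; the last assignment wins,
# as in Postfix. Prints nothing when the parameter is not set.
pf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# is_private_cidr ENTRY: true for a mynetworks entry that lies entirely inside
# loopback, RFC 1918, IPv4-mapped loopback, link-local or ULA space. The prefix
# length is checked too, so 10.0.0.0/7 (which also covers 11.0.0.0/8) fails.
is_private_cidr() {
    a=${1#\[}; a=${a%%\]*}; a=${a%%/*}          # address without [] and /len
    p=${1##*/}; [ "$p" = "$1" ] && p=128        # no /len given: a single host
    case $p in ''|*[!0-9]*) return 1 ;; esac    # malformed prefix length
    case $a in
        127.*)                                 [ "$p" -ge 8 ] ;;
        10.*)                                  [ "$p" -ge 8 ] ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) [ "$p" -ge 12 ] ;;
        192.168.*)                             [ "$p" -ge 16 ] ;;
        ::1)                                   [ "$p" -ge 128 ] ;;
        ::ffff:127.*)                          [ "$p" -ge 104 ] ;;
        fe80:*)                                [ "$p" -ge 10 ] ;;
        fc*|fd*)                               [ "$p" -ge 7 ] ;;
        *)                                     false ;;
    esac
}

# check_mynetworks VALUE: fails if any entry could grant relaying to the
# public internet (permit_mynetworks trusts every listed network). Runs in a
# subshell so "set -f" (no globbing of entries like [::1]/128) stays local.
check_mynetworks() (
    set -f
    bad=0
    for n in $(printf '%s' "$1" | tr ',' ' '); do
        if ! is_private_cidr "$n"; then
            echo "FAIL: mynetworks entry '$n' is not loopback/private: open relay" >&2
            bad=1
        fi
    done
    exit $bad
)

# check_relay_config CONFIG: runs all checks, returns the number of failures.
check_relay_config() {
    conf=$1; fails=0
    host=$(pf_get "$conf" myhostname)
    dest=$(pf_get "$conf" mydestination | tr ',' ' ')
    case " $dest " in
        *" $host "*) echo "FAIL: mydestination lists $host; its mail would be delivered locally, not relayed" >&2
                     fails=$((fails + 1)) ;;
    esac
    case $(pf_get "$conf" local_transport) in
        error:*) ;;
        *) echo "FAIL: local_transport does not reject local delivery" >&2; fails=$((fails + 1)) ;;
    esac
    case " $(pf_get "$conf" smtpd_relay_restrictions) " in
        *" defer_unauth_destination "*|*" reject_unauth_destination "*) ;;
        *) echo "FAIL: smtpd_relay_restrictions lacks defer/reject_unauth_destination" >&2
           fails=$((fails + 1)) ;;
    esac
    check_mynetworks "$(pf_get "$conf" mynetworks)" || fails=$((fails + 1))
    return $fails
}

# Stand-alone run against the good config.
check_relay_config "$RELAY_MAINCF" && echo "public relay main.cf: OK"
```

To run it against a live host use check_relay_config "$(postconf -n)" or check_relay_config "$(cat /etc/postfix/main.cf)"; a zero exit status means every check passed, otherwise each failure is printed to stderr. It only reads the flat main.cf text, so per-service -o overrides in master.cf are not seen.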

Private DMS instance

You can set up your DMS instance as you normally would. Just be careful not to give it the hostname mail.example.com: that name is the public relay's identity (its certificate, PTR and HELO name), so give the private instance its own name such as internal-mail.example.com. DKIM can be set up as usual, since the signature covers the message body and the signed headers, and our public relay only adds its own Received header without changing either. Set DKIM up for example.com on the private instance as you normally would (with DMS's default selector the DNS record is mail._domainkey.example.com). Next we need to configure the outbound relay from our private instance, so that all mail is sent out via our public instance (or from there towards a smarthost). The setup is similar to the default relay setup. postfix-relaymap.cf looks like:

@example.com  [192.168.2.2]:25

meaning all mail sent by @example.com senders gets relayed via the public instance through our VPN. You can also set postfix-sasl-password.cf like

@example.com user:secret

The username and password don't matter here, since the public instance trusts the VPN range via mynetworks. You can, however, configure a proper SASL account with credentials, either for added protection or instead of a VPN. If you do the latter, the public host must enable SMTP AUTH on its smtpd (smtpd_sasl_auth_enable) and should only offer it over TLS (smtpd_tls_auth_only), and the private side should require TLS for the hop (smtp_tls_security_level = encrypt), otherwise the credentials travel in the clear over the internet. Furthermore we need to create postfix-main.cf with

mynetworks = 192.168.2.0/24

so that the relay towards our private instance from the public instance via the VPN is accepted. Note that this replaces the mynetworks value DMS would otherwise set, so keep the loopback ranges in the list if you need them (as in the public host's main.cf above). You can also use SASL of course. And with that everything is done.

IMAP/POP3

IMAP and POP3 need to point towards your private instance, since that is where the mailboxes live, which means you need a way for your MUA to reach it: e.g. over the same VPN, or by publishing the private instance's own hostname (internal-mail.example.com) with a matching certificate. The public relay has no mailboxes and should not expose IMAP or POP3 at all.