Relay ALL email to PMG, even local email: possible?

Jul 23, 2019
Greetings,

My postfix SMTP server hosts several virtual domains.

Now I am trying to set up postfix to route ALL my email to Proxmox Mail Gateway.

Simply putting:

relayhost = [pmg-address]:26

in main.cf, almost does the trick: emails sent from a local domain to another local domain are successfully delivered. Unfortunately, they are not relayed to PMG.

Instead, I want PMG to get all email traffic; otherwise local to local email is not filtered (spam, virus) and not counted in statistics.

Of course I could add outbound anti-spam/virus filtering to the postfix server, but this is not what I want.
Setting up a postfix server without filters and protection of any kind, will lower the burden of managing several machines behind the same gateway, and simplifies the complexity of the setup in general.

Any advice?

Thanks in advance for any support you will offer.
 
While the use case sounds simple it is something which is probably not too easy to implement - put shortly - mailservers know for which domains they are responsible and deliver mail for them locally (it takes a different path through the smtp-server).

What could potentially work (haven't tested it and can only refer to the postfix docs): set up 2 postfix smtpd instances (via master.cf)
* one that does not know anything about the local domains (there all your outbound mail should be directed) - this one relays the mail to pmg
* one that does know about the local domains (on some high port) - this is what you enter in pmg's transport entry

keep in mind that everybody/everything that can reach the second smtpd instance can send mails to you without scanning (you could restrict that in postfix or via iptables on your mail server)
see the postfix docs:
http://www.postfix.org/FILTER_README.html
http://www.postfix.org/SMTPD_PROXY_README.html
http://www.postfix.org/SMTPD_ACCESS_README.html

(also take a look at the /etc/postfix/master.cf as rendered by PMG - it uses a similar concept)

one further alternative might be to use postfix header_checks (described in the howtos above) - to forward mail to PMG for content_filtering if some header is not present in the mail - and have a rule inside PMG add that header (this of course can be circumvented by someone, if they simply add that header)

I hope this helps!
 
In the two cases above, Postfix could know nothing about local domains only in the submission instance (tcp/587, sasl authenticated), what do you think?

In master.cf of the SMTP server, I guess there should be something to override the local domains checks, stated in main.cf.

I've never done anything like that before… does it make sense to you?

TIA
 
> Postfix could know nothing about local domains only in the submission instance (tcp/587, sasl authenticated), what do you think?

sounds like a good idea - however if you let the regular postfix on port 25 know about the local domains this means that if someone configured their smtp-server to use port 25 instead of 587 they would bypass the PMG

I think I would rather configure a dedicated listener on a high port where PMG sends the mails to - this way you could:
* firewall access to the high port so it is only accessible from PMG's ip
* circumventing it would have to be with intention instead of forgetting to set port 587

> I've never done anything like that before… does it make sense to you?

Me neither - but it sounds like it should be doable - best try it out and if you run into problems - post the logs from the postfix servers

I hope this helps!
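
Added example, not part of any post in this thread and not Proxmox or Postfix code: a small audit of a master.cf that flags smtpd listeners which would accept mail without it having passed through PMG, the risk raised in the replies above. The sample master.cf, the ports 10025/10026, the address 192.0.2.10 and the rule that a listener counts as locked only when it overrides `mynetworks` to the PMG address and sets `smtpd_client_restrictions=permit_mynetworks,reject` are assumptions; firewall rules are not visible to this check.

```python
import shlex

# Constructed master.cf fragment (not from the thread). 10025 and 10026 are
# hypothetical high-port listeners; 192.0.2.10 stands in for the PMG address.
SAMPLE_MASTER_CF = """\
smtp        inet  n  -  y  -  -  smtpd
submission  inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
10025       inet  n  -  y  -  -  smtpd
  -o mynetworks=192.0.2.10/32
  -o smtpd_client_restrictions=permit_mynetworks,reject
10026       inet  n  -  y  -  -  smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""

def parse_master_cf(text):
    """Return (service, type, command, {override: value}) per logical line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:   # continuation of the previous entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    entries = []
    for entry in logical:
        f = shlex.split(entry)
        if len(f) < 8:
            continue                        # not a complete service entry
        args, opts = f[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o":                # per-service main.cf override
                name, _, val = value.partition("=")
                opts[name] = val
        entries.append((f[0], f[1], f[7], opts))
    return entries

def listeners_bypassing_pmg(text, pmg_ip, exempt=("submission", "587")):
    """smtpd inet listeners, other than `exempt`, not locked to the PMG address."""
    findings = []
    for service, stype, command, opts in parse_master_cf(text):
        if stype != "inet" or command != "smtpd" or service in exempt:
            continue
        nets = opts.get("mynetworks", "").replace(",", " ").split()
        only_pmg = bool(nets) and all(n in (pmg_ip, pmg_ip + "/32") for n in nets)
        restr = opts.get("smtpd_client_restrictions", "").replace(" ", "")
        if not (only_pmg and restr == "permit_mynetworks,reject"):
            findings.append(service)
    return findings
```

On the sample, the plain port 25 listener and 10026 are reported; `exempt` names the listener that is meant to take client submissions and relay them to PMG.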
 
