Relaying from External Sources

dthompson

Back with another problem. I'm trying to setup another test and am having issues making this work.

I have the following:

External Mail Server: 1.1.1.1(WAN LOCATION OUTSIDE OF PMG SERVER LOCATION)
PMG Server : 2.2.2.2
Mail Server: 192.168.11.250


With the external mail server, I can send an email to any domains hosted on the server at 192.168.11.250 (internal network, same subnet as the PMG server).
However, from the external mail server, if I try and send an email to someone external, say at @yahoo.com, it gives me a relay access denied.
I'm trying to figure out what I need to do in order to resolve this issue.
I'm seeing this error in the logs when I try to send:

Feb 27 11:56:54 swarmx1 postfix/smtpd[986432]: Anonymous TLS connection established from unknown[1.1.1.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Feb 27 11:56:54 swarmx1 postfix/smtpd[986432]: NOQUEUE: reject: RCPT from unknown[1.1.1.1]: 554 5.7.1 <someone@yahoo.com>: Relay access denied; from=<myguy@mailhive.cloud> to=<someone@yahoo.com> proto=ESMTP helo=<axigen.mailhive.cloud>
Feb 27 11:56:54 swarmx1 postfix/smtpd[986432]: disconnect from unknown[1.1.1.1] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 noop=1 quit=1 commands=7/8

On the mail server that I'm testing I have it relay all mail through via the smart host. I've tried it with both port 25 / 26 as well as with and without auth using the "root" user on the PMG server, with the same results.

I'm not sure what I'm missing here. It's something to do with relay, but I'm confused as to why the existing ones work but the external site is failing.

Any help / pointers would be appreciated.
 
Update: I think I've figured it out. I added the smart host on the mail server to use port 26, the internal port, and now it's working after I restarted the mail server.

With that being said, what are the caveats with having port 26 open to the world?

I don't think it's something that would be wanted, and really only having port 25 open is ideal.
 
Found this thread; I am also needing to get this configured.
[attached image: mailgate.JPG]
Example network I think both @dthompson and I are trying to get done.

I was running into the same issue as you @dthompson: I could send and receive from Mailserver to External Mail Server, but sending to other domains from "External Mail Server" was not working. (I'll refer to external mail server as 'ext. mailserver' going forward.)

Here is the configuration I think is needed to get this to work, anyone and everyone feel free to chime in or tell me if I am wrong, missed something, etc:

Mail Gateway Configuration
  • Add ext. mailserver domain to "Relay Domains" in Configuration->Mail Proxy->Relay Domains
  • Add ext. mailserver domain to "Transports".
    • Relay Domain = ext. mailserver domain
    • Host = ext. mailserver IPv4 address (or fqdn?)
    • Protocol = smtp
    • Port = 25
    • Use MX = ?
  • Add ext. mailserver IPv4 address to "Trusted Networks" under "Networks"
  • Create "TLS Destination Policy" for ext. mailserver domain
  • Configure DKIM signing under "DKIM" for ext. mailserver domain
  • Do I need to enable "smarthost" under "Relaying" in this format?
DNS Configuration
  • Edit your ext. mailserver domain DNS zone
  • Add MX record pointing to your Mail Gateway
  • Add SPF record to permit your Mail Gateway to send/receive
  • Add TXT record with DKIM which was generated on Mail Gateway
  • Modify/Add your SRV and DMARC records if necessary
Ext. Mailserver Configuration (Postfix)
  • Find your main.cf configuration file for your ext. mailserver postfix server.
  • Make a backup of main.cf
  • Open and edit main.cf
  • Add:
    Code:
    relayhost=ipv4.address.of.mailgateway:26
    This assumes you are using the default ports configured under Configuration->Mail Proxy->Ports. Otherwise change port 26 to whatever port you have configured for your internal SMTP port on your Mail Gateway.
  • Do I have to add anything related to "smarthost" in Postfix? I feel like I'm definitely missing something in this config.
Firewall Configuration
I'm unsure here, but this is what I'm thinking:
  • Add a NAT rule, on Firewall1, to port-forward inbound traffic from your ext. mailserver Public IPv4 address (only) on port 26 to your Mail Gateway.
  • Add a rule on Firewall2 to only accept mail on port 25 from your Mail Gateway i.e. your Public IPv4 of your Mail Gateway.
ext. mailserver --->26--->Firewall2--->Internet--->Firewall1--->NAT port 26-->Mail Gateway

ext. mailserver <---25<---Firewall2<---Internet<---Firewall1<---25<---Mail Gateway


Hope this helps someone, let me know if anyone gets this to work.
 
You definitely shouldn't have it open to the world. Ensure your NAT/Port-Forwarding rule is configured so that it only permits traffic on port 26 from your external mail server. If any other address tries to send mail or traffic to port 26, your firewall should drop those packets/traffic.
 
Sorry for digging this thread out, I have a similar situation. Is the postfix mynetworks (main.cf) + smtpd_recipient_restrictions=permit_mynetworks (master.cf) not sufficient to open port 26 from outside? Thanks in advance.
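The "Relay access denied" line in the first post and the mynetworks / permit_mynetworks question above come down to the same Postfix decision, modelled here as an added Python example (not code from this thread, from Postfix, or from Proxmox Mail Gateway). It assumes the simplified restriction order permit_mynetworks followed by reject_unauth_destination; the 192.168.11.0/24 range and the hosted.example domain are constructed stand-ins for the gateway's LAN and for the domains hosted on 192.168.11.250, and the sample log line is the reject line quoted in the first post.

```python
# Added example, not code from the thread or from Proxmox Mail Gateway.
# Models the Postfix relay decision behind "554 5.7.1 Relay access denied":
# clients inside mynetworks may relay anywhere; everyone else may only
# deliver to domains the gateway accepts mail for (permit_mynetworks,
# then reject_unauth_destination). Network and domain values are constructed.
import ipaddress
import re

# Constructed: the gateway's LAN, since 192.168.11.250 sits on it in the thread.
MYNETWORKS = ["127.0.0.0/8", "192.168.11.0/24"]
# Constructed placeholder for the domains hosted on the internal mail server.
RELAY_DOMAINS = {"hosted.example"}

# The reject line quoted in the first post, used here as sample input.
SAMPLE_LOG = (
    "Feb 27 11:56:54 swarmx1 postfix/smtpd[986432]: NOQUEUE: reject: RCPT from "
    "unknown[1.1.1.1]: 554 5.7.1 <someone@yahoo.com>: Relay access denied; "
    "from=<myguy@mailhive.cloud> to=<someone@yahoo.com> proto=ESMTP "
    "helo=<axigen.mailhive.cloud>"
)

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3} [\d.]+) <(?P<rcpt>[^>]+)>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)>"
)


def parse_reject(line):
    """Extract client IP, recipient, sender and reason from a smtpd reject line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True if client_ip falls inside any CIDR listed in mynetworks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def relay_decision(client_ip, recipient, networks=MYNETWORKS,
                   relay_domains=RELAY_DOMAINS):
    """Return the restriction that decides the RCPT command, in Postfix order."""
    if in_mynetworks(client_ip, networks):
        return "permit_mynetworks"          # trusted network: relay anywhere
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in relay_domains:
        return "permit_auth_destination"    # we accept mail for this domain
    return "reject_unauth_destination"      # -> 554 5.7.1 Relay access denied


def explain(line, networks=MYNETWORKS, relay_domains=RELAY_DOMAINS):
    """Re-evaluate a logged reject against a candidate configuration."""
    r = parse_reject(line)
    if r is None:
        return None
    return relay_decision(r["ip"], r["rcpt"], networks, relay_domains)


if __name__ == "__main__":
    r = parse_reject(SAMPLE_LOG)
    print(f"{r['ip']} -> {r['rcpt']}: {r['reason']}")
    # As logged: external client, external recipient -> rejected.
    print("current config:", explain(SAMPLE_LOG))
    # Same client delivering to a hosted domain is accepted, which is why
    # the thread's "existing ones work".
    print("to hosted domain:", relay_decision("1.1.1.1", "bob@hosted.example"))
    # After trusting the external server's address (the thread's fix) it may
    # relay to any destination, so the firewall must limit who can reach the
    # internal port at all.
    widened = MYNETWORKS + ["1.1.1.1/32"]
    print("after trusting 1.1.1.1:", explain(SAMPLE_LOG, networks=widened))
```

The two lists correspond to the gateway's "Trusted Networks" and "Relay Domains" settings from the checklist above. Adding the external server's address to the trusted list is what makes the reject go away, and it is also why the later replies insist on firewalling the internal port: once an address is trusted, anything that can connect from it relays to any destination, so mynetworks alone is not a substitute for restricting who can reach port 26.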
 
