Restricting who can use the server for relay
You currently accept any message for any destination with your

    smtpd_relay_restrictions = permit_mynetworks
    mynetworks = 0.0.0.0/0
If you have an IP address 192.0.2.10 and a network 198.51.100.0/24 that alone should be allowed to use this email gateway for relay, you would use:

    mynetworks = 192.0.2.10/32 198.51.100.0/24
You could also use SASL authentication for access control.
Relaying all mail for certain domains

Postfix has relay_domains to control...

> What destination domains (and subdomains thereof) this system will relay mail to. For details about how the relay_domains value is used, see the description of the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.
Knowing this, you could use

    smtpd_relay_restrictions =
        permit_auth_destination,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject

or

    smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

with

    relay_domains = example.com
    relayhost = [example-com.mail.protection.outlook.com]
The mynetworks (and/or SASL authentication) configured previously prevents others from using this gateway for all destinations, but relay_domains accepts any messages for the configured domains.
Restricting sender domain
The old Symantec Messaging Gateway additionally restricted access per sender domain. In Postfix, this could be restricted on two different levels.
Envelope sender
The domains used in the SMTP MAIL FROM command (RFC 5321, 4.1.1.2) can be restricted using check_sender_access from smtpd_sender_restrictions. The restrictions from previous phases can be applied in later ones, so this can be applied within smtpd_relay_restrictions or smtpd_recipient_restrictions, keeping in mind that...

> As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.
This would be added as, e.g.,

    smtpd_relay_restrictions =
        check_sender_access regexp:/etc/postfix/sender_access

with /etc/postfix/sender_access containing

    # DUNNO passes a matching sender on to the next restriction; OK would
    # permit the relay outright, before any client or destination check runs.
    /@example\.com$/ DUNNO
    // REJECT Relay allowed only from our domain.
Header sender
The sender address that the mail user agent (MUA) shows to the user is not the envelope sender, but the From header from the Internet Message Format Originator Fields (RFC 5322, 3.6.2). As an email header, it could be restricted using header_checks. The following configuration requires Postfix PCRE support, which comes with the Debian package postfix-pcre.

    header_checks = pcre:/etc/postfix/header_checks

where the file contains:

    if /^From:/
    !/^From: .*@example\.com/ REJECT Relay allowed only from our domain.
    endif
Putting these together
Putting all the previous together, it is possible to build a configuration that works similarly to the old setup with the Symantec Messaging Gateway. In main.cf:

    mynetworks = 192.0.2.10/32 198.51.100.0/24
    relay_domains = example.com
    relayhost = [example-com.mail.protection.outlook.com]
    header_checks = pcre:/etc/postfix/header_checks
    # permit_auth_destination explicitly permits mail for relay_domains;
    # reject_unauth_destination only ever rejects, so following it with a
    # bare reject would reject the relay_domains recipients as well.
    smtpd_relay_restrictions =
        check_sender_access regexp:/etc/postfix/sender_access,
        permit_mynetworks,
        permit_sasl_authenticated,
        permit_auth_destination,
        reject
This allows all messages meeting the following criteria and rejects the rest:

- the envelope sender is *@example.com AND
- the From header has *@example.com AND
- any of these:
  - the recipient is *@example.com OR
  - the client IP is 192.0.2.10 OR
  - the client IP is in network 198.51.100.0/24

The accepted messages are relayed to the smart host example-com.mail.protection.outlook.com.
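A constructed Python model of the restriction-list evaluation described above, added here and not part of the original answer: it assumes the mynetworks, relay_domains and sender_access values from this configuration and simplifies Postfix's matching to a regex search on the envelope sender and a domain-suffix test on the recipient.

```python
import ipaddress
import re
# Constructed model of Postfix restriction-list evaluation (not Postfix code):
# first "permit"/"reject" decides, "dunno" hands over, an exhausted list permits.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]
RELAY_DOMAINS = ("example.com",)
ACTIONS = {"OK": "permit", "DUNNO": "dunno", "REJECT": "reject"}

def check_sender_access(table):
    """regexp: access table; the first pattern matching the envelope sender wins."""
    compiled = [(re.compile(pat, re.I), ACTIONS[act]) for pat, act in table]
    def restriction(tx):
        return next((v for pat, v in compiled if pat.search(tx["sender"])), "dunno")
    return restriction

def permit_mynetworks(tx):
    ip = ipaddress.ip_address(tx["client"])
    return "permit" if any(ip in net for net in MYNETWORKS) else "dunno"

def permit_sasl_authenticated(tx):
    return "permit" if tx.get("sasl") else "dunno"

def is_auth_destination(tx):
    # relay_domains matches the listed domain and its subdomains by default
    domain = tx["recipient"].rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in RELAY_DOMAINS)

def permit_auth_destination(tx):
    return "permit" if is_auth_destination(tx) else "dunno"

def reject_unauth_destination(tx):
    # only ever rejects: an authorized destination yields "dunno", never "permit"
    return "dunno" if is_auth_destination(tx) else "reject"

def reject(tx):
    return "reject"

def evaluate(restrictions, tx):
    for restriction in restrictions:
        verdict = restriction(tx)
        if verdict != "dunno":
            return verdict
    return "permit"

# sender_access as in the answer (DUNNO) and the same table with OK for comparison
SENDER_DUNNO = [(r"@example\.com$", "DUNNO"), (r"", "REJECT")]
SENDER_OK = [(r"@example\.com$", "OK"), (r"", "REJECT")]
TAIL = [permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject]
RELAY = [check_sender_access(SENDER_DUNNO)] + TAIL      # the combined main.cf policy
RELAY_WITH_OK = [check_sender_access(SENDER_OK)] + TAIL  # OK short-circuits the list
```

Evaluating RELAY_WITH_OK instead of RELAY shows why the table uses DUNNO: an @example.com envelope sender from any client to any recipient is permitted before the client and destination checks run.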
Microsoft 365 considerations
By default, example-com.mail.protection.outlook.com only accepts mail (from the Internet) for example.com. See Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers.
A connector from your own email server to Office 365
> When this connector is set up, Microsoft 365 or Office 365 accepts messages from your organization's email server and sends the messages to recipients on your behalf. This recipient could be a mailbox for your organization in Microsoft 365 or Office 365, or it could be a recipient on the internet. To complete this scenario, you'll also need to configure your email server to send email messages directly to Microsoft 365 or Office 365.
The Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365 has two options for authenticating your server:

- Choose either of the two options between
  - By verifying that the subject name on the certificate that the sending server uses to authenticate with Office 365 matches the domain entered in the text box below (recommended) and
  - By verifying that the IP address of the sending server matches one of the following IP addresses, which belong exclusively to your organization.
This connector enables example-com.mail.protection.outlook.com to work as a smart host SMTP relay for your email gateway.