
We are moving from an old Symantec Messaging Gateway to a Debian/Postfix machine.

The rules in Symantec are these:

- From the local domain to the same domain: accept from all, then relay all to the outlook.com server.

- From the local domain to a non-local domain: accept only from specific IP addresses, then relay all to the outlook.com 365 server.

The part "relay all to outlook.com" is done, but I can't understand how to filter by IP for the second rule.

Here is my actual main.cf:

inet_protocols = ipv4
myorigin = /etc/mailname
alias_maps = hash:/etc/aliases
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
myhostname = xxx.yyy.it
mynetworks = 0.0.0.0/0
mailbox_size_limit = 0
recipient_delimiter = +
mynetworks_style = subnet

relayhost = [zzz.mail.protection.outlook.com]
mydestination =

Thanks

  • I don't think this is possible using the standard config. But straightforward if you split the relay only and local delivery across different hosts. I would strongly encourage you to use SASL authentication as a mechanism for validating clients rather than an arbitrary list of IP addresses.
    – symcbean
    Dec 2 at 1:18

1 Answer


Restricting who can use the server for relay

You currently accept any message for any destination with your

smtpd_relay_restrictions = permit_mynetworks
mynetworks = 0.0.0.0/0

If you have an IP address 192.0.2.10 and a network 198.51.100.0/24 that should only be allowed to use this email gateway for relay, you would use:

mynetworks = 192.0.2.10/32 198.51.100.0/24

You could also use SASL authentication for access control.

Relaying all mail for certain domains

Postfix has relay_domains to control...

What destination domains (and subdomains thereof) this system will relay mail to. For details about how the relay_domains value is used, see the description of the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.

Knowing this, you could use

smtpd_relay_restrictions = 
    permit_auth_destination, 
    permit_mynetworks, 
    permit_sasl_authenticated,
    reject

or

smtpd_relay_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated,
    reject_unauth_destination

with

relay_domains = example.com
relayhost = [example-com.mail.protection.outlook.com]

The mynetworks (and/or SASL authentication) configured previously prevents others from using this gateway for all destinations, but the relay_domains accepts any messages for the configured domains.

Restricting sender domain

The old Symantec Messaging Gateway additionally restricts access per sender domain. In Postfix, this can be restricted at two different levels.

Envelope sender

The domain used in the SMTP MAIL FROM command (RFC 5321, 4.1.1.2) can be restricted using check_sender_access in smtpd_sender_restrictions.

The restrictions from previous phases can be applied on later ones, so this can be applied within smtpd_relay_restrictions or smtpd_recipient_restrictions. Keeping in mind that...

As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

This would be added as, e.g.,

smtpd_relay_restrictions = 
    check_sender_access regexp:/etc/postfix/sender_access

With /etc/postfix/sender_access containing

# DUNNO: sender domain is acceptable, continue with the remaining restrictions
# (OK would be a final permit and let anyone claiming this sender relay anywhere)
/@example\.com$/  DUNNO
//                REJECT  Relay allowed only from our domain.

Header sender

The sender address that the mail user agent (MUA) shows to the user is not the envelope sender, but the From header of the Internet Message Format Originator Fields (RFC 5322, 3.6.2). As an email header it can be restricted using header_checks. The following configuration requires Postfix PCRE support, which comes with the Debian package postfix-pcre.

header_checks = pcre:/etc/postfix/header_checks

Where the file contains:

if /^From:/
!/^From: .*@example\.com/ REJECT Relay allowed only from our domain.
endif

Putting these together

Putting all the previous pieces together, it is possible to build a configuration that works similarly to the old setup with the Symantec Messaging Gateway. In main.cf:

mynetworks = 192.0.2.10/32 198.51.100.0/24
relay_domains = example.com
relayhost = [example-com.mail.protection.outlook.com]
header_checks = pcre:/etc/postfix/header_checks
smtpd_relay_restrictions = 
    check_sender_access regexp:/etc/postfix/sender_access,
    permit_mynetworks, 
    permit_sasl_authenticated,
    reject_unauth_destination

This allows all messages meeting the following criteria and rejects the rest:

  • the envelope sender is *@example.com AND
  • the From header has *@example.com AND
  • any of these:
    • the recipient is *@example.com OR
    • the client IP is either 192.0.2.10 OR
    • the client IP is in network 198.51.100.0/24

The accepted messages are relayed to smart host example-com.mail.protection.outlook.com.

Microsoft 365 considerations

By default, the example-com.mail.protection.outlook.com only accepts mail (from the Internet) for example.com. See Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers.

A connector from your own email server to Office 365

When this connector is set up, Microsoft 365 or Office 365 accepts messages from your organization's email server and sends the messages to recipients on your behalf. This recipient could be a mailbox for your organization in Microsoft 365 or Office 365, or it could be a recipient on the internet. To complete this scenario, you'll also need to configure your email server to send email messages directly to Microsoft 365 or Office 365.

The Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365 has two options for authenticating your server:

  1. Choose either of the two options between
    • By verifying that the subject name on the certificate that the sending server uses to authenticate with Office 365 matches the domain entered in the text box below (recommended) and
    • By verifying that the IP address of the sending server matches one of the following IP addresses, which belong exclusively to your organization.

This connector enables example-com.mail.protection.outlook.com to work as a smart host SMTP relay for your email gateway.
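As an added illustration (not part of the original answer or of Postfix itself), the following Python model walks the combined smtpd_relay_restrictions list above for a few constructed SMTP transactions, so the effect of each restriction can be checked offline; it also shows why the sender access table must return DUNNO rather than OK for the local domain, since OK is a final permit that skips the remaining checks. The networks, relay domain and table patterns are the answer's example values; the mail addresses and the 203.0.113.7 client are constructed, and SASL is left out of the model.

```python
import ipaddress
import re

# Values from the answer's example main.cf (assumption: modelled as constants).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]
RELAY_DOMAINS = ("example.com",)

# Model of /etc/postfix/sender_access as a regexp: table (first match wins).
# DUNNO = "no decision, continue"; OK would be a final permit.
SENDER_ACCESS = [
    (re.compile(r"@example\.com$", re.IGNORECASE), "DUNNO"),
    (re.compile(r""), "REJECT"),  # empty pattern, like '//', matches everything
]
# The same table with OK instead of DUNNO, to show the difference.
SENDER_ACCESS_OK = [(SENDER_ACCESS[0][0], "OK"), SENDER_ACCESS[1]]


def check_sender_access(sender, table):
    for pattern, action in table:
        if pattern.search(sender):
            return action
    return "DUNNO"


def permit_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(recipient):
    # relay_domains covers the domain and its subdomains (Postfix default).
    domain = recipient.rsplit("@", 1)[-1].lower()
    authorized = any(domain == d or domain.endswith("." + d) for d in RELAY_DOMAINS)
    return "DUNNO" if authorized else "REJECT"


def relay_decision(client_ip, sender, recipient, table=SENDER_ACCESS):
    """Evaluate the restriction list in order: the first OK or REJECT is final,
    DUNNO moves on, and running off the end permits (Postfix's default)."""
    for result in (
        check_sender_access(sender, table),
        permit_mynetworks(client_ip),
        reject_unauth_destination(recipient),
    ):
        if result != "DUNNO":
            return result
    return "OK"  # a trailing 'reject' in main.cf would turn this into REJECT


if __name__ == "__main__":
    for args in (("203.0.113.7", "a@example.com", "b@example.com"),
                 ("203.0.113.7", "a@example.com", "c@example.net"),
                 ("198.51.100.20", "a@example.com", "c@example.net")):
        print(args, "->", relay_decision(*args))
```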

  • We would like to maintain the old config, so: from our domain to our domain, all can use the relay; from our domain to an external domain, only some IPs can use the relay.
    – Walter
    2 days ago
  • This limits the access based on the recipient domain: all relay to your domain is allowed per relay_domains and restricted to the limited IP addresses by reject_unauth_destination. If you want to further limit the sender domains, it is just one addition for the envelope sender and maybe another for the From header. 2 days ago
  • I don't think this is OK. We want all sender IP addresses to be able to write to the relay, and all of these can write from our domain to our domain, but only a group of these IPs can use the relay to write to an external domain.
    – Walter
    2 days ago
  • And that is what this does. 2 days ago
  • I've updated my answer with the sender address restrictions & a full example putting all these pieces together. 2 days ago
