using postfix as a front end server in an exchange environment


using postfix as a front end server in an exchange environment

Comtois, Andre

Hi everyone,

 

First off, my apologies if this topic has been addressed before.  I’ve been searching in Google for days now and had mixed results in finding answers to my questions.

 

To put it simply, I have installed Postfix on a system running Ubuntu 9.04.  I would like to configure it as a front-end server for my Exchange environment.

The server would reside in the DMZ of my network.

The server would accept emails from the internet and relay messages destined for valid recipients to the exchange server on my intranet.

At this point I’m comfortable updating the recipient tables manually.

 

I’m having mixed results getting this to work.  My postfix server accepts emails and relays them to the exchange server just fine, however it also seems to have no issues relaying emails to gmail.com as well, so I’m not sure how to restrict it to only accepting messages destined for my domain.

 

Any help, pointers or suggestions would be greatly appreciated.

 

Thanks in advance.


Re: using postfix as a front end server in an exchange environment

mouss-4
Comtois, Andre wrote:

> Hi everyone,
>
>  
>
> First off, my apologies if this topic has been addressed before.  I’ve
> been searching in Google for days now and had mixed results in finding
> answers to my questions.
>
>  
>
> To put it simply, I have installed Postfix on a system running Ubuntu
> 9.04.  I would like to configure it as a front-end server for my
> Exchange environment.
>
> The server would reside in the DMZ of my network.
>
> The server would accept emails from the internet and relay messages
> destined for valid recipients to the exchange server on my intranet.
>
> At this point I’m comfortable updating the recipient tables manually.
>
>  
>
> I’m having mixed results getting this to work.  My postfix server
> accepts emails and relays them to the exchange server just fine, however
> it also seems to have no issues relaying emails to gmail.com as well, so
> I’m not sure how to restrict it to only accepting messages destined for
> my domain.
>
>  

As recommended in the list welcome message, follow the directions in the
DEBUG README. In particular:
- show output of 'postconf -n'
- show relevant logs (logs of mail accepted then relayed to gmail)

In the default setup, Postfix only relays mail if
- client is in mynetworks, or
- domain is in mydestination, relay_domains, virtual_alias_domains,
virtual_mailbox_domains

This is what the default
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
does.



Re: using postfix as a front end server in an exchange environment

Victor Duchovni
In reply to this post by Comtois, Andre
On Fri, May 08, 2009 at 12:20:26PM -0400, Comtois, Andre wrote:

>
> I'm having mixed results getting this to work.  My postfix server
> accepts emails and relays them to the exchange server just fine, however
> it also seems to have no issues relaying emails to gmail.com as well, so
> I'm not sure how to restrict it to only accepting messages destined for
> my domain.


    http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
    http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to

If your receiving system in the DMZ is behind a NAT device that translates
source addresses from the Internet to a fixed DMZ source IP address,
be SURE TO EXCLUDE that address from "mynetworks". Be sure to not NAT
internal clients (your Exchange servers), or NAT them to a different IP.

Of course, you really should NOT NAT source addresses at all, with source
IPs masked you can't use RBL lists, and your logs are much less useful.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

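Added example (not part of the original posts, and not Postfix code): a simplified Python model of the default permit_mynetworks / reject_unauth_destination check described in the replies above, showing why an Internet client that is source-NATed to an address inside mynetworks can relay to any domain. The addresses, example.com and the firewall's DMZ-side address are constructed assumptions, and domain matching here is exact-match only.

```python
import ipaddress

# Parameters whose domains reject_unauth_destination treats as authorized.
DEST_PARAMS = ("mydestination", "relay_domains",
               "virtual_alias_domains", "virtual_mailbox_domains")

def parse_postconf(text):
    """Parse 'postconf -n' style 'name = value' lines into {name: [values]}."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.replace(",", " ").split()
    return conf

def in_mynetworks(conf, client_ip):
    """True if the client address, as Postfix sees it, matches mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    for entry in conf.get("mynetworks", []):
        try:
            net = ipaddress.ip_network(
                entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # table lookups such as hash:/... are outside this model
        if ip in net:
            return True
    return False

def relay_decision(conf, client_ip, rcpt):
    """Model permit_mynetworks followed by reject_unauth_destination."""
    if in_mynetworks(conf, client_ip):
        return "permit: client in mynetworks"
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for param in DEST_PARAMS:
        if domain in (d.lower() for d in conf.get(param, [])):
            return "permit: domain in " + param
    return "reject: relay access denied"

# Constructed sample: the DMZ subnet 192.168.10.0/24 is trusted wholesale, and
# the firewall's DMZ-side address 192.168.10.1 (assumed) lies inside it.
SAMPLE = """\
mynetworks = 127.0.0.0/8, 192.168.10.0/24
relay_domains = example.com
"""
CONF = parse_postconf(SAMPLE)

if __name__ == "__main__":
    # Internet sender 203.0.113.25, seen with and without source NAT.
    for seen_as in ("192.168.10.1", "203.0.113.25"):
        for rcpt in ("user@gmail.com", "user@example.com"):
            print(seen_as, rcpt, "->", relay_decision(CONF, seen_as, rcpt))
```
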
Re: using postfix as a front end server in an exchange environment

Chas-6
> On Fri, May 08, 2009 at 12:20:26PM -0400, Comtois, Andre wrote:
>
>>
>> I'm having mixed results getting this to work.  My postfix server
>> accepts emails and relays them to the exchange server just fine, however
>> it also seems to have no issues relaying emails to gmail.com as well, so
>> I'm not sure how to restrict it to only accepting messages destined for
>> my domain.
>
>
>     http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
>     http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to
>
> If your receiving system in the DMZ is behind a NAT device that translates
> source addresses from the Internet to a fixed DMZ source IP address,
> be SURE TO EXCLUDE that address from "mynetworks".

Viktor, could you please be a bit more specific on this one? Are you
saying to exclude the NATed IP or the Internet IP?

> Be sure to not NAT internal clients (your Exchange servers), or NAT them
> to a different IP.

This one is not clear to me either. I'm trying to set up 2 servers behind a
Pix firewall, Postfix server before Exchange, both NAT'ed on the same
subnet but both represented by 'real' external IP's on the internet. Will
this not work properly?

Tia,
Chas.

>
> Of course, you really should NOT NAT source addresses at all, with source
> IPs masked you can't use RBL lists, and your logs are much less useful.
>
> --
> Viktor.
>


Re: using postfix as a front end server in an exchange environment

Victor Duchovni
On Sat, May 09, 2009 at 11:08:46AM -0400, Chas wrote:

> > On Fri, May 08, 2009 at 12:20:26PM -0400, Comtois, Andre wrote:
> >
> >>
> >> I'm having mixed results getting this to work.  My postfix server
> >> accepts emails and relays them to the exchange server just fine, however
> >> it also seems to have no issues relaying emails to gmail.com as well, so
> >> I'm not sure how to restrict it to only accepting messages destined for
> >> my domain.
> >
> >
> >     http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
> >     http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to
> >
> > If your receiving system in the DMZ is behind a NAT device that translates
> > source addresses from the Internet to a fixed DMZ source IP address,
> > be SURE TO EXCLUDE that address from "mynetworks".
>
> Viktor, could you please be a bit more specific on this one? Are you
> saying to exclude the NATed IP or the Internet IP?

Don't NAT the SOURCE IP addresses of clients that connect TO your
server.  Your server's own address can be subjected to NAT, but see the
documentation for the "proxy_interfaces" parameter.

> > Be sure to not NAT internal clients (your Exchange servers), or NAT them
> > to a different IP.
>
> This one is not clear to me either. I'm trying to set up 2 servers behind a
> Pix firewall, Postfix server before Exchange, both NAT'ed on the same
> subnet but both represented by 'real' external IP's on the internet. Will
> this not work properly?

It will work provided you don't SOURCE NAT.

--
        Viktor.
