Relaying and Filtering Mail for Legacy Servers with NS8

Let’s see how to overcome an apparent NS8 Mail limitation to filter and relay messages to a backend mail server.

Note: This How-To requires some Linux shell knowledge.

Why use NS8 as a relay-only SMTP server

The NS8 Mail application provides anti-spam and anti-virus features that may not be present in your organisation’s mail server. NS8 Mail can be placed in front of it to improve security with an up-to-date and well-maintained mail filtering system.

Brief History

In NS7, it was possible to configure a relay-only mail domain. When NS7 received a message for that domain, it performed anti-spam and anti-virus checks, then relayed the message to another SMTP server—typically an internal MS Exchange server.

Since NS8 no longer plays the “gateway role” in general—sitting between a public and a private network, which is now the job of NethSecurity 8—the NS8 Mail application does not define domains of type “relay”. However, this apparent limitation exists only in the available UI options: it’s easy to configure NS8 Mail to relay messages, just like the nethserver-mail RPM did in NS7.

Solution

In the following example, imagine that the domain nethserver.org is handled by an old mail server located at LAN address 192.168.1.52. We want to configure NS8 to scan inbound messages for it. Three configuration steps are required.

  1. Configure Postfix to allow relaying of messages for the nethserver.org domain. This is not possible through the application UI, so open a root shell and run a command like this:

    runagent -m mail1 podman exec -i postfix ash -c 'cat > main.cf.d/relay.cf' <<<"$(echo relay_domains = nethserver.org)"
    runagent -m mail1 systemctl --user reload postfix
    

    At a bare minimum, this step is the only one required to make the relay domain work. The next steps are refinements for our specific use case.

  2. Enable address verification for the domain nethserver.org. We do not want Postfix to accept messages for nethserver.org unless we are sure the recipient exists. Before accepting a message, Postfix will query the mail server at 192.168.1.52 with an address probe.

    Modify the main.cf.d/relay.cf file and add a line like this:

    smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access inline:{nethserver.org=reject_unverified_recipient}
    

    Then reload Postfix as explained in the previous step.

    If you prefer to use an editor, vi is available in the “postfix” container:

    runagent -m mail1 podman exec -ti postfix vi main.cf.d/relay.cf
    runagent -m mail1 systemctl --user reload postfix
    

    Note: Postfix must be reloaded to apply the new configuration.

  3. Configure a recipient relay rule to route any message for the nethserver.org domain to the internal mail server. You can do this from the Mail “Relay” page.

    This step is required because the internal mail host likely lacks a DNS MX record, which Postfix normally relies on to route messages over the Internet. A static mail relay rule ensures that messages for nethserver.org are always forwarded to IP address 192.168.1.52.
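
As an added check (not part of the original How-To or of NS8), the shell function below lints the text of relay.cf and reports every domain in relay_domains that has no reject_unverified_recipient entry in the inline map from step 2. It assumes each parameter is written on a single line, as in the commands above; check_relay_cf and the sample input are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: lint relay.cf text read from stdin.
# Assumption: one parameter per line, inline map written as in step 2.
# check_relay_cf is a hypothetical helper name, not an NS8 command.
# Exit status: 0 = every relay domain is verified, 1 = some are not,
#              2 = no relay_domains line found.
check_relay_cf() {
    cf=$(cat)
    # Domains listed in relay_domains (comma or whitespace separated).
    domains=$(printf '%s\n' "$cf" |
        sed -n 's/^relay_domains[[:space:]]*=[[:space:]]*//p' | tr ',' ' ')
    # Keys of the inline:{...} map whose action is reject_unverified_recipient.
    verified=$(printf '%s\n' "$cf" |
        sed -n 's/^smtpd_recipient_restrictions[[:space:]]*=.*inline:{\([^}]*\)}.*/\1/p' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*reject_unverified_recipient[[:space:]]*$/\1/p')
    if [ -z "$domains" ]; then
        echo "no relay_domains set"
        return 2
    fi
    missing=0
    for d in $domains; do
        # A relay domain without a verification entry accepts any recipient.
        if ! printf '%s\n' "$verified" | grep -qxF -- "$d"; then
            echo "unverified: $d"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: two relay domains, only one covered by step 2.
sample='relay_domains = nethserver.org, example.com
smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access inline:{nethserver.org=reject_unverified_recipient}'
printf '%s\n' "$sample" | check_relay_cf || echo "lint status: $?"
```

To lint the live file, pipe it into the function: `runagent -m mail1 podman exec -i postfix cat main.cf.d/relay.cf | check_relay_cf`.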

Conclusion

With the above solution, NS8 can handle messages for the relay-only domain nethserver.org, relaying them to the LAN host 192.168.1.52 after verifying that the recipient address exists.
