Setting up a relay mail server

email
mailserver
mail

(Juan Carlos Fernandez) #1

NethServer Version: 7.4.1708 (Final)
Module: Email

Currently I have a relay mail server on MDaemon Messaging Server v12.5. I wish to migrate it to Nethserver7. Right now I'm stuck trying to find out how I can set it to deliver any message to my internal mail server (which I will also migrate once I'm done with this one).
Also, since this server has both an internal and a public IP, right now it's acting as a gateway, meaning that anyone on my internal network can access the Internet if they set this server's internal IP as their gateway.

My first concern is to get the relay setup done, since MDaemon 12.5 uses an old SSL and some mail servers have refused to receive my users' mails.


(Markus Neuberger) #2

In Email/Domains settings you can set relay to another server per domain:

http://docs.nethserver.org/en/v7/mail.html#domains


(Juan Carlos Fernandez) #3

Got it. Now I have another issue: my internal mail server is an old MDaemon 9.0. I configured it to send all outbound mail to my Nethserver7 relay mail server, yet mails get bounced. This is the output:

The attached message had PERMANENT fatal delivery errors!

After one or more unsuccessful delivery attempts the attached message has
been removed from the mail queue on this server. The number and frequency
of delivery attempts are determined by local configuration parameters.

YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!

Failed address: batman.890825@gmail.com

— Session Transcript —
Mon 2018-03-19 20:10:07: Parsing Message <xxxxxxxxxxxxxxxxxx\pd35000659231.msg>
Mon 2018-03-19 20:10:07: From: jfernandez@durerocaribe.cu
Mon 2018-03-19 20:10:07: To: batman.890825@gmail.com
Mon 2018-03-19 20:10:07: Subject: Test
Mon 2018-03-19 20:10:07: Message-ID: 69d531be-b95f-ea96-ab2f-3cc926210446@durerocaribe.cu
Mon 2018-03-19 20:10:07: Attempting to send message to gateway.
Mon 2018-03-19 20:10:07: Attempting SMTP connection to [172.20.255.25 : 25]
Mon 2018-03-19 20:10:07: Waiting for connection…
Mon 2018-03-19 20:10:07: Connection established (172.20.255.254 : 4599 -> 172.20.255.25 : 25)
Mon 2018-03-19 20:10:07: Waiting for protocol initiation…
Mon 2018-03-19 20:10:07: <-- 220 hermod.dcserver.local ESMTP Postfix
Mon 2018-03-19 20:10:07: --> EHLO zion.durerocaribe.cu
Mon 2018-03-19 20:10:07: <-- 250-hermod.dcserver.local
Mon 2018-03-19 20:10:07: <-- 250-PIPELINING
Mon 2018-03-19 20:10:07: <-- 250-SIZE 1000000000
Mon 2018-03-19 20:10:07: <-- 250-VRFY
Mon 2018-03-19 20:10:07: <-- 250-ETRN
Mon 2018-03-19 20:10:07: <-- 250-STARTTLS
Mon 2018-03-19 20:10:07: <-- 250-ENHANCEDSTATUSCODES
Mon 2018-03-19 20:10:07: <-- 250-8BITMIME
Mon 2018-03-19 20:10:07: <-- 250 DSN
Mon 2018-03-19 20:10:07: --> MAIL From:jfernandez@durerocaribe.cu SIZE=839
Mon 2018-03-19 20:10:07: <-- 250 2.1.0 Ok
Mon 2018-03-19 20:10:07: --> RCPT To:batman.890825@gmail.com
Mon 2018-03-19 20:10:07: <-- 554 5.7.1 batman.890825@gmail.com: Relay access denied
— End Transcript —
: Message contains [1] file attachments


(Juan Carlos Fernandez) #4

Reading the docs, it seems Nethserver doesn't allow any mail activity through port 25. How can I fix that?


(Markus Neuberger) #5

It’s not active per default but you may activate it via web UI (Email):

http://docs.nethserver.org/en/v7/mail.html#special-smtp-access-policies
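Once port 25 and "Allow relay from IP addresses" are enabled, the practical check is to reproduce the RCPT TO exchange from the bounce above from two places: the internal mail server (which should now be relayed) and a host that is not in the allowed list (which should still get 554 5.7.1 Relay access denied; that is the anti-relay behaviour you want to keep). The script below is an added example, not code from the thread or from NethServer. It assumes nc (netcat) is installed; the host names and addresses are placeholders, and the two embedded transcripts are constructed (the first mirrors the replies in the bounce, the second is what a permitted client sees). Only EHLO, MAIL FROM and RCPT TO are sent, so no message is actually submitted, and the session is clear-text: STARTTLS is not exercised here.

```shell
#!/bin/sh
# Added example (not from the thread or from NethServer): probe an SMTP relay
# and classify the RCPT TO reply, to confirm that the internal server may relay
# and that an untrusted host still gets "Relay access denied".
# Assumes nc (netcat) is installed; host names and addresses are placeholders.
set -eu

# smtp_relay_probe HOST PORT HELO_NAME MAIL_FROM RCPT_TO
# Drives a minimal clear-text SMTP session and prints the server's replies.
# The sleeps give the server time to answer before the next command is sent
# (PIPELINING is not assumed). Nothing past RCPT TO is sent, so no mail leaves.
smtp_relay_probe() {
    {
        sleep 1
        printf 'EHLO %s\r\n' "$3";        sleep 1
        printf 'MAIL FROM:<%s>\r\n' "$4"; sleep 1
        printf 'RCPT TO:<%s>\r\n' "$5";   sleep 1
        printf 'QUIT\r\n'
    } | nc -w 5 "$1" "$2"
}

# classify_rcpt_reply: reads a transcript on stdin and prints one word.
#   denied   - "554 5.7.1 ... Relay access denied" (Postfix refused to relay)
#   relayed  - "250 2.1.5" (RCPT TO accepted; the enhanced status code 2.1.5
#              distinguishes it from the "250 2.1.0" reply to MAIL FROM)
#   unknown  - neither seen (connection problem, auth required, no ESMTP codes)
classify_rcpt_reply() {
    reply=$(cat)
    case "$reply" in
        *"Relay access denied"*) echo denied ;;
        *"250 2.1.5"*)           echo relayed ;;
        *)                       echo unknown ;;
    esac
}

# Constructed transcripts for offline use. SAMPLE_DENIED mirrors the replies
# in the bounce posted above; SAMPLE_RELAYED is what a permitted client sees.
SAMPLE_DENIED='220 hermod.dcserver.local ESMTP Postfix
250-hermod.dcserver.local
250-STARTTLS
250 DSN
250 2.1.0 Ok
554 5.7.1 batman.890825@gmail.com: Relay access denied
221 2.0.0 Bye'

SAMPLE_RELAYED='220 hermod.dcserver.local ESMTP Postfix
250-hermod.dcserver.local
250 DSN
250 2.1.0 Ok
250 2.1.5 Ok
221 2.0.0 Bye'

# Usage: relay_probe.sh HOST PORT HELO_NAME MAIL_FROM RCPT_TO
# Run once from the internal mail server (expect "relayed") and once from a
# host outside the allowed relay list (expect "denied").
if [ $# -eq 5 ]; then
    smtp_relay_probe "$@" | classify_rcpt_reply
fi
```

With no arguments the script only defines the functions and sample data; `sh relay_probe.sh 172.20.255.25 25 zion.durerocaribe.cu jfernandez@durerocaribe.cu someone@example.com` run from the internal server should print `relayed`, and the same command from an unrelated workstation should print `denied`. If the second run also prints `relayed`, the allowed-IP list is wider than intended.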


(Juan Carlos Fernandez) #6

LoL, I just found that and your notification popped up. Thanks anyway, you're a lifesaver. Now comes the hard part: I have a very long list of security policies that I have to implement. But I will leave that for tomorrow.

One more thing, before I head home. The other part of this post:

As proof of this, I'm posting right now using this server as gateway, bypassing the proxy. How can I prevent that? I only want this server to be used for mail, not web browsing.


(Markus Neuberger) #7

You may setup a content filter to block webmail:

http://docs.nethserver.org/en/v7/content_filter.html#filters

Maybe setup firewall rules to block outgoing mail traffic from internal network.

http://docs.nethserver.org/en/v7/firewall.html#rules


(Juan Carlos Fernandez) #8

@mrmarkuz sorry for not explaining myself correctly. What I meant was that I don't want to surf the web on this server. By setting this server as my local gateway I could, for example, have access to porn sites and the like. I don't want that. This server is only intended for mail and only that.


(Markus Neuberger) #9

You may configure the firewall to block everything:

http://docs.nethserver.org/en/v7/firewall.html#policy

But why does this mail server act as a gateway? You may just release the red role to disable “gateway mode”.

http://docs.nethserver.org/en/v7/firewall.html#firewall-and-gateway


(Juan Carlos Fernandez) #10

As you said, in Firewall rules -> Configure -> General -> Traffic to Internet (red interface) was set to Allowed. I don't know how that happened, but as usual, thanks for helping me out.

As always, Nethserver rocks !!!


(Juan Carlos Fernandez) #11

I want to thank @mrmarkuz for his support; thanks to him my company's relay mail server is up and running. Right now I'm dealing with mandatory security policy implementations in my country (Cuba). Most of these policies are recommended for any mail server, so after I'm done with the implementation I'm planning to do a how-to for the community. For the time being, I will be putting each of these 16 policies in here (translated from Spanish to English).


(Juan Carlos Fernandez) #12

Here are the security policies. Those in bold are policies which I haven't managed to implement. If someone knows a way please share. I will then try it and edit this post to reflect the solution.

Policy #1 - I/O port 25, 443 and 587 access control:
Use of the above ports must be controlled and they should only be open on a mail server. Also, use of port 25 should be avoided if possible. This policy can be implemented on Nethserver by going to [Network Services] and editing [postfix (SMTP)].

Policy #2 - Anti-relay rules implementation:
Anti-relay rules ensure that our server doesn't end up as a mail spammer. The Nethserver Email module accomplishes this by going to [Email] -> [SMTP Access] and setting [Allow relay from IP addresses] to our internal mail server's IP.

Policy #3 - Reverse DNS:
Some receiving mail servers may use this as an indication of a possible spam source in a scoring system. In my case I asked my ISP to set up a reverse record (PTR) that matches the hostname of my mail server.

Policy #4 - Audit logging policy:
Nethserver logs can be accessed via the web UI on [Log viewer].

Policy #5 - Maximum number of recipients in a SMTP transaction:
Maximum number of recipients in an SMTP transaction must at least be lower than 100.
As @mrmarkuz suggested, we create a custom template and restart the service.

Policy #6 - Max size per message:
The name is self-explanatory. We can do this by going to [Email] -> [Messages] and setting [Queue message max size]. If the web UI doesn't give us the value we need, we can also do it via CLI like this:
config setprop postfix MessageSizeMax 2000000 && signal-event nethserver-mail-common-save

Policy #7 - SPF record definition:
As the name suggests, you must have an SPF record on a public DNS server.

Policy #8 - SPF record check on incoming mail:
Our server must also do an SPF record check on incoming mails, and actions must be established for mails which don't have an SPF record. So far the Nethserver web UI doesn't seem to have a way to set up this policy. However, if we want our server to only accept incoming mails from hosts having a public SPF record, we can do it like this:

config setprop postfix SpfStatus enabled
signal-event nethserver-mail-filter-save

Moreover, Nethserver Email2 has SPF record checking, though it's still in Beta.

Policy #9 - Unknown recipients control:
As the name implies, our internal mail server must have a rejection control enabled. I'm also planning to migrate my internal mail server to Nethserver7; right now I'm leaving this as homework.

Policy #10 - SMTP flow control:
Our server must have a way to control the maximum number of connections that an SMTP client may make in a time interval. This policy is a way to stop email flooding attacks. I haven't found a way to do it over the web UI.

Policy #11 - NTP
Self-explanatory. Go to [Date and time] and set an NTP server. Nethserver provides [pool.ntp.org] by default.

Policy #12 - Secured mail
Self-explanatory. In Nethserver all protocols for mail access (HTTP, SMTP, POP and IMAP) are secured (SSL/TLS) by default. Great work guys !!!

Policy #13 - Anti-virus
Self-explanatory. Enabled by default, check it on [Email] -> [Filter] -> [Anti-virus]

Policy #14 - Mail Authentication:
Self-explanatory. This policy applies to internal mail server. You can bind your Nethserver mail server to an AD or LDAP service. I will write the details in due time.

Policy #15 - Periodic Password Renewal:
Self-explanatory. This policy applies to internal mail server. Again, I will write the details in due time.

Policy #16 - Anti-Spam:
Self-explanatory. Enabled by default, check it on [Email] -> [Filter] -> [Anti-spam]


(Markus Neuberger) #13

Defaults to 20000.

postconf | grep default_recipient_limit

http://www.postfix.org/TUNING_README.html#rcpts

Defaults to 20MB:

Command line:

postconf | grep message_size_limit

Email 2 with rspamd checks SPF record:

http://docs.nethserver.org/en/v7/mail2.html


(Juan Carlos Fernandez) #14

LoL, I mistranslated Queue Message Max Size as the total sum of all messages on the queue must be less than …

The minimum size you can set on the web UI is 10MB. If I wanted to set it to 2MB or 15 MB, I would have to do it on CLI. Please tell me if this is the proper way to do it.

config setprop postfix MessageSizeMax 2000000 && signal-event nethserver-mail-common-save

As for policy #5, I changed the value with this:

postconf default_recipient_limit=100

Do I have to fire up a signal-event?

And one last thing: the docs say Email2 is in Beta. So there is a possibility that if I use it I might find issues, am I right?


(Markus Neuberger) #15

Yes, that should do it.

I am afraid you have to use a custom template else your postfix config will be overwritten on reboot or update:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

Yes, that’s possible.


(Juan Carlos Fernandez) #16

And what about this parameter?

config show postfix | grep SpfStatus

I also found this

Although it was a request for Nethserver 6.5, maybe @davidep and @filippo_carletti can help.


(Markus Neuberger) #17

I assume it’s for using SPF in nethserver-mail. I am not sure if you still have to enable it for nethserver-mail2…


(Juan Carlos Fernandez) #18

Is there someone on development who can tell us a little more?

Also, how can I make a custom template? You mentioned that a moment ago.


(Markus Neuberger) #19

Create the custom template dir:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf

Edit the custom template, I use nano

nano /etc/e-smith/templates-custom/etc/postfix/main.cf/90recp_limit

Write the following in the custom template and save it:

default_recipient_limit = 100

Expand the template:

expand-template /etc/postfix/main.cf

Restart postfix:

systemctl restart postfix
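The same custom-template mechanism covers policy #5 and the still-open policy #10 (SMTP flow control) from the list above, so here is one added example that does both; it is not code from the thread or from the NethServer project. It assumes the standard e-smith layout shown in the previous post and the Postfix parameters documented in postconf(5): smtpd_recipient_limit (default 1000) is the cap on recipients per inbound SMTP transaction, whereas default_recipient_limit applies to Postfix's own outbound delivery agents; the per-client limits for policy #10 are enforced by anvil(8) over anvil_rate_time_unit (default 60s), and clients listed in $mynetworks are exempt from them by default (smtpd_client_event_limit_exceptions). NS_ROOT is a hypothetical prefix introduced only so the functions can be exercised in a scratch directory; on a live server it stays empty. The rate-limit values are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or from NethServer): write custom-template
# fragments for /etc/postfix/main.cf on NethServer 7 for policy #5 (recipients
# per SMTP transaction) and policy #10 (per-client SMTP rate limits), then
# expand the template and verify the running configuration.
# NS_ROOT is a hypothetical prefix for dry runs in a scratch directory;
# leave it empty on a live server.
set -eu

: "${NS_ROOT:=}"
TEMPLATE_DIR="etc/e-smith/templates-custom/etc/postfix/main.cf"

# write_fragment NAME KEY VALUE [KEY VALUE ...]
# Creates one fragment file NAME holding "KEY = VALUE" lines and prints its
# path. Fragments are concatenated in name order when the template expands, so
# a 9x prefix lands after the stock fragments and Postfix keeps the last
# assignment of a parameter.
write_fragment() {
    name=$1; shift
    dir="$NS_ROOT/$TEMPLATE_DIR"
    mkdir -p "$dir"
    : > "$dir/$name"
    while [ $# -ge 2 ]; do
        printf '%s = %s\n' "$1" "$2" >> "$dir/$name"
        shift 2
    done
    printf '%s\n' "$dir/$name"
}

# fragment_value NAME KEY -> prints the value KEY is set to in fragment NAME
fragment_value() {
    sed -n "s/^$2 = //p" "$NS_ROOT/$TEMPLATE_DIR/$1"
}

# Policy #5: smtpd_recipient_limit caps recipients accepted per inbound SMTP
# transaction (Postfix default 1000). default_recipient_limit would instead
# limit Postfix's own outbound delivery agents.
policy5_fragment() {
    write_fragment 90recp_limit smtpd_recipient_limit 100
}

# Policy #10: per-client limits enforced by anvil(8), counted over
# anvil_rate_time_unit (default 60s). Clients in $mynetworks are exempt by
# default (smtpd_client_event_limit_exceptions), so the internal mail server
# is not throttled if it is listed there. Values are illustrative.
policy10_fragment() {
    write_fragment 90rate_limit \
        smtpd_client_connection_count_limit 10 \
        smtpd_client_connection_rate_limit 30 \
        smtpd_client_message_rate_limit 100 \
        smtpd_client_recipient_rate_limit 300
}

# apply_live: on a real NethServer box (NS_ROOT empty) expand the template,
# restart postfix and print the values the running daemon actually uses.
apply_live() {
    [ -z "$NS_ROOT" ] || { echo "NS_ROOT is set; skipping live apply" >&2; return 0; }
    command -v expand-template >/dev/null || { echo "expand-template not found" >&2; return 1; }
    expand-template /etc/postfix/main.cf
    systemctl restart postfix
    postconf -h smtpd_recipient_limit smtpd_client_connection_rate_limit
}

# Usage: sh postfix_overrides.sh --apply   (as root on the NethServer host)
if [ "${1:-}" = "--apply" ]; then
    policy5_fragment
    policy10_fragment
    apply_live
fi
```

After `--apply`, the two `postconf -h` lines should read `100` and `30`; a `postconf -n` diff before and after the run is a quick way to confirm that nothing else in main.cf moved. The fragments survive reboots and updates because they live under templates-custom, which is the point the earlier reply makes about editing main.cf directly.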


(Juan Carlos Fernandez) #20

Thanks again @mrmarkuz, I already updated the policies. After I'm done migrating my Windows AD, I will start working on migrating my internal mail server into a Nethserver KVM.