Currently I have a relay mail server on MDaemon Messaging Server v12.5. I wish to migrate it to Nethserver7. Right now I'm stuck trying to find how I can set it to deliver any message to my internal mail server (which I will also migrate once I'm done with this one).
Also, since this server has both an internal and a public IP, right now it's acting as a gateway, meaning that anyone from my internal network can access the Internet if they put this server's internal IP as their gateway.
My first concern is to get done with the relay setup, since MDaemon 12.5 uses an old SSL and some mail servers have refused to receive my users' mails.
Got it. Now I have another issue: my internal mail server is an old MDaemon 9.0. I configured it to send any outbound mail to my Nethserver7 relay mail server, yet mails get bounced. This is the output:
The attached message had PERMANENT fatal delivery errors!
After one or more unsuccessful delivery attempts the attached message has
been removed from the mail queue on this server. The number and frequency
of delivery attempts are determined by local configuration parameters.
YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!
LoL, I just found that, and your notification popped up. Thanks anyway, you're a lifesaver. Now comes the hard part: I have a very long list of security policies that I have to implement. But I will leave that for tomorrow.
One more thing before I head home. The other part of this post:
As proof of this, I'm posting right now using this server as gateway, bypassing the proxy. How can I prevent that? I only want this server to be used for mail, not web browsing.
@mrmarkuz sorry for not explaining myself correctly. What I meant was that I don't want to surf the web on this server. By setting this server as my local gateway I could, for example, have access to porn sites and the like. I don't want that. This server is only intended for mail and only that.
As you said, in Firewall rules -> Configure -> General -> Traffic to Internet (red interface) was set to Allowed. I don't know how that happened, but as usual, thanks for helping me out.
I want to thank @mrmarkuz for his support; thanks to him my company's relay mail server is up and running. Right now I'm dealing with mandatory security policy implementations in my country (Cuba). Most of these policies are recommended for any mail server, so after I'm done with the implementation I'm planning to do a how-to for the community. For the time being, I will be putting in here each of these 16 policies (translated from Spanish to English).
Here are the security policies. Those in bold are policies which I haven't managed to implement. If someone knows a way, please share. I will then try it and edit this post to reflect the solution.
Policy #1 - I/O port 25, 443 and 587 access control:
Use of the above ports must be controlled and should only be open on a mail server. Also, use of port 25 should be avoided if possible. This policy can be implemented on Nethserver by going to [Network Services] and editing [postfix (SMTP)].
Policy #2 - Anti-relay rules implementation:
Anti-relay rules ensure that our server doesn't end up as a mail spammer. The Nethserver Email module accomplishes this by going to [Email] → [SMTP Access] and setting [Allow relay from IP addresses] to our internal mail server IP.
Policy #3 - Reverse DNS:
Some receiving mail servers may use this as an indication of a possible spam source in a scoring system. In my case I asked my ISP to set up a reverse record (PTR) that matches the hostname of my mail server.
Policy #4 - Audit logging policy:
Nethserver logs can be accessed via the web UI on [Log viewer].
Policy #5 - Maximum number of recipients in an SMTP transaction:
The maximum number of recipients in an SMTP transaction must at least be lower than 100.
As @mrmarkuz suggested, we create a custom template and restart the service:
Policy #6 - Max size per message:
The name is self-explanatory. We can do this by going to [Email] → [Messages] and setting [Queue message max size]. If the web UI doesn't give us the value we need, we can also do it via CLI like this: config setprop postfix MessageSizeMax 2000000 && signal-event nethserver-mail-common-save
Policy #7 - SPF record definition:
As the name suggests, you must have an SPF record on a public DNS server.
Policy #8 - SPF record check on incoming mail:
Our server must also do an SPF record check on incoming mails, and actions must be established for mails which don't have an SPF record. So far the Nethserver web UI doesn't seem to have a way to set up this policy. However, if we want our server to only accept incoming mails from hosts having SPF records on a public DNS, we can do it like this:
Moreover, Nethserver Email2 has SPF record check, though it's still in beta.
Policy #9 - Unknown recipients control:
As the name implies, our internal mail server must have a rejection control enabled. I'm also planning to migrate my internal mail server to Nethserver7; right now I'm leaving this as homework.
Policy #10 - SMTP flow control:
Our server must have a way to control the maximum number of connections that an SMTP client may make in a time interval. This policy is a way to stop email flooding attacks. I haven't found a way to do it over the web UI.
Policy #11 - NTP
Self-explanatory. Go to [Date and time] and set an NTP server. Nethserver provides [pool.ntp.org] by default.
Policy #12 - Secured mail
Self-explanatory. In Nethserver all protocols for mail access (HTTP, SMTP, POP and IMAP) are secured (SSL/TLS) by default. Great work guys!!!
Policy #13 - Anti-virus
Self-explanatory. Enabled by default; check it on [Email] → [Filter] → [Anti-virus].
Policy #14 - Mail Authentication:
Self-explanatory. This policy applies to the internal mail server. You can bind your Nethserver mail server to an AD or LDAP service. I will write the details in due time.
Policy #15 - Periodic Password Renewal:
Self-explanatory. This policy applies to the internal mail server. Again, I will write the details in due time.
Policy #16 - Anti-Spam:
Self-explanatory. Enabled by default; check it on [Email] → [Filter] → [Anti-spam].
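A worked example for policies #5 (recipient cap per SMTP transaction) and #10 (SMTP flow control), added here and not taken from the thread or from the NethServer project: a POSIX shell script that drops custom e-smith template fragments for Postfix's main.cf, then regenerates the file and reloads Postfix. It assumes NethServer 7's template-custom layout under /etc/e-smith/templates-custom and the expand-template tool; the fragment file names (90smtpd_recipient_limit, 90smtpd_rate_limits) and the numeric limits are assumptions to adjust. The parameter names smtpd_recipient_limit, anvil_rate_time_unit, smtpd_client_connection_rate_limit, smtpd_client_message_rate_limit and smtpd_client_recipient_rate_limit are standard Postfix settings.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Assumes NethServer 7's
# e-smith template layout: fragments placed under
# /etc/e-smith/templates-custom/<target path>/ are merged with the stock
# template when expand-template regenerates the target file. The root
# directory, fragment names and numeric limits below are assumptions.
TEMPLATE_ROOT="${TEMPLATE_ROOT:-/etc/e-smith/templates-custom}"
MAINCF_DIR="$TEMPLATE_ROOT/etc/postfix/main.cf"

# Policy #5: cap recipients per SMTP transaction (Postfix default is 1000).
# Prints the fragment text on stdout.
render_recipient_limit() {
    printf 'smtpd_recipient_limit = %s\n' "$1"
}

# Policy #10: per-client flow control via Postfix's anvil(8) server.
# $1 = max connections, $2 = max messages, $3 = max recipients,
# each counted per client within the $4 time window (e.g. 60s).
render_rate_limits() {
    printf 'anvil_rate_time_unit = %s\n' "$4"
    printf 'smtpd_client_connection_rate_limit = %s\n' "$1"
    printf 'smtpd_client_message_rate_limit = %s\n' "$2"
    printf 'smtpd_client_recipient_rate_limit = %s\n' "$3"
}

# A limit of 0 means "unlimited" in Postfix, so reject 0 and non-numeric
# input rather than silently disabling the control.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Write both fragments. The high "90" prefix sorts after the stock
# fragments, so these values take effect when the template is expanded.
write_fragments() {
    recipients="$1"; conns="$2"; msgs="$3"; rcpts="$4"; window="$5"
    for v in "$recipients" "$conns" "$msgs" "$rcpts"; do
        is_positive_int "$v" || { echo "invalid limit: $v" >&2; return 1; }
    done
    mkdir -p "$MAINCF_DIR" || return 1
    render_recipient_limit "$recipients" > "$MAINCF_DIR/90smtpd_recipient_limit"
    render_rate_limits "$conns" "$msgs" "$rcpts" "$window" > "$MAINCF_DIR/90smtpd_rate_limits"
}

# Regenerate main.cf and reload Postfix; on a host without e-smith just report.
apply_fragments() {
    if command -v expand-template >/dev/null 2>&1; then
        expand-template /etc/postfix/main.cf && systemctl reload postfix
    else
        echo "expand-template not found: fragments written under $MAINCF_DIR, main.cf not regenerated" >&2
        return 2
    fi
}

# Policy #5 asks for fewer than 100 recipients; 50 satisfies it. The
# per-client limits (30 connections, 100 messages, 300 recipients per 60s)
# are a constructed starting point, not values from the thread.
case "${1:-}" in
    --apply) write_fragments 50 30 100 300 60s && apply_fragments ;;
esac
```

Run it as `sh smtp_limits.sh --apply` on the NethServer host; afterwards `postconf smtpd_recipient_limit anvil_rate_time_unit` shows the effective values, and exceeding a rate limit produces a 450 temporary rejection in /var/log/maillog from the anvil limits, which is the event to watch for under policy #4's audit logging.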
LoL, I mistranslated Queue Message Max Size as the total sum of all messages on the queue must be less than …
The minimum size you can set on the web UI is 10 MB. If I wanted to set it to 2 MB or 15 MB, I would have to do it on the CLI. Please tell me if this is the proper way to do it.
Thanks again @mrmarkuz, I already updated the policies. After I'm done migrating my Windows AD, I will start working on migrating my internal mail server into a Nethserver KVM.