Topic: Settings correct for using iRedMail as a relay for local subnet?
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Centos 7 x64 (3.10.0-229.14.1.el7.x86_64)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?: No
- Related log if you're reporting an issue:
====
Hi all,
We have several subnet local servers that I want to use iRedMail as a relay for. The mail server needs to accept and forward messages bound to both itself and world wide destinations. I've been able to do this by making the following changes based on my admittedly less than expert understanding of Postfix, but I'd like to know if this is the best way or if there's a better/recommended way to provide this service. And, most importantly, whether these changes will damage any critical functionality of iRedMail (or expose the server to unintended relaying).
Here's what I had to change to get relaying to work for my local network and my reasoning for each change.
1) Add 10.232.1.0/24 (my local subnet) to mynetworks. This is obvious; just adding my local subnet to the list.
2) Move permit_mynetworks to the beginning of the smtpd_sender_restrictions, smtpd_helo_restrictions, and smtpd_recipient_restrictions lists.
My understanding is that the various SMTPD restrictions check each entry in order until they hit an accept or deny. If permit_mynetworks comes after reject_unlisted_recipient or recipient_domain then the server won't relay email bound for other destinations.
3) Set the standalone smtpd_reject_unlisted_recipient and smtpd_reject_unlisted_sender entries to "no".
My understanding is that these standalone settings force the recipient and sender checks to happen after Postfix is finished with the restriction lists above. I had to set both to "no" so that the messages bound for other domains weren't rejected at this stage.
I've tested the above combination and it does work for my local subnet while still denying relay access to any systems not on the local subnet, but I'm not fully sure of the additional impact of these changes. In particular, this may disable the iRedAPD service from checking messages from subnet hosts because the check_policy_service listing is now after permit_mynetworks. Would moving those entries before permit_mynetworks and just leaving the reject_unknown_recipient and recipient_domain be a better way to arrange this?
Any advice is appreciated.
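For reference, here is a main.cf fragment for the relay-control list (smtpd_recipient_restrictions) that grants relay to the subnet while keeping the open-relay guard and the iRedAPD policy check in place. This is an added example, not iRedMail's shipped configuration; it assumes the subnet from the post (10.232.1.0/24) and that iRedAPD listens on inet:127.0.0.1:7777 (iRedMail's usual default; confirm with `postconf smtpd_recipient_restrictions` on your own server).

```conf
# /etc/postfix/main.cf fragment (added example, not iRedMail's own config)

# Trusted clients: loopback plus the local subnet from the post.
mynetworks = 127.0.0.0/8, [::1]/128, 10.232.1.0/24

# Evaluated top to bottom; the first PERMIT or REJECT ends the evaluation.
smtpd_recipient_restrictions =
    # Basic recipient sanity checks that should apply to every client,
    # including subnet hosts.
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    # iRedAPD policy check placed BEFORE permit_mynetworks so subnet hosts
    # are still inspected (assumed iRedAPD address: 127.0.0.1:7777).
    check_policy_service inet:127.0.0.1:7777,
    # Now trust the subnet and authenticated users: PERMIT ends evaluation
    # here, so mail to outside domains is relayed for them.
    permit_mynetworks,
    permit_sasl_authenticated,
    # Everyone else may only deliver to domains this server is final
    # destination for. This line is what prevents an open relay;
    # never put permit_mynetworks AFTER it if relaying is wanted, and
    # never remove it. Other clients get "Relay access denied".
    reject_unauth_destination,
    # Reject recipients that do not exist in domains this server handles
    # (mydestination / virtual domains); it does not affect relayed mail
    # to outside domains, so the standalone setting can stay at "yes".
    reject_unlisted_recipient

# Standalone checks run after the list above; keep the default.
smtpd_reject_unlisted_recipient = yes
```

After editing, run `postfix reload` and check the effective values with `postconf mynetworks smtpd_recipient_restrictions`; a RCPT TO for an outside domain from a host outside mynetworks should then be logged as "Relay access denied".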