Building a Backup MX

Sometimes, you want a backup mail server. Something that will accept mail and hold it for delivery until your primary mail server is available again. This is the purpose of a backup MX (the MX refers to the type of DNS record that mail exchangers use).

Basic Postfix Config

Bits I added:

  • IPv6
  • max queue lifetime (adjust this to your own needs: if your primary mail server may be down for a week or more, give the queue plenty of time or messages will be bounced)
  • Make sure mydestination does not include an entry for $domain

alias_maps = hash:/usr/local/etc/postfix/aliases
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 20d
meta_directory = /usr/local/libexec/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = backup-mx.domain.tld
mynetworks = 127.0.0.0/24
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
unknown_local_recipient_reject_code = 550

TLS/SSL

I’m not covering the generation of keys; see a previous post in this series about generating all the SSL bits.

Enabling SSL/TLS in main.cf

smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_tls_CAfile = $config_directory/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/tls/server.crt
smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = $config_directory/tls/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_random_source = dev:/dev/random

Not quite done here; we also need to adjust master.cf.

These bits need to be uncommented, and depending on the ordering in main.cf, you may need to move things around to keep the uncommented bits together.

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING

service postfix restart

You should now be able to do a sockstat -4l and see

[louisk@backup-mx postfix 89 ]$ sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     9549  13 tcp4   *:25                  *:*
root     master     9549  27 tcp4   *:465                 *:*
root     sshd       1014  4  tcp4   *:22                  *:*
root     syslogd    513   7  udp4   *:514                 *:*
[louisk@backup-mx postfix 90 ]$

The 465 entry tells you that postfix is listening on the SMTPS port (TCP/465).

Relay

There are a couple of files here you will need to create after you define these bits in main.cf:

relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
transport_maps = hash:$config_directory/transport

The transport file will have the format of

domain.tld smtp:[final.destination.domain.tld]

The relaydomains file will have the format of

domain.tld OK

service postfix restart

At this point, you should be able to send a message and see it get delivered to the correct destination in /var/log/maillog. Something like

echo "test" | mail -s "test" user@relay-domain.tld
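To catch the two mistakes called out above (a relay domain left in mydestination, or a relaydomains entry without a matching bracketed transport entry), here is an added check in Python; it is not part of the original post, and the main.cf, relaydomains and transport contents are constructed samples in the formats shown.

```python
import re

# Constructed sample inputs in the post's file formats (hosts are not real).
SAMPLE_MAIN_CF = """\
myhostname = backup-mx.domain.tld
mydestination = $myhostname, localhost.$mydomain, localhost, oops.tld
relay_domains = hash:$config_directory/relaydomains
transport_maps = hash:$config_directory/transport
"""
SAMPLE_RELAYDOMAINS = "domain.tld OK\noops.tld OK\nnotransport.tld OK\nunbracketed.tld OK\n"
SAMPLE_TRANSPORT = ("domain.tld smtp:[final.destination.domain.tld]\n"
                    "oops.tld smtp:[mx.oops.tld]\n"
                    "unbracketed.tld smtp:mx.unbracketed.tld\n")

def parse_main_cf(text):
    """Return main.cf parameters as a dict, skipping blank and comment lines."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_map(text):
    """Parse a 'key value' lookup table (relaydomains, transport) into a dict."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def check_relay_config(main_cf, relaydomains, transport):
    """Return sorted (domain, problem) pairs for relay domains that will not relay."""
    params = parse_main_cf(main_cf)
    # Expand $name references such as $myhostname before splitting mydestination.
    mydest = re.sub(r"\$(\w+)", lambda m: params.get(m[1], ""), params.get("mydestination", ""))
    local = {d.lower() for d in re.split(r"[,\s]+", mydest) if d}
    routes = parse_map(transport)
    problems = []
    for domain in parse_map(relaydomains):
        if domain in local:
            problems.append((domain, "also in mydestination: delivered locally, not relayed"))
        nexthop = routes.get(domain)
        if nexthop is None:
            problems.append((domain, "no transport entry: MX lookup can point back at this host"))
        elif not re.fullmatch(r"smtp:\[[^\]]+\](:\w+)?", nexthop):
            problems.append((domain, "nexthop not in [brackets]: MX lookup instead of direct delivery"))
    return sorted(problems)
```

Point the three parsers at the real files (postconf -n output works for main.cf) and an empty result means every relay domain has a direct route and no local-delivery clash.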

Postscreen

We should have a functional mail relay now, but we want to add some basic checks on incoming mail to reduce the junk. Postscreen is a nice built-in tool for this. Familiarize yourself with it in the Postfix POSTSCREEN_README.

main.cf additions

postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all

You may want to change weights of the DNSBL based on your own mail traffic.

master.cf

The first line gets commented out, and the rest of them get uncommented. It should look like this.

#smtp      inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

Whole main.cf

Obtained with postconf -n.

alias_maps = hash:/usr/local/etc/postfix/aliases
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 20d
meta_directory = /usr/local/libexec/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = backup-mx.domain.tld
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Sendmail 8.10 (Solaris 2.6)
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_limit = 50
smtpd_recipient_restrictions = permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3], permit_mynetworks, permit_auth_destination, warn_if_reject reject_non_fqdn_recipient, warn_if_reject reject_unknown_client, warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_non_fqdn_hostname, reject_unverified_recipient, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unverified_recipient, reject_unknown_hostname, reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_unknown_client, warn_if_reject reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 5
smtpd_timeout = 30s
smtpd_tls_CAfile = $config_directory/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/tls/server.crt
smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = $config_directory/tls/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_random_source = dev:/dev/random
transport_maps = hash:$config_directory/transport
unknown_local_recipient_reject_code = 550

Whole master.cf

I’ve removed any lines that are comments.

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
