Postfix Relay Control

September 14, 2008 Postfix Configuration

Control Relays

Controlling which domains can relay mail through Postfix is a very important setting. You certainly will need to relay mail from the domain that Postfix is on.

You do not want Postfix to relay mail from other sources unless they are domains that you control, as you will end up being an open relay for spammers.

How to Control Relays

Postfix will not allow the server to be an open relay by default. Several parameters control who can use Postfix as a relay, notably mynetworks_style and mynetworks. The default configuration allows Postfix to relay mail from machines on the same subnet as the server. You can control this further by modifying the mynetworks_style parameter. Here are several examples:

mynetworks_style=host

This limits the relay to the local machine or host only.

mynetworks_style=class

This setting broadens the scope to the class A, B or C network that the server is on. This could easily be a problem, as it allows relaying from far too many other systems. The best way to limit the systems that can relay is to use the mynetworks parameter.

The mynetworks parameter allows you to set individual IP Addresses or subnets. When this parameter is used the mynetworks_style parameter is ignored. In the example below an internal private network is included as well as a public subnet. The example also includes a single IP Address. This gives you flexibility in configuring the options.

mynetworks=192.168.5.0/24 12.32.34.32 216.168.0.0/24

The only problem with the above example is that it requires users to have static IP Addresses. If they have dynamic IP Addresses then Postfix must be configured for SMTP authentication.

SMTP
SMTP authentication is a complex solution that is difficult to implement correctly for dynamic IP Addresses. One of the problems involved is the ability of spammers to fake envelope addresses, making your mail server an open relay. It is better to try to use the dynamic IP Addresses that are current than to use SMTP authentication.

Setting Relay Permissions

By default Postfix is safe in that it will not allow relays from other domains or networks. Postfix scans your network to detect the networks that it is directly attached to. This means that Postfix reviews the network cards on the server and relays for the networks represented on those cards. This typical configuration will not work well if your Postfix server is in a DMZ, so skill in managing this configuration is important. The mynetworks parameter lets you list the networks that Postfix should relay mail for.

mynetworks = 127.0.0.0/8, 192.168.5.0/24, 192.168.3.0/24

This configuration will relay mail for the business network, the DMZ hosts and the localhost (the Postfix server itself).
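
The following Python check is an added example, not part of the original article. It parses a mynetworks value written as in the examples above (entries separated by commas or whitespace), reports malformed entries, and tests whether a client address would be trusted to relay. The function names, the /16 breadth threshold and the sample values are assumptions for illustration; the file, table and "!" exclusion forms that Postfix also accepts are not handled.

```python
import ipaddress
import re

# Constructed sample values (assumptions for illustration).
GOOD = "127.0.0.0/8, 192.168.5.0/24, 192.168.3.0/24"
BAD = "127.0.0/8. 192.168.5.0/24, 10.1.2.3/24"  # short octets, stray '.', host bits set

def parse_mynetworks(value):
    """Split on commas/whitespace; return (networks, problems)."""
    networks, problems = [], []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        try:
            # strict=True rejects host bits under the mask, e.g. 10.1.2.3/24
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return networks, problems

def may_relay(client_ip, networks):
    """True if client_ip lies inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def too_broad(networks, min_prefix=16):
    """Non-loopback networks wider than /min_prefix (assumed threshold)."""
    return [n for n in networks if n.prefixlen < min_prefix and not n.is_loopback]

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("bad", BAD)):
        nets, problems = parse_mynetworks(value)
        print(label, "networks:", [str(n) for n in nets])
        for entry, reason in problems:
            print("  rejected", repr(entry), "->", reason)
        print("  too broad:", [str(n) for n in too_broad(nets)])
        # 203.0.113.9 is a documentation address standing in for an outside client
        for ip in ("192.168.5.17", "203.0.113.9"):
            print("  ", ip, "may relay:", may_relay(ip, nets))
```

Running such a check before reloading Postfix catches typing errors in the list that would otherwise drop a trusted network or widen the relay scope.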


Copyright CyberMontana Inc. and Postfixmail.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874
