9.3. Postfix

SMTP mail handling in PNS is deliberately flexible, so that as many different e-mail requirements as possible can be met. Depending on the size, profile and security requirements of a company, several configurations for handling e-mail traffic are possible.

Very small companies rely on their ISP to host the SMTP service for them: they connect with a mail retrieval (post office) protocol (POP3 or IMAP) to download mail and use the ISP's mail server as their outgoing SMTP server. Larger companies may run their own SMTP server but still use the ISP's mail server as their official mail exchanger and only relay mail between the two. Companies needing maximal protection operate a fully functional, DNS-registered mail server of their own. The next level is companies with a sophisticated mail routing architecture, multiple domains and complex rules for e-mail traffic.

PNS aims to provide protection for all of these SMTP scenarios. Its primary tool for handling SMTP traffic is the SMTP proxy class. The proxy is not a mail server but a fully transparent filter module: it neither originates nor receives mail itself, and it has no local mail store. It can interoperate with antivirus software to filter viruses in SMTP traffic. With SmtpProxy, or a customized class derived from it, most SMTP firewalling needs can be fulfilled.

There are, however, cases when simply proxying SMTP traffic is not enough and some more intelligent mail handling procedure is required due to the organization's special needs.

Example 9.3. Special requirements on mail handling
  1. The company maintains multiple mail domains, and/or complex mail routing rules that require Postfix transport tables.

  2. The company wants to avoid time-outs when antivirus filtering is enabled and large attachments must be scanned. Unlike most MTAs, which acknowledge a message as soon as it is queued and scan it afterwards, SmtpProxy acknowledges a message (the 250 reply to the end of DATA) only after the whole message has arrived and has been scanned. If scanning takes longer than the sending MTA is willing to wait for that reply (RFC 5321 recommends a minimum of 10 minutes, but real MTAs on the Internet are often configured with less), the sender times out and may retry or bounce the message.

For such cases PNS installs a fully functional Postfix service alongside the SmtpProxy. Because it is fully functional, virtually any setup that is possible with a Postfix mail server is also possible here. This does not mean that PNS should be operated as a generic mail server for users, only that sophisticated SMTP configurations are possible with it.

Note

By default, PNS does not install a mailbox protocol server program, because a firewall should not run a POP3 or IMAP server.

Another use of the Postfix component is to provide SMTP delivery service for local services, such as syslog-ng and others that need to be able to send mail. Local delivery of e-mail (to mailboxes on the firewall itself), however, should not be allowed if at all possible.

Note

The Postfix native service is not intended to replace the SmtpProxy application proxy in SMTP-handling configurations.

Even when the configuration options of SmtpProxy alone are not adequate, it is still recommended that SmtpProxy remain the SMTP 'front-end' at the firewall: it performs the proxy-level filtering and then passes the SMTP traffic on to the Postfix service, so that no Postfix listener is ever exposed directly to the network.
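The following configuration fragments illustrate the two use cases described in this section, the transport-table routing for multiple domains from Example 9.3 and the SMTP delivery service for local programs such as syslog-ng, together with the recommended chaining behind SmtpProxy and the disabling of local delivery. They are an added example for this page, not configuration shipped with PNS or taken from the Postfix documentation. All host names, addresses, domains and the loopback port 10025 on which the proxy hands over filtered mail are assumptions; how SmtpProxy itself is pointed at that port is not shown here.

```text
# /etc/postfix/main.cf  (example fragment; names and addresses are assumptions)
myhostname = fw.example.com

# The firewall is never the final destination for mail: no local domains,
# no aliases, and the local delivery agent is replaced by an error transport.
mydestination =
local_recipient_maps =
alias_maps =
local_transport = error:local mail delivery is disabled

# Listen on loopback only; SmtpProxy and local services connect from 127.0.0.1.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128

# Domains this firewall relays inbound (they must be listed for
# reject_unauth_destination to accept mail for them).
relay_domains = example.com example.net

# Per-domain routing to the internal mail servers (use case 1).
transport_maps = hash:/etc/postfix/transport

# Anything not matched by the transport table leaves through the ISP.
relayhost = [smtp.isp.example]

# Strict default: only mail for relay_domains is accepted. Deliberately no
# permit_mynetworks here, because proxied Internet mail arrives from 127.0.0.1
# and would otherwise turn this instance into an open relay.
smtpd_recipient_restrictions = reject_unauth_destination

# /etc/postfix/transport  (example fragment; run "postmap /etc/postfix/transport" after editing)
example.com        smtp:[mx-int.example.com]
.example.com       smtp:[mx-int.example.com]
example.net        smtp:[10.0.5.25]:2525

# /etc/postfix/master.cf  (example fragment; replaces the default "smtp inet" line)
# Port 10025: SmtpProxy hands over filtered mail here; strict defaults apply.
127.0.0.1:10025 inet n - n - - smtpd
# Port 25: submission point for local services (syslog-ng etc.); only
# loopback clients are allowed, and they may send to any destination.
127.0.0.1:25 inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
```

Keeping the two listeners on separate ports is what lets the local services relay outbound through the ISP while mail arriving from the proxy is confined to the relay domains; if both connected to the same listener, Postfix could not tell them apart by client address, since both come from 127.0.0.1. Outbound mail from the internal mail servers is not covered by these fragments and needs its own listener or access rule. After editing, run `postmap /etc/postfix/transport` and `postfix reload`, then check `postconf -n` against the intended values.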

Because possible uses of the Postfix component are so versatile, it is impossible to cover even the most typical ones in this chapter. Nor is it a firewall administrator's task to set up a complex mail routing architecture, therefore only a brief introduction of the configuration interface is presented. For more information and details on Postfix, see Appendix C, Further readings.