Score:0

Postfix relay to M365: two hosts lists, one auth to send external and other internal only


I'm a security admin with mailboxes on Exchange Online (aka Microsoft 365), not seasoned in postmail, but I have to deploy a postmail service on premises to allow some devices (internal applications, switches, etc.) to send e-mail through Exchange Online.

My preferred approach is an internal device (example: printer) or application (ex: some on-premises server) talks SMTP with my on-premises postfix, which in turn talks SMTP to Exchange Online.

I have everything configured on the Exchange side for this, with a relay connector, no problem receiving e-mail.

I configured postfix to relay and at first it's working OK, allowing only hosts listed in a file to use the service:

mynetworks = hash:/etc/postfix/hosts_auth_to_relay

But I want to maintain two authorization lists:

List1: hosts authorized to relay only to Exchange internal mailboxes... The criteria is mail to my domain (example: mycorpdomain.com).

List2: hosts authorized to relay to all domains (i.e.: gmail.com, hotmail.com, etc.com)

I'm struggling with smtpd_recipient_restrictions and smtpd_relay_restrictions, but I got all mail denied when using them. Do you know how to state these two authorizations in main.cf?

Score:0

Problem resolved after countless trial and error. Here's how:

PLUS: I don't want senders to be allowed to send anything to localhost; that's why I have that blocked_destinations.

main.cf relevant lines:

relay_domains = mydomaincorp.com

relayhost = [mysubdomainonmicrosoft.mail.protection.outlook.com]

mynetworks = hash:/etc/postfix/hosts_auth_to_relay

smtpd_client_restrictions = check_client_access hash:/etc/postfix/hosts_auth_to_relay, check_client_access hash:/etc/postfix/hosts_auth_to_level1, reject

smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blocked_destinations, permit_mynetworks, check_recipient_access hash:/etc/postfix/destinations_level1, reject

hosts_auth_to_relay

#My server that e-mail all domains
10.0.0.10      OK

hosts_auth_to_level1

#My server that e-mail only to mydomaincorp.com
10.0.0.20    OK

destinations_level1

mydomaincorp.com    OK

blocked_destinations

localhost       REJECT
localhost.mydomaincorp.com    REJECT

If I try to send e-mail to mydomaincorp.com from an unlisted host (i.e. 10.0.0.30) the response is "554 5.7.1 <10.0.0.30>: Client host rejected: Access denied". That's the expected behaviour.

Don't know if it's the optimal configuration, but at least it works.

mangohost
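The following is an added example, not part of the answer above: a small Python model of how Postfix walks the two restriction lists in that main.cf, with the four access tables embedded, so the resulting policy can be sanity-checked offline before it is deployed. It follows the documented hash: table lookup order (full client IP, then shortened prefixes; full recipient address, then its domain and parent domains, which applies because smtpd_access_maps is in the default parent_domain_matches_subdomains), but it is a model, not Postfix itself; on a live system confirm each lookup with postmap -q against the real tables.

```python
# Access tables from the answer, embedded here as constructed sample data.
HOSTS_AUTH_TO_RELAY = {"10.0.0.10": "OK"}     # may send to any domain (also = mynetworks)
HOSTS_AUTH_TO_LEVEL1 = {"10.0.0.20": "OK"}    # may send to mydomaincorp.com only
DESTINATIONS_LEVEL1 = {"mydomaincorp.com": "OK"}
BLOCKED_DESTINATIONS = {"localhost": "REJECT",
                        "localhost.mydomaincorp.com": "REJECT"}


def client_lookup(table, ip):
    """hash: client lookup order: 10.0.0.20, then 10.0.0, 10.0, 10."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        hit = table.get(".".join(parts[:n]))
        if hit:
            return hit
    return None


def recipient_lookup(table, addr):
    """hash: recipient lookup order: user@dom, dom, parent domains, user@."""
    local, _, domain = addr.partition("@")
    labels = domain.split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    for key in keys:
        hit = table.get(key)
        if hit:
            return hit
    return None


def smtpd_decide(client_ip, recipient):
    """Evaluate smtpd_client_restrictions, then smtpd_recipient_restrictions.

    smtpd_relay_restrictions keeps its default here; it is satisfied because
    relay_domains = mydomaincorp.com covers the level1 destination.
    """
    # check_client_access relay, check_client_access level1, reject
    in_relay = client_lookup(HOSTS_AUTH_TO_RELAY, client_ip) == "OK"
    in_level1 = client_lookup(HOSTS_AUTH_TO_LEVEL1, client_ip) == "OK"
    if not (in_relay or in_level1):
        return "REJECT client"          # 554 5.7.1 Client host rejected
    # check_recipient_access blocked, permit_mynetworks,
    # check_recipient_access level1, reject
    if recipient_lookup(BLOCKED_DESTINATIONS, recipient) == "REJECT":
        return "REJECT recipient"       # blocked even for the full-relay host
    if in_relay:                        # permit_mynetworks
        return "OK"
    if recipient_lookup(DESTINATIONS_LEVEL1, recipient) == "OK":
        return "OK"
    return "REJECT recipient"
```

Note that the domain lookup also matches sub.mydomaincorp.com against the mydomaincorp.com entry, so a level1 host can reach subdomains of the corporate domain as well.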
