
I use EFA as my SMTP relay for internal devices/servers

Posted: 20 Dec 2019 15:11
by curibe
What is the best method to allow submission of messages from Postfix?

1. Should I set all my outbound gateway IPs in the outbound mail relay? (Settings 8 and 1 in EFA CLI)

2. Should the outbound mail relay be * and the IPs be set in the whitelist on the EFA portal?

For 1, I seem to be hitting a character limit when I enter the X amount of IPs in the settings.

I guess I'm looking for best practices to accomplish adding IPs to allow submission of mail.

Re: I use EFA as my SMTP relay for internal devices/servers

Posted: 21 Dec 2019 10:21
by shawniverson
Best practice is to use the submission port on 587.

To do that, you create a user on the system like this. This example creates a submitsmtp user.

Code:

# create the relay-auth account with no home directory and no login shell
sudo useradd -M -s /sbin/nologin submitsmtp
# set its password; this is the credential the devices will use for SMTP AUTH on 587
sudo passwd submitsmtp
Then, configure your systems to use port 587 with STARTTLS and the newly created user and password. The username will be submitsmtp@example.org.

If you wish to use port 25, you may need to edit /etc/postfix/main.cf directly instead of the eFa CLI due to the character limit to add a long list of IPs and ranges. Not a good idea to allow all or '*' as this will allow any endpoint to send mail via your relay. Whitelisting is optional, depending on whether you want outbound mail scanned or not. You can also enable the ShortCircuit plugin in /etc/mail/spamassassin/local.cf and add your IPs there to bypass spamassassin for internal mail, if desired.

Re: I use EFA as my SMTP relay for internal devices/servers

Posted: 16 Jan 2020 03:08
by curibe
So there are no options to allow only by IP? I do not want our internal devices or servers to authenticate.

EFA will not be exposed to the internet.

So devices will submit messages to EFA (via allowed IP), and EFA relays to Office 365.

Please let me know. Thanks.

Re: I use EFA as my SMTP relay for internal devices/servers

Posted: 16 Jan 2020 11:02
by shawniverson
You can allow an entire IP range, such as 192.168.1.0/24, to relay. In that case I'd just allow the internal ranges that you trust to relay.
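As an added example (not code from eFa or from anyone in this thread), here is a small Python checker that reads a Postfix main.cf fragment, pulls out the mynetworks list that permit_mynetworks consults, reports whether a given client address would be allowed to relay, and flags any catch-all entry, which is the "allow all" configuration the reply above warns against. The two main.cf fragments embedded in it are constructed for the example, and the parser only understands plain address/CIDR entries (negated entries and table lookups are out of scope by assumption).

```python
import ipaddress
import re

# Constructed main.cf fragments (not taken from eFa): the catch-all setting,
# beside one restricted to loopback plus two trusted internal ranges.
WEAK_MAIN_CF = """
myhostname = efa.example.org
mynetworks = 0.0.0.0/0
"""

HARDENED_MAIN_CF = """
myhostname = efa.example.org
mynetworks = 127.0.0.0/8, [::1]/128,
    192.168.1.0/24, 10.20.0.0/16
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_mynetworks(main_cf: str) -> list:
    """Return the mynetworks entries as ip_network objects.
    Handles Postfix line continuation (a following line that starts with
    whitespace) and the [IPv6]/len bracket syntax. Assumption: only plain
    address or CIDR entries appear (no '!' negation, no hash:/cidr: tables)."""
    lines = main_cf.splitlines()
    value = None
    for i, line in enumerate(lines):
        m = re.match(r"^mynetworks\s*=\s*(.*)$", line)
        if m:
            value = m.group(1)
            for cont in lines[i + 1:]:
                if cont[:1] in (" ", "\t") and cont.strip():
                    value += " " + cont.strip()
                else:
                    break
            break
    if value is None:
        return []
    entries = [e.replace("[", "").replace("]", "")
               for e in re.split(r"[,\s]+", value) if e]
    # strict=False so host bits set in an entry do not raise (Postfix masks them)
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def may_relay(networks: list, client_ip: str) -> bool:
    """What permit_mynetworks decides: is the client inside any listed network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def catch_all_entries(networks: list) -> list:
    """Entries equivalent to '*': a zero-length prefix admits every address."""
    return [str(n) for n in networks if n.prefixlen == 0]
```

Running catch_all_entries on the weak fragment returns ['0.0.0.0/0'], while the hardened fragment returns an empty list and only addresses inside the listed ranges pass may_relay.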