What is the best method to allow submission of messages from Postfix?
1. Should I set all my outbound gateway IPs in Outbound Mail Relay? (Settings 8 and 1 in the EFA CLI)
2. Should Outbound Mail Relay be * and the IPs be set in the whitelist on the EFA portal?
For 1, I seem to be hitting a character limit when I enter the X amount of IPs in the settings.
I guess I'm looking for best practices to accomplish adding IPs to allow submission of mail.
I use EFA as my SMTP relay for internal devices/servers
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: I use EFA as my SMTP relay for internal devices/servers
Best practice is to use the submission port on 587.
To do that, you create a user on the system like this. This example creates a submitsmtp user.
sudo useradd -M -s /sbin/nologin submitsmtp   # no home directory, no login shell
sudo passwd submitsmtp                         # set the password the devices will use for SMTP AUTH
Then, configure your systems to use port 587 with STARTTLS and the newly created user and password. The username will be submitsmtp@example.org.
If you wish to use port 25, you may need to edit /etc/postfix/main.cf directly instead of the eFa CLI due to the character limit to add a long list of IPs and ranges. Not a good idea to allow all or '*' as this will allow any endpoint to send mail via your relay. Whitelisting is optional, depending on whether you want outbound mail scanned or not. You can also enable the ShortCircuit plugin in /etc/mail/spamassassin/local.cf and add your IPs there to bypass SpamAssassin for internal mail, if desired.
Re: I use EFA as my SMTP relay for internal devices/servers
So no options to allow only by IP? I do not want our internal devices or servers to authenticate.
EFA will not be exposed to the internet.
So devices will submit messages to EFA (via allowed IP), and EFA relays to Office 365.
Please let me know. Thanks.
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: I use EFA as my SMTP relay for internal devices/servers
You can allow an entire IP range, such as 192.168.1.0/24, to relay. In that case, I'd just allow the internal ranges that you trust to relay.
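The port-25 route described in the two replies above (edit main.cf directly because of the eFa CLI length limit, allow only trusted internal ranges, never '*') can be kept out of the CLI entirely by pointing Postfix at a file of ranges. The script below is an added example, not eFa's own code or anything posted in the thread: it validates a list of IPv4 CIDR ranges, refuses the catch-all values that would make the appliance an open relay, and writes them one per line to a file that main.cf references with `mynetworks = /file/name` (a pattern form postconf(5) supports). The sample ranges and the output path are assumptions; IPv6 is not handled.

```shell
#!/bin/sh
# Added example, not eFa's own code or the poster's: build a Postfix mynetworks
# file from a list of trusted internal IPv4 ranges, refusing the catch-all
# values ('*' or a /0 prefix) that would turn the box into an open relay.
# The output path and the sample ranges below are assumptions.

# valid_cidr RANGE: returns 0 for an IPv4 CIDR with a prefix of /1..32 and
# four octets of 0..255; returns 1 for '*', any /0, a bare address, or garbage.
valid_cidr() {
    cidr="$1"
    case "$cidr" in
        '*') return 1 ;;                           # the '*' from the question
    esac
    ip="${cidr%/*}"
    prefix="${cidr#*/}"
    [ "$ip" != "$cidr" ] || return 1               # no "/prefix" part at all
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;                   # prefix must be digits
    esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1   # /0 is everyone
    old_ifs="$IFS"
    IFS=.
    set -- $ip                                     # split the address on dots
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_mynetworks FILE RANGE...: validates every range first and writes one
# pattern per line only if all pass, so a typo can never widen the relay.
write_mynetworks() {
    outfile="$1"
    shift
    [ $# -gt 0 ] || return 1                       # an empty list is a mistake
    for range in "$@"; do
        if ! valid_cidr "$range"; then
            echo "refusing to allow relay from: $range" >&2
            return 1
        fi
    done
    : > "$outfile"
    for range in "$@"; do
        echo "$range" >> "$outfile"
    done
}

# Demo with constructed sample ranges: 127.0.0.0/8 stays so local submission
# keeps working, plus two assumed internal networks. Written to a temp file
# here; on the appliance you would use /etc/postfix/mynetworks instead.
demo=$(mktemp)
if write_mynetworks "$demo" 127.0.0.0/8 192.168.1.0/24 10.20.0.0/16; then
    echo "# put this line in /etc/postfix/main.cf, then run: postfix reload"
    echo "mynetworks = $demo"
    echo "# contents of that file:"
    cat "$demo"
fi
# The '*' the original question considered is refused and the file is untouched:
write_mynetworks "$demo" 192.168.1.0/24 '*' || echo "catch-all refused"
rm -f "$demo"
```

After pointing `mynetworks` at the file, confirm what Postfix actually loaded with `postconf mynetworks`, and keep `permit_mynetworks` as the only relay permit on the port-25 listener; since the eFa CLI also writes main.cf, re-check the value after using it.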