I use EFA as my SMTP relay for internal devices/servers

curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Post by curibe » 20 Dec 2019 15:11

What is the best method to allow submission of messages from postfix?

1. Should I set all my outbound gateway IPs in outbound mail relay? (Settings 8 and 1 in EFA CLI)

2. Should outbound mail relay be * and the IPs set in the whitelist on the EFA portal?

For 1, I seem to be hitting a character limit when I enter the X amount of IPs in the settings.

I guess I'm looking for best practices to accomplish adding IPs to allow submission of mail.

shawniverson
Posts: 3230
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Post by shawniverson » 21 Dec 2019 10:21

Best practice is to use the submission port on 587.

To do that, you create a user on the system like this. This example creates a submitsmtp user.

```
# Create the account with no home directory (-M) and no login shell
sudo useradd -M -s /sbin/nologin submitsmtp
# Set its password (needs root, like useradd)
sudo passwd submitsmtp
```

Then, configure your systems to use port 587 with STARTTLS and the newly created user and password. The username will be submitsmtp@example.org.

If you wish to use port 25, you may need to edit /etc/postfix/main.cf directly instead of the eFa CLI due to the character limit to add a long list of IPs and ranges. Not a good idea to allow all or '*' as this will allow any endpoint to send mail via your relay. Whitelisting is optional, depending on whether you want outbound mail scanned or not. You can also enable the ShortCircuit plugin in /etc/mail/spamassassin/local.cf and add your IPs there to bypass spamassassin for internal mail, if desired.

curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Post by curibe » 16 Jan 2020 03:08

So, no options to allow only by IP? I do not want our internal devices or servers to authenticate.

EFA will not be exposed to the internet.

So devices will submit messages to EFA (via IP allowed), and EFA relays to Office 365.

Please let me know. Thanks.

shawniverson
Posts: 3230
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Post by shawniverson » 16 Jan 2020 11:02

You can allow an entire ip range, such as 192.168.1.0/24 to relay. I'd just allow your internal ranges to relay in that case that you trust.
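
Added example, not part of the original thread and not eFa's own code: a check you can run over a relay allowlist before pasting it into /etc/postfix/main.cf. It flags `*` and catch-all ranges, flags entries outside internal address space, and merges hosts and adjacent ranges so a long list gets shorter. The function names, the sample list and the definition of "internal" (RFC 1918, loopback, IPv6 ULA) are assumptions made for the example.

```python
import ipaddress

# Assumption: "internal" means RFC 1918, loopback, and IPv6 ULA/loopback space.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]

# Constructed sample list, not taken from any real configuration.
SAMPLE = ("127.0.0.0/8, 192.168.1.10 192.168.1.11 192.168.1.0/24, "
          "10.0.0.0/25, 10.0.0.128/25, *, 0.0.0.0/0, 203.0.113.7")


def audit_relay_allowlist(raw):
    """Return (collapsed, findings) for a comma/space separated allowlist."""
    nets, findings = [], []
    for token in raw.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(token)  # strict: host bits must be zero
        except ValueError:
            findings.append((token, "not a valid IP or CIDR range"))
            continue
        if net.prefixlen == 0:
            findings.append((token, "matches every address (open relay)"))
            continue
        if not any(net.version == i.version and net.subnet_of(i)
                   for i in INTERNAL):
            # Kept in the result, but reported so someone confirms it.
            findings.append((token, "outside internal address space"))
        nets.append(net)
    # Merge duplicates, contained hosts and adjacent ranges per IP version,
    # which also shortens a list that has outgrown an input field.
    collapsed = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        collapsed += ipaddress.collapse_addresses(same)
    return collapsed, findings


def relay_permitted(client_ip, collapsed):
    """True if client_ip falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in collapsed)


if __name__ == "__main__":
    allowed, problems = audit_relay_allowlist(SAMPLE)
    print("allow:", " ".join(str(n) for n in allowed))
    for token, reason in problems:
        print(f"flag: {token}: {reason}")
```
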
