
I would like to host several automatic email services in docker containers that send and receive emails through the Postfix server, which is also in a container. The only outward-facing container hosts nginx proxy manager. A docker network links all the containers together. I streamed port 25 in the nginx proxy manager to the Postfix container. Since I am either sending or receiving emails for the services within the internal network, I added my internal network range to main.cf

mynetworks = 172.16.0.0/12

The problem quickly emerged as I realized that other random senders were relaying spam emails through my domain. The reason is that when streaming using the proxy manager, Postfix always sees the incoming email as from the proxy, and is thus recognized as being sent from my local network, and sends it regardless.

The current solution involves entering the configuration one by one

mynetworks = service-1 service-2 ...

The problem is that if I were to add more services to my server, I would have to change the config files manually and restart the Postfix service. Is there a way to exclude certain hosts from the permission list in the Postfix config, like so?

mynetworks = 172.16.0.0/12 exclude:[host-name-to-exclude]

Many thanks!

  • Can't you use authentication instead of permit_mynetworks? Commented Mar 30 at 5:43
  • You should have separate Postfix instances for sending and receiving mail. Proxy external connections on port 25 to the receive instance, but do not permit external access to the send instance. That will solve this issue without requiring authentication or the ability to exclude hosts from mynetwork.
    – larsks
    Commented Mar 30 at 14:33
  • @larsks Would this prevent the sending instance from sending outbound emails since it does not have access to any external port?
    – w41g87
    Commented Mar 30 at 15:53
  • Of course not; as I'm sure you've noticed, containers have outbound access without setting up any sort of port publishing -- that's why you can run things like apt-get update in a container.
    – larsks
    Commented Mar 30 at 15:55
  • ...and I should mention, it is critical that your receive instance is configured so that it cannot send email to other domains.
    – larsks
    Commented Mar 30 at 18:41

1 Answer


Is there a way to exclude certain hosts from the permission list in the Postfix config like so?

Instead of trying to solve this with access control lists, you should instead adopt a common email architecture and have separate servers for inbound and outbound email.

The inbound server is a "receive only" server, and it is the only server that exposes port 25 to the public internet. The inbound server receives email from the internet destined for local users. It must be configured so that it cannot be used to relay email to other locations.

The outbound server handles mail from local users and can be used to relay email to arbitrary external destinations. It may require authentication, or you may rely on your network configuration to control access. Mail to local users gets sent to your inbound server; everything else gets forwarded on to the appropriate destination.

(A typical email configuration will also include a POP/IMAP server through which local users can retrieve their email.)

  • These roles can and often do exist on the same server. Postfix can run multiple instances of smtpd on different ports with different settings; overrides are configured in master.cf. Commented Mar 30 at 20:36
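One way to lay out the answer's inbound/outbound split inside a single Postfix instance, using the per-service master.cf overrides the comment above mentions. This is an added example, not the asker's or the answerer's configuration; it assumes the question's 172.16.0.0/12 container range and an arbitrarily chosen internal port 2525 for the outbound listener.

```ini
# main.cf (added example; defaults that apply to every smtpd service)
# The container network is deliberately NOT trusted at the global level,
# so a connection arriving via the proxy is never treated as "mynetworks".
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = reject_unauth_destination

# master.cf
# Inbound service: the listener that nginx proxy manager streams port 25 to.
# Every connection shows the proxy's address, so it is given no relay rights
# at all; mail is accepted only for the domains listed in mydestination.
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_relay_restrictions=reject_unauth_destination

# Outbound service on a port that is never published through the proxy.
# Only the assumed internal range may relay through it, so a new service
# container needs no per-host entry and no Postfix restart.
2525      inet  n       -       n       -       -       smtpd
  -o mynetworks=172.16.0.0/12
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
```

To check the result, `postconf -Mf` prints the effective master.cf entries, and a session through the proxied port 25 addressed to a foreign domain should be refused with "Relay access denied".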
