A Simple Email Hub for Your Local Network

June 22, 2008 · 3 min read

I’ve been setting up the new Xeriom Networks MX service and figured I’d document the process. If you think something should be done differently, please leave a comment.

Requirements

The requirements are deliberately simple. We don’t need spam filtering, greylisting, logging, or virus scanning. We’re building a bare-bones service that provides reliable email delivery to hosts within our network, letting clients decide their own email policy. We will, however, do a little blacklist checking.

Installing the software

I’m using Postfix because I know it well. Since we’re not doing any filtering, the basic install fits our needs perfectly.

sudo apt-get install postfix --yes

Stop Postfix – it starts automatically after install, and we need to configure it first.

sudo /etc/init.d/postfix stop

Configuring Postfix

Edit /etc/postfix/main.cf to contain the following:

# Don't reveal the OS in the banner.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Send "delivery delayed" emails after 4 hours.
delay_warning_time = 4h

readme_directory = no

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# This is mx1.xeriom.net. Change for mx2, mx3, etc.
myhostname = mx1.xeriom.net
myorigin = mx1.xeriom.net

# Map root, abuse and postmaster to real email addresses.
virtual_alias_maps = hash:/etc/postfix/virtual

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination =
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
local_transport = error:No local mail delivery
local_recipient_maps =
smtpd_helo_required = yes

# Only allow the service to be used for hosts with final
# destinations within our VM network.
permit_mx_backup_networks = 193.219.108.0/24

# Only accept mail from nice people.
# Read and understand these blacklists' policies before you
# use them, or you risk losing mail!
smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client dul.dnsbl.sorbs.net

# Only relay mail for which this machine is a listed MX backup.
smtpd_recipient_restrictions = permit_mx_backup, reject

Now create the aliases database and redirect standard mailbox addresses to real people:

sudo newaliases
sudo sh -c "echo 'postmaster postmaster@xeriom.net' >> /etc/postfix/virtual"
sudo sh -c "echo 'abuse abuse@xeriom.net' >> /etc/postfix/virtual"
sudo sh -c "echo 'root root@xeriom.net' >> /etc/postfix/virtual"
sudo postmap /etc/postfix/virtual

Restart Postfix so the changes take effect:

sudo /etc/init.d/postfix restart

After restarting, punch a hole in the firewall for SMTP traffic. If you don’t have a firewall set up yet, you should – do that now.

sudo iptables -I INPUT 4 -p tcp --dport smtp -j ACCEPT
sudo sh -c "iptables-save -c > /etc/iptables.rules"

Testing the setup

First, verify that the new MX is listed in the DNS zone and that the final MX destination falls within the networks specified in permit_mx_backup_networks. The domain I’m testing with is emailmyfeeds.com.

dig MX emailmyfeeds.com +short
0 emailmyfeeds.com.
10 mx1.xeriom.net.
10 mx2.xeriom.net.

dig emailmyfeeds.com +short
193.219.108.60

Next, use telnet to send a trial email through the new MX. Here’s the full SMTP conversation for a successful send:

telnet mx1.xeriom.net smtp
Trying 193.219.108.242...
Connected to 193.219.108.242.
Escape character is '^]'.
220 mx1.xeriom.net ESMTP Postfix
EHLO my-computer
250-mx1.xeriom.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: craig@xeriom.net
250 2.1.0 Ok
RCPT TO: craig@emailmyfeeds.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
TEST!

.
250 2.0.0 Ok: queued as A6EED440BB

If after the RCPT TO line you get something like 554 5.7.1 <test@foo.com>: Recipient address rejected: Access denied, it means either the domain doesn’t have the MX listed in its zone file yet (or the DNS change hasn’t propagated), or the final destination doesn’t fall within the ranges allowed by permit_mx_backup_networks.
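To turn the DNS check above and the two causes of that 554 into something you can run before testing with telnet, here is an added example (not code from the original post): it models permit_mx_backup as the post describes it, with DNS answers embedded as a constructed dict built from the dig and telnet output above (mx2's address is assumed) and the network value from main.cf.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS answers, taken from the post's dig and telnet
# output; mx2's address is assumed. Swap in real lookups (dig, dnspython) to
# check a live zone.
DNS = {
    "MX": {"emailmyfeeds.com": [(0, "emailmyfeeds.com"),
                                (10, "mx1.xeriom.net"),
                                (10, "mx2.xeriom.net")]},
    "A": {"emailmyfeeds.com": ["193.219.108.60"],
          "mx1.xeriom.net": ["193.219.108.242"],
          "mx2.xeriom.net": ["193.219.108.243"]},
}

# Same value as permit_mx_backup_networks in the post's main.cf.
PERMIT_MX_BACKUP_NETWORKS = [ip_network("193.219.108.0/24")]


def would_relay(domain, myhostname, dns=DNS, networks=PERMIT_MX_BACKUP_NETWORKS):
    """Decide whether 'permit_mx_backup, reject' should accept mail for domain.

    Returns (True, "ok") or (False, reason). The reason maps onto the two
    causes of '554 5.7.1 ... Access denied' discussed in the post.
    """
    mxs = sorted(dns["MX"].get(domain, []))  # best (lowest) preference first
    my_prefs = [pref for pref, host in mxs if host.lower() == myhostname.lower()]
    if not my_prefs:
        return False, f"{myhostname} is not an MX for {domain} (zone not updated or not propagated?)"
    # Every MX preferred over us is a primary; each must live in our networks.
    # Equal-preference peers (mx2) are fellow backups and are not checked.
    for pref, host in mxs:
        if pref >= my_prefs[0]:
            break
        addrs = dns["A"].get(host, [])
        if not addrs:
            return False, f"primary MX {host} does not resolve"
        for addr in addrs:
            if not any(ip_address(addr) in net for net in networks):
                return False, f"primary MX {host} ({addr}) is outside permit_mx_backup_networks"
    return True, "ok"


if __name__ == "__main__":
    ok, why = would_relay("emailmyfeeds.com", "mx1.xeriom.net")
    print("emailmyfeeds.com via mx1.xeriom.net:", "relay" if ok else "reject", why)
```

Run it against each domain you expect to relay for; a False result tells you which of the two causes to chase before reaching for telnet.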

One more thing: always check your MX servers using an open relay checker. If you skip this step, you’re helping distribute spam, and nobody wants that.

Using the Xeriom MX service

If you’re running a VM at Xeriom Networks, you can use this service from 2008-06-24 by following the instructions at the Xeriom wiki.

These posts are LLM-aided. Backbone, original writing, and structure by Craig. Research and editing by Craig + LLM. Proof-reading by Craig.