A Simple Email Hub for Your Local Network

June 22, 2008 · 3 min read

I've been setting up the new [Xeriom Networks](http://xeriom.net/) MX service and figured I'd document the process. If you think something should be done differently, please leave a comment.

## Requirements

The requirements are deliberately simple. We don't need spam filtering, greylisting, logging, or virus scanning. We're building a bare-bones service that provides reliable email delivery to hosts within our network, letting clients decide their own email policy. We will, however, do a little blacklist checking.

## Installing the software

I'm using Postfix because I know it well. Since we're not doing any filtering, the basic install fits our needs perfectly.

```bash
sudo apt-get install postfix --yes
```

Stop Postfix -- it starts automatically after install, and we need to configure it first.

```bash
sudo /etc/init.d/postfix stop
```

## Configuring Postfix

Edit `/etc/postfix/main.cf` to contain the following:

```
# Don't reveal the OS in the banner.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# Appending .domain is the MUA's job.
append_dot_mydomain = no

# Send "delivery delayed" emails after 4 hours.
delay_warning_time = 4h

readme_directory = no

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# This is mx1.xeriom.net. Change for mx2, mx3, etc.
myhostname = mx1.xeriom.net
myorigin = mx1.xeriom.net

# Map root, abuse and postmaster to real email addresses.
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# No local delivery at all: this box only relays.
mydestination =
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
local_transport = error:No local mail delivery
local_recipient_maps =

smtpd_helo_required = yes

# Only allow the service to be used for hosts with final
# destinations within our VM network.
permit_mx_backup_networks = 193.219.108.0/24

# Only accept mail from nice people.
# Read and understand these blacklists' policies before you
# use them or you risk losing mail!
smtpd_client_restrictions =
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net

# Only relay mail for which this machine is a listed MX backup.
smtpd_recipient_restrictions = permit_mx_backup, reject
```

Now create the aliases database and redirect the standard mailbox addresses to real people:

```bash
sudo newaliases
sudo sh -c "echo 'postmaster postmaster@xeriom.net' >> /etc/postfix/virtual"
sudo sh -c "echo 'abuse abuse@xeriom.net' >> /etc/postfix/virtual"
sudo sh -c "echo 'root root@xeriom.net' >> /etc/postfix/virtual"
sudo postmap /etc/postfix/virtual
```

Restart Postfix so the changes take effect:

```bash
sudo /etc/init.d/postfix restart
```

After restarting, punch a hole in the firewall for SMTP traffic. If you don't have a firewall set up yet, you should -- [do that now](http://barkingiguana.com/2008/06/22/firewall-a-pristine-ubuntu-804-box).

```bash
sudo iptables -I INPUT 4 -p tcp --dport smtp -j ACCEPT
sudo sh -c "iptables-save -c > /etc/iptables.rules"
```

## Testing the setup

First, verify that the new MX is listed in the DNS zone and that the final MX destination falls within the networks specified in `permit_mx_backup_networks`. The domain I'm testing with is emailmyfeeds.com.

```bash
dig MX emailmyfeeds.com +short
0 emailmyfeeds.com.
10 mx1.xeriom.net.
10 mx2.xeriom.net.

dig emailmyfeeds.com +short
193.219.108.60
```

Next, use `telnet` to send a trial email through the new MX. Here's the full SMTP conversation for a successful send:

```
telnet mx1.xeriom.net smtp
Trying 193.219.108.242...
Connected to 193.219.108.242.
Escape character is '^]'.
220 mx1.xeriom.net ESMTP Postfix
EHLO my-computer
250-mx1.xeriom.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: craig@xeriom.net
250 2.1.0 Ok
RCPT TO: craig@emailmyfeeds.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
TEST!
.
250 2.0.0 Ok: queued as A6EED440BB
```

If after the `RCPT TO` line you get something like `554 5.7.1 : Recipient address rejected: Access denied`, one of two things is wrong: either the domain doesn't have the MX listed in its zone file yet (or the DNS change hasn't propagated), or the final destination doesn't fall within the ranges allowed by `permit_mx_backup_networks`.

One more thing: **always** check your MX servers using an [open relay checker](http://www.abuse.net/relay.html). If you skip this step, you're helping distribute spam, and nobody wants that.

## Using the Xeriom MX service

If you're running a VM at Xeriom Networks, you can use this service from 2008-06-24 by following the instructions at [the Xeriom wiki](http://wiki.xeriom.net/w/XeriomMXService).
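To make the DNS checks from the "Testing the setup" section repeatable, here is an added Python example (not from the original post) that mirrors what `permit_mx_backup` requires before it relays for a domain: the relay must be a listed MX for the domain, and the primary MX's addresses must sit inside `permit_mx_backup_networks`. The `dig` output it parses is a constructed sample copied from the post, and `check_mx_backup` and the other names are my own.

```python
import ipaddress

# permit_mx_backup_networks as set in the main.cf above.
PERMIT_MX_BACKUP_NETWORKS = ["193.219.108.0/24"]

# Constructed sample input, copied from the post's `dig ... +short` output.
MX_SHORT = "0 emailmyfeeds.com.\n10 mx1.xeriom.net.\n10 mx2.xeriom.net.\n"
A_RECORDS = {"emailmyfeeds.com": ["193.219.108.60"]}  # dig emailmyfeeds.com +short


def parse_mx_short(text):
    """Turn `dig MX <domain> +short` output into a sorted [(preference, host)] list."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def in_backup_networks(ip, networks):
    """True when ip lies inside one of the permit_mx_backup_networks CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def check_mx_backup(domain, relay_host, mx_short, a_records,
                    networks=PERMIT_MX_BACKUP_NETWORKS):
    """Return (ok, reasons): ok only when relay_host is a listed MX for domain
    and every address of the primary (lowest-preference) MX hosts is inside
    networks, the two things permit_mx_backup needs before it will relay."""
    mx = parse_mx_short(mx_short)
    if not mx:
        return False, [f"no MX records found for {domain}"]
    reasons = []
    hosts = [h for _, h in mx]
    relay = relay_host.rstrip(".").lower()
    if relay not in hosts:
        reasons.append(f"{relay} is not an MX for {domain} (MX set: {hosts})")
    best = mx[0][0]
    for pref, host in mx:
        if pref != best:
            break  # only the primary MX hosts are checked against the networks
        ips = a_records.get(host, [])
        if not ips:
            reasons.append(f"primary MX {host} has no address record")
        for ip in ips:
            if not in_backup_networks(ip, networks):
                reasons.append(f"primary MX {host} ({ip}) is outside {networks}")
    return (not reasons, reasons)
```

Feed it the real `dig` output for your own domain in place of the constructed samples; an empty reasons list means the `554 5.7.1` rejection above should not happen for that domain.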

These posts are LLM-aided. Backbone, research, original writing, and structure by Craig. Editing by Craig + LLM. Proof-reading by Craig.