0

There is a need to make a relay server for the company's corporate mail. The need arose due to the presence of some google ip in the spam lists, and this sometimes leads to the fact that letters end up in spam. What exactly is needed? You want gmail to send all outgoing mail through this relay server. However, I did not find the possibility in the Google Workspace control panel to specify data for authorization on the server, only the host and port. It is necessary to limit the possibility of relaying only if the letter is sent from the corporate domain. Tell me, please, how can this be done?

There is a VPS (Ubuntu 22.04) server on hetzner with raised postfix (v 3.6.4).

config main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_security_level=may
smtp_use_tls=yes
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
myhostname = mail.example.com
mydomain = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.$mydomain, localhost, $myhostname
relayhost =
#relay_domains = gmail.com, google.com, mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

With these settings, I get an error that Relay access denied. This can be fixed by adding the subnets of Google mail services to the "mynetworks =" line, only with this configuration it is like an open relay server and there is a lot of spam from Google mail (thanks for explaining this point to me in the post: Postfix block spam email address ).

Jun 20 08:49:19 mail postfix/smtpd[1444537]: NOQUEUE: reject: RCPT from mail-qk1-f200.google.com[209.85.222.200]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Jun 20 08:49:19 mail postfix/smtpd[1444537]: disconnect from mail-qk1-f200.google.com[209.85.222.200] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7
Tarik
  • 1
  • 2
  • 1
    Don't do this. SMTP is hard. Google have teams of experts trying to ensure your deliverability. Even if you get relaying sorted you're g0oing to have deliverability issues. You've not configured SPF verification. I don't know what you're miler is doing but you do at least need DKIM. – symcbean Jun 20 '23 at 12:41
  • Thanks for your reply. When I limited relay access to Google subnets, everything worked correctly, letters were delivered and passed all the necessary checks (SPF, DKIM, DMARC). – Tarik Jun 20 '23 at 13:09

1 Answers1

1

The main problem is that when you configure what Google Workspace calls an outbound gateway you can't provide any "advanced" authentication.

The only mechanism available for the outbound gateway, your mail relay, are IP-based access controls.

That means that you must configure Postfix accept and forward email from all ​Google Workspace mail server IP addresses.

That requires you to retrieve (and possibly regularly update) the list of IP-addresses used by Google for e-mail forwarding according to the procedure here: https://support.google.com/a/answer/60764

retrieve the SPF records for the domain _spf.google.com:

nslookup -q=TXT _spf.google.com 8.8.8.8

This returns a list of the domains included in Google's SPF record, such as:

_netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com

Look up the DNS records associated with those domains, one at a time:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

That should result in something like:

on-authoritative answer:
_netblocks3.google.com    text = "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

And that are the IP-address ranges you will need to grant access to the relay functionality.
Yes, that will be a great many IP-address ranges and addresses.
No, in contrast to what the comments on your other post suggested, that doesn't make your server an open relay.

For postfix that typically means adding them to your mynetworks = entry in main.cf and using the default or other appropriate smtpd_relay_restrictions :

mynetworks = 127.0.0.0/8 81.171.2.0/24 [::1]/128 [fe80::]/64 172.217.0.0/19  172.217.32.0/20 ... etc. etc. 
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Enforcing that mails are only relayed/forwarded when they have your own domains example.com and example.co.uk set as the sender / From: requires an additional refinement:

Set up a an access map

 #/etc/postfix/access

 example.com OK
 example.co.uk OK

run postmap /etc/postfix/access

and add check_sender_access hash:/etc/postfix/access to the smtpd_relay_restrictions in

     smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access, defer_unauth_destination
HBruijn
  • 77,029
  • 24
  • 135
  • 201
  • Thanks for your reply. I returned the google subnets and also configured the access file as you indicated. At the moment everything is working and I will continue to monitor the behavior of the server. Previously, with this setting, there were many transfers from Google mail. Do I understand correctly that setting the */etc/postfix/access* file will most likely close this problem? I provided examples of such requests in the post I indicated. I can’t add to the comment because it’s a very big conclusion, sorry. – Tarik Jun 20 '23 at 13:33
  • Unfortunately setting the /etc/postfix/access file did not restrict relaying from other domains. I sent mail via my relay server from another Google workspace (respectively, another domain) and the letter was redirected. Can you tell me how to solve this problem? – Tarik Jun 21 '23 at 07:45
  • :facepalm: - smtpd_relay_restrictions (and similar settings) are checked left from right and the first match resulting in an allow or deny is applied. I don't think you can or at least I don't know how to configure that two or more access controls need to be met concurrently. – HBruijn Jun 22 '23 at 07:12
  • This is sad :( In any case, thank you very much for your help, I will look for possible solutions :) – Tarik Jun 22 '23 at 07:15