3

I have a Postfix instance on an EC2 server which will need to accept mail from the outside world (e.g. port 25 will be mapped to it from a virtual IP.)

I also want to use this server to send mail from my other EC2 machines. As EC2 doesn't map to the concept of a subnet which can be granted relay access, I'm thinking about running Postfix on a second port, and limiting access to that port by security group.

Ultimately I want port 25 to run like normal, and have port 26 accept mail for anyone who is able to connect to it.

Can this be done?

crb
  • 7,998
  • 1
  • 38
  • 53

2 Answers2

3

Sure, you can do that. You'll need to edit your master.cf to add a listener on another port (right now there's a line like

smtp inet n - - - - smtpd

that you can duplicate as:

26 inet n - - - - smtpd

to add a listener on port 26.

Then you just need to allow the internal amazon IPs to connect to it by adding them to your mynetworks statement in main.cf; I'd just allow 10.0.0.0/8 to connect since all your internal AMIs are guaranteed to be in that range. The manual of course has more details.

Edit: Drew Bloechl points out you can directly override mynetworks in the master.cf like so:

26 inet n - - - - smtpd -o mynetworks=10.0.0.0/8

This configuration will apply whatever filtering, etc, rules you put into your config to everything that comes in on port 25, but will allow anyone from 10.0.0.0/8 to connect to port 26 and send mail without having to pass all those checks.

pjz
  • 10,595
  • 1
  • 32
  • 40
  • Doesn't this means everyone with an EC2 instance can then relay through my server on port 25? – crb Jul 19 '10 at 16:18
  • No, only your other EC2 instances in the same security zone can see your server. Mine can't see yours and yours can't see mine. – pjz Jul 19 '10 at 17:41
  • But in order to get mail to be allowed for the domain I actually want, I need to open port 25 to the world... – crb Jul 19 '10 at 18:26
  • @crb - Right. If you do mynetworks=10.0.0.0/8, you expose relay access to all EC2 instances. Any EC2 instance can relay mail through your server. That assumes you opened that port to the outside world. *EDIT* - or wait... expose port 25 to the world, then only open port 26 to your instances in that security group. Done. – BMiner May 22 '12 at 04:25
3

pjz's answer is close.

Add a couple lines to master.cf that looks something like this:

26 inet n - - - - smtpd
    -o mynetworks=10.0.0.0/8

This will give you a second smtpd with mynetworks overridden from what is defined in main.cf. You can override other variables in the same way; look at the commented-out examples that should already exist in the file.

Drew Bloechl
  • 744
  • 3
  • 6