Paul Derby

Q: Configure postfix to accept inbound mail only from Google

I like to host my own email on a Mac Mini running OS X Server. I’ve also looked for solutions that allow filtering out SPAM before the mail gets sent to my server. For many years I used Postini’s spam filtering service to clean incoming email before Postini forwarded the mail on to my server. I now use Google mail, part of the Google Apps service, to remove spam and to archive all the mail.

The approach of letting Google clean email before sending the mail on to my OS X Server uses two domains, one a “public” domain for incoming email and another a “private” domain used only for forwarding the filtered email to OS X Server.

All went well with the default Postfix configuration that came with OS X Server for a few months, then SPAM started creeping into my “private” domain as various spammers discovered my private email address and started sending mail directly to the Mac Mini, bypassing Google.

Whenever I had spare time I would search the web looking for how to configure Postfix on OS X Server so that email from Google and my other machines would be accepted and all other email would be blocked. There were lots of write-ups on how to relay outgoing email to Google, but I couldn’t find straightforward configuration instructions for configuring Postfix to only allow incoming email forwarded by Google or coming from my machines and block all other sources.

With a Google Apps account you get telephone support, so I gave Google a call and within a few rings got a very pleasant guy who listened to what I wanted to do and didn’t have the configuration setup, but did offer to send me a document showing the blocks of IP addresses used by Google for sending email.

I’ve posted several requests for help doing this type of configuration and never received responses that made sense. So in the interest of helping anyone else who wants to configure Postfix to accept inbound email connections from a set of specific IP addresses and refuse connections from all other sources, here is what will get you going:

Use your favorite text editor to edit the Postfix configuration file (I use BBEdit, but use whatever you like).

On the OS X Server open this file:

/Library/Server/Mail/Config/postfix/main.cf

Immediately do a “save as…” to make a backup copy with a different name, such as …main.cf.back1, in the same directory so you can revert to the backup if necessary.

Substitute your domain names and addresses in the following settings:

public.com - change to your publicly advertised routable domain
hidden.com - change to your OS X Server routable domain
lan.com - change to your OS X Server LAN domain; it should be registered to make things clean and shouldn’t be .local
10.6.18.0/24 - change to your LAN subnet
host - change to your host name
aaa.bbb.ccc.ddn - change to your publicly routable IP addresses provided by your ISP

Your Postfix configuration file should contain these settings (and probably more). Each situation varies, so do what you have to for your situation.

Have Postfix add your public domain name in the email header:

myorigin = public.com
mydomain_fallback = localhost
message_size_limit = 41943040
biff = no

Let Postfix know your LAN network, the routable addresses you have from your ISP, and the Google networks where the Google email servers live. Get the latest list of Google networks hosting email at this address: https://support.google.com/a/answer/3070269

mynetworks =
          10.6.18.0/24,
          127.0.0.0/8,
# ISP provided routable IP addresses, individually or in CIDR aaa.bbb.ccc.0/24 notation if possible
          aaa.bbb.ccc.dd1,
          aaa.bbb.ccc.dd2,
          aaa.bbb.ccc.dd3,
          aaa.bbb.ccc.dd4,
# Google networks
          64.18.0.0/20,
          64.233.160.0/19,
          66.102.0.0/20,
          66.249.80.0/20,
          72.14.192.0/18,
          74.125.0.0/16,
          173.194.0.0/16,
          207.126.144.0/20,
          209.85.128.0/17,
          216.239.32.0/19

smtpd_client_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
# Comment out the spam blacklist sites since Google does spam filtering for you
#          reject_rbl_client bl.spamcop.net
#          reject_rbl_client zen.spamhaus.org
#          permit
# If you get this far, reject because the IP address isn’t one of yours or Google’s
          REJECT

The rest of the config file should be pretty much what you already have in place:

recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = all
config_directory = /Library/Server/Mail/Config/postfix
smtpd_enforce_tls = no
smtpd_use_pw_server = yes
relayhost =
smtpd_tls_cert_file = your cert file path here
mydomain = hidden.com
smtpd_pw_server_security_options = cram-md5,digest-md5,login,plain
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_tls_CAfile = your file path here
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     check_policy_service unix:private/policy,
     reject_unauth_pipelining,
     reject_invalid_hostname,
     reject_unauth_destination,
     reject_unknown_recipient_domain,
     reject_non_fqdn_recipient,
     permit
header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
myhostname = host.hidden.com
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_use_tls = yes
smtpd_tls_key_file = your path here
enable_server_options = yes
recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users
virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, ipv6.$mydomain, public.com
mailbox_transport = dovecot
postscreen_dnsbl_sites = zen.spamhaus.org*2
maps_rbl_domains =
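Both restriction lists in this configuration (smtpd_client_restrictions together with mynetworks, and smtpd_recipient_restrictions) are walked top to bottom, and the first restriction that says permit or reject decides. The script below is an added example, not code from the post and not part of Postfix: it reads a main.cf fragment using Postfix's logical-line rules (a parameter starts in column 0, indented lines continue it, and '#' lines are ignored even in the middle of a multi-line value) and replays both lists for a given client address and recipient, so you can see which rule would fire before you reload the live server. Everything in the fragment is constructed for the example: the ISP and client addresses come from the RFC 5737 documentation ranges, the recipient list is trimmed to a few entries, $variables are not expanded so mydestination is written out literally, and restrictions that need a DNS or policy lookup are treated as giving no decision. The Google ranges are the ones the post lists.

```python
import ipaddress
import re

# Constructed main.cf fragment (not the post's file) holding the post's
# mynetworks and restriction lists. ISP placeholders are RFC 5737 addresses;
# the Google ranges are those the post lists. No $variable expansion here.
MAIN_CF = """\
mydestination = host.hidden.com, localhost, hidden.com, public.com
mynetworks =
          10.6.18.0/24,
          127.0.0.0/8,
# ISP provided routable IP addresses (constructed placeholders)
          203.0.113.10,
          203.0.113.11,
# Google networks
          64.18.0.0/20,
          64.233.160.0/19,
          66.102.0.0/20,
          66.249.80.0/20,
          72.14.192.0/18,
          74.125.0.0/16,
          173.194.0.0/16,
          207.126.144.0/20,
          209.85.128.0/17,
          216.239.32.0/19
smtpd_client_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          REJECT
smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     check_policy_service unix:private/policy,
     reject_unauth_destination,
     permit
"""

# Restrictions that take one argument and need a lookup this model skips.
LOOKUP_RESTRICTIONS = {"reject_rbl_client", "check_policy_service"}


def parse_main_cf(text):
    """Read main.cf logical lines: a parameter starts in column 0, an indented
    line continues the previous value, and '#' lines are dropped even inside
    a multi-line value (as Postfix's readlline does)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            params[current] += " " + raw.strip()
        else:
            key, _, value = raw.partition("=")
            current = key.strip()
            params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are comma and/or whitespace separated."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def evaluate(restrictions, client_ip, networks, mydestination,
             recipient=None, sasl_authenticated=False):
    """Walk one list in order: the first permit or reject decides, and an
    exhausted list permits (Postfix's default). Names are case-insensitive."""
    ip, tokens, i = ipaddress.ip_address(client_ip), split_list(restrictions), 0
    while i < len(tokens):
        name = tokens[i].lower()
        if name == "permit_mynetworks" and any(ip in n for n in networks):
            return ("permit", "permit_mynetworks")
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", "permit_sasl_authenticated")
        if name == "permit":
            return ("permit", "permit")
        if name == "reject":
            return ("reject", "reject")
        if name == "reject_unauth_destination" and recipient is not None:
            # Simplified: only mydestination counts as an authorized destination.
            if recipient.rpartition("@")[2].lower() not in mydestination:
                return ("reject", "reject_unauth_destination")
        if name in LOOKUP_RESTRICTIONS:
            i += 1  # skip the DNSBL domain / policy socket argument
        i += 1
    return ("permit", "end of list")


def decide(cf_text, client_ip, recipient=None, sasl_authenticated=False):
    """Client list first; the recipient list only for a client that got in."""
    p = parse_main_cf(cf_text)
    networks = [ipaddress.ip_network(t, strict=False)
                for t in split_list(p["mynetworks"])]
    mydest = {d.lower() for d in split_list(p["mydestination"])}
    args = (client_ip, networks, mydest, recipient, sasl_authenticated)
    result = {"client": evaluate(p["smtpd_client_restrictions"], *args)}
    if result["client"][0] == "permit" and recipient is not None:
        result["recipient"] = evaluate(p["smtpd_recipient_restrictions"], *args)
    return result


if __name__ == "__main__":  # constructed sample: Google-range client, foreign recipient
    print(decide(MAIN_CF, "64.233.160.5", "someone@example.org"))
```

Running it for a client inside one of the Google ranges and a recipient outside your domains shows the point to keep in mind with this layout: because the Google ranges are in mynetworks, permit_mynetworks in smtpd_recipient_restrictions fires before reject_unauth_destination, so any client in those ranges is allowed to send to any recipient domain, not only to hidden.com and public.com. If you want the Google ranges accepted for inbound mail without that relay permission, the allowlist can instead be expressed as a check_client_access cidr: table in smtpd_client_restrictions while mynetworks keeps only the LAN, loopback and ISP addresses; the evaluator above treats check_* restrictions as no-decision, so that variant is outside what it models.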

 

This config file should do the job of keeping out everyone but the Google email servers and devices on your WAN and LAN.

Any suggestions to make this better or more efficient welcomed!

Mac mini, OS X Server, 10.8.5 Mountain Lion Server

Posted on Apr 13, 2014 3:22 PM