Q: Configure postfix to accept inbound mail only from Google
I like to host my own email on a Mac Mini running OS X Server. I’ve also looked for solutions that allow filtering out SPAM before the mail gets sent to my server. For many years I used Postini’s spam filtering service to clean incoming email before Postini forwarded the mail on to my server. I now use Google mail, part of the Google Apps service, to remove spam and to archive all the mail.
The approach of letting Google clean email before sending the mail on to my OS X Server uses two domains: one a “public” domain for incoming email and another a “private” domain used only for forwarding the filtered email to OS X Server.
All went well with the default Postfix configuration that came with OS X Server for a few months, then SPAM started creeping into my “private” domain as various spammers discovered my private email address and started sending mail directly to the Mac Mini, bypassing Google.
Whenever I had spare time I would search the web looking for how to configure Postfix on OS X server so that email from Google and my other machines would be accepted and all other email would be blocked. There were lots of write-ups on how to relay outgoing email to Google, but I couldn’t find straightforward configuration instructions for configuring Postfix to only allow incoming email forwarded by Google or coming from my machines and block all other sources.
With a Google apps account you get telephone support so I gave Google a call and within a few rings got a very pleasant guy who listened to what I wanted to do and didn’t have the configuration setup, but did offer to send me a document showing the blocks of IP addresses used by Google for sending email.
I’ve posted several requests for help doing this type of configuration and never received responses that made sense. So in the interest of helping anyone else that wants to configure Postfix to accept connections from a set of specific IP addresses and refuse connections from all other sources for inbound email, here is what will get you going:
Use your favorite text editor to edit the Postfix configuration file (I use BBEdit), but use whatever you like.
On the OS X Server open this file:
/Library/Server/Mail/Config/postfix/main.cf
Immediately do a “save as…” to make a backup copy with a different name, such as …main.cf.back1, in the same directory so you can revert to the backup if necessary.
Substitute your domain names in the following commands:
public.com - change to your publicly advertised routable domain
hidden.com - change to your OS X Server routable domain
lan.com - change to your OS X Server LAN domain; it should be registered to make things clean and shouldn’t be .local
10.6.18.0/24 - change to your LAN subnet
host - change to your host name
Your Postfix configuration file should contain these commands (and probably more). Each situation varies, so do what you have to for your situation.
Have Postfix add your public domain name in the email header:
myorigin = public.com
mydomain_fallback = localhost
message_size_limit = 41943040
biff = no
aaa.bbb.ccc.ddn - change to your publicly routable IP addresses provided by your ISP
Let Postfix know your LAN network, the routable addresses you have from your ISP, and the Google networks where the Google email servers live. Get the latest list of Google networks hosting email at this address: https://support.google.com/a/answer/3070269
mynetworks =
    10.6.18.0/24,
    127.0.0.0/8,
    # ISP-provided routable IP addresses, individually or in CIDR (aaa.bbb.ccc.0/24) notation if possible
    aaa.bbb.ccc.dd1,
    aaa.bbb.ccc.dd2,
    aaa.bbb.ccc.dd3,
    aaa.bbb.ccc.dd4,
    # Google networks (get the current list from the Google support page above)
    64.18.0.0/20,
    64.233.160.0/19,
    66.102.0.0/20,
    66.249.80.0/20,
    72.14.192.0/18,
    74.125.0.0/16,
    173.194.0.0/16,
    207.126.144.0/20,
    209.85.128.0/17,
    216.239.32.0/19
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    # Comment out the spam blacklist sites since Google does spam filtering for you
    # reject_rbl_client bl.spamcop.net,
    # reject_rbl_client zen.spamhaus.org,
    # permit
    # If you get this far, reject because the client IP address isn’t one of yours or Google’s
    reject
The rest of the config file should be pretty much what you already have in place:
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = all
config_directory = /Library/Server/Mail/Config/postfix
smtpd_enforce_tls = no
smtpd_use_pw_server = yes
relayhost =
smtpd_tls_cert_file = your cert file path here
mydomain = hidden.com
smtpd_pw_server_security_options = cram-md5,digest-md5,login,plain
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_tls_CAfile = your file path here
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service unix:private/policy,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    permit
header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
myhostname = host.hidden.com
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_use_tls = yes
smtpd_tls_key_file = your path here
enable_server_options = yes
recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users
virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, ipv6.$mydomain, public.com
mailbox_transport = dovecot
postscreen_dnsbl_sites = zen.spamhaus.org*2
maps_rbl_domains =
This config file should do the job of keeping out everyone but the Google email servers and devices on your WAN and LAN.
Any suggestions to make this better or more efficient welcomed!
Mac mini, OS X Server, 10.8.5 Mountain Lion Server
Posted on Apr 13, 2014 3:22 PM
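A dry-run check of the mynetworks / smtpd_client_restrictions logic from the post, added here as an example that is not part of the original post and not Postfix’s own code: it reads a constructed main.cf excerpt the way postconf does (continuation lines joined, comment lines dropped), builds the network list, and reports which restriction would fire for a few constructed client addresses. It models only the permit_mynetworks → permit_sasl_authenticated → reject chain, nothing else in Postfix.

```python
"""Dry-run of a Postfix mynetworks / smtpd_client_restrictions setup (added example)."""
import ipaddress
import re

# Constructed main.cf excerpt in the post's layout: multi-line values use indented
# continuation lines, and indented comment lines are ignored by Postfix.
MAIN_CF = """\
myorigin = public.com
mynetworks =
    10.6.18.0/24,
    127.0.0.0/8,
    # Google networks (check the Google support page for the current list)
    74.125.0.0/16
    209.85.128.0/17
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject
"""

def parse_main_cf(text):
    """Parse main.cf into {parameter: value}: a line starting with whitespace
    continues the previous logical line; blank and '#' lines are dropped."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is not None:
                params[current] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params

def mynetworks(params):
    """Split the mynetworks value on commas/whitespace into ip_network objects."""
    items = re.split(r"[,\s]+", params.get("mynetworks", "").strip())
    return [ipaddress.ip_network(i, strict=False) for i in items if i]

def client_decision(client_ip, nets, sasl_authenticated=False):
    """Which restriction fires for a connecting client under the post's chain."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in n for n in nets):
        return "permit_mynetworks"
    if sasl_authenticated:
        return "permit_sasl_authenticated"
    return "reject"

if __name__ == "__main__":
    nets = mynetworks(parse_main_cf(MAIN_CF))
    for ip in ("10.6.18.42", "74.125.200.27", "198.51.100.9"):  # constructed clients
        print(ip, "->", client_decision(ip, nets))
```

On the server itself, `postconf mynetworks` prints the value Postfix actually parsed, which is the quickest way to catch a continuation line that lost its leading whitespace.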