No Backscatter Email Alias Relay

Jump to Table of Contents

Preface

Setting up an email relay that aliases addresses in various domains to a specific offsite user doesn’t have to mean backscatter. Here is one solution.

What you get

  • Redirect mail from certain domains you control (e.g. domain1.example.com and domain2.example.com) to a specific user in another domain (for example you@example.net) for any number of aliases in domain1.example.com and domain2.example.com.
  • Keep spam to a minimum (to the extent possible with a VPS with 1GB of RAM; better options are available with more RAM).
  • Avoid backscatter even with maliciously crafted email intended to take advantage of the bounce mechanism when you use a relay and it rejects mail your server didn’t.

Caveats

  • You need a local user with which to receive bounces so that you have the choice of manually deciding to redirect or delete, as appropriate.
  • This does mean this isn’t a viable solution for high volume mail servers.

Prerequisites

  • This article is based on using Postfix on Ubuntu 20.04. Other versions of Linux may have a different default Postfix configuration and thus these instructions may need adjusting on non-Debian/Ubuntu systems or even older (or later) versions of Debian/Ubuntu.
  • A server with an acceptable public IP (i.e. not on blacklists or having a low reputation with the final destination email server) for sending mail or you need an email relay.
  • The server must be able to receive mail on port 25 and to send to same, or receive mail on port 25 and be able to use an email relay to send (many VPS providers do no allow sending mail directly to the internet (specifically port 25 outgoing is often blocked), and those that do often have low reputation IP blocks due to abuse or poorly configured servers being abused unbeknownst the server operator).
  • The server must be able to receive traffic on port 80 (HTTP) (or you will have to adjust the instruction for another means than Certbot standalone mode for obtaining SSL certificates).
  • The server must have at least 1GB of RAM.
  • Some knowledge of Linux system administration (this guide assumes a certain level of working knowledge and ability to troubleshoot errors while attempting to follow the guide).
  • Knowledge of regular expression (regexp) syntax and use.

Packages

  • certbot
  • mutt
  • opendmarc
  • opendkim
  • postfix
  • postfix-policyd-spf-perl
  • spamass-milter

Install the Packages

sudo apt install -y certbot mutt opendmarc opendkim postfix postfix-policyd-spf-perl spamass-milter

Configuration

OpenDKIM

  1. In the file /etc/default/opendkim, comment (that is make sure the line begins with #) all lines beginning with SOCKET=
  2. Add a line as below:
    SOCKET=inet:8896@127.0.0.1
    
  3. In the file /etc/opendkim.conf make sure the line containing AuthservID matches your hostname. If your hostname was mail.example.com then it should contain AuthservID mail.example.com
  4. In the same file, make sure lines contain Domain, KeyFile, and Selector or commented
  5. In the same file, make the line contain Mode be Mode v
  6. In the same file, set the Socket line to be Socket inet:8896@127.0.0.1
  7. In the same file, make sure the line with TrustAnchorFile is commented
  8. Add the following lines:
    DNSTimeout 8
    On-BadSignature r
    On-DNSError t
    
  9. Once you have saved the above files issue:
    systemctl restart opendkim
    

OpenDMARC

  1. In the file /etc/default/openddmarc, comment (that is make sure the line begins with #) all lines beginning with SOCKET=
  2. Add a line as below:
    SOCKET=inet:8897@127.0.0.1
    
  3. In the file /etc/opendmarc.conf, make sure the line containing AuthservID matches your hostname. If your hostname were mail.example.com, then it should contain AuthservID mail.example.com
  4. In the same file, set one line to be RejectFailures true
  5. In the same file, set the Socket line to be Socket inet:8897@127.0.0.1
  6. In the same file, set make sure the TrustAuthservIDs line is TrustAuthservIDs HOSTNAME
  7. In the same file, add the following lines:
    SPFIgnoreResults false
    SPFSelfValidate true
    RequiredHeaders true
    
  8. Once you have saved the above files issue:
    systemctl restart opendmarc
    

Spamass-Milter and SpamAssassin

  1. In the file /etc/default/spamassassin, change the line with CRON=0 to CRON=1
  2. In the file /etc/default/spamass-milter replace the lines beginning with OPTIONS= with the following snippet:
    # Default, use the spamass-milter user as the default user, ignore
    # messages from localhost
    OPTIONS="-u spamass-milter -i 127.0.0.1"
    
    # Reject emails with spamassassin scores > 3.
    #OPTIONS="${OPTIONS} -r 15"
    OPTIONS="${OPTIONS} -r 3"
    
    # Do not modify Subject:, Content-Type: or body.
    OPTIONS="${OPTIONS} -m"
    
    # Scan messages up to Postifix max size
    OPTIONS="${OPTIONS} -- -s 10240000"
    
  3. In the file /etc/spamassassin/local.cf, comment the line containing rewrite_header
  4. In the same file, uncomment and set the required_score line to be required_score 3.0
  5. In the same file, comment the line containing use_bayes 1 (bayesian filtering is better used when not using spamassasin as a prequeue milter)
  6. In the same file, set the line bayes_auto_learn 1 to bayes_auto_learn 0
  7. Once you have saved the above files issue:
    systemctl enable spmassassin spamass-milter
    systemctl restart spamass-milter spamassassin
    

Certbot

  1. Assuming your mail server is mail.example.com and you have port 80 (HTTP) on the server open in your firewall (if any), issue the command:
     sudo certbot certonly --standalone -d mail.example.com
    

    and answer the prompts.

Postfix

NB: Includes configuration of postfix-policyd-spf-perl

  1. Add the following lines to /etc/postfix/master.cf:
    spfcheck  unix  -       n       n       -       0       spawn
      user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
    
  2. Edit /etc/postfix/main.cf to look like the example below (leaving comments that come with the default configuration, if you wish), assuming your mail server is mail.example.com, you are required to use email relay relay.example.com, your final destination email address is in the example.net domain, you are relaying mail original sent to domain1.example.com and domain2.example.com, and the final local user for postmaster mail is named user1:
    myorigin = mail.example.com
    myhostname = mail.example.com
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    append_dot_mydomain = no
    readme_directory = no
    compatibility_level = 2
    smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
    smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
    smtpd_tls_security_level=may
    smtp_tls_CApath=/etc/ssl/certs
    smtp_tls_security_level=may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_relay_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_policy_service unix:private/spfcheck
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = $myhostname, localhost.lxd, localhost, mail
    relayhost = [relay.example.com]
    relay_domains = example.net
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    virtual_alias_domains = domain1.example.com domain2.example.com
    virtual_alias_maps = regexp:/etc/postfix/virtual
    luser_relay = user1@localhost
    local_recipient_maps =
    milter_protocol = 6
    smtpd_milters = inet:127.0.0.1:8896,inet:127.0.0.1:8897,unix:/spamass/spamass.sock
    milter_default_action = tempfail
    notify_classes = resource, software, 2bounce
    bounce_notice_recipient = postmaster@localhost
    2bounce_notice_recipient = postmaster@localhost
    default_transport = local:$myhostname
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay_transport_map
    spfcheck_time_limit = 3600
    
  3. Edit /etc/aliases to contain at least, assuming the final local user for postmaster mail is named user1 and your final destination mail address for email generated on the server is mailuser@example.net:
    postmaster: user1
    root: mailuser@example.net
    
  4. Issue the command:
    sudo newaliases
    
  5. Create the file /etc/postfix/sender_relay_transport_map with the following contents (using the same assumptions as above):
    MAILER-DAEMON@mail.example.com local:mail.example.com
    MAILER-DAEMON@localhost local:mail.example.com
    
  6. Issue the command:
    sudo postmap hash:/etc/postfix/sender_relay_transport_map
    
  7. Create the file /etc/postfix/virtual as appropriate. An example which redirects userX or info in any domain in the virtual_alias_domains above to mailuser@example.net:
    /^user.@.*/ mailuser@example.net
    /^info@.*/ mailuser@example.net
    
  8. Issue the commands:
    sudo postfix check
    sudo postfix reload
    

Testing and Regular Checks

  • Check your system’s logs to verify all is well.
  • You should send mail to the users in your aliased domains (e.g. domain1.example.com or domain2.example.com) to verify valid mail is redirecto to your final destination user (e.g. mailuser@example.net).
  • You should also periodically check /var/log/mail.log and /var/log/mail.err to verify what happens with spam or otherwise unwanted mail.
  • You will also need to regularly login as your local user (e.g. user1 on mail.example.com) and check mail (e.g. using mutt) to deal with any bounced mail (even though bounces should be rare).

Table of Contents