I have a Postfix instance on an EC2 server which will need to accept mail from the outside world (e.g. port 25 will be mapped to it from a virtual IP.)
I also want to use this server to send mail from my other EC2 machines. As EC2 doesn't map to the concept of a subnet which can be granted relay access, I'm thinking about running Postfix on a second port, and limiting access to that port by security group.
Ultimately I want port 25 to run like normal, and have port 26 accept mail for anyone who is able to connect to it.
Can this be done?
Sure, you can do that. You'll need to edit your master.cf to add a listener on another port (right now there's a line like
smtp inet n - - - - smtpd
that you can duplicate as:
26 inet n - - - - smtpd
to add a listener on port 26.
Then you just need to allow the internal amazon IPs to connect to it by adding them to your
mynetworks
statement in main.cf; I'd just allow 10.0.0.0/8 to connect since all your internal AMIs are guaranteed to be in that range. The manual of course has more details.
Edit: Drew Bloechl points out you can directly override mynetworks in the master.cf like so:
26 inet n - - - - smtpd -o mynetworks=10.0.0.0/8
This configuration will apply whatever filtering, etc, rules you put into your config to everything that comes in on port 25, but will allow anyone from 10.0.0.0/8 to connect to port 26 and send mail without having to pass all those checks.
pjz's answer is close.
Add a couple lines to master.cf that look something like this:
This will give you a second smtpd with mynetworks overridden from what is defined in main.cf. You can override other variables in the same way; look at the commented-out examples that should already exist in the file.
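Putting pjz's and Drew Bloechl's answers together as one worked master.cf/main.cf fragment (an added example, not taken from either answer or from the Postfix documentation): port 25 keeps the strict main.cf defaults, while the port-26 service overrides mynetworks and also pins its restriction lists to permit_mynetworks,reject, so that even if the security group in front of port 26 is ever opened too widely the second listener still cannot be used as an open relay. The 10.0.0.0/8 range follows pjz's answer; the syslog_name tag and the exact restriction lists are my choices, and smtpd_relay_restrictions only exists in Postfix 2.10 and later (older versions just log an "unused parameter" warning for it).

```conf
# master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# Port 25: the public listener. No -o overrides, so it uses whatever
# mynetworks and smtpd_*_restrictions are set in main.cf.
smtp      inet  n       -       n       -       -       smtpd

# Port 26: the internal relay listener that the security group exposes only
# to your other EC2 instances. Only the EC2 private range is "mynetworks"
# here, and each restriction list ends in an explicit reject so that a
# client outside mynetworks is refused even if the security group is wrong.
26        inet  n       -       n       -       -       smtpd
  -o mynetworks=10.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
  -o syslog_name=postfix/internal

# main.cf (the part that matters for port 25)
# Only the host itself is trusted on the public port ...
mynetworks = 127.0.0.0/8
# ... and it relays only to domains it is the final destination for.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
```

The separate syslog_name makes traffic on the internal listener easy to tell apart from public port-25 traffic in the mail log, so any connection attempt that is rejected on port 26 stands out as a sign that the security group is not as tight as intended.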