I have a postfix mail server that should relay all outgoing mail to an Exchange 2010 server (the Exchange box is my smarthost). I have administrator access to the Exchange 2010 system, but I'm not very familiar with it. How should I set up authentication on the Exchange 2010 system?
I guess I could add a standard user with a mailbox on the Exchange box, then configure my postfix box to log in to port 587 to relay mail. That option doesn't feel right -- it seems like there should be way to do server to server authentication, not just client to server authentication. Is there? If so, how would I set it up?
Edit:
- the postfix mail server is at a remote site with a dynamic IP address, so authenticating by IP address won't work
- I would like the email traffic between the two to be encrypted
- I would like mutual authentication (the Postfix box knows it's talking to the Exchange box and not a man in the middle; Exchange knows that it is talking to the Postfix box)
- setting up an IPsec tunnel seems overly complicated for what should be a trivial Exchange configuration
- Exchange must allow the Postfix box to send messages to any destination
- the messages submitted by the Postfix box must not be rejected as spam even if they look like spam
I usually don't have my Linux and internal servers authenticate to the Exchange server if they're on the same network. Same for other devices that may need to relay (copiers, monitoring systems, etc.). I still may need the smarthost functionality, though.
The approach I take to enable a dumb server/device-to-server relay like what you're looking for is to enable the smarthost on the Postfix or Sendmail system. It seems as though you know that part. For Sendmail, it's a matter of uncommenting the "dnl" line related to the SMARTHOST entry in /etc/mail/sendmail.mc, and defining an address. For Postfix, it's defining relayhost in /etc/postfix/main.cf. (Restart both daemons after the change.)

On the Exchange 2010 side, you need to create a new Receive Connector:
Add a new one by right-clicking the frame and selecting "New Receive Connector".
Name it something descriptive, like the FQDN of the Linux server you wish to send from (e.g. postfix.abc.com).
Specify the address/mask of the relaying server; 172.16.2.30/32 in this example.
Continue through the prompts and add the receive connector.
Open the Exchange Management Shell command line window. You'll want to grant your new receive connector Anonymous privileges.
Execute:
...where "RelayConnector" is postfix.abc.com in my example.
Immediately select the newly-created entry in the Management GUI and select "Properties".
In the "Authentication" tab, deselect all entries. In the "Permission Groups" tab, ensure "Anonymous users" is checked. That's all!
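The same procedure as Exchange Management Shell commands, including the extended rights the anonymous connector needs in order to relay to any destination and to skip the anti-spam agents. This is an added example, not the answer's own command; the connector name and 172.16.2.30 are taken from the answer's example, and the Hub Transport server name "exch01" is an assumption.

```powershell
# Added example (not from the answer above): create an IP-scoped anonymous
# relay Receive Connector on Exchange 2010 and grant it the extended rights a
# smarthost for an internal Postfix box needs. Server name and address are
# assumptions taken from the answer's example, not real infrastructure.

$ConnectorName = "postfix.abc.com"   # descriptive name, as the answer suggests
$HubServer     = "exch01"            # assumed Hub Transport server name
$RelayClient   = "172.16.2.30"       # the Postfix box; a single address is a /32

# Custom connector on port 25 scoped to the single relaying host. Exchange picks
# the connector whose RemoteIPRanges match most specifically, so this one wins
# over the Default connector for traffic from 172.16.2.30 only.
New-ReceiveConnector -Name $ConnectorName `
    -Server $HubServer `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $RelayClient `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers

# "Anonymous users" on its own only grants submit and a few header rights;
# relaying to external recipients needs Accept-Any-Recipient explicitly.
# Bypass-Anti-Spam covers the "must not be rejected as spam" requirement and
# Bypass-Message-Size-Limit lifts the connector's size ceiling.
$Rights = @(
    "ms-Exch-SMTP-Accept-Any-Recipient",
    "ms-Exch-Bypass-Anti-Spam",
    "ms-Exch-Bypass-Message-Size-Limit"
)
Get-ReceiveConnector "$HubServer\$ConnectorName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights $Rights

# Verify: the connector must be scoped to exactly one address and ANONYMOUS
# LOGON must hold Accept-Any-Recipient. Anything wider than a single host or
# /32 in RemoteIPRanges makes this an open relay for that whole range.
Get-ReceiveConnector "$HubServer\$ConnectorName" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
Get-ReceiveConnector "$HubServer\$ConnectorName" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -match "Accept-Any-Recipient" } |
    Format-Table Identity, User, ExtendedRights -AutoSize
```

Note that this only satisfies the relay and anti-spam requirements; authentication here is the source IP and nothing else, so it does not fit a sender on a dynamic address, and the session is unencrypted unless Postfix opportunistically negotiates STARTTLS.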
I believe there are 2 components to the solution:
You can control email relay in Exchange by IP, by permission, by using IPSec or mTLS. For an internal unix postfix box, the easiest would be to restrict by IP. You need to create a Send Connector and limit the IP scope, as detailed in the guide above.
You may need to look-up specific smarthost forwarding guides for postfix.
Configuring Server-Server Authentication between postfix and exchange: Exchange 2010 uses mTLS for externally secured mail relay. Here's a guide on how to set this up from the Exchange end. http://technet.microsoft.com/en-us/library/bb123543.aspx
Postfix also supports TLS authentication, but I am not sure how to configure the postfix side of the solution. http://www.postfix.org/TLS_README.html
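The Exchange side of the mutual-TLS (Domain Security) option, which is the one that still works when the Postfix box has a dynamic IP, as an added example that is not part of this answer or the linked article. It assumes the Postfix box presents a CA-signed certificate whose subject name is postfix.abc.com and that this is the domain Exchange is told to require mutual TLS from; the server name, Exchange FQDN, certificate thumbprint and listening port are placeholders.

```powershell
# Added example (not from the answer or the linked article): Exchange 2010
# Domain Security so a Postfix box at an unknown or changing IP can relay only
# after mutual TLS with a validated certificate. All names, the thumbprint and
# the port are assumptions.

$HubServer     = "exch01"                   # assumed Hub Transport server
$ExchangeFqdn  = "mail.abc.com"             # assumed name in the Exchange certificate
$PostfixDomain = "postfix.abc.com"          # assumed subject name of the Postfix certificate
$ConnectorName = "Postfix domain-secured relay"
$CertThumb     = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder thumbprint

# 1. The certificate Exchange presents must chain to a CA the Postfix box
#    trusts, and Domain Security validates the chain on the Postfix certificate
#    too, so a self-signed cert on either side will not work. Enable it for SMTP.
Enable-ExchangeCertificate -Thumbprint $CertThumb -Services SMTP

# 2. Domains on this list are only accepted over mutual TLS with a certificate
#    matching the listed name. A connection claiming that domain without one is
#    refused, which is the "not a man in the middle" half of the requirement.
Set-TransportConfig -TLSReceiveDomainSecureList @{Add = $PostfixDomain}

# 3. Dedicated connector. Exchange rejects a second connector on 0.0.0.0:25
#    with the same all-addresses range as the Default connector, so this one
#    listens on an assumed alternate port; the Postfix relayhost entry would
#    then be [mail.abc.com]:2525. AuthMechanism Tls plus DomainSecureEnabled is
#    what turns TLS into authentication rather than just encryption.
New-ReceiveConnector -Name $ConnectorName `
    -Server $HubServer `
    -Usage Custom `
    -Bindings "0.0.0.0:2525" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -Fqdn $ExchangeFqdn `
    -AuthMechanism Tls `
    -RequireTLS $true `
    -DomainSecureEnabled $true `
    -PermissionGroups Partners

# 4. A domain-secured session runs as "MS Exchange\Partner Servers", which by
#    default may submit but not relay. Grant the relay and anti-spam bypass
#    rights to that principal only, never to ANONYMOUS LOGON on this connector:
#    the port is reachable from anywhere.
Get-ReceiveConnector "$HubServer\$ConnectorName" |
    Add-ADPermission -User "MS Exchange\Partner Servers" -ExtendedRights @(
        "ms-Exch-SMTP-Accept-Any-Recipient",
        "ms-Exch-Bypass-Anti-Spam"
    )

# 5. Verify. Verbose protocol logging makes a certificate that fails validation
#    show up as a specific TLS error in the receive log instead of a silent
#    fallback, and a message that came in domain-secured carries
#    X-MS-Exchange-Organization-AuthAs: Partner in its headers.
Set-ReceiveConnector "$HubServer\$ConnectorName" -ProtocolLoggingLevel Verbose
Get-ReceiveConnector "$HubServer\$ConnectorName" |
    Format-List Fqdn, Bindings, AuthMechanism, RequireTLS, DomainSecureEnabled, PermissionGroups
Get-TransportConfig | Format-List TLSReceiveDomainSecureList
```

The Postfix side has to match this: a certificate and key for postfix.abc.com, the CA bundle that issued the Exchange certificate so it can verify the smarthost, and TLS set to a verifying level for the relayhost rather than the opportunistic default; the TLS_README the answer links covers those settings.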