Wednesday, April 23, 2014

Linux - Microsoft Active Directory Integration -- Postfix Mail Gateway to Exchange

Exchange 2010 Mail Delivery Architecture

A detailed diagram of the Exchange 2010 architecture is available here.  However, for this article a working knowledge of SMTP, Exchange message routing and Active Directory is assumed.  SMTP messages from the Internet are delivered to an SMTP connector on a Hub Transport Server; optionally, an Internet-facing filtering Edge Transport Server may be placed in the DMZ.  The Hub Transport server delivers messages to one or more Mailbox Stores; clients access the message stores through one or more Client Access Servers.

The built-in filtering capabilities of the Exchange Edge Transport Server are crude, inefficient and prone to false positives.  For instance, one method is manually entering suspicious words and phrases -- a technique that inevitably catches legitimate mail as well.  Connection Filtering allows the administrator to specify allowed and blocked IP addresses or subscribe to an allow/block list provider; these, too, are unreliable, because netblocks may be misidentified or, worse, the provider may be slow to remove netblocks whose problems have since been corrected.

Postfix as a Replacement for Exchange Edge Transport

Postfix is easily configured to act as a mail relay -- a role that replaces Exchange Edge Transport, integrates into Active Directory and provides reliable spam and virus filtering.  The following packages provide this functionality:
  1. postfix
  2. postfix-ldap
  3. the Net::LDAP perl module
  4. postgrey
  5. clamsmtp
  6. clamav-freshclam
Postfix acts as the SMTP server and MTA.  Postfix-ldap and Net::LDAP perform the Domain Controller queries used to route messages from the Postfix server to the Exchange Hub Transport Servers.  Postgrey is a greylisting daemon that filters inbound SMTP messages originating from the non-compliant SMTP servers used by the overwhelming majority of spammers.  The Clam packages provide virus filtering.

Install Software

Issue the following command to install the software packages:

# apt-get install postfix postfix-ldap postgrey clamsmtp clamav-freshclam

Then add Net::LDAP from CPAN.  Finally, update the virus definitions with the command:

# freshclam

Enable the Postgrey Greylisting Daemon

Adding greylisting only requires modifying the /etc/postfix/main.cf file by adding the following line.  The check_policy_service entry must come after reject_unauth_destination: restrictions are evaluated in order, so postgrey is then only consulted for mail Postfix would otherwise accept, and the relay is never left open for addresses outside your own domains:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023

Greylisting exploits the behaviour of the predominant type of illicit -- and non-compliant -- SMTP servers used by spammers.  These servers only forward e-mail -- they do not queue it and retry if the first attempt fails.  Thus, if the Postfix mail server refuses initial delivery, the spam mail server does not try again and the message is not delivered.

Postgrey is efficient once operational.  When it receives a message, it reads the sender, recipient and sending mail server IP address "triplet".  It compares the triplet to entries in a Berkeley DB database and, if the triplet is found, the message is delivered without delay.  If it is not found, postgrey writes the triplet to the database and will not accept the message for a specified delay interval (typically one to five minutes).  That is, the first time a legitimate mail server sends a message from one party to another, there is a delay before acceptance and delivery, but after that the message is delivered without delay.  Spam mail servers, lacking the store-and-retry capability, do not try a second time.

In practice, the author has found this blocks 97% to 98% of spam without any false positives.
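The following is an added illustration of the triplet logic described above, written for this article; it is not postgrey's own code.  Postgrey keeps its triplets in a Berkeley DB and answers Postfix over the policy protocol on port 10023; here an in-memory dictionary and a plain function stand in for both, and the sample request is constructed in the format Postfix sends to check_policy_service.  One assumption is noted in the code: the full client IP is used as the third element of the triplet, whereas postgrey by default keys on the client's /24 network so that a mail farm retrying from a sibling address still passes.

```python
"""Greylisting decision logic modelled on the postgrey behaviour described in
the text. Added illustration, not postgrey's own code."""
import time

DELAY_SECONDS = 300  # postgrey's default greylisting delay (5 minutes)


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":          # an empty line terminates the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet(attrs: dict) -> tuple:
    """The key postgrey greylists on: sender, recipient and client address.
    Assumption: the full client IP is used here; postgrey by default strips the
    last octet so that retries from another host in the same /24 are recognised."""
    return (attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower(),
            attrs.get("client_address", ""))


class Greylist:
    def __init__(self, delay: int = DELAY_SECONDS):
        self.delay = delay
        self.first_seen = {}  # triplet -> timestamp of the first attempt (stands in for the DB)

    def decide(self, attrs: dict, now: float = None) -> str:
        """Return the response Postfix expects: 'action=...' followed by an empty line."""
        now = time.time() if now is None else now
        key = triplet(attrs)
        first = self.first_seen.get(key)
        if first is None:
            # Unknown triplet: record it and ask Postfix to defer this attempt.
            self.first_seen[key] = now
            return "action=DEFER_IF_PERMIT Greylisted, try again later\n\n"
        if now - first < self.delay:
            # Retried too early; keep deferring (the timer is not reset).
            return "action=DEFER_IF_PERMIT Greylisted, try again later\n\n"
        # A compliant server retried after the delay: let the other checks decide.
        return "action=DUNNO\n\n"


# Constructed sample request, in the attribute=value format Postfix uses.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=alice@example.org\n"
    "recipient=bob@mydomain.com\n"
    "client_address=203.0.113.5\n"
    "\n"
)


def simulate() -> dict:
    """Walk one triplet through the three outcomes described in the text."""
    g = Greylist()
    req = parse_policy_request(SAMPLE_REQUEST)
    return {
        "first_attempt": g.decide(req, now=0),        # deferred
        "retry_too_soon": g.decide(req, now=60),      # still deferred
        "retry_after_delay": g.decide(req, now=400),  # accepted (DUNNO)
    }


if __name__ == "__main__":
    for step, response in simulate().items():
        print(f"{step}: {response.strip()}")
```

A spam engine that never retries stops after the first DEFER_IF_PERMIT; a queueing MTA comes back after its retry interval and, once the delay has elapsed, receives DUNNO, which hands the decision to the remaining restrictions.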

Enable the ClamSMTP Virus Scanning Daemon

The Clam Antivirus suite is an open source project that provides host and mail virus filtering.  It utilizes the clamav-freshclam daemon to regularly update virus definition databases.  The clamsmtpd daemon is called from postfix.  There are several modifications to the postfix configuration files to implement mail virus filtering.

First, add the following lines to /etc/postfix/main.cf:

content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings

Then, add the following lines to /etc/postfix/master.cf (the indented lines are continuation lines of the service defined above them):

scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n       -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

The clamsmtpd listener ports must also match this Postfix configuration: clamsmtpd must listen on port 10025, where the content_filter sends mail, and hand scanned mail back to the 10026 listener.  Edit /etc/clamsmtpd.conf and change:

OutAddress: 10025 to OutAddress: 10026
Listen: 127.0.0.1:10026 to Listen: 127.0.0.1:10025

The postfix daemon will now pass every message through the virus filter.  You may test it with the standard EICAR anti-virus test file (eicar.zip).
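The reinjection listener on port 10026 deliberately switches off the content filter and every client restriction, so its safety depends entirely on the overrides that confine it to the local host.  The following added example (written for this article, not part of the original post or of Postfix) parses the master.cf fragment above, embedded here as constructed input, and checks the three properties that keep that listener from becoming a filter-bypassing relay: it is bound to loopback, mynetworks_style=host stops main.cf's mynetworks from applying, and smtpd_recipient_restrictions ends in reject.  A constructed weak variant shows what the check reports.

```python
"""Audit the content-filter reinjection listener in a Postfix master.cf.
Added example; not part of the original post or of Postfix itself."""

# Constructed: the master.cf fragment from the text, plus a baseline smtp service.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n       -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
"""

# Constructed: a weak variant that listens on every interface and never rejects.
WEAK_MASTER_CF = """\
10026     inet  n       -       n       -       16      smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks
"""


def parse_master_cf(text: str) -> list:
    """Return one dict per service: name, type, command and its -o overrides.
    master.cf has 8 whitespace-separated fields; a line starting with
    whitespace continues the previous service; '#' lines are comments."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if services:
                services[-1]["args"].extend(line.split())
            continue
        fields = line.split()
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    for svc in services:
        opts = {}
        args = svc["args"]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                opts[key] = value
        svc["options"] = opts
    return services


def audit_reinjection(svc: dict) -> list:
    """Findings for an inet listener that overrides content_filter (the
    reinjection port). An empty list means the listener is locked down."""
    if svc["type"] != "inet" or "content_filter" not in svc["options"]:
        return []
    findings = []
    opts = svc["options"]
    host = svc["name"].rsplit(":", 1)[0] if ":" in svc["name"] else ""
    if host not in ("127.0.0.1", "localhost", "[::1]"):
        findings.append("listener is not bound to loopback")
    if opts.get("mynetworks_style") != "host":
        findings.append("mynetworks_style=host missing: main.cf mynetworks applies")
    raw = opts.get("smtpd_recipient_restrictions", "").replace(" ", "")
    restrictions = [r for r in raw.split(",") if r]
    if not restrictions or restrictions[-1] != "reject":
        findings.append("smtpd_recipient_restrictions does not end with reject")
    return findings


def audit_file(text: str) -> dict:
    """Map each reinjection listener name to its findings."""
    return {s["name"]: audit_reinjection(s)
            for s in parse_master_cf(text)
            if s["type"] == "inet" and "content_filter" in s["options"]}


if __name__ == "__main__":
    print(audit_file(MASTER_CF))       # {'127.0.0.1:10026': []}
    print(audit_file(WEAK_MASTER_CF))  # three findings for '10026'
```

Run it against the real file with `audit_file(open("/etc/postfix/master.cf").read())`; any finding for the reinjection service means mail from a host other than the relay itself could be injected past the virus scan.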

Enable Postfix LDAP Lookups to Active Directory

Finally, postfix must forward mail to the Exchange Hub Transport system.  Many articles on this subject recommend automated extraction of valid SMTP addresses from Active Directory, copying them to the postfix server and hashing them as alias maps.  This is, indeed, more secure and prevents high-volume directory queries during dictionary attacks.  However, many of these articles also state that such directory lookups can DoS an Exchange system.  This is not true unless the queries are performed on an Exchange Server that is also a Domain Controller, a practice not recommended.  You may perform LDAP queries against multiple Domain Controllers (including clustered Samba Linux Domain Controllers), so the risk is not as great (although not necessarily negligible) as many articles state.

For this case, configure postfix to use LDAP to query one or more local Domain Controllers.  Make sure there are internal DNS MX records in Active Directory.  Add a non-privileged user named mailuser to the Active Directory Users container.  Then add the following line to /etc/postfix/main.cf:

alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 

Finally, create an ldap-aliases.cf file with the following contents.  Because it holds the bind password, keep it owned by root with group postfix and mode 0640:

server_host = [one or more Domain Controller IP Addresses or FQDNs]
search_base = dc=mydomain,dc=com
# Use LDAPv3 (Postfix defaults to version 2)
version = 3
bind = yes
# The domain components of the bind DN are dc=, matching search_base (not cn=)
bind_dn = cn=mailuser,cn=Users,dc=mydomain,dc=com
bind_pw = s3cr3tp455w0rd
# query_filter and result_attribute must also be set for the directory's schema:
# Postfix's defaults (mailacl=%s and maildrop) do not exist in Active Directory
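The lookup table above hands each recipient to the Domain Controllers as an LDAP search.  The following added example (written for this article, not Postfix's own code) shows what Postfix does with the lookup key: it substitutes it into query_filter as %s (whole key), %u (local part) and %d (domain), applying RFC 4515 filter escaping so that metacharacters in an address cannot alter the search (see ldap_table(5)).  It also checks that a bind DN lies under the search base, which catches the cn= versus dc= mistake in the trailing components.  The Active Directory style filter is an assumption of this example, and it treats the key as a full address, as it is for tables such as relay_recipient_maps; note that alias_maps lookups are keyed on the bare local part.

```python
"""What a Postfix ldap: table does with a lookup key. Added illustration,
not Postfix's own code; the AD-style filter is an assumption."""
import re

# Constructed: match a mailbox on its primary or proxy SMTP address.
AD_QUERY_FILTER = "(&(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s)))"

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_query_filter(template: str, key: str) -> str:
    """Expand %s/%u/%d in a single pass, escaping each substituted piece
    (a single pass so that a '%u' inside the key itself is never re-expanded)."""
    local, _, domain = key.partition("@")
    pieces = {"s": key, "u": local, "d": domain}
    return re.sub(r"%([sud])", lambda m: ldap_filter_escape(pieces[m.group(1)]), template)


def _rdns(dn: str) -> list:
    """Split a DN into RDNs, normalised for case-insensitive comparison.
    Assumption: no escaped commas inside attribute values."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_is_under(dn: str, base: str) -> bool:
    """True when dn ends with the RDNs of base, e.g. a bind_dn inside search_base.
    A bind DN spelled ...,cn=mydomain,cn=com instead of ...,dc=mydomain,dc=com
    fails this check, which is the typo to look for when the bind is rejected."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


if __name__ == "__main__":
    print(expand_query_filter(AD_QUERY_FILTER, "bob@mydomain.com"))
    print(expand_query_filter(AD_QUERY_FILTER, "*@mydomain.com"))  # wildcard neutralised
    print(dn_is_under("cn=mailuser,cn=Users,dc=mydomain,dc=com", "dc=mydomain,dc=com"))
```

The second print shows why the escaping matters: an address containing `*` is searched for literally as `\2a@mydomain.com` rather than as a wildcard that would match every mailbox in the domain.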


Additional Features

Although not discussed in this article, several additional features may be used to secure the Postfix - Exchange mail relay.  Postfix is easily configured for load-balancing clustering with Pacemaker - Corosync - LCMC.  Additional Domain Controllers may be added (and load-balance clustered) using Samba.

Postscreen is another Postfix feature that applies policy checks to incoming mail servers.  A detailed HOW-TO is available here.

