Administration - Postfix as Secure SMTP Relay for E-mail to Mimecast Smarthosts

This article contains information on configuring Postfix as a secure SMTP relay for Mimecast, including TLS encryption setup, Postfix installation, configuration for incoming and outgoing mail, and steps to ensure secure email routing for legacy systems.

Configure Postfix as a secure SMTP relay for outbound email to Mimecast smarthosts

Organizations often face the challenge of integrating legacy on-premises application servers that do not support TLS while needing to ensure that emails sent over the internet are secure. Additionally, IT and Security teams may prefer to maintain centralized control over their on-premises outbound email routing. To address these challenges, Mimecast customers can set up a Postfix server on Ubuntu to act as an SMTP relay. This setup allows you to accept opportunistic TLS on incoming connections while enforcing TLS 1.3 for outgoing emails to xx-smtp-outbound-1.mimecast.com.

Mimecast does not support Postfix, nor is Postfix a Mimecast technology partner. This guide is provided as a general reference and is offered without any warranty or support. Implementation and configuration of Postfix are the responsibility of the user, and Mimecast cannot provide assistance or guarantee compatibility with your specific setup.

Prerequisites

  1. Authorized Outbound IP Address: The S-NAT (source NAT) IP address is added to the Mimecast Authorized Outbound IP addresses. See Maintaining Authorized Outbound IP Addresses.
  2. Ubuntu 24.04 Server: Ensure that your server is up-to-date with all security patches and updates.
  3. Postfix: This guide assumes Postfix is not yet installed on the server.
  4. SSL/TLS Certificate: A valid SSL/TLS certificate for your domain (optional for this setup but recommended).

Step 1: Install Postfix

  1. Update your package list and install Postfix:

sudo apt update
sudo apt install postfix nano

  2. During the installation, select Internet Site when prompted. Set the system mail name to your domain name (e.g., yourdomain.com).

Step 2: Configure Postfix for Incoming Mail with Opportunistic TLS

  1. Open the Postfix main configuration file:

sudo nano /etc/postfix/main.cf

  2. Add or modify the following parameters to enable opportunistic TLS for incoming connections:
      • Enable TLS for incoming mail:

smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/your_cert.pem
smtpd_tls_key_file = /etc/ssl/private/your_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

      • Replace /etc/ssl/certs/your_cert.pem and /etc/ssl/private/your_key.pem with the paths to your SSL certificate and private key files.

  3. Save the file and exit (CTRL+X, then Y, and Enter).

Step 3: Configure Postfix for Outgoing Mail with Enforced TLS 1.3

Still in the main.cf file, add the following configurations to enforce TLS 1.3 for outgoing mail to Mimecast:

  1. Enable TLS 1.3 for outgoing mail:

smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2, TLSv1.3
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

  2. Set the relay to Mimecast:

relayhost = [xx-smtp-outbound-1.mimecast.com]:25

Replace xx with your hosting jurisdiction, e.g. au-smtp-outbound-1.mimecast.com for APAC.

  3. Save and exit the file.

For more information on Smarthost per region, visit Email Security Cloud Gateway - SMTP Connector: Exchange

Step 4: Restart Postfix

After making these changes, restart Postfix to apply the new configurations:

sudo systemctl restart postfix

Step 5: Verify the Configuration

To ensure that your Postfix server is correctly configured:

  1. Check Postfix Logs: Monitor the logs for any errors or warnings related to TLS connections.

sudo tail -f /var/log/mail.log

  2. Send a Test Email: Use a mail client or the mail command to send a test email through your Postfix relay to verify that the outgoing mail is encrypted with TLS 1.3:

echo "Test email from Postfix" | mail -s "TLS Test" user@example.com

  3. Using telnet or your favorite e-mail client, configure your SMTP outbound settings to point to your Postfix server IP and test secure relay out through Mimecast.
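As an added check for the settings made in Steps 2 and 3 (this script is not part of the article and is not a Mimecast or Postfix tool), the POSIX shell functions below audit a main.cf for the relay settings this guide requires; cf_get, audit_main_cf and sample_main_cf are hypothetical names, and the sample configuration is constructed from the values above with the APAC smarthost.

```shell
# Added example: audit a Postfix main.cf for the relay settings in this guide.
# cf_get, audit_main_cf and sample_main_cf are hypothetical helpers, not Postfix tools.

# Print the value of parameter $2 in main.cf $1. A later definition overrides an
# earlier one, as in Postfix; indented continuation lines are not handled.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when every relay setting matches the guide, else print findings and return 1.
audit_main_cf() {
    cf=$1; rc=0
    # 'encrypt' makes outbound TLS mandatory but does not verify the smarthost's
    # certificate (that needs 'secure'); only the protocol floor is enforced.
    [ "$(cf_get "$cf" smtp_tls_security_level)" = encrypt ] ||
        { echo "FAIL: smtp_tls_security_level is not 'encrypt'"; rc=1; }
    case "$(cf_get "$cf" smtp_tls_mandatory_protocols)" in
        *'!TLSv1.2'*) ;;
        *) echo "FAIL: smtp_tls_mandatory_protocols does not exclude TLSv1.2"; rc=1 ;;
    esac
    # Square brackets turn off MX lookup, so mail goes to the smarthost itself.
    case "$(cf_get "$cf" relayhost)" in
        "["*-smtp-outbound-1.mimecast.com"]:25") ;;
        *) echo "FAIL: relayhost is not a bracketed Mimecast smarthost on port 25"; rc=1 ;;
    esac
    [ "$(cf_get "$cf" smtpd_tls_security_level)" = may ] ||
        { echo "FAIL: smtpd_tls_security_level is not 'may' (opportunistic TLS)"; rc=1; }
    # Without reject_unauth_destination the box would relay mail for any domain.
    case " $(cf_get "$cf" smtpd_recipient_restrictions) " in
        *" reject_unauth_destination "*) ;;
        *) echo "FAIL: smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the main.cf settings from Steps 2 and 3 with the APAC smarthost.
sample_main_cf() {
    cat <<'EOF'
smtpd_tls_security_level = may
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
relayhost = [au-smtp-outbound-1.mimecast.com]:25
EOF
}

# Usage on the relay itself: audit_main_cf /etc/postfix/main.cf
```

Run it against the live file after Step 4; every FAIL line names the parameter that still differs from the guide.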

Conclusion

By configuring Postfix as an SMTP relay, you can ensure that your legacy applications are able to send emails securely over the internet, and you retain control over the destination SMTP relay. This setup enhances your organization's email security by enforcing the latest TLS standards for outgoing mail.
