Configuring Postfix E-Mail Gateway for MS Exchange Server 2013 with RHEL/CentOS 7

1. Overview


In this article, we will configure Postfix on CentOS 7 as a mail gateway in front of an internal MS Exchange 2013 server (or any other back-end E-mail server).
This setup provides several advantages, such as blocking unwanted traffic, virus scanning, spam prevention, and reducing the load on the internal back-end mail server.

2. Prerequisites


In this article, it is presumed that:
a. You have a public domain and have access to manage the DNS records for that domain name.
b. You have a public IP address from an ISP assigned to your Cisco edge router.

3. System Architecture Diagram


The following diagram shows the scenario for this configuration. One Cisco router faces the internet, and the Postfix E-mail gateway sits behind it. All incoming E-mail from the internet to the internal MS Exchange 2013 server must pass through the Postfix mail gateway first, where it is scanned for viruses and spam.
Likewise, any E-mail from the internal MS Exchange 2013 server to external recipients on the internet also passes through the Postfix E-mail gateway to be scanned for viruses and spam first. E-mail sent from an internal user to internal recipients is handled entirely by the MS Exchange 2013 server.

As my computer is not strong enough to install MS Exchange 2013 server, I will use a CentOS 7 Linux box as the internal E-Mail server instead, with Postfix, Dovecot, and SquirrelMail, like the diagram below.

A. Public Domain and MX Record
We have a public domain name, “techspacekh.com”. The MX record for this domain, with priority 1, is “smtp.techspacekh.com”, which points to our public IP address, 1X0.X4.2X7.X43, on Cisco router interface Fa0/0.
B. Cisco Router
  • Fa0/0, 1X0.X4.2X7.X43, WAN interface connected to the internet
  • Fa0/1, 10.111.102.254, LAN interface connected to local switch
C. Postfix E-Mail Gateway
  • Hostname: mgw01
  • IP Address: 10.111.102.88
  • Subnet Mask: 255.255.255.0
  • Gateway: 10.111.102.254
  • Relay Domain: techspacekh.com
  • Operating Systems: CentOS 7
  • Applications: Postfix, Amavisd-new, Spamassassin, and ClamAV.
  • This server must be able to access the internet
D. Internal E-Mail Server
  • Hostname: mxs01
  • IP Address: 10.111.102.69
  • Subnet Mask: 255.255.255.0
  • Gateway: 10.111.102.254
  • Domain: techspacekh.com
  • Operating Systems: CentOS 7
  • Applications: Postfix, Dovecot, and SquirrelMail
  • After all the required packages have been installed, we can deny internet access for this server
E. End Users
End users use a web browser to send and receive mail, both internal and external.


The following diagram illustrates the logical mail flow of both incoming and outgoing E-mail on the Postfix mail gateway. In both directions, the Postfix mail gateway receives an E-mail on port 25 and passes it to Amavisd-new on port 10024, which invokes Spamassassin first and then ClamAV; Amavisd-new then re-injects the mail into Postfix on port 10025, which finally delivers the E-mail if it is clean.
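The mail flow just described maps onto a handful of Postfix settings. The script below is an added example, not code from the original article: it generates the main.cf, master.cf and transport fragments for a gateway that accepts mail for techspacekh.com on port 25, hands every message to Amavisd-new on 10024, takes clean mail back on a loopback-only listener on 10025, and relays it to mxs01 (10.111.102.69). The host names, addresses and ports come from the article; the relay/transport settings, the output file names and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: generates Postfix
# configuration fragments for the gateway mail flow described above
# (port 25 -> amavisd-new on 10024 -> re-injection on 127.0.0.1:10025 ->
# delivery to the back-end server). Host names, IPs and ports come from the
# article; the transport/relay settings, file names and function names are
# this example's own assumptions.
set -eu

RELAY_DOMAIN="techspacekh.com"
INTERNAL_MX="10.111.102.69"   # mxs01, the internal back-end mail server
AMAVIS_PORT=10024             # amavisd-new listener
REINJECT_PORT=10025           # Postfix listener that receives clean mail back

# main.cf settings: accept mail only for the relay domain, hand it to the
# back-end over SMTP, let the back-end relay outbound mail through us, and
# route every message through amavisd-new.
gateway_main_cf() {
    cat <<EOF
relay_domains = ${RELAY_DOMAIN}
transport_maps = hash:/etc/postfix/transport
mynetworks = 127.0.0.0/8, ${INTERNAL_MX}/32
content_filter = smtp-amavis:[127.0.0.1]:${AMAVIS_PORT}
receive_override_options = no_address_mappings
EOF
}

# transport map: everything for the relay domain goes to the back-end server.
gateway_transport() {
    printf '%s smtp:[%s]\n' "${RELAY_DOMAIN}" "${INTERNAL_MX}"
}

# master.cf entries: the smtp-amavis client that feeds amavisd-new, and the
# loopback-only smtpd on port 10025 that takes mail back without running the
# content filter a second time.
gateway_master_cf() {
    cat <<EOF
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:${REINJECT_PORT} inet n    -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
EOF
}

# Write the three fragments into DIR (for example /etc/postfix) so they can
# be reviewed and merged; nothing is applied to the running Postfix.
write_gateway_fragments() {
    dir=$1
    gateway_main_cf   > "${dir}/main.cf.gateway"
    gateway_master_cf > "${dir}/master.cf.gateway"
    gateway_transport > "${dir}/transport"
}

# Usage: sh gateway-config.sh /path/to/dir ; with no argument, print to stdout.
if [ $# -gt 0 ]; then
    write_gateway_fragments "$1"
else
    gateway_main_cf; gateway_transport; gateway_master_cf
fi
```

After merging the fragments, run `postmap /etc/postfix/transport` and reload Postfix. Two points matter for a gateway: the 10025 listener is bound to 127.0.0.1 and restricted to `mynetworks=127.0.0.0/8`, so nothing outside the box can inject mail past the filter; and because the fragment sets no `relay_recipient_maps`, the gateway accepts any address in techspacekh.com and the back-end then bounces unknown users, which generates backscatter. Populating `relay_recipient_maps` from the back-end's user list lets the gateway reject unknown recipients at SMTP time instead.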

4. Configure DNS Record


The domain “techspacekh.com” is hosted with GoDaddy, so the following shows how to create the MX record on GoDaddy.


In the GoDaddy site, click on your registered domain. For this article, we’ll use the domain “techspacekh.com”. At the bottom of the Records section, click Add.
Click the Type drop-down list and select A. In the Host field, enter “smtp”. In the Points to field, enter your public IP and then click Save.

After adding the A record, we need to add the MX record. Click Add again at the bottom of the Records section. Click the Type drop-down list and select MX. In the Host field, enter “@”. In the Points to field, enter “smtp.techspacekh.com”. In the Priority field, enter 1, and then click Save.

The DNS record update takes about three to five minutes to propagate globally. After the records are updated, we can test them with the following “nslookup” command on MS Windows.
>nslookup
> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8
> set q=mx
> techspacekh.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
techspacekh.com MX preference = 1, mail exchanger = smtp.techspacekh.com
> set q=a
> smtp.techspacekh.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    smtp.techspacekh.com
Address:  1X0.X4.2X7.X43
We can also test the MX record with the “dig” command on Linux.
# dig mx techspacekh.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> mx techspacekh.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55741
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;techspacekh.com.               IN      MX

;; ANSWER SECTION:
techspacekh.com.        3600    IN      MX      1 smtp.techspacekh.com.

;; AUTHORITY SECTION:
techspacekh.com.        172800  IN      NS      ns49.domaincontrol.com.
techspacekh.com.        172800  IN      NS      ns50.domaincontrol.com.

;; ADDITIONAL SECTION:
ns49.domaincontrol.com. 172800  IN      A       216.69.185.25
ns49.domaincontrol.com. 172800  IN      AAAA    2607:f208:206::19
ns50.domaincontrol.com. 172800  IN      A       208.109.255.25
ns50.domaincontrol.com. 172800  IN      AAAA    2607:f208:302::19

;; Query time: 272 msec
;; SERVER: 192.168.10.20#53(192.168.10.20)
;; WHEN: Tue Apr 11 22:52:11 +07 2017
;; MSG SIZE  rcvd: 205
If we want to know the A record, we can use the “dig” command again as follows.
# dig a smtp.techspacekh.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> a smtp.techspacekh.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3425
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp.techspacekh.com.          IN      A

;; ANSWER SECTION:
smtp.techspacekh.com.   3600    IN      A       1X0.X4.2X7.X43

;; AUTHORITY SECTION:
techspacekh.com.        172604  IN      NS      ns50.domaincontrol.com.
techspacekh.com.        172604  IN      NS      ns49.domaincontrol.com.

;; ADDITIONAL SECTION:
ns49.domaincontrol.com. 172604  IN      A       216.69.185.25
ns49.domaincontrol.com. 172604  IN      AAAA    2607:f208:206::19
ns50.domaincontrol.com. 172604  IN      A       208.109.255.25
ns50.domaincontrol.com. 172604  IN      AAAA    2607:f208:302::19

;; Query time: 87 msec
;; SERVER: 192.168.10.20#53(192.168.10.20)
;; WHEN: Tue Apr 11 22:55:27 +07 2017
;; MSG SIZE  rcvd: 205
It is also possible to test the MX record online at http://mxtoolbox.com.
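The nslookup and dig sessions above verify two things by eye: the domain's lowest-preference MX is smtp.techspacekh.com, and that host's A record is the router's public address. The script below is an added example, not part of the original article, that performs the same check automatically. The parsing functions work on dig's answer-section format, `check_mail_dns` queries 8.8.8.8 live as the nslookup session does, and the sample answers (including the `backup.` host and the 203.0.113.43 address, used because the article masks its real IP) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: checks that the
# lowest-preference MX for a domain is the gateway host and that the host's
# A record is the expected public IP. The parsing functions take dig's
# answer-section format; check_mail_dns runs dig live. The sample answers
# and the 203.0.113.43 address are constructed for this example.
set -eu

# Constructed sample in dig's answer format (the article's real public IP is
# masked, so a documentation address is used here).
SAMPLE_MX='techspacekh.com.        3600    IN      MX      1 smtp.techspacekh.com.
techspacekh.com.        3600    IN      MX      10 backup.techspacekh.com.'
SAMPLE_A='smtp.techspacekh.com.   3600    IN      A       203.0.113.43'

# Read MX answer lines on stdin; print the exchanger with the lowest
# preference value (highest priority), without the trailing dot.
lowest_mx() {
    awk '$4 == "MX" && (best == "" || $5 + 0 < bestpref) { bestpref = $5 + 0; best = $6 }
         END { if (best != "") { sub(/\.$/, "", best); print best } }'
}

# mx_points_to MX_LINES A_LINES EXPECTED_IP
# Returns 0 when the preferred MX host has an A record equal to EXPECTED_IP.
mx_points_to() {
    mx_lines=$1; a_lines=$2; expected_ip=$3
    host=$(printf '%s\n' "$mx_lines" | lowest_mx)
    [ -n "$host" ] || return 1
    printf '%s\n' "$a_lines" |
        awk -v h="$host." -v ip="$expected_ip" \
            '$1 == h && $4 == "A" && $5 == ip { found = 1 }
             END { exit found ? 0 : 1 }'
}

# Live check against Google public DNS, as in the article's nslookup session.
# check_mail_dns DOMAIN EXPECTED_IP
check_mail_dns() {
    mx=$(dig @8.8.8.8 +noall +answer mx "$1")
    host=$(printf '%s\n' "$mx" | lowest_mx)
    [ -n "$host" ] || { echo "no MX record for $1"; return 1; }
    a=$(dig @8.8.8.8 +noall +answer a "$host")
    mx_points_to "$mx" "$a" "$2"
}

# Usage: sh check-mx.sh techspacekh.com 1X0.X4.2X7.X43
if [ $# -eq 2 ]; then
    if check_mail_dns "$1" "$2"; then
        echo "MX and A records are consistent"
    else
        echo "MX/A mismatch for $1"; exit 1
    fi
fi
```

On CentOS 7 the dig binary comes from the bind-utils package. The check deliberately picks the lowest preference value, so a stale higher-priority record left over from an old mail host would surface as a mismatch rather than being hidden behind the record you expect.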

Source: http://www.techspacekh.com/configuring-postfix-e-mail-gateway-for-ms-exhchange-server-2013-with-rhelcentos-7/
