RHEL7: Configure a system to forward all email to a central mail server.

Note: This is an RHCE 7 exam objective.

Prerequisites

In order to test this configuration, you will need to configure a central mail server.

Installation Procedure

The configuration of a master DNS server can be avoided by using the [mail.example.com] syntax (see below) or the IP address of the mail gateway.

Install the postfix package if it is not already there:

# yum install -y postfix

Activate the postfix service at boot (normally already enabled):

# systemctl enable postfix

Start the postfix service (normally already started):

# systemctl restart postfix

Main Configurations

There are two cases to distinguish:

  • the system doesn’t receive any mail from outside but forwards all mails sent by local users (even mails from local users to local users) to a central mail server: this is the null-client configuration,
  • the system accepts any mail from the local network and forwards them with the ones sent by the local users to a central mail server: this is the mail gateway configuration.

The RHCE 7 exam objective seems to be more geared towards the null-client configuration.
This tutorial will explain how to put in place this configuration. Details related to the mail gateway configuration will be shown later.

Null-client Configuration

Let’s assume that your server is called server.example.com on the 192.168.1.0/24 network and your central mail server (outgoing mail gateway) is called mail.example.com at 192.168.1.1.
Edit the /etc/postfix/main.cf file and change the following directives:

myhostname = server.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = loopback-only
mydestination =
relayhost = 192.168.1.1

Note1: Be careful not to specify $mydomain in the mydestination option (this will store all the mails locally, which is not exactly what you want).
Note2: If you’ve got a DNS server dealing with MX records, you can specify relayhost = mail.example.com instead of the IP address.
Note3: If you don’t set up a DNS server (but use the /etc/hosts file) or if your DNS server doesn’t deal with MX records, you can specify relayhost = [mail.example.com]; this form turns off MX lookups.

Check the syntax:

# postfix check

Check the non-default configuration:

# postconf -n

Reload the postfix configuration:

# systemctl restart postfix

Note: It is normally not necessary to restart the processes when parameters are changed; a reload is enough. However, when changing the inet_interfaces parameter, you need to restart all the processes.

There is a quicker way than editing the /etc/postfix/main.cf file: the postconf command. With the -e option, this command sets a parameter to the specified value and writes the change to the /etc/postfix/main.cf file. You can check that by restarting the postfix processes or rebooting the server.

# postconf -e 'relayhost = 192.168.1.1'

To get the value associated with the relayhost parameter, type:

# postconf relayhost
relayhost = 192.168.1.1

Time To Test

To send a mail to me at the central mail server (you need to create such a user on your central mail server), type:

# echo "This is a test." | mail -s "Test" me@example.com

Note: The echo command introduces the content of the mail. The -s option specifies the mail subject followed by the recipient.

To check the local mail queue, type:

# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
822FA3DE4       535 Tue Aug  5 16:54:45  root@example.com
(cannot update mailbox /var/mail/me for user me. destination /var/mail/me is not owned by recipient)
me@example.com

-- 0 Kbytes in 1 Request.

To requeue a mail (-r), type:

# postsuper -r 822FA3DE4
postsuper: name_mask: all
postsuper: inet_addr_local: configured 2 IPv4 addresses
postsuper: inet_addr_local: configured 2 IPv6 addresses
postsuper: renamed file deferred/8/822FA3DE4 as maildrop/822FA3DE4
postsuper: 822FA3DE4: requeued
postsuper: Requeued: 1 message

To delete the mail (-d) in the local queue, type:

# postsuper -d 822FA3DE4

Note: The postsuper -d ALL command deletes all the mails in the mail queue (ALL in upper case).

To read the previous mail for me on the central mail server (here mail.example.com), connect to it and type:

[mail]# su - me
$ mail
Heirloom Mail version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/me": 1 message
 U  1 root                  Tue Aug  5 18:31  22/755   "Subject: Test"

To follow all the processing steps of an email, type:

# tail -f /var/log/maillog
18:07:40 postfix/pickup[2338]: 822FA3DE4: uid=89 from=<root@example.com> orig_id=0FB353E45
18:07:40 postfix/cleanup[24446]: 822FA3DE4: message-id=<20140805145446.0FB353E45@server.example.com>
18:07:40 postfix/qmgr[2339]: 822FA3DE4: from=<root@example.com>, size=535, nrcpt=1 (queue active)
18:07:40 postfix/local[24448]: warning: specify "strict_mailbox_ownership = no" to ignore mailbox ownership mismatch
18:07:41 postfix/local[24448]: 822FA3DE4: to=<me@example.com>, relay=local, delay=4375, delays=4375/0.02/0/0.25, dsn=4.2.0, status=deferred (cannot update mailbox /var/mail/me for user me. destination /var/mail/me is not owned by recipient)

Gateway Configuration

In case you want to set up a mail gateway configuration (a server receiving emails from the local network and forwarding them to a central mail server), execute the following steps.

Edit the /etc/postfix/main.cf file and change the following directives:

myhostname = server.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 192.168.1.0/24, 127.0.0.0/8
relayhost = 192.168.1.1

Note: Compared to the null-client configuration, Postfix processes listen to all network interfaces (the inet_interfaces directive), accept mails sent to the example.com domain (the mydestination directive) restricted to the local network (the mynetworks directive).

Caution: Don’t specify $mydomain in the mydestination variable if you don’t want to store mails locally (this mistake was previously made in this tutorial).

Check the syntax:

# postfix check

Check the non-default configuration:

# postconf -n

Reload the postfix configuration:

# systemctl restart postfix

Open the firewall to receive emails from outside:

# firewall-cmd --permanent --add-service=smtp
success

Reload the firewall configuration:

# firewall-cmd --reload
success
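
The settings from the null-client and gateway sections above can be checked mechanically. The script below is an added example, not part of the original tutorial: it audits postconf -n text for the mistakes this page warns about (mail stored locally, a listener on a null client, an over-broad mynetworks). The function names, messages and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit `postconf -n` text against the
# null-client and gateway settings above. Names and samples are constructed.
# Live use: audit_postfix null-client "$(postconf -n)"

# get_param NAME: value of NAME in $CONF. has_param NAME: is NAME set at all?
get_param() {
    printf '%s\n' "$CONF" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}
has_param() { printf '%s\n' "$CONF" | grep -q "^$1[[:space:]]*="; }
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_postfix PROFILE CONFIG_TEXT: prints FAIL lines, leaves the count in
# $fails, and returns 0 only when there are no findings.
audit_postfix() {
    CONF=$2; fails=0
    [ -n "$(get_param relayhost)" ] || fail "relayhost is empty, nothing is forwarded"
    case $1 in
    null-client)
        case $(get_param inet_interfaces) in
            loopback-only|localhost) ;;
            *) fail "inet_interfaces is not loopback-only, smtpd listens on the network" ;;
        esac
        # An absent mydestination means the default list, which delivers locally.
        has_param mydestination && [ -z "$(get_param mydestination)" ] ||
            fail "mydestination is not explicitly empty, some mail stays local" ;;
    gateway)
        # Pad with spaces so each list entry can be matched as a whole word.
        dest=" $(get_param mydestination | tr ',\t' '  ') "
        nets=" $(get_param mynetworks | tr ',\t' '  ') "
        domain=$(get_param mydomain); [ -n "$domain" ] || domain='$mydomain'
        case $dest in
            *' $mydomain '*|*" $domain "*)
                fail "mydestination lists the mail domain, its mail is stored locally" ;;
        esac
        has_param mynetworks ||
            fail "mynetworks is not set, relay trust falls back to mynetworks_style"
        case $nets in
            *' 0.0.0.0/0 '*|*' [::]/0 '*)
                fail "mynetworks trusts every client address (open relay)" ;;
        esac ;;
    *) echo "unknown profile: $1" >&2; return 2 ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample: the null-client settings from this page.
NULL_OK='inet_interfaces = loopback-only
mydestination =
mydomain = example.com
relayhost = 192.168.1.1'
# Constructed sample: a gateway with $mydomain in mydestination and a catch-all mynetworks.
GATEWAY_BAD='inet_interfaces = all
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost
mynetworks = 0.0.0.0/0
relayhost = 192.168.1.1'

audit_postfix gateway "$GATEWAY_BAD" || echo "$fails finding(s) in the constructed gateway sample"
```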

Useful Tips

Before or during the exam, you can go to the /usr/share/doc/postfix-2.10.1/README_FILES directory to read the BASIC_CONFIGURATION_README and STANDARD_CONFIGURATION_README files filled with many Postfix configuration examples.

Additional Resources

Useful free Postfix resources can be found at the Postfix website. The Postfix Overview page is a good place to start. Also, this global picture of Postfix can help you better understand the numerous processes involved.

Beyond the exam objectives, you can also read this article about configuring a Postfix Relay through Gmail on CentOS 7.

24 comments on “RHEL7: Configure a system to forward all email to a central mail server.”
  1. Shikaz says:

    I want to be sure of something, when a question comes like “all the mails should be routed to aaa.bbb.ccc.ddd” that means that this is what should be placed in relayhost?

    Thanks

  2. Lisenet says:

    I may be barking up the wrong tree here, but saw quite a few cases where people allow an smtp service on firewalld when configuring Postfix null-client. I cannot think of any valid reason why it should be required, as a null-client cannot receive emails from outside. It’s funny as a training provider did the same thing.

    This does apply to MariaDB too actually, when explicitly asked to configure a MariaDB server to be accessible locally only, some people put a firewalld rule to allow traffic on TCP port 3306. What’s the point here? Anyone’s got ideas? You would never do such things in production.

  3. bazouie says:

    Please correct me if I say wrong: If in exam they say: “Configure the SMTP mail service on serverX and desktopX which relay the mail only from local system ” then I should leave “mydestination” blank. Otherwise I should leave that as default main.cf config file. Is that correct ??? Or should I leave that blank anyway ???

    Thanks

  4. rhcptexas says:

    There is another configuration that sometimes shows in practice exams for the RHCE where the null client is a hybrid configuration which forwards some traffic for specific IPs or subnet(s), while retaining local SMTP messages directed at itself only.

    Below is an example of this question.

    desktopX is running an SMTP smartrelay.
    serverX will be a null client for relaying SMTP messages for systems that use it similar to a relay gateway, but will retain messages directed at itself.

    This is a valid configuration and is commonly used in situations where systems behind a firewall must relay mail in a DMZ, or within the same VLAN, to another primary mail server outside of both the firewalled VLAN and/or DMZ.

    Task text:
    Your serverX system should accept new email messages over SMTP from the 172.25.X.0/24 subnet. All messages not addressed to @serverX.example.com or @localhost[.localdomain] should be forwarded to the SMTP smarthost running on desktopX example.com.

    serverX requirements breakdown:
    – should accept new e-mail messages using SMTP
    – should accept messages from the 172.25.X.0/24 subnet
    – should accept & retain any messages intended for @serverX.example.com
    – should accept & retain any messages coming from @localhost or @localhost.localdomain
    – should forward all other messages via SMTP to the smarthost on desktopX.example.com
    – assumption #1 is that if firewalld is running, then add the smtp service to the firewall to allow incoming smtp traffic from 172.25.X.0/24
    – assumption #2 service should be activated
    – assumption #3 service should persist, automatically starting up upon reboot

    desktopX requirements breakdown:
    – n/a, should already be setup as an SMTP smarthost
    – this setup is not covered in the RH254, and should be on the exam
    – full setup is however identified our studies and lab setup notes.

    Other assumptions for testing this configuration:
    – a DNS record exists for MX pointing to desktopX as the primary MX for the domain. This helps test the relayhost entry below which uses brackets to enforce not going to MX for domain.
    – used freeipa in local testing with an MX record defined in root zone @ with defined forward and reverse lookups for each system involved in the configuration.

    Translation into configuration on the hybrid serverX SMTP Null Forwarder / Gateway:

    One command to configure postfix:
    postconf -e "myhostname = serverX.example.com" "relayhost = [desktopX.example.com]" "mynetworks = 127.0.0.0/8 172.25.X.0/24" "mydestination = serverX.example.com, localhost, localhost.localdomain" "inet_interfaces = all" "inet_protocols = ipv4"

    README IMPORTANT below:

    – In this scenario, there is no need to reconfigure local_transport b/c local transport is still enabled for any @serverX.example.com, @localhost, or @localhost.localdomain messages intended for serverX.example.com existing mail users.
    – You may be able to get by with excluding inet_protocols entry above, but you would have to test it.
    – mydestination is a little different since this is not a true “null client”, as it will accept messages coming from @serverX.example.com, @localhost, or @localhost.localdomain. See note on “NO” local_transport configuration required above.
    – myorigin in my configuration is set to $myhostname. If you check “postconf myorigin” on your null client, and it is not set to $myhostname, then you can just use the example above, and explicitly set myhostname = serverX.example.com
    – mynetworks is also slightly different than a true null client set up to only test from itself. In addition to the loop-back (127.0.0.0/8), the 172.25.X.0/24 has also been added to be able to accept e-mails from the subnet which will be forwarded onto desktopX.example.com if they do not meet the mydestination configuration defined above.
    – don’t forget to have one extra screen open on both serverX.example.com and desktopX.example.com

    Enable the smtp service in firewalld:

    firewall-cmd --permanent --add-service=smtp
    firewall-cmd --reload
    firewall-cmd --list-all
    – should see smtp service listed

    Restart postfix:

    systemctl restart postfix.service
    systemctl enable postfix.service
    systemctl status postfix.service
    systemctl is-enabled postfix.service

  5. unixgrrl says:

    If you need a dummy mail server for testing, I found Test Mail Server Tool (http://www.toolheap.com/test-mail-server-tool/). It runs on Windows, listens on port 25 and dumps received email into a directory. You will need an MX record in DNS for it to work — I added the A and MX records to DNS on my IPA server.

  6. jeromeza says:

    To confirm – for the exam we’re only required to know the null client config? The gateway config section should therefore be overkill for the exam right?

  7. asifshabir says:

    you said.

    Note3: If you don’t set up a DNS server (but use the /etc/hosts file) or if your DNS server doesn’t deal with MX records, you can specify relayhost = [mail.example.com], this form turns off MX lookups.

    This setup works fine with IP, but when I used hostname instead of ip. it does not find the hostname,

    Error:
    relay=none, delay=0.42, delays=0.25/0.13/0.04/0, dsn=4.3.5, status=deferred (Host or domain name not found. Name service error for name=labserver1.example.com type=A: Host not found)

    1) I have turned off ipv6 delivery.

    2) labserver1.example.com are defined in /etc/hosts.

    3 ) relayhost = [labserver1.example.com]

    any clues please

    • Lisenet says:

      On the server where the error is generated, can you post the output of the following command:

      $ host labserver1.example.com
      • asifshabir says:

        I have reproduced the issues with example.local

        # cat /etc/hosts
        127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
        ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
        192.168.1.100 system1.exmaple.local system1
        192.168.1.110 system2.example.local system2

        [root@system2 ~]# host system1.example.local
        ;; connection timed out; trying next origin
        ;; connection timed out; no servers could be reached

        I am getting the same error.

        Oct 28 10:35:49 system2 postfix/smtp[5731]: 4E64625F1AA: to=, relay=none, delay=573, delays=571/0.22/1.3/0, dsn=4.3.5, status=deferred (Host or domain name not found. Name service error for name=system1.example.local type=A: Host not found)

        • Sam says:

          I am a little rusty on the mail server protocols. I suspect you will need a local dns to test mail server. If you are studying for RHCE, it is good to have this knowledge.

          Note: while .local is not a registered domain, from what I can tell, it may cause issues. The RFC 2606 only allows for .test .example .invalid .localhost.
          http://www.iana.org/domains/reserved

        • Lisenet says:

          It shows that the DNS record for system1.example.local cannot be resolved.

          • asifshabir says:

            So to sum up, smtp will not work without dns if we have to use hostname as relay host?

            Is it safe to assume that we will be provided with dns MX record during the exam for mail server?

            Thanks

          • Lisenet says:

            If you use a hostname that does not resolve to any IP address, it will obviously not work.

          • Sam says:

            Those of us that sat the exam can’t really talk about the exam in detail, due to the NDA, Non Disclosure Agreement.

            In any real world there would be a DNS with mx records somewhere.

          • bajeradai says:

            Your answer would be highly appreciated. I have the same issue #host server1.example.com:Host or domain name not found. Name service error for name=labserver1.example.com type=A: Host not found. cat /etc/hosts: 192.168.10.1 server1.example.com which is correct. I can not see any mails in client server for the user which I sent. Please advise me.

          • Lisenet says:

            You have your hosts mixed up, according to your message above the one that fails is labserver1.example.com and not server1.example.com.
