Mail Relay from Client Machines

ROLE mailnull

The mailnull role configures a machine as a null client - any outgoing mail from system jobs like cron or bacula is relayed to the central mailhost and no local delivery is done. We use Postfix for the null client too.

The mail server is configured to always accept mail from the local host, specific whitelisted IP addresses, and from clients that authorize using a user name and password (user agents like Thunderbird or phones). Everything else is subjected to the full battery of tests.

Historically, you whitelist the local network block so that other machines at your site can submit mail from system things like cron jobs. The other machines on site are configured as null clients to relay all mail through the central mailserver. This can also work if your machines are spread among the cloud, as long as they have fixed IP addresses known ahead of time.

In the case of machines behind an ISP with changeable IPs, or machines that come and go with an unpredictable IP, we need a different approach. Those machines still relay all mail, but when they connect they authorize with a special "relay" account, so they can be treated like a normal user agent. We would like to configure the mail server to only accept mail for local addresses when authenticated with this account, but Postfix only restricts based on the FROM, not the AUTH (you can force the two to match, but that does not help us much).

Variables

The only variable that needs to be configured for the null client is the relay account password, as vault_mail_relay_pw in an Ansible vault. The relay account, host and port can also be set, but the defaults are usually fine. The default values are shown below:

# Relay all mail through a smarthost with authentication using the
# given account and password.

mail_relay_acct:   "relay@{{ domain }}"
mail_relay_pw:     "{{vault_mail_relay_pw}}"

mail_relay_host:   "{{ mail_server_hostname }}"
mail_relay_port:   587
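The settings the role variables above feed into are the Postfix main.cf "null client" set: no local delivery, listen on loopback only, relay everything to the smarthost and authenticate to it with the relay account over TLS. The following is an added example, not the mailnull role's own templates: it renders main.cf and sasl_passwd from the variables and then audits a main.cf for the settings that actually matter for a null client (in particular, that the relay password can never be sent in the clear). The function names, the default values and the constructed weak configuration are assumptions made here for illustration; the Postfix parameter names are real.

```python
"""Render and audit a Postfix null-client configuration (added example)."""
from __future__ import annotations

# Defaults mirroring the role variables; the password is a constructed
# placeholder, not a real secret.
DEFAULTS = {
    "domain": "example.org",
    "mail_relay_host": "mail.example.org",
    "mail_relay_port": 587,
    "mail_relay_acct": "relay@example.org",
    "mail_relay_pw": "CONSTRUCTED-PLACEHOLDER-PASSWORD",
}

# Settings a null client must carry; anything else is checked only if present.
REQUIRED = {
    "inet_interfaces": "loopback-only",          # never accept mail from the network
    "mydestination": "",                         # no domain is delivered locally
    "smtp_sasl_auth_enable": "yes",              # log in to the smarthost
    "smtp_sasl_security_options": "noanonymous", # refuse anonymous SASL mechanisms
    "smtp_tls_security_level": "encrypt",        # password only over TLS, never "may"
}


def relay_key(v: dict) -> str:
    """The relayhost value; the sasl_passwd lookup key must match it exactly."""
    return f"[{v['mail_relay_host']}]:{v['mail_relay_port']}"


def render_main_cf(v: dict) -> str:
    """Render the null-client part of main.cf from the role variables."""
    settings = [
        ("myorigin", v["domain"]),
        ("inet_interfaces", "loopback-only"),
        ("mydestination", ""),
        ("local_transport", "error:local delivery is disabled"),
        ("relayhost", relay_key(v)),
        ("smtp_sasl_auth_enable", "yes"),
        ("smtp_sasl_password_maps", "hash:/etc/postfix/sasl_passwd"),
        ("smtp_sasl_security_options", "noanonymous"),
        ("smtp_tls_security_level", "encrypt"),
    ]
    return "".join(f"{k} = {val}\n" for k, val in settings)


def render_sasl_passwd(v: dict) -> str:
    """Render /etc/postfix/sasl_passwd (keep it mode 0600, then run postmap)."""
    return f"{relay_key(v)} {v['mail_relay_acct']}:{v['mail_relay_pw']}\n"


def parse_main_cf(text: str) -> dict[str, str]:
    """Parse main.cf; a line starting with whitespace continues the previous value."""
    conf: dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            conf[last_key] = (conf[last_key] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            continue
        key, _, val = raw.partition("=")
        last_key = key.strip()
        conf[last_key] = val.strip()
    return conf


def audit_null_client(text: str) -> list[str]:
    """Return a list of findings; an empty list means the config is a sound null client."""
    conf = parse_main_cf(text)
    findings = []
    for key, want in REQUIRED.items():
        have = conf.get(key)
        if have is None:
            findings.append(f"{key} is not set (want {want!r})")
        elif have != want:
            findings.append(f"{key} = {have!r} (want {want!r})")
    if not conf.get("relayhost"):
        findings.append("relayhost is not set; mail would be delivered directly")
    if not conf.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps is not set; SASL login has no credentials")
    return findings


# Constructed example of a misconfigured "null client": it still listens on all
# interfaces, keeps local delivery, and with "may" would hand the relay password
# to a smarthost (or an interposer) that does not offer STARTTLS.
WEAK_MAIN_CF = """\
inet_interfaces = all
mydestination = $myhostname,
    localhost
relayhost = [mail.example.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    print(render_main_cf(DEFAULTS))
    for finding in audit_null_client(WEAK_MAIN_CF):
        print("weak:", finding)
```

The audit deliberately treats `smtp_tls_security_level = may` as a finding: opportunistic TLS is fine for ordinary delivery, but a client that authenticates with a password must require encryption, otherwise a downgrade to plaintext exposes the relay account.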
Global Spam
Spam is spam, no matter where it comes from.