Howto/20230921 Use a cheap VPS to bypass ISP blocking of port 25 to postfix mail server

From Interpause

Disclaimer

My Howtos are mainly for me to document the steps required in case I ever have to redo them. Hopefully they will help other system admins out there, but I regret that this is not my primary objective.

Problem

We just switched to a new Internet Service Provider (ISP) that blocks port 25 in both directions, so our mail server can no longer send or receive email directly.

Solution

  • For outbound email, relay through the ISP's SMTP submission server (port 587) instead of delivering on port 25.
  • For inbound email, use a cheap VPS whose port 25 is open to receive mail and forward it to the main mail server on external port 2025, which the ISP does not block. We already rent a cheap VPS from racknerd for our OpenVPN server (11 USD/year), so for us this mail forwarder costs nothing extra.
  • The solution is based on the following guide for setting up a backup MX: https://www.howtoforge.com/postfix_backup_mx

Prerequisites

  • You already have a working email server (mail1.interpause.com) configured with postfix, but its port 25 is completely blocked
  • You have rented a cheap VPS (mail2.interpause.com) and installed postfix with the default configuration
  • You have access to your ISP's SMTP server (smtp.ebox.ca, submission port 587)
  • Be sure to swap my domains and my ISP's SMTP server for your own!

Steps

1) Set up the MX records at your domain provider to point to the VPS (mail2.interpause.com)
  • For namecheap, it looks like this:

[Image: NamecheapMXRecord.gif, the Namecheap MX record screen]

2) Set up /etc/postfix/main.cf on mail1.interpause.com (the primary server)

myhostname = mail1.interpause.com
mydestination = mail1.interpause.com, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::1]/128 mail1.interpause.com mail2.interpause.com
# outbound mail goes through the ISP's submission server, since port 25 is blocked
relayhost = [smtp.ebox.ca]:587

3) Set up /etc/postfix/main.cf on mail2.interpause.com (the forwarder)

myhostname = mail2.interpause.com
mydestination = $myhostname, localhost, localhost.localdomain
# everything accepted for relaying is handed to mail1 on the unblocked port
relayhost = [mail1.interpause.com]:2025
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mail1.interpause.com mail2.interpause.com
# reject_unauth_destination is what keeps mail2 from being an open relay: any recipient
# not in mydestination or relay_domains is refused with "Relay access denied"
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
relay_domains = $mydestination, interpause.com
# empty: accept any recipient at the relay domains (mail1 decides which ones exist)
relay_recipient_maps =
# you may need to duplicate some parameters from the original mail1 config, e.g.:
message_size_limit = 30720000
4) Update port forwarding on the router
  • Forward the unblocked external port 2025 to internal port 25 of mail1.interpause.com

5) (Optional, but recommended) Add postfix restrictions to prevent spam/spoofing using the following guide

6) Reboot both servers mail1 and mail2, or restart postfix on each:

sudo service postfix restart
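Before opening the forwarder to the internet it is worth checking the main.cf you just wrote for the two things that matter on an MX that relays: that it relays for the domain(s) whose MX points at it, and that nothing turns it into an open relay. The script below is an added example (mine, not code from the howto or from Postfix): it parses main.cf syntax, expands $parameters the way postconf -x does, and audits a forwarder like mail2. MAIL2_CF is the step 3 configuration from this page, embedded inline; MAIL2_OPEN_RELAY_CF is a constructed misconfiguration (mynetworks = 0.0.0.0/0) that keeps the restriction list intact and still relays for the whole world, to show what the audit flags. The DEFAULTS table holds the postconf(5) defaults for the few parameters inspected; the loopback-only mynetworks default is an assumption standing in for the value Postfix computes from the host's interfaces.

```python
"""Audit Postfix main.cf fragments for a forwarding MX such as mail2.

Added example, not code from the original howto. Both configurations at the
bottom are constructed inline: MAIL2_CF is step 3 of the howto,
MAIL2_OPEN_RELAY_CF is the same file with a deliberately broken mynetworks.
"""
import re

# postconf(5) defaults for the parameters we inspect (Postfix 3.x).
# mynetworks is computed from the host's interfaces by default; the
# loopback-only value here is an assumption for a single-address VPS.
DEFAULTS = {
    "myhostname": "localhost",
    "mydomain": "localdomain",
    "mydestination": "$myhostname, localhost.$mydomain, localhost",
    "mynetworks": "127.0.0.0/8 [::1]/128",
    "relay_domains": "",
    "relayhost": "",
    "smtpd_relay_restrictions": "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
    "smtpd_recipient_restrictions": "",
}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments and continuation
    lines that start with whitespace; a later setting overrides an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:   # continuation line
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a main.cf line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, name, depth=0):
    """Resolve $param / ${param} references recursively, like postconf -x."""
    if depth > 16:
        raise ValueError(f"$-expansion loop while expanding {name}")
    value = params.get(name, DEFAULTS.get(name, ""))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: expand(params, m.group(1), depth + 1), value)


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_forwarder(main_cf, relay_for, upstream):
    """Return a list of findings for a forwarder; an empty list means clean."""
    p = parse_main_cf(main_cf)
    findings = []

    # 1. It must relay for every domain whose MX points at it.
    relay_domains = split_list(expand(p, "relay_domains"))
    for domain in relay_for:
        if domain not in relay_domains:
            findings.append(f"{domain} missing from relay_domains")

    # 2. Relayed mail must go to the primary server and nowhere else.
    relayhost = expand(p, "relayhost")
    if relayhost != upstream:
        findings.append(f"relayhost is {relayhost!r}, expected {upstream!r}")

    # 3. Open-relay checks: permit_mynetworks trusts every client if mynetworks
    #    spans the internet, and a bare 'permit' ahead of the unauth_destination
    #    check skips that check for every client.
    if any(net in ("0.0.0.0/0", "[::]/0") for net in split_list(expand(p, "mynetworks"))):
        findings.append("mynetworks trusts the whole internet (open relay)")
    guarded = False
    for param in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        rules = split_list(expand(p, param))
        guard_at = next((i for i, r in enumerate(rules) if r in RELAY_GUARDS), None)
        if guard_at is None:
            continue
        guarded = True
        if "permit" in rules[:guard_at]:
            findings.append(f"{param}: 'permit' before {rules[guard_at]} skips the relay check")
    if not guarded:
        findings.append("no reject_unauth_destination/defer_unauth_destination in any restriction list")
    return findings


# Step 3 of the howto as applied on mail2 (hostnames from the page); the
# restriction list is wrapped onto a continuation line to exercise the parser.
MAIL2_CF = """\
myhostname = mail2.interpause.com
mydestination = $myhostname, localhost, localhost.localdomain
relayhost = [mail1.interpause.com]:2025
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mail1.interpause.com mail2.interpause.com
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
relay_domains = $mydestination, interpause.com
relay_recipient_maps =
message_size_limit = 30720000
"""

# Constructed misconfiguration: the restriction list still looks right, but
# the later mynetworks line now matches every client on the internet.
MAIL2_OPEN_RELAY_CF = MAIL2_CF + "mynetworks = 0.0.0.0/0\n"

if __name__ == "__main__":
    for label, cf in (("mail2", MAIL2_CF), ("mail2 (open relay)", MAIL2_OPEN_RELAY_CF)):
        found = audit_forwarder(cf, ["interpause.com"], "[mail1.interpause.com]:2025")
        print(label, "->", "OK" if not found else "; ".join(found))
```

To audit the live file rather than the inline copy, feed it the output of `postconf -n` on mail2 (same name = value syntax). If mail1 hosts several domains, pass all of them in relay_for; each one missing from relay_domains is reported separately.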

Final Remarks

  • We like this solution because all our mail data and accounts remain safe and sound on the primary mail server. Cheap VPS providers can go bankrupt at very short notice (it has happened to us twice over the years). Mail may queue briefly on the cheap VPS mail2, but is soon forwarded to the safety of the primary mail1 server.
  • Because relay_recipient_maps is left empty, mail2 accepts mail for any address at interpause.com and only learns that a recipient does not exist when mail1 rejects it, so mail2 then sends the bounce (backscatter to forged senders). Listing the valid recipients in relay_recipient_maps lets mail2 refuse unknown addresses at RCPT TO instead.
  • The hop from mail2 to mail1 on port 2025 crosses the public internet. Postfix encrypts it only if both ends offer TLS (smtp_tls_security_level = may on mail2, smtpd_tls_security_level = may plus a certificate on mail1); otherwise the forwarded mail travels in plaintext.
  • If you have multiple VPSes available, you may also set up additional mail forwarders as backups (mail3, mail4, etc.) in case mail2 goes down, and add them to the MX records accordingly.
  • If your mail server manages multiple domains, you need to update the MX record of each domain and append the virtual domains to relay_domains on mail2 (interpause.com, interpause2.com, interpause3.com, etc.), and possibly elsewhere too.

Troubleshooting

  • Check the log file at /var/log/mail.log and search for any error messages
  • Use telnet to test that each hop accepts a connection (you should see a 220 SMTP banner). Test port 2025 from mail2 or another host outside your LAN, since many routers do not loop a forwarded port back to the LAN:
telnet mail2.interpause.com 25
telnet mail1.interpause.com 2025
telnet smtp.ebox.ca 587
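A banner on telnet only proves the port is reachable; what you actually want to know about mail2 is that it relays for interpause.com and refuses everything else. The script below is an added example (mine, not from the howto) that runs that check with the standard-library smtplib: it connects, upgrades to STARTTLS when the server offers it, then asks for a recipient at an outside domain (must be refused; Postfix answers reject_unauth_destination with 554) and one at our own domain (must be accepted), resetting the session before DATA so nothing is ever queued. The probe addresses and the example.net outside domain are constructed placeholders; only the hostnames and ports come from the page.

```python
"""Relay probe for a forwarding MX, as an added example (not part of the howto).

Connects with smtplib, tries STARTTLS, then checks two RCPT TO answers:
an outside domain (must be refused) and our own domain (must be accepted).
The session is reset before DATA, so no message is ever sent.
"""
import smtplib
import ssl

# Constructed probe addresses; replace with your own. The outside domain is one
# this server is not an MX for, so a 250 there means an open relay.
OUTSIDE_RCPT = "relaytest@example.net"
OUR_RCPT = "postmaster@interpause.com"


def judge(outside_code, ours_code):
    """Turn the two RCPT TO reply codes into a verdict.

    A 4xx on our own domain is a temporary refusal (greylisting, upstream
    unreachable), not a relay problem, so it is reported separately."""
    if 200 <= outside_code < 300:
        return "open-relay"
    if 200 <= ours_code < 300:
        return "ok"
    if 400 <= ours_code < 500:
        return "ours-deferred"
    return "not-relaying-for-us"


def probe(host, port, outside=OUTSIDE_RCPT, ours=OUR_RCPT,
          sender="relaytest@example.net", verify_tls=True, timeout=15):
    """Run the probe against host:port and return (verdict, details)."""
    ctx = ssl.create_default_context()
    if not verify_tls:                  # forwarder with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as s:   # QUIT on exit
        s.ehlo()
        tls = False
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()                    # EHLO again: extensions may change after TLS
            tls = True
        code, _ = s.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused with {code}")
        outside_code, outside_msg = s.rcpt(outside)
        s.rset()                        # RSET drops the envelope, so MAIL FROM again
        s.mail(sender)
        ours_code, ours_msg = s.rcpt(ours)
        s.rset()                        # never DATA: nothing is queued
    return judge(outside_code, ours_code), {
        "tls": tls,
        "outside": (outside_code, outside_msg.decode(errors="replace")),
        "ours": (ours_code, ours_msg.decode(errors="replace")),
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail2.interpause.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    verdict, details = probe(host, port, verify_tls=False)
    print(host, port, verdict, details)
```

Run it against mail2 on port 25 and, from mail2 or another host outside your LAN, against mail1 on port 2025. When run from mail2 itself, mail1 will accept the outside recipient too, because mail2 is listed in mail1's mynetworks; that is the intended trust between the two servers, not an open relay, so judge the mail1 hop from a host that is not in its mynetworks. The "tls" flag in the details tells you whether the hop was encrypted.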

Good luck!