Postfix Inbound/Outbound Gateway for Google Apps

email g-suite gateway postfix

I currently have a Postfix/Dovecot setup, but our server is hitting capacity, so we decided to switch to Google Apps. However, we have certain web applications that need to send and receive e-mail directly (for example, inbound e-mail being redirected to a script, and sending password-reset e-mails).

What I want to do is host certain e-mail accounts with Google Apps, while my current server continues to manage other e-mail accounts. I assume this means that I would use my current server as an Inbound/Outbound Gateway, so my questions are:

1) How do I set up Postfix as an Outbound Gateway without making it an (insecure) open relay?

2) How do I set up Postfix as an Inbound Gateway so that only certain e-mail addresses are forwarded to Google Apps?

3) I was also considering a dual-SMTP approach where both Google Apps and my server can send mail directly to the outside world, but would this be spam-filter friendly? I want to keep using a single domain for all e-mail addresses if possible.

Thank you!

Best Answer

I'm going to suggest you configure things a little differently. Google's more redundant than your one server and it will cause many fewer problems with mail delivery. The issue is, if you forward a lot of messages from an SMTP server, sometimes Google throttles an IP even if it has been whitelisted in the Google Apps CPanel. We've had to get Google to whitelist (not the same as the CPanel whitelist) a few SMTP relays we maintain for legacy domains.

Have your MX records all point to your Google Apps domain. You can then add static routes on each mailbox you want to forward over to the Postfix server. Create a firewall rule to only accept email from Google's IP networks, which can be found in the SPF record listed below. You might want to look at this on a regular basis, once or twice a year, to make sure it hasn't changed. Add the Postfix server's IP to your SPF record and the relevant Google information by following Google's instructions for creating SPF records.

SPF records are your best protection from looking like a spammer.

$ dig txt _spf.google.com

;; ANSWER SECTION:
_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Here is the SPF record for one of the 60 domains I manage. Your SPF record should look something like this:

oeh.com. 3600 IN TXT "v=spf1 a:czar.oeh.com a:kaiser.oeh.com ip4:12.52.185.83 ip4:64.88.185.105 ip4:173.45.98.190 include:listrak.com include:_spf.google.com ~all"
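
The firewall step in the answer depends on extracting the networks from the SPF record and re-checking them later. The following is an added example, not code from the answer: it parses an SPF TXT value into an allowlist and reports drift against what is deployed. The function names and the `deployed` list are assumptions; the record is the one quoted above.

```python
import ipaddress

# TXT value quoted in the answer above: a dated sample, not current data.
ANSWER_SPF = ('v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 '
              'ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 '
              'ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 '
              'ip4:173.194.0.0/16 ?all')

def parse_spf(record):
    """Return (networks, includes) from one SPF TXT value.

    Only pass-qualified ip4/ip6 terms count. include: targets are returned
    unresolved; each needs its own TXT lookup and parse.
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, includes = set(), []
    for term in terms[1:]:
        if term[0] in "-~?":      # fail/softfail/neutral never authorize a sender
            continue
        mech, _, value = term.lstrip("+").partition(":")
        if mech.lower() in ("ip4", "ip6") and value:
            networks.add(ipaddress.ip_network(value))  # raises on a malformed CIDR
        elif mech.lower() == "include" and value:
            includes.append(value)
    return networks, includes

def allowlist_drift(deployed, record):
    """Return (to_add, to_remove) between deployed CIDRs and a fetched record."""
    current, _ = parse_spf(record)
    deployed = {ipaddress.ip_network(n) for n in deployed}
    return sorted(current - deployed, key=str), sorted(deployed - current, key=str)

def is_allowed(client_ip, networks):
    """True if the connecting address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    nets, includes = parse_spf(ANSWER_SPF)
    # Constructed "deployed" list: one range missing, one stale range present.
    deployed = [str(n) for n in nets if str(n) != "173.194.0.0/16"] + ["192.0.2.0/24"]
    add, remove = allowlist_drift(deployed, ANSWER_SPF)
    print("add to firewall:", [str(n) for n in add])
    print("remove from firewall:", [str(n) for n in remove])
    print("unresolved includes:", includes)
```

A non-empty `includes` list means the allowlist is incomplete until those names are looked up and parsed as well.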