Questions regarding Ciphermail configuration and Domain filtering

Hello everyone,

as I’ve only recently started working with Postfix, email infrastructure, and Ciphermail, I still have several questions regarding the setup.

My goal is to use Ciphermail as an outbound-only mail relay (MTA).
No regular user accounts (other than the admin account) are required on the mail gateway, and only a small number of internal systems should be allowed to send outbound email via this MTA.

  1. Should all configuration changes be performed exclusively through the Ciphermail management interface, which then propagates the necessary updates to the underlying Postfix configuration files?
    In other words, is Ciphermail intended to be the authoritative configuration layer?
    I want to avoid inconsistencies or accidentally overwriting settings when making manual adjustments directly in the Postfix configuration.

  2. What is the recommended way to perform domain-based filtering when using Ciphermail as an MTA?
    For example, I would like to allow outbound email to addresses such as xyz@googlemail.com, while blocking delivery to domains such as xyz@outlook.com.

    Is this achievable via DLP policies?
    I was not able to implement this using only the MTA settings → “Relay Domains”.

Essentially, I need a domain-level whitelist for outbound delivery.

Thanks for all the hints and guidance!

Best
Holger

Should all configuration changes be performed exclusively through the Ciphermail management interface, which then propagates the necessary updates to the underlying Postfix configuration files?

No, that’s not required. You can change the Postfix configuration files directly.

There are only a few requirements for the integration between the CipherMail back-end and postfix.

  1. The back-end should be configured as a post-queue filter (main.cf)

    content_filter = ciphermail:[127.0.0.1]:10025
    
  2. Postfix master config (master.cf) should contain “reinjection” ports for the back-end
    See master.cf

  3. Email sent from the back-end should be accepted by postfix

What is the recommended way to perform domain-based filtering when using Ciphermail as an MTA?

It’s advisable to block email on postfix and not in the back-end.

There are different options for this.

  1. Add the allowed recipient domains to “relay” domains and leave “My Networks” empty.
    Note that email from localhost (127.0.0.1) is always allowed to relay to other
    hosts; therefore, do not test from localhost whether recipient domains are blocked.
  2. Use Postfix Configuration Parameters

There are other options, but these are the most common.
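As an added illustration of option 2 (not part of Martijn's reply or of the CipherMail documentation), the following Postfix fragments implement the outbound domain whitelist from the question: only the listed internal hosts may submit mail, and only to the listed recipient domains. The host addresses, the map file name and the allowed domains are constructed example values; the fragment assumes the internal systems deliver to the main smtp listener, while the CipherMail reinjection listener in master.cf keeps its own -o overrides.

```text
# /etc/postfix/main.cf (excerpt, constructed example)

# Internal systems permitted to submit outbound mail.
# 127.0.0.0/8 stays so the CipherMail back-end can reinject.
mynetworks = 127.0.0.0/8, 10.0.5.10/32, 10.0.5.11/32

# Order matters: the access map decides per recipient domain first,
# then only clients in mynetworks may relay, everything else is rejected.
smtpd_recipient_restrictions =
    check_recipient_access regexp:/etc/postfix/outbound_domains,
    permit_mynetworks,
    reject

# /etc/postfix/outbound_domains (regexp table, constructed example)
# check_recipient_access looks up the full recipient address first, and the
# first matching pattern wins, so the allow rules must precede the catch-all.
# DUNNO means "no decision here, continue with the next restriction";
# it does not grant relay on its own, so external clients still hit "reject".
/@googlemail\.com$/   DUNNO
/@example\.com$/      DUNNO
/./                   REJECT Outbound delivery to this domain is not permitted
```

A regexp table needs no postmap; run `postfix reload` after editing, and check a lookup with `postmap -q xyz@outlook.com regexp:/etc/postfix/outbound_domains` rather than by sending from localhost, which is always allowed to relay.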

Thanks Martijn, this helps!