OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Goombadave on April 26, 2020, 12:24:25 PM

Title: PostFix Gateway
Post by: Goombadave on April 26, 2020, 12:24:25 PM



Recently I set up an email server on my local LAN. It is set to receive mail on a nonstandard port (8025, port-forwarded to port 25 on the LAN side) and to send mail via SMTP to an email relay, also on a nonstandard port (3325). I have this setup working fine now using a single port forward to take the external port (8025) for inbound mail and send it to the server on port 25.

After configuring this I came across the Postfix plugin, which looks pretty cool. My question(s) is, would it make sense to return the mail server on my LAN to a "standard" ports setup and have the Postfix gateway on OPNsense handle sending the outbound mail to the relay? And the same for inbound? Do I understand this correctly that the Postfix gateway is sort of similar to a reverse proxy for my email server? If so, would I gain any security benefits using the Postfix plugin instead of port forwarding (as I do with other web servers like Nextcloud)? It would seem that I could get another layer of spam filtering with the Postfix plugin. The mail server is running Postfix on the LAN.

I have OPNsense installed with several plugins, including NGINX as the reverse proxy for a few web services. OPNsense handles SSL offloading with NGINX and Let's Encrypt. I have been happy with NGINX (and HAProxy) and the integration of Let's Encrypt. Can I/should I reverse proxy a mail server as well with NGINX? Or Postfix as the gateway? Or am I fine exposing one external port (port-forwarded 8025 to 25 to the mail server)?

Thanks for your input

Thoughts?

Title: Re: PostFix Gateway
Post by: fabian on April 26, 2020, 04:46:40 PM
The Postfix plugin allows the easy integration of rspamd (another plugin) and, with that, also ClamAV. It is designed to have a mail server running behind it which has bad protection.

Title: Re: PostFix Gateway
Post by: Goombadave on April 27, 2020, 03:21:12 AM
Thanks, so I will plan to make the change. I assume I would have to set up the relay on the Postfix plugin page in OPNsense and remove the relay auth settings from my mail server itself?