[Tutorial] OPNsense - Create a Postfix Mail Relay for Exchange Online in 8 steps

[vpx]

1. Go to System->Settings->Plugins, search for "os-postfix" and install ith via the + sign on the right (in the screenshot it is already installed, that's why it shows a trash bin to remove it).



2. Refresh the Web GUI with F5 and you'll find "Postfix" under Services. Go to Services->Postfix->Domains and add your own domain, the field "Destination" is your Exchange Online target.



3. Go to senders and add your e-mail address which you want to send from, if you want to allow all e-mail addresses than just leave it empty.



4. Go to Services->Postfix->General and change "IP Version" to "IPv4" if you don't use IPv6. In "Trusted Networks" add your local subnet (in this case 192.168.3.0/24) or add single IPs for every allowed host. I don't know if the field "Smart Host" here is working at all, it had no effect if it was filled or empty. Maybe it just works with authentication which we don't need in this case.

[vpx]

5. Go to Firewall->Rules->LAN (or whatever Interface receives the mails in your configuration) and add the rule "Local Route Postfix". This is needed if you use a gateway (in this sample a Load Balancing/Failover-Multi WAN) as this gateway will just send out your mails directly into the Internet where it is discarded (because the destination is a class C address) instead of reaching the postfix service on your firewall. The rule is also needed if your rules are more restrictive than the "Default allow LAN to any rule".



6. Go to your Exchange Admin Center->Mail flow->Connectors and add a new connector named "Mailrelay" with the direction "Your organization's email server" to "Office 365".

[vpx]

7. Activate it and enter a description.



8. Choose authentication by IP address and enter the public static IP addresses from your ISP.

[vpx]

Additional note:

You have to uncheck the option "Permit SASL Authenticated" in Services->Postfix->General as also described here:

https://serverfault.com/questions/1061757/opnsense-logs-every-second-postfix-smtpd-otp-unavailable-because-cant-read-wri

Otherwise you will get this message in the log with every mail:

2023-07-05T10:15:06   Error   postfix/smtpd   OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied

[tiermutter]

Nice work. I never came to the idea setting up postfix on my Sense, instead I used a VM that also do some DDNS for multi WAN / failover I could'nt get to work on OPNsense fir the time being. When the time has come, I will maybe come back here again and discard the VM to save some ressources

[mike0000]

Thank you for the tutorial. I use Exchange 365 and am wondering what the use cases for this are?

[Patrick M. Hausen]

Have an outbound mail server that can actually bounce instead of forward? Which Exchange cannot.
Have a local mail server for all your appliances, printers, scanners, UPS, ...