Backup mx and relay_recipients

Backup mx and relay_recipients

Joseph L. Casale
I have two mail servers for different companies owned by the same company.
It has been decided each of these companies shall provide backup MX for each other.
My problem is each MTA uses relay_recipients, which is maintained for each site.

I intend to use relay_domains and transport_maps in main.cf to allow, then direct,
mail to the opposite server.

Is there any way to place a wildcard on the backup MX server for the remote domain so it
does not check the relay_recipients for the opposite company's mail? I could insert a
"@remote.domain.com" but as the process is automated it's a bit of a pain to make sure
that is always added. I was hoping for something in main.cf that could overlook the
relay_recipients check for a specific domain.

Thanks!
jlc

Re: Backup mx and relay_recipients

mouss-2
Joseph L. Casale wrote:

> I have two mail servers for different companies owned by the same company.
> It has been decided each of these companies shall provide backup MX for each other.
> My problem is each MTA uses relay_recipients, which is maintained for each site.
>
> I intend to use relay_domains and transport_maps in main.cf to allow, then direct,
> mail to the opposite server.
>
> Is there any way to place a wildcard on the backup MX server for the remote domain so it
> does not check the relay_recipients for the opposite company's mail? I could insert a
> "@remote.domain.com" but as the process is automated it's a bit of a pain to make sure
> that is always added. I was hoping for something in main.cf that could overlook the
> relay_recipients check for a specific domain.

relay_recipients=
will disable relay recipient validation, but then you will generate
backscatter. This is no longer acceptable.

Put a full list of all valid users on both servers.

Also see the recent thread "how to run a backup MX - accepting/rejecting
mail to unknown users" (started by Martin F Krafft)

RE: Backup mx and relay_recipients

Joseph L. Casale
> relay_recipients=
> will disable relay recipient validation, but then you will generate
> backscatter. This is no longer acceptable.
>
> Put a full list of all valid users on both servers.
>
> Also see the recent thread "how to run a backup MX - accepting/rejecting
> mail to unknown users" (started by Martin F Krafft)

My situation in both setups is that both primary MTAs are the only MTAs
that can see the actual colab/mail server. So both primaries will send mail
destined for the other company to that company's primary, which does the recipient
verification and antispam.

I would prefer not to keep identical copies of the user list on both MTAs, as
the earlier OP also stated. Given that recipient verification and antispam are still
done as a result, is there no way to bypass relay_recipients for one domain?

Thanks!
jlc

Re: Backup mx and relay_recipients

mouss-2
Joseph L. Casale wrote:

>> relay_recipients=
>> will disable relay recipient validation, but then you will generate
>> backscatter. This is no longer acceptable.
>>
>> Put a full list of all valid users on both servers.
>>
>> Also see the recent thread "how to run a backup MX - accepting/rejecting
>> mail to unknown users" (started by Martin F Krafft)
>
> My situation in both setups is that both primary MTAs are the only MTAs
> that can see the actual colab/mail server. So both primaries will send mail
> destined for the other company to that company's primary, which does the recipient
> verification and antispam.
>
> I would prefer not to keep identical copies of the user list on both MTAs, as
> the earlier OP also stated. Given that recipient verification and antispam are still
> done as a result, is there no way to bypass relay_recipients for one domain?


    http://www.postfix.org/postconf.5.html#relay_recipient_maps



RE: Backup mx and relay_recipients

Joseph L. Casale
> http://www.postfix.org/postconf.5.html#relay_recipient_maps

I did read that, and re-read it in case I missed something, so am I safe in concluding
there is no way around this? If you enable it, it covers everything relayed without
any possible bypass based on certain criteria.

I could allow scp with keys through the firewall for just the two MTAs, but I sure
hoped for a more trivial/secure way around this.

Thanks!
jlc


Re: Backup mx and relay_recipients

Michael Monnerie-4
In reply to this post by Joseph L. Casale
On Wednesday, 18 June 2008, Joseph L. Casale wrote:
> Is there any way to place a wildcard on the backup MX server for the
> remote domain so it does not check the relay_recipients for the
> opposite company's mail? I could insert a "@remote.domain.com" but as
> the process is automated it's a bit of a pain to make sure that is
> always added. I was hoping for something in main.cf that could
> overlook the relay_recipients check for a specific domain.

Why don't you use
http://www.postfix.org/postconf.5.html#reject_unverified_recipient
together with
address_verify_map = btree:/etc/postfix/verify
address_verify_negative_refresh_time = 3h
address_verify_negative_expire_time = 3d
unverified_recipient_reject_code = 550

This first verifies whether an address exists (via SMTP to the other
server) and saves it for some time. This way, if you create a new user on
one server, the other automatically learns it.

Regards, zmi
--
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4


Re: Backup mx and relay_recipients

mouss-2
In reply to this post by Joseph L. Casale
Joseph L. Casale wrote:
>> http://www.postfix.org/postconf.5.html#relay_recipient_maps
>
> I did read that, and re-read it in case I missed something, so am I safe in concluding
> there is no way around this?

I hope you did not miss the part that says:

"Specify @domain as a wild-card for domains that have no valid recipient
list"

So you can do it if you really want to, but it's at your own risk.

> If you enable it, it covers everything relayed without
> any possible bypass based on certain criteria.
>
> I could allow scp with keys through the firewall for just the two MTAs, but I sure
> hoped for a more trivial/secure way around this.

You can use mysql/ldap (over ssl, stunnel, ssh tunnel, ipsec, ipv6,
...). Or you can simply use rsync over ssh. If you are worried about
security, create a user without privileges to do the rsync, then have a
privileged daemon that runs locally and that copies the map to the right
place and postmaps it.

An alternative is to use reject_unverified_recipient and tune the cache
lifetime, but this may be a waste of resources...
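
The split mouss describes, an unprivileged rsync drop-off followed by a privileged local step that installs the map, as an added example written for this thread rather than taken from it. The staging path, target path, remote domain and the `install` argument are assumptions:

```shell
#!/bin/sh
# Added example for this thread, not code from the list: the privileged local
# step that takes the recipient list an unprivileged rsync user dropped into a
# staging directory, checks it, and only then installs it as the backup MX's
# relay_recipients map. Paths and the remote domain below are assumptions.

STAGING=/var/spool/relay-sync/relay_recipients   # written by the rsync-only user
TARGET=/etc/postfix/relay_recipients             # named in relay_recipient_maps
REMOTE_DOMAIN=remote.domain.com                  # domain we are backup MX for

# validate_relay_map FILE DOMAIN
# Accepts only "user@DOMAIN OK" lines (plus blanks and comments) and fails on
# the first bad one, so a truncated, tampered or wrong-domain file never
# reaches Postfix. A bare "@DOMAIN OK" wildcard is rejected on purpose: it
# would disable recipient validation for the whole domain and turn the backup
# MX into a backscatter source.
validate_relay_map() {
    file=$1; domain=$2
    [ -s "$file" ] || { echo "empty map: $file" >&2; return 1; }
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots in the regex
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" |
             grep -Eq "^[A-Za-z0-9._+-]+@${dom_re}[[:space:]]+OK[[:space:]]*$"; then
            echo "bad line $lineno in $file: $line" >&2
            return 1
        fi
    done < "$file"
    return 0
}

# install_relay_map SRC DST
# Copies the validated file into place root-owned, builds the hash table and
# reloads Postfix. Only this step touches /etc/postfix; the rsync user cannot.
install_relay_map() {
    src=$1; dst=$2
    install -o root -g root -m 0644 "$src" "$dst" &&
        postmap "hash:$dst" &&
        postfix reload
}

main() {
    validate_relay_map "$STAGING" "$REMOTE_DOMAIN" || exit 1
    install_relay_map "$STAGING" "$TARGET"
}
# Only act when explicitly asked, so the file can also be sourced for testing.
if [ "${1:-}" = install ]; then main "$@"; fi
```

Hook it into root's cron (or a systemd timer) to run after each rsync; the rsync user only ever writes to the staging path.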


RE: Backup mx and relay_recipients

Joseph L. Casale
> I hope you did not miss the part that says:
>
> "Specify @domain as a wild-card for domains that have no valid recipient
> list"

No, but as I said (possibly not clearly), the recipient list is generated automatically
right now; I suppose I could attempt to make it add this.

> So you can do it if you really want to, but it's at your own risk.

> An alternative is to use reject_unverified_recipient and tune the cache
> lifetime, but this may be a waste of resources...

Yeah, that solution looks like it has its own issues. I think I will resort to allowing a
low-priv user scp access to dump the list, and permit just the primary ssh access
in the firewall.

Thanks for the guidance.
jlc