Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Harakiri
Hi,

http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps

states the order of the address lookup. I'm not quite sure if this setting works if you
use a postfix for inbound and outbound messages without using a 2nd postfix instance.

Let's say I have 2 internal e-mail domains which are managed on an e-mail server.

spam-check.com
no-spam-check.com

Both are routed over a postfix server, with sender_dependent_relayhost_maps I want that
spam-check.com domain is going over another anti-spam gateway which sends the message finally to
the internet using mx lookup and no-spam-check.com should be delivered directly from this postfix
using MX records. This should all work fine with the sender based routing.

Now let's see the inbound case, i.e. external.com is sending messages to my domains spam-check.com
and no-spam-check.com -

Based on the description for sender based routing "This information is overruled with
relay_transport, default_transport and with the transport(5) table." - for recipients of an
inbound message, the transport table will be used - so I could define a transport for
no-spam-check.com and spam-check.com to my internal mail server, in other words the sender based
routing table is ignored - no infinite loops should happen. Right?








Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Victor Duchovni
On Thu, May 08, 2008 at 12:03:34PM -0700, Harakiri wrote:

> Hi,
>
> http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps
>
> states the order of the address lookup. I'm not quite sure if this setting works if you
> use a postfix for inbound and outbound messages without using a 2nd postfix instance.
>

This feature does not change transport selection, it merely changes
the default nexthop to be the table lookup result, rather than the
recipient domain. If a transport entry defines an explicit nexthop,
that is used instead and the feature has no effect.

So transports are still selected by recipient, but the nexthop (relayhost)
may be sender-dependent.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Harakiri

--- Victor Duchovni <[hidden email]> wrote:

> On Thu, May 08, 2008 at 12:03:34PM -0700, Harakiri wrote:
>
> > Hi,
> >
> > http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps
> >
> > states the order of the address lookup. I'm not quite sure if this setting works if you
> > use a postfix for inbound and outbound messages without using a 2nd postfix instance.
> >
>
> This feature does not change transport selection, it merely changes
> the default nexthop to be the table lookup result, rather than the
> recipient domain. If a transport entry defines an explicit nexthop,
> that is used instead and the feature has no effect.
>
> So transports are still selected by recipient, but the nexthop (relayhost)
> may be sender-dependent.

Thanks for your reply, but maybe I made myself unclear - I know that the feature does not change
the transport selection - it is merely a fall back you could say, if no transport map is defined.
I just wanted to know if this works also for inbound traffic when you want to relay mail to your
internal mailserver or is the sender based routing a problem here, because you could not possibly
have an entry for every external sender domain in the world =)




Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Victor Duchovni
On Thu, May 08, 2008 at 01:05:58PM -0700, Harakiri wrote:

> > So transports are still selected by recipient, but the nexthop (relayhost)
> > may be sender-dependent.
>
> Thanks for your reply, but maybe I made myself unclear - I know that
> the feature does not change
> the transport selection - it is merely a fall back you could say,
> if no transport map is defined.

No, it is not a "fallback" it works even when a transport table entry
is present, provided the entry does not specify an explicit nexthop.

> I just wanted to know if this works also for inbound traffic when you want
> to relay mail to your internal mailserver or is the sender based routing
> a problem here, because you could not possibly
> have an entry for every external sender domain in the world =)

Postfix has no notion of "inbound" or "outbound". Mail comes in (to the
queue), and then it goes out (gets processed by a delivery agent). So
your question is rather surprising. What exactly is the problem?

Transport selection always picks a transport[:nexthop] based on the
recipient. If no optional nexthop is specified, the recipient domain
becomes the nexthop, but sender-dependent relayhost lookups can pre-empt
that and provide a sender-dependent nexthop.

If you want internal domains to go a specific internal hub:

    example.com relay:[internal-gw.example.com]
    example.net relay:internal-mx.example.net

--
        Viktor.


Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Harakiri

--- Victor Duchovni <[hidden email]> wrote:
> If you want internal domains to go a specific internal hub:
>
>     example.com relay:[internal-gw.example.com]
>     example.net relay:internal-mx.example.net

Sigh, I know all that - my question was very simple - if I use sender based routing for outbound
traffic (I also do know that postfix doesn't differ in and out) to relay certain mail to another
hop before finally delivering it via mx - might there be a problem for inbound mails, i.e.
infinite loops, errors for dsn and so on, for these mails I guess transport maps will be taken
first?

outbound --> sender routing takes first (because you don't have transport maps for "external
recipient")

inbound --> transport maps/relay settings takes first (because you don't have sender routing tables
for the whole internet/mail)



Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Wietse Venema
Harakiri:

> --- Victor Duchovni <[hidden email]> wrote:
> > If you want internal domains to go a specific internal hub:
> >
> >     example.com relay:[internal-gw.example.com]
> >     example.net relay:internal-mx.example.net
>
> Sigh, I know all that - my question was very simple - if I use
> sender based routing for outbound traffic (I also do know that
> postfix doesn't differ in and out) to relay certain mail to another
> hop before finally delivering it via mx - might there be a problem
> for inbound mails, i.e. infinite loops, errors for dsn and so
> on, for these mails I guess transport maps will be taken first?
>
> outbound --> sender routing takes first (because you don't have
> transport maps for "external recipient")
>
> inbound --> transport maps/relay settings takes first (because
> you don't have sender routing tables for the whole internet/mail)

If the documentation is inaccurate about the precedence of
routing features, please say where.

        Wietse

Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Victor Duchovni
On Thu, May 08, 2008 at 04:53:09PM -0700, Harakiri wrote:

> Sigh, I know all that - my question was very simple - if I use sender
> based routing for outbound traffic to relay certain mail to another
> hop before finally delivering it via mx

Then the nexthop for mail from the relevant senders is selected based on
the sender when the recipient specific transport does not specify an
explicit nexthop.

Are you using sender dependent routing correctly? What real problem
does your use of sender dependent routing solve? Is it really a sender
specific property or are you misusing sender as a proxy for message origin
(inside/outside your network, ...)

> - might there be a problem for inbound mails, i.e.
> infinite loops, errors for dsn and so on, for these mails I guess transport maps will be taken
> first?

It is always possible to misconfigure routing to create loops, what specific
scenario concerns you? If the recipient and sender are both in your domain,
and not local to the gateway, don't use sender dependent routing to punt
the mail elsewhere, it may come right back at you.

This should only be possible if you are misusing sender-based routing
and failing to specify explicit nexthops for internal mail relays.

> outbound --> sender routing takes first (because you don't have transport
> maps for "external recipient")

There is no "outbound", mail comes in and then it leaves. Sender based
routing is NOT first, it provides a default nexthop other than the recipient
domain when the recipient transport lacks a nexthop. It does not replace
the transport. The selection of transport and sender dependent relayhost
are orthogonal when the transport lacks a nexthop. There is no first/second
relationship. When the recipient transport has an explicit nexthop, the
sender relayhost is simply ignored.

> inbound --> transport maps/relay settings takes first (because you don't
> have sender routing tables for the whole internet/mail)

This is simply false, there is no inbound/outbound distinction. You say
you understand this, but you persist in proving otherwise. Certainly if
the sender is not listed in the table then sender dependent routing has
no effect, but the same is true for outbound mail.

Construct your use cases of various combinations of sender/recipient
pairs and figure out where the mail will be sent based on your transport
and sender-dependent-relayhost tables. Note Postfix does not know who's
in and who's out, it just routes the mail to the recipient (perhaps via
a gateway that may depend on the sender address).

--
        Viktor.


Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Harakiri

--- Victor Duchovni <[hidden email]> wrote:

> On Thu, May 08, 2008 at 04:53:09PM -0700, Harakiri wrote:

> Construct your use cases of various combinations of sender/recipient
> pairs and figure out where the mail will be sent based on your transport
> and sender-dependent-relayhost tables. Note Postfix does not know who's
> in and who's out, it just routes the mail to the recipient (perhaps via
> a gateway that may depend on the sender address).

Yes thanks, I only wanted to simplify my cases with the words inbound and outbound - once the
sender is an internal user and recipient is external, and once the sender is external and the
recipient is internal.

Without it, it of course boils down to simply sender+recipient combinations.
I read the documentation and the lists, from what I saw is that sender based routing was not
suggested - instead a second postfix instance is better.

However, I only wanted a validation that I did understand the routing correctly:

Example (simplified, prop. not correct syntax)

sender_based_map
internal-with-check.com:[next_hop_will_do_mx_lookup]
internal.com: use mx
*:all other use mx

recipient_map
internal-with-check.com:[mymailserver.internal.com]
internal.com:[mymailserver.internal.com]
*:all other use mx

Mails :

sender [hidden email] to [hidden email]
should go to next_hop_will_do_mx_lookup, no recipient map applies

sender [hidden email] to [hidden email]
should go to destination via mx, no recipient map applies


sender [hidden email] to [hidden email]
should go to mymailserver.internal.com, no sender map applies

sender [hidden email] to [hidden email]
should go to mymailserver.internal.com, no sender map applies



Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Wietse Venema
Can you explain the problem that you are trying to solve, instead
of the solution (sender dependent routing)?

If you are trying to implement multiple mail server personalities
with Postfix: this is not supported, and will never be.

        Wietse

Re: Q about sender_dependent_relayhost_maps inbound vs outbound traffic

Victor Duchovni
On Fri, May 09, 2008 at 02:02:24AM -0700, Harakiri wrote:

> Example (simplified, prop. not correct syntax)

Simplified to the point of being incomprehensible to anyone (including
yourself I suspect).

> sender_based_map
> internal-with-check.com:[next_hop_will_do_mx_lookup]
> internal.com: use mx
> *:all other use mx

What on earth does this mean? The sender table specifies a mapping between
a sender address and a relayhost, not a transport. Are you trying to
say that for senders in the domain on the LHS of the table entry below
the nexthop should be the RHS gateway when the recipient is delivered
using SMTP (rather than local)?

    internal-with-check.com [next_hop_will_do_mx_lookup]

Does this system do *any* local delivery? Do any users submit mail
directly via sendmail(1) rather than via SMTP? If not, there is
not much difference between sender-dependent routing and a "FILTER
smtp:[next_hop...]"  access check on the sender domain.

> recipient_map
> internal-with-check.com:[mymailserver.internal.com]
> internal.com:[mymailserver.internal.com]
> *:all other use mx

There is no "recipient map", there is a transport table, whose syntax is
to select a transport and nexthop. Do make your examples more realistic.

> Mails :
>
> sender [hidden email] to [hidden email]
> should go to next_hop_will_do_mx_lookup, no recipient map applies

Is this because the domain in question is hosted on the gateway in
question, and all email from the domain should originate there, or
because you are considering misusing sender based routing to solve a
different problem that you have not explained?

Sender based routing is a SOHO feature, intended for machines with
perhaps a few local accounts and most user mailboxes hosted by an ESP.

> sender [hidden email] to [hidden email]
> should go to destination via mx, no recipient map applies

The documentation adequately describes this case.

The transport table is always checked, but there is certainly no
requirement to list every destination there.

> sender [hidden email] to [hidden email]
> should go to mymailserver.internal.com, no sender map applies

The documentation adequately covers this case.

> sender [hidden email] to [hidden email]
> should go to mymailserver.internal.com, no sender map applies

The documentation adequately covers this case.

There are likely more cases to consider. And your real motivation for
sender based routing left to describe.

--
        Viktor.
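
The exercise suggested in this thread (work through each sender/recipient pair against the two tables) can be done mechanically. The following is an added example, not code from the thread or from Postfix: a simplified model that covers only transport entries with an explicit nexthop and destinations with no transport entry, assumes relay_transport and default_transport carry no nexthop, and uses the thread's domains with constructed mailbox names.

```python
# Added example: a simplified model of nexthop selection, not Postfix source code.
# Assumes relay_transport/default_transport carry no nexthop of their own.
# Not modelled: transport entries without a nexthop, subdomain or wildcard
# keys, local delivery. Mailbox names are constructed; domains are the thread's.

TRANSPORT = """
internal-with-check.com   relay:[mymailserver.internal.com]
internal.com              relay:[mymailserver.internal.com]
"""
SENDER_RELAY = """
@internal-with-check.com  [next_hop_will_do_mx_lookup]
"""

def parse_table(text):
    """Parse 'key whitespace value' lines into a dict; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def route(sender, recipient, transport, sender_relay):
    """Return (nexthop, source) for one envelope sender/recipient pair."""
    rdom = domain(recipient)
    entry = transport.get(rdom)
    if entry is not None:
        nexthop = entry.partition(":")[2]
        if not nexthop:
            raise ValueError("transport entry without nexthop is outside this model")
        return nexthop, "transport"          # explicit nexthop: sender map ignored
    relay = sender_relay.get(sender.lower()) or sender_relay.get("@" + domain(sender))
    if relay:
        return relay, "sender_relayhost"     # replaces the recipient domain
    return rdom, "recipient_mx"              # default: MX lookup on recipient domain

CASES = [  # (envelope sender, envelope recipient)
    ("a@internal-with-check.com", "x@external.com"),
    ("b@internal.com", "x@external.com"),
    ("x@external.com", "a@internal-with-check.com"),
    ("x@external.com", "b@internal.com"),
    ("a@internal-with-check.com", "b@internal.com"),  # both internal
]

def audit(transport_text, sender_relay_text):
    t, s = parse_table(transport_text), parse_table(sender_relay_text)
    return [(snd, rcpt) + route(snd, rcpt, t, s) for snd, rcpt in CASES]

if __name__ == "__main__":
    for label, ttext in (("with transport entries", TRANSPORT), ("no transport entries", "")):
        print(label)
        for row in audit(ttext, SENDER_RELAY):
            print("  %s -> %s : %s (%s)" % row)
```

With the transport entries removed, the last case (both addresses internal) is handed to the sender's relayhost instead of the internal mail server, which is the "it may come right back at you" situation described above.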
