Shared postfix server

Shared postfix server

Anthony Ananich
Hi, All!

I'm trying to use a single Postfix instance for serving several domains. So let's say the Postfix hostname is mail1.hostmaster.com and it is used to send messages on behalf of client1.com and client2.com.

The issue is that these messages are identified by spam filters as untrusted. Most of them expect the hostname to match the served domain name. In case Postfix sends each domain's outgoing messages from a unique IP and this IP is whitelisted using DNS, it seems to make no difference.

I wonder if there is a way to make Postfix use a custom SMTP banner (HELO) based on the IP address it is sending the message from?

Thanks,
Anthony Ananich

Re: Shared postfix server

Wietse Venema
Anthony Ananich:
> Hi, All!
>
> I'm trying to use a single Postfix instance for serving several domains. So let's say the Postfix hostname is mail1.hostmaster.com and it is used to send messages on behalf of client1.com and client2.com.
>
> The issue is that these messages are identified by spam filters as untrusted. Most of them expect the hostname to match the served domain name. In case Postfix sends each domain's outgoing messages from a unique IP and this IP is whitelisted using DNS, it seems to make no difference.
>
> I wonder if there is a way to make Postfix use a custom SMTP banner (HELO) based on the IP address it is sending the message from?
>

Quoting from a response from ~2 days ago:

/etc/postfix/main.cf
    # Do "postmap hash:/etc/postfix/sender_transport" after editing the file.
    sender_dependent_default_transport_maps =
        hash:/etc/postfix/sender_transport

/etc/postfix/sender_transport
    @one.example        smtp_one_example:
    @two.example        smtp_two_example:
    @three.example      smtp_two_example:
    ...

Note that domains 'two.example' and 'three.example' share the same
delivery transport.

- Each delivery transport has its own smtp_bind_address and smtp_helo_name.

- Each smtp_helo_name value needs a DNS A (or AAAA) record that
  resolves to the corresponding smtp_bind_address value.

- Each IP address needs a PTR record that resolves to the smtp_helo_name
  value.

/etc/postfix/master.cf
    smtp_one_example .. .. .. .. .. .. smtp
        -o smtp_bind_address=address-for-one
        -o smtp_helo_name=helo-for-one
    smtp_two_example .. .. .. .. .. .. smtp
        -o smtp_bind_address=address-for-two
        -o smtp_helo_name=helo-for-two
    ...

Additionally, you may need to reduce process limits in master.cf,
or have smtp_one_example_destination_concurrency_limit etc. settings
in main.cf.

        Wietse
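
An added example, not part of the original thread: a Python check of the A/AAAA and PTR conditions listed in the reply above, applied to the per-transport `-o` overrides in master.cf. The sample master.cf, its host names and addresses are constructed placeholders, and the function names are this example's own.

```python
import socket

# Constructed sample in the style of the master.cf fragment above (placeholder names/addresses).
SAMPLE_MASTER_CF = """\
smtp_one_example unix - - n - - smtp
    -o smtp_bind_address=192.0.2.10
    -o smtp_helo_name=mail.one.example
smtp_two_example unix - - n - - smtp
    -o smtp_bind_address=192.0.2.20
    -o smtp_helo_name=mail.two.example
"""
WANTED = ("smtp_bind_address", "smtp_helo_name")

def parse_transports(text):
    """Return {service: {option: value}} for the two -o overrides checked here."""
    found, service = {}, None
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a new service
            service = toks[0]
        for flag, opt in zip(toks, toks[1:]):
            key, sep, value = opt.partition("=")
            if flag == "-o" and sep and key in WANTED and service:
                found.setdefault(service, {})[key] = value
    return found

def system_dns(kind, value):
    """kind 'addr': addresses of a host name; kind 'ptr': names of an address."""
    try:
        if kind == "addr":
            return {ai[4][0] for ai in socket.getaddrinfo(value, None)}
        return {socket.gethostbyaddr(value)[0]}
    except OSError:                        # lookup failed: treat as no records
        return set()

def check(transports, dns=system_dns):
    """List (service, problem) pairs where HELO name, bind address and PTR disagree."""
    problems = []
    for service, opts in sorted(transports.items()):
        helo, addr = opts.get("smtp_helo_name"), opts.get("smtp_bind_address")
        if not helo or not addr:
            problems.append((service, "needs both smtp_helo_name and smtp_bind_address"))
        elif addr not in dns("addr", helo):
            problems.append((service, f"{helo} has no address record for {addr}"))
        elif helo.lower() not in {p.rstrip(".").lower() for p in dns("ptr", addr)}:
            problems.append((service, f"PTR of {addr} is not {helo}"))
    return problems
```

With no `dns` argument, `check` uses the system resolver, so passing it the parsed contents of the real /etc/postfix/master.cf tests the live configuration.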


Re: Shared postfix server

Jaroslaw Rafa
On 11.10.2020 at 19:03:29, Anthony Ananich wrote:

>
> I'm trying to use a single Postfix instance for serving several domains. So
> let's say the Postfix hostname is mail1.hostmaster.com and it is used to send
> messages on behalf of client1.com and client2.com.
>
> The issue is that these messages are identified by spam filters as
> untrusted. Most of them expect the hostname to match the served domain name.
> In case Postfix sends each domain's outgoing messages from a unique IP and
> this IP is whitelisted using DNS, it seems to make no difference.
>
> I wonder if there is a way to make Postfix use a custom SMTP banner
> (HELO) based on the IP address it is sending the message from?

That's a bad idea, as what most spam filters actually do expect is that
the hostname advertised in HELO matches the actual DNS hostname of the sending
host. Also the forward and reverse DNS should match. "Forging" the HELO
hostname will only count more, and not less, towards your message being
classified as spam.

Your sending server should be either explicitly listed as a trusted source in
the SPF record for domains client1.com, client2.com etc. or at least be an MX
for these domains if there is no SPF record. That should satisfy most
reasonable spam filters.
--
Regards,
   Jaroslaw Rafa
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."