multiple relay servers

Hi All,


Customer asked us to relay their mails to a specific smtp server.

Actually they provided 6 possible destination servers.


When add them to sender_dependent_relayhost_maps postmap complains  
that there are duplicate entries:

@foo.bar [mail1.whatever]:123
@foo.bar [mail2.whatever]:123
@foo.bar [mail3.whatever]:123
etc.


How can I solve this?


Thanks,
Zsombor

Create mail.whatever with A or CNAME records that point to each server.

Then you use:

@foo.bar [mail.whatever]:123

I can' force the customer changing their DNS.

Any postfix solution?

BTW it looks like postfix delivers mails to all the relay servers so  
the postmap warning is a bit misleading as if it won't work.

But this brings up another question: if any of the relay servers can't  
accept mail will postfix try any other relay server in the list at the  
next attempt?


Zsombor

>> How can I solve this?
>
> Create mail.whatever with A or CNAME records that point to each server.
>
> Then you use:
>
> @foo.bar [mail.whatever]:123

Zsombor B:
There can be only one table entry with the name @foo.bar. The
postmap command ignores the rest with a warning.

> How can I solve this?

Postfix 3.5 supports multiple relayhosts:

transport_maps example:
    example.com relay:[mail1.example]:123, [mail2.example]:123, ...

sender_dependent_relayhost_maps example:
    @foo.bar [mail1.example]:123, [mail2.example]:123, ..

This is a fixed order (as if you had multiple records in /etc/hosts).

If these folks want to receive mail in six places, why can't they
set up DNS records like everyone else does?

        Wietse

Hi Wietse,


> Postfix 3.5 supports multiple relayhosts:

Currently we are on 3.2

> If these folks want to receive mail in six places, why can't they
> set up DNS records like everyone else does?

I'm already over this discussion, that's why I have asked the question. :(
Big company, rigid people, dumb rules.


Thanks,
Zsombor



Idézet (Wietse Venema <[hidden email]>):

Zsombor B:
In that case, make up a fake hostname with multiple address records
in /etc/hosts, and configure Postfix "smtp_host_lookup = dns,
native". This asumes that you have "multi on" in /etc/host.conf
on LINUX systems.

Postfix will randomize the order or addresses for the "same" name
(assuming the default "smtp_randomize_addresses = yes" is in effect).

        Wietse

smtp_host_lookup (default: dns)
       What mechanisms the Postfix SMTP client uses to look  up  a  host's  IP
       address.  This parameter is ignored when DNS lookups are disabled (see:
       disable_dns_lookups and smtp_dns_support_level).  THE  "DNS"  MECHANISm
       IS ALWAYS TRIED BEFORE "NATIVE" IF BOTH ARE LISTED.

       Specify one of the following:

       dns    Hosts can be found in the DNS (preferred).

       native Use the native naming service only (nsswitch.conf, or equivalent
              mechanism).

       dns, native
              Use the native service for hosts not found in the DNS.

       This feature is available in Postfix 2.1 and later.

If DNSSEC isn't required for the domain(s) in question (or at least
postfix in this specific case) you might look at RPZ as a way of rewriting
just a single record in the zone: https://www.dnsrpz.info/

On Wed, 21 Oct 2020, IL Ka wrote:

On 10/21/20 11:16 AM, Fred Morris wrote:
> If DNSSEC isn't required for the domain(s) in question (or at least postfix in this specific case) you might look at RPZ as a way of rewriting just a single record in the zone: https://www.dnsrpz.info/

You can also use a local validating recursive resolver (such as
Unbound) and inject a fake record yourself.  Postfix doesn't validate
DNSSEC on its own.  That said, I am not sure how to get Unbound to
lie about the AD bit.

Demi

On 10/21/20 11:16 AM, Fred Morris wrote:
> If DNSSEC isn't required for the domain(s) in question (or at least
> postfix in this specific case) you might look at RPZ as a way of
> rewriting just a single record in the zone: https://www.dnsrpz.info/

Demi M. Obenour:
> You can also use a local validating recursive resolver (such as
> Unbound) and inject a fake record yourself.  Postfix doesn't validate
> DNSSEC on its own.  That said, I am not sure how to get Unbound to
> lie about the AD bit.

Postfix "requests" DNSSEC validation only when the TLS security
level involves DANE support, so lack of DNSSEC validation for a
SPECIFIC name x not necessarily a problem.

However, Postfix 3.6 and later will try to determine if DNSSEC
is available (by default, querying the root zone NS record) and
will log a warning if the response is not DNSSEC validated.
http://www.postfix.org/postconf.5.html#dnssec_probe

So as long as unbound etc. are  transparent for most of DNS,
some selective rewriting should be OK.

        Wietse