sender_dependent_relayhost_maps problem


Bjoern A. Zeeb
Dear all,

I am confronted with a problem in a mail-cluster of internal, external,
and a 3rd party postfix setup.

For simplicity I’ll reduce the setup to:

MX-I (internal mail relay, user authentication, .., also LMTP delivery)
MX-E (external mail relay, incoming/outgoing)
MX-3 (3rd party mail setup)

The setup itself has been running fine like this for years;  the cluster
uses external (LDAP) lookups for mail routing and delivery.

Now a user needed to authenticate outgoing email to MX-3.  Outgoing and
incoming email for that user is handled by MX-E, the user uses MX-I to
send his emails.

So I thought adding sender_dependent_relayhost_maps on MX-E would do the
trick (I cannot do it for the entire domain/destination MX); and it
partly does, and leads to another problem.

On MX-E:

main.cf:
sender_dependent_relayhost_maps =
         hash:$config_directory/sender_dependent_relayhost

sender_dependent_relayhost:
[hidden email]    [MX-3]:587

salspass:
[hidden email]   login:pass

With this the outgoing email gets properly authenticated to MX-3.

Now sometimes the same email comes back to MX-E via an *alias* (no From:
changes) on MX-3.   MX-E will receive the looped back email from MX-3
and then decides by its transport rules that it should send it to MX-I.

Here’s the problem:  MX-E now tries to do SASL auth to MX-I for this
looped back email and that fails.


Is there any better (simpler) solution than to have a dedicated/split
outgoing or incoming MX for this user?


Thanks for any suggestions,
Bjoern

Re: sender_dependent_relayhost_maps problem

Viktor Dukhovni
On Sun, Jul 28, 2019 at 08:14:38PM +0000, Bjoern A. Zeeb wrote:

> Now sometimes the same email comes back to MX-E via an *alias* (no From:
> changes) on MX-3.   MX-E will receive the looped back email from MX-3
> and then decides by its transport rules that it should send it to MX-I.
>
> Here’s the problem:  MX-E now tries to do SASL auth to MX-I for this
> looped back email and that fails.
>
> Is there any better (simpler) solution than to have a dedicated/split
> outgoing or incoming MX for this user?

Use the "relay" transport for inbound traffic, and the "smtp" transport
only for outbound traffic.  In the "relay" transport disable SASL auth:

    relay unix ... smtp
        -o smtp_sasl_auth_enable=no

--
        Viktor.
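
Added example, not part of the thread and not code from its participants or the Postfix project: a small Python check that reads a master.cf and a transport(5) table and lists the routes whose SMTP client transport would still attempt SASL auth, which is the behaviour the "relay" override above removes for inbound traffic. The sample tables are constructed; the master.cf columns after "unix", the domains, the host names and the function names are assumptions.

```python
# Constructed sample master.cf for MX-E. The columns after "unix" are the
# stock defaults and are an assumption (the thread elides them as "...").
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_sasl_auth_enable=no
"""

# Constructed transport(5) table; domains and host names are hypothetical.
TRANSPORT = """\
internal.example    relay:[mx-i.internal.example]
legacy.example      smtp:[mx-i.internal.example]
"""

def smtp_client_services(master_text):
    """Map each smtp(8) client service in master.cf to its -o overrides."""
    logical = []
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:   # leading whitespace continues an entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    services = {}
    for entry in logical:
        f = entry.split()
        if len(f) < 8 or f[1] != "unix" or f[7] != "smtp":
            continue                        # not an SMTP client service
        args = f[8:]
        services[f[0]] = dict(args[i + 1].split("=", 1)
                              for i, a in enumerate(args[:-1])
                              if a == "-o" and "=" in args[i + 1])
    return services

def routes_with_sasl(master_text, transport_text, main_cf_default="yes"):
    """Return (pattern, next hop) routes whose transport would attempt AUTH."""
    services = smtp_client_services(master_text)
    hits = []
    for line in transport_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, target = line.split(None, 1)
        transport, _, nexthop = target.strip().partition(":")
        opts = services.get(transport)
        if opts is not None and opts.get("smtp_sasl_auth_enable", main_cf_default) == "yes":
            hits.append((pattern, nexthop))
    return hits
```

With the sample tables only the `legacy.example` route is reported, because it still names the "smtp" transport for an internal next hop. Transport entries with an empty transport field are not evaluated by this check.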

Re: sender_dependent_relayhost_maps problem

Bjoern A. Zeeb
On 29 Jul 2019, at 0:56, Viktor Dukhovni wrote:

> On Sun, Jul 28, 2019 at 08:14:38PM +0000, Bjoern A. Zeeb wrote:
>
>> Now sometimes the same email comes back to MX-E via an *alias* (no From:
>> changes) on MX-3.   MX-E will receive the looped back email from MX-3
>> and then decides by its transport rules that it should send it to MX-I.
>>
>> Here’s the problem:  MX-E now tries to do SASL auth to MX-I for this
>> looped back email and that fails.
>>
>> Is there any better (simpler) solution than to have a dedicated/split
>> outgoing or incoming MX for this user?
>
> Use the "relay" transport for inbound traffic, and the "smtp" transport
> only for outbound traffic.  In the "relay" transport disable SASL auth:
>
>     relay unix ... smtp
>         -o smtp_sasl_auth_enable=no

Thanks!