smtp relay insertion between internet and mx

Fabio Sangiovanni
Hello list,

I need to put a SMTP relay between Internet and my company's mx (which
stores inboxes), in order to do some processing.
Current situation is that the mx receives messages directly from the
Internet, without hops in between; on the mx, postfix is configured to
retrieve allowed recipients from a mysql database, in particular with
the following directives in main.cf:

virtual_mailbox_domains =
     proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
     proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
     proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf

On the relay, I'm going to use a relay domain address class, with the
following directives:

relay_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
relay_recipient_maps =
         proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
         proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf
relay_transport = relay:[my.mx.ip]

At the moment, everything is working as expected; of course my goal is
preserving access policies: I need to accept/reject the same recipients
before and after the relay adoption (smtpd_recipient_restrictions will
also be the same, obviously).
Do you see any outstanding issues in this particular configuration,
provided that the database will be exactly the same? According to the
docs, maps referred by those directives should be identical in syntax,
so a swap shouldn't be problematic.

Summary:
current situation: internet -> mx
wanted configuration: internet -> relay -> mx, with the same allowed
recipients

Please let me know if you need more information on my setup.

Thanks,

Fabio Sangiovanni

Re: smtp relay insertion between internet and mx

Wietse Venema
Fabio Sangiovanni:

> Hello list,
>
> I need to put a SMTP relay between Internet and my company's mx (which
> stores inboxes), in order to do some processing.
> Current situation is that the mx receives messages directly from the
> Internet, without hops in between; on the mx, postfix is configured to
> retrieve allowed recipients from a mysql database, in particular with
> the following directives in main.cf:
>
> virtual_mailbox_domains =
>      proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps =
>      proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
>      proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf
>
> On the relay, I'm going to use a relay domain address class, with the
> following directives:
>
> relay_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> relay_recipient_maps =
>          proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
>          proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf
> relay_transport = relay:[my.mx.ip]

One subtle difference is that for historical reasons relay_domains
matches subdomains by default (i.e. example.com matches foo.example.com)
while virtual_mailbox_domains does not.

To avoid surprises you may want to set parent_domain_matches_subdomains
explicitly, without "relay_domains". You could specify an empty
value, or just "parent_domain_matches_subdomains = smtpd_access_maps".

There are some tips in STANDARD_CONFIGURATION_README to ensure that
Postfix does something reasonable with mail addressed to
user@[gateway-ipaddress].

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

        Wietse
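
A small model of the subdomain-matching difference described in the reply above, added here as an example; it is not part of the thread and not Postfix code. It follows the documented meaning of parent_domain_matches_subdomains, covers domain matching only (not relay_recipient_maps), and uses constructed domain names and hypothetical function names.

```python
# Simplified model of Postfix domain-pattern matching (illustration only).
# Documented rule: when a feature is listed in parent_domain_matches_subdomains,
# the pattern "example.com" also matches subdomains; otherwise an explicit
# ".example.com" pattern is required.

def matches(domain, patterns, parent_matches_subdomains):
    """Return True if `domain` is matched by the list of domain patterns."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # Every proper parent of the domain: foo.example.com -> example.com, com
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    for pat in (p.lower() for p in patterns):
        if pat == domain:
            return True
        for parent in parents:
            wanted = parent if parent_matches_subdomains else "." + parent
            if pat == wanted:
                return True
    return False


def relay_only_domains(domains, probes, pdms_features):
    """Probe domains matched by relay_domains on the relay but not by
    virtual_mailbox_domains on the MX, given the same domain table."""
    relay_parent = "relay_domains" in pdms_features
    return [d for d in probes
            if matches(d, domains, relay_parent)   # relay: relay_domains
            and not matches(d, domains, False)]    # MX: virtual_mailbox_domains


# Constructed sample data standing in for the shared MySQL domain table.
DOMAINS = ["example.com", "example.org"]
PROBES = ["example.com", "foo.example.com", "a.b.example.org", "example.net"]

# Default behaviour per the reply: relay_domains is among the listed features
# (other default entries omitted here because they do not affect the result).
DEFAULT_FEATURES = {"relay_domains", "smtpd_access_maps"}
# The setting suggested in the reply: relay_domains left out.
SUGGESTED_FEATURES = {"smtpd_access_maps"}

if __name__ == "__main__":
    print("default  :", relay_only_domains(DOMAINS, PROBES, DEFAULT_FEATURES))
    print("suggested:", relay_only_domains(DOMAINS, PROBES, SUGGESTED_FEATURES))
```
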

Re: smtp relay insertion between internet and mx

Fabio Sangiovanni
Wietse Venema <wietse <at> porcupine.org> writes:

> One subtle difference is that for historical reasons relay_domains
> matches subdomains by default (i.e. example.com matches foo.example.com)
> while virtual_mailbox_domains does not.
> [...]
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
>
> Wietse

Thanks Wietse, very helpful.

Fabio