Hi guys, I believe that I already have the answer to this pretty basic setup, but I just wanted to do a quick sanity check.

I'm setting up a backup MX, and for one of the domains that it will relay to, it should do no filtering whatsoever as there is a Symantec device in front of the primary. The device is configured with a catch-all, and I have verified that no backscatter is generated when sending to an invalid address, and the admin of that server wants to review everything coming at him.

The other three domains are very small, servicing less than 80 users total. I had planned to validate the recipient addresses via hash tables... I can automatically generate these... in fact, probably only one table need be present for (I think) only something like 74 users.

Anyway, in addition to the default configuration, I plan to add the following:

/etc/postfix/transport:
example.com   relay:[primary.example.com]
example1.com   relay:[primary.example1.com]
example2.com   relay:[primary.example2.com]
example3.com   relay:[primary.example3.com]

/etc/postfix/example.com:
example.com   OK

/etc/postfix/otherdomains:
us...@example1.com   OK
us...@example3.com   OK
us...@example2.com   OK
us...@example1.com   OK
...
use...@example2.com   OK


main.cf:
# Begin /etc/postfix/main.cf
...
# Domains to accept mail for.
relay_domains = example.com, example1.com, example2.com, example3.com

# IP address is currently unknown (will be replaced with real when determined)
proxy_interfaces = 0.0.0.0

# Map recipient addresses to the primary MX
transport_maps = hash:/etc/postfix/transport

# Validate recipients (except for example.com) and do normal checks
smtpd_recipient_restrictions =
   check_recipient_access hash:/etc/postfix/example.com,
   reject_non_fqdn_sender,
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_rbl_client b.barracudacentral.org,
   reject_rbl_client zen.spamhaus.org,
   check_policy_service unix:postgrey/socket,
   check_recipient_access hash:/etc/postfix/otherdomains,
   reject_unauth_destination,
   reject_unknown_recipient_domain
...
# End /etc/postfix/main.cf

It just seems entirely too simple. Does that config work like I think it will, or am I off in La La land? Also, this server will handle no mail locally. I explicitly ignored 'permit_mynetworks'. I simply use the internal domain name of the site that it is at, since it is not resolvable from the outside world (backupmx.mailhost.local). Additionally, I did not use relay_recipient_maps. Is it still required with the suggested configuration?

TIA

-- DJ Lucas


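An added example, not part of the original post: a simplified Python model of how Postfix walks the posted smtpd_recipient_restrictions list for a single recipient, showing which rule decides and what setting relay_recipient_maps changes. The user names alice and bob, the sample relay recipient table and the helper names are constructed for illustration, and the model assumes the client passes every sender, RBL and greylisting check.

```python
# Simplified model of Postfix's first-match evaluation of the posted
# smtpd_recipient_restrictions for one RCPT TO address (added example).
RELAY_DOMAINS = {"example.com", "example1.com", "example2.com", "example3.com"}

# Constructed stand-ins for the two access(5) tables; the user names are made up.
EXAMPLE_COM_MAP = {"example.com": "OK"}
OTHERDOMAINS_MAP = {"alice@example1.com": "OK", "bob@example2.com": "OK"}

def domain_of(rcpt):
    return rcpt.rsplit("@", 1)[1]

def access_lookup(table, rcpt):
    """access(5) tries the full address first, then the bare domain."""
    return table.get(rcpt) or table.get(domain_of(rcpt)) or "DUNNO"

def reject_unauth_destination(rcpt):
    # Exact domain match only; subdomain matching is left out of this model.
    return "DUNNO" if domain_of(rcpt) in RELAY_DOMAINS else "REJECT"

# Sender, pipelining, FQDN, RBL and postgrey checks do not depend on which
# mailbox is addressed. Assumption: they all pass, so they return DUNNO.
RESTRICTIONS = [
    ("check_recipient_access example.com", lambda r: access_lookup(EXAMPLE_COM_MAP, r)),
    ("client and sender checks", lambda r: "DUNNO"),
    ("check_recipient_access otherdomains", lambda r: access_lookup(OTHERDOMAINS_MAP, r)),
    ("reject_unauth_destination", reject_unauth_destination),
]

def evaluate(rcpt, relay_recipient_maps=None):
    """Return (verdict, deciding rule) for one recipient address."""
    rcpt = rcpt.lower()
    verdict, rule = "OK", "end of list (implicit permit)"
    for name, check in RESTRICTIONS:
        result = check(rcpt)
        if result != "DUNNO":          # first OK or REJECT ends the evaluation
            verdict, rule = result, name
            break
    # smtpd_reject_unlisted_recipient (default: yes) runs after the list, but
    # it only has a table to consult once relay_recipient_maps is set.
    if verdict == "OK" and relay_recipient_maps is not None:
        listed = {rcpt, "@" + domain_of(rcpt)} & set(relay_recipient_maps)
        if not listed:
            return "REJECT", "relay_recipient_maps"
    return verdict, rule

if __name__ == "__main__":
    table = {"@example.com", "alice@example1.com", "bob@example2.com"}
    for addr in ("anyone@example.com", "alice@example1.com", "nosuchuser@example1.com"):
        print(addr, evaluate(addr), evaluate(addr, table))
```

In this model an unlisted address such as nosuchuser@example1.com is accepted under the posted list, because nothing after the otherdomains lookup rejects a recipient in a relay domain. It is rejected only once a relay recipient table is supplied, and an "@example.com" wildcard entry in that table keeps the catch-all domain fully open.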