DJ Lucas wrote:
Hi guys, I believe that I already have the answer to this pretty basic
setup, but I just wanted to do a quick sanity check.
I'm setting up a backup MX, and for one of the domains that it will
relay to, it should do no filtering whatsoever as there is a Symantec
device in front of the primary. The device is configured with a
catch-all, and I have verified that no backscatter is generated when
sending to an invalid address, and the admin of that server wants to
review everything coming at him.
The other three domains are very small, servicing less than 80 users
total. I had planned to validate the recipient addresses via hash
tables... I can automatically generate these... in fact, probably only one
table need be present for (I think) only something like 74 users.
Carefully consider if a backup MX is really needed... They are
nothing but spam magnets.
Make sure the Symantec gateway really eats *everything* thrown
at it. Anything it rejects will cause you to generate a
bounce. Send enough bogus bounces and YOU will get blacklisted.
Did you read the postfix docs about setting up a backup MX?
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
Anyway, in addition to the default configuration, I plan to add the
following:
/etc/postfix/transport:
example.com relay:[primary.example.com]
example1.com relay:[primary.example1.com]
example2.com relay:[primary.example2.com]
example3.com relay:[primary.example3.com]
OK.
/etc/postfix/example.com:
example.com OK
/etc/postfix/otherdomains:
us...@example1.com OK
us...@example3.com OK
us...@example2.com OK
us...@example1.com OK
...
use...@example2.com OK
Since you're using this as an access map, you'll need to
explicitly reject the ones that don't match. Add:
example1.com REJECT 5.1.1 no recipient by that name
example2.com REJECT 5.1.1 no recipient by that name
example3.com REJECT 5.1.1 no recipient by that name
main.cf:
# Begin /etc/postfix/main.cf
...
# Domains to accept mail for.
relay_domains = example.com, example1.com, example2.com, example3.com
OK.
# IP address is currently unknown (will be replaced with real when determined)
proxy_interfaces = 0.0.0.0
# Map recipient addresses to the primary MX
transport_maps = hash:/etc/postfix/transport
# Validate recipients (except for example.com) and do normal checks
smtpd_recipient_restrictions =
reject_unauth_destination should go here.
check_recipient_access hash:/etc/postfix/example.com,
OK, example.com is whitelisted from further checks.
reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_unauth_pipelining is ineffective here. Put it under
smtpd_data_restrictions instead.
reject_non_fqdn_recipient,
reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
check_policy_service unix:postgrey/socket,
check_recipient_access hash:/etc/postfix/otherdomains,
reject_unauth_destination,
You should move reject_unauth_destination to the top of the list.
reject_unknown_recipient_domain
This will never fire - you've accepted the domains you relay
for, and rejected the ones you don't. Nothing is left.
...
# End /etc/postfix/main.cf
It just seems entirely too simple. Does that config work like I think
it will, or am I off in La La land? Also, this server will handle no
mail locally. I explicitly ignored 'permit_mynetworks'.
Usually one would set "mynetworks = 127.0.0.1" and use
permit_mynetworks, but this isn't a requirement.
I simply use
the internal domain name of the site that it is at, since it is not
resolvable from the outside world (backupmx.mailhost.local).
Additionally, I did not use relay_recipient_maps; is it still required
with the suggested configuration?
While it's usually better to stick with the "standard" config,
you're OK as is. You should probably document what you've
done so you remember what you did and why 10 months from now.
TIA
-- DJ Lucas
--
Noel Jones
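As an added illustration of the advice above (this is not code from the thread or from Postfix itself), the script below generates the transport and recipient access maps the way Noel describes, with every known recipient marked OK and a domain-wide REJECT for the validated domains, emits the corrected restriction order (reject_unauth_destination first, reject_unauth_pipelining under smtpd_data_restrictions, reject_unknown_recipient_domain dropped), and simulates Postfix's access(5) lookup to show why the domain REJECT lines are needed. The user list and primary host names are constructed sample data, the lookup simulation only covers the full-address and bare-domain keys, and the output directory stands in for /etc/postfix.

```shell
#!/bin/sh
# Added example, not code from the thread: it generates the access and
# transport maps Noel describes (known recipients OK, a domain-wide REJECT
# for the validated domains) and emits the corrected restriction order.
# All addresses and host names below are constructed sample data.
set -eu

# Constructed stand-in for DJ's automatically generated user list.
USERS='user1@example1.com
user2@example1.com
user3@example2.com
user4@example3.com'

# Domains that get per-recipient validation; example.com is relayed unfiltered.
VALIDATED_DOMAINS='example1.com example2.com example3.com'

# Domain -> primary MX pairs for the transport map (hypothetical host names).
build_transport_map() {
    for d in example.com $VALIDATED_DOMAINS; do
        printf '%s relay:[primary.%s]\n' "$d" "$d"
    done
}

# Access map: every known recipient OK, then a domain-wide REJECT so that an
# unknown user in a validated domain is refused rather than passed through.
build_otherdomains_map() {
    printf '%s\n' "$USERS" | while IFS= read -r addr; do
        if [ -n "$addr" ]; then printf '%s OK\n' "$addr"; fi
    done
    for d in $VALIDATED_DOMAINS; do
        printf '%s REJECT 5.1.1 no recipient by that name\n' "$d"
    done
}

# Simplified access(5) lookup: Postfix tries the full address first and then
# the bare domain (it also tries "user@" and, optionally, parent domains,
# which this simulation omits).  Prints the winning action, or DUNNO.
lookup_recipient() {
    map=$1; addr=$2
    domain=${addr#*@}
    for key in "$addr" "$domain"; do
        action=$(printf '%s\n' "$map" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -n "$action" ]; then printf '%s\n' "$action"; return 0; fi
    done
    printf 'DUNNO\n'
}

# Corrected main.cf fragment: reject_unauth_destination first, pipelining
# check moved to smtpd_data_restrictions, and the never-firing
# reject_unknown_recipient_domain dropped.
corrected_restrictions() {
    cat <<'EOF'
smtpd_recipient_restrictions =
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/example.com,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:postgrey/socket,
    check_recipient_access hash:/etc/postfix/otherdomains
smtpd_data_restrictions = reject_unauth_pipelining
EOF
}

# Write the three map files under DIR (stands in for /etc/postfix) and
# compile them with postmap when it is installed.
write_maps() {
    dir=$1
    build_transport_map > "$dir/transport"
    printf 'example.com OK\n' > "$dir/example.com"
    build_otherdomains_map > "$dir/otherdomains"
    if command -v postmap >/dev/null 2>&1; then
        for f in transport example.com otherdomains; do postmap "hash:$dir/$f"; done
    fi
}

# Demonstration: show the map and how three recipients would be treated.
MAP=$(build_otherdomains_map)
printf '%s\n\n' "$MAP"
for a in user1@example1.com nobody@example1.com anyone@example.com; do
    printf '%-22s -> %s\n' "$a" "$(lookup_recipient "$MAP" "$a")"
done
```

Running it prints the generated otherdomains map followed by the three lookups: the known user resolves to OK, the unknown user in example1.com hits the domain-wide REJECT, and an example.com address gets DUNNO from this map because that domain is whitelisted earlier by the separate example.com access map. Without the REJECT lines, the unknown user would also fall through as DUNNO and be relayed, which is the gap Noel points out. After writing the files to the real /etc/postfix, run postmap on each and reload Postfix.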