On Wednesday, December 18, 2024 06:05 AEST, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

Kenneth Porter via Postfix-users:
> The biggest headache I had when I used a backup MX was avoiding
> backscatter. So I tweaked my milter on the primary to always accept mail
> from the backup and never reject/bounce it. If necessary, silently drop
> spam.
>
> Alas, secondaries tend to be targets for spammers, on the assumption
> they get less attention by admins and have weaker spam rules. If you run
> SpamAssassin, you could add a small extra score for mail coming through
> the secondary when the primary is known to be up.

That may raise false rejects when the primary and secondary MX are on
different networks, and for some reason the path client -> primary has a
temporary outage that does not affect the path client -> backup -> primary.

Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Thanks all for the advice.

I have set up a trial secondary MX on a less-used alternate domain.

* I have enabled postscreen, as per the primary MX
* I have added relay_domains, set the relay_recipients file contents, and increased maximal_queue_lifetime
* I have added a DNS MX record
* As the new VPS also sends logwatch update emails to my main email domain (which it is not yet a relay for, so it needs to send to the primary MX), I have added the VPS address to mynetworks and spamassassin's trusted addresses on the primary MX, and to my SPF record (as it sends ‘from’ the domain). Will this have any unintended consequences?

Questions:

How does the secondary MX know to transport to the primary when it is back online? (Some online “guides” talk about editing transports, but the postfix documentation does not.)

My primary MX has updated since earlier Postfix versions, and so has a set of smtp_recipient_restrictions - is smtpd_recipient_restrictions the right place to put them on the Secondary MX's config (postfix 3.5)? How do these interact with smtpd_relay_restrictions?

Thanks
Simon

Primary server smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_rhsbl_sender {obscured}.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_helo {obscured}.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_reverse_client {obscured}.dbl.dq.spamhaus.net=127.0.1.[2..99],
    permit

Secondary MX current config:

[root@bl03 postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 14d
message_size_limit = 26214400
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = bl03.simonandkate.net
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = {obscured}.zen.dq.spamhaus.net=127.0.0.[2..255]*5 bl.mailspike.net*2 b.barracudacentral.org*2 dnsbl.sorbs.net hostkarma.junkemailfilter.com=127.0.0.2*2 hostkarma.junkemailfilter.com=127.0.0.4 hostkarma.junkemailfilter.com=127.0.1.2 list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-1 hostkarma.junkemailfilter.com=127.0.1.1*-1
postscreen_dnsbl_threshold = 5
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = simonmwilson.net
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_security_level = may
smtpd_recipient_restrictions =
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550

--
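An added example, not part of the thread or of Postfix: a small Python check over `postconf -n` output for the backup-MX settings the message above lists (relay_domains, relay_recipient_maps, reject_unauth_destination), which are the ones that decide whether the secondary relays only the intended domain and rejects unknown recipients instead of bouncing them later. The function names and the sample text (a subset of the posted config) are constructed here, and a parameter missing from the output is treated as unset, which is an assumption.

```python
import re

# Constructed sample: a subset of the secondary MX's `postconf -n` output from the post.
SAMPLE = """\
maximal_queue_lifetime = 14d
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
relay_domains = simonmwilson.net
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions =
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
"""

def parse_postconf(text):
    """Parse 'name = value' lines into {name: [tokens]}; values may contain '='."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return params

def audit_backup_mx(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_postconf(text)
    findings = []
    relay = p.get("relay_domains", [])
    if not relay:
        findings.append("relay_domains not set: no domain is accepted for relay")
    if not p.get("relay_recipient_maps"):
        findings.append("relay_recipient_maps not set: unknown recipients are "
                        "accepted and bounced later (backscatter)")
    checks = p.get("smtpd_relay_restrictions", []) + p.get("smtpd_recipient_restrictions", [])
    if "reject_unauth_destination" not in checks:
        findings.append("reject_unauth_destination missing from relay/recipient restrictions")
    both = sorted(set(relay) & set(p.get("mydestination", [])))
    if both:
        findings.append("listed in both relay_domains and mydestination: " + ", ".join(both))
    return findings

if __name__ == "__main__":
    print(audit_backup_mx(SAMPLE) or "no findings")
```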