Recently there have been requests for sending mail with source IP
addresses that depend on the envelope sender. Sometimes the request
appeared to be related to showshoe spamming, and sometimes it
appeared to be a legitimate attempt to protect IP-based domain
reputations of different customers.
Current solution
================
The current solution that Postfix offers is to use multiple instances:
one back-end instance per source IP address, and one front-end
instance that uses sender_dependent_relayhost_maps to choose the
right back-end instance. That is a "heavy" solution, even though
Postfix 2.6 multi-instance support hides most of the complexity.
Past solutions
==============
Attempts to modify existing features for this job make Postfix
harder to explain, or have negative performance impact for content
inspection as with a recent proposal to change the meaning of a
FILTER actions with an empty destination (this would replace FIFO
selection by domain-based round-robin selection).
Going back in time, the old Postfix sender_dependent_routing feature
was withdrawn a few years ago because it replaced ALL mail routing
decisions by sender-based routing. That broke deliveries to local
recipients, and was therefore not good for a general-purpose MTA.
A promising solution
====================
The solution is not to make ALL routing decisions dependent on the
sender address, but ONLY the routing decisions for mail that leaves
the machine.
A sender-dependent default_transport would change the meaning of
default_transport (namely, giving default_transport a lower precedence
than sender_dependent_default_transport_maps) and introduces a few
new parameters.
(It looks like a sender-dependent default_transport would do the
job. It does not seem to make sense to make relay_transport also
sender-dependent, because relay_transport is supposed to be used
only for domains Postfix is MX host for.)
The draft design looks like this:
default_transport (default: smtp)
The default mail delivery transport and next-hop destination for desti-
nations that do not match $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
$relay_domains. In order of decreasing precedence, the nexthop desti-
nation is taken from $default_transport, $sender_dependent_relay-
host_maps, $relayhost, or from the recipient domain. This information
can be overruled with the sender_dependent_default_transport_maps
parameter and with the transport(5) table.
Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
part is optional. For more details see the transport(5) manual page.
Example:
default_transport = uucp:relayhostname
sender_dependent_default_transport_maps (default: empty)
A sender-dependent override for the global default_transport parameter
setting. The tables are searched by the envelope sender address and
@domain. A lookup result of DUNNO terminates the search without over-
riding the global default_transport parameter setting. This informa-
tion is overruled with the transport(5) table.
For safety reasons, this feature does not allow $number substitutions
in regular expression maps.
This feature is available in Postfix 2.7 and later.
empty_address_default_transport_maps_lookup_key (default: <>)
The sender_dependent_default_transport_maps search string that will be
used instead of the null sender address.
This feature is available in Postfix 2.7 and later.
address_verify_sender_dependent_default_transport_maps (default: empty)
Overrides the sender_dependent_default_transport_maps parameter setting
for address verification probes.
This feature is available in Postfix 2.7 and later.
A first stab at some code looks promising. I'll run tests as time
is available, but I am currently busy with reviewing research
proposals, and that will take most cycles until early December.
Wietse
