Roman Gelfand put forth on 12/24/2010 10:45 AM:

> I neglected to mention the exchange server, source outbound server,
> is on internal edge of the dmz.

Bah, you did mention the Exchange server and I just missed it. The 587 is more geared toward MUAs like Outlook and TBird. If you just want to relay the mail from _only_ the Exchange server, simply have, I think:

mynetworks = 127.0.0.0/8, IP_OF_EXCH_SERVER

> On Fri, Dec 24, 2010 at 12:02 AM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
>> Roman Gelfand put forth on 12/23/2010 10:01 PM:
>>
>>> I am now looking to use the postfix mail gateway, smart host,
>>> to send mail out. Specifically, I would like to bypass all of
>>> the checks done for incoming mail
>>
>> If you are referring to user submitted mail to be relayed to the outside
>> world, you would use the 587 smtpd server for this purpose, configured
>> very similarly to your re-injection smtpd server, possibly similar to
>> this example:

I don't know Exchange that well. If you can tell the IMC (if MS still uses that) to relay to a port other than TCP 25 on the Postfix server, use something like 10225 instead of 587 below. If Exch can't do this, you'll have to re-enable your standard smtpd listener on TCP 25 and rethink the way you've already replaced it with your "straight into the content filter" method.

>> 10225 inet n - n - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=
>>   -o smtpd_helo_restrictions=
>>   -o smtpd_sender_restrictions=
>>   -o content_filter=
>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
>>   -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks
>>
>
> I am looking to send out exchange outbound email via the postfix
> server. Based on what you said, I need to add another server to
> master.cf to handle outgoing requests. This mail server will be
> listening on port 587.

Use the 10225 above if you can.

> So, it appears that exchange is handing over the message to postfix's
> smtpd server. However, postfix's smtp is, perhaps, sending something
> that remote server doesn't understand and ultimately times out?

Exchange isn't liking the TLS requirement. Like I said, I don't know if you can configure Exchange to do this. Better use regular non-TLS SMTP over 10225.

> Dec 24 11:35:47 mail postfix/smtp[4442]: connect to
> mx1.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out
> Dec 24 11:36:17 mail postfix/smtp[4442]: connect to
> mx2.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out
> Dec 24 11:36:17 mail postfix/smtp[4442]: 0CA34640C3:
> to=<recei...@targetdomain.com>, relay=none, delay=61,
> delays=0.45/0.07/60/0, dsn=4.4.1, status=deferred (connect to
> mx2.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out)
>
> 0CA34640C3     2935 Fri Dec 24 11:35:16  sen...@mydomain.com
> (connect to mx2.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out)
>                                          recei...@targetdomain.com
>
> In making the postfix the smart host, I would like to make it very
> difficult if not impossible to relay emails from sources other than
> the internal exchange server. I have noticed you added tls and
> authentication. Is that the standard way to lock down relay server?

No, it's not standard. The TLS/587 instructions I gave you were for MUAs. Try using the master.cf smtpd on 10225 listed above if you can tell Exchange to use TCP 10225 in the relay config.

-- 
Stan
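As an added example (not Stan's or Roman's configuration), the following main.cf and master.cf fragments implement the closing advice in this message: a dedicated 10225 listener speaking plain SMTP, no SASL or TLS, that relays only for the Exchange host and skips the inbound content filter. The addresses are placeholders: 192.0.2.1 stands for the gateway's internal-facing interface and 192.0.2.25 for the Exchange server.

```conf
# ---- main.cf (added example; addresses are placeholders) ----
# permit_mynetworks trusts by client IP, so list only loopback and the
# Exchange server. A /32 is deliberate: a whole DMZ subnet here would let
# every host on it relay through this gateway.
mynetworks = 127.0.0.0/8, 192.0.2.25/32

# Default for any smtpd that does not override it (e.g. a port 25 listener):
# accept mail for our own domains, relay for mynetworks, never for anyone else.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# ---- master.cf (added example) ----
# Outbound relay listener for Exchange only. Binding the service to the
# internal-facing address keeps port 10225 off the DMZ's outer interface;
# the client restriction below rejects anything that still reaches it.
192.0.2.1:10225 inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/exchange-relay
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks
```

Two caveats a practitioner would check. First, the `-o` values must contain no whitespace (commas only, as above); the `{ name = value }` form that tolerates spaces only exists from Postfix 3.0 on. Second, the trust here is purely IP-based: anyone who can source packets from 192.0.2.25, or who compromises Exchange itself, can relay through this port, so the firewall rules between the DMZ segments should only allow that one host to reach 10225. After editing, run `postconf -n` and `postfix check`, then connect to 10225 from a host that is not Exchange and issue a `RCPT TO` for an external domain: the expected result is a `554 5.7.1 ... Access denied` reject, not a queued message.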