On Fri, Dec 24, 2010 at 4:20 PM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
> Roman Gelfand put forth on 12/24/2010 10:45 AM:
>>  I neglected to mention the exchange server, source outbound server,
>> is on internal edge of the dmz.
>
> Bah, you did mention the Exchange server and I just missed it.  The 587
> is more geared toward MUAs like Outlook and TBird.  If you just want to
> relay the mail from _only_ the Exchange server simply have, I think.
>
> mynetworks =  127.0.0.0/8, IP_OF_EXCH_SERVER


Is there a reason I should include localhost?



>
>> On Fri, Dec 24, 2010 at 12:02 AM, Stan Hoeppner <s...@hardwarefreak.com> 
>> wrote:
>>> Roman Gelfand put forth on 12/23/2010 10:01 PM:
>>>
>>>> I am now looking to use the postfix mail gateway, smart host,
>>>> to send mail out.  Specifically, I would like to bypass all of
>>>> the checks done for incoming mail
>>>
>>> If you are referring to user submitted mail to be relayed to the outside
>>> world, you would use the 587 smtpd server for this purpose, configured
>>> very similarly to your re-injection smtpd server, possibly similar to
>>> this example:
>
> I don't know Exchange that well.  If you can tell the IMC (if MS still
> uses that) to relay to a port other than TCP 25 on the Postfix server,
> use something like 10225 instead of 587 below.  If Exch can't do this,
> you'll have to re-enable your standard smtpd listener on TCP 25 and rethink
> the way you've already replaced it with your "straight into the content
> filter" method.
>
>>> 10225      inet  n       -       n       -       -       smtpd
>>>    -o smtpd_enforce_tls=yes
>>>    -o smtpd_sasl_auth_enable=yes
>>>    -o smtpd_client_restrictions=
>>>    -o smtpd_helo_restrictions=
>>>    -o smtpd_sender_restrictions=
>>>    -o content_filter=
>>>    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
>>>    -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks
>>>
>>
>> I am looking to send out exchange outbound email via the postfix
>> server.   Based on what you said, I need to add another server to
>> master.cf to handle outgoing requests. This mail server will be
>> listening on port 587.
>
> Use the 10225 above if you can.
>
>> So, it appears that exchange is handing over the message to postfix's
>> smtpd server.  However, postfix's smtp is, perhaps, sending something
>> that remote server doesn't understand and ultimately times out?
>
> Exchange isn't liking the TLS requirement.  Like I said I don't know if
> you can configure Exchange to do this.  Better use regular non TLS SMTP
> over 10225.
>
>> Dec 24 11:35:47 mail postfix/smtp[4442]: connect to
>> mx1.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out
>> Dec 24 11:36:17 mail postfix/smtp[4442]: connect to
>> mx2.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out
>> Dec 24 11:36:17 mail postfix/smtp[4442]: 0CA34640C3:
>> to=<recei...@targetdomain.com>, relay=none, delay=61,
>> delays=0.45/0.07/60/0, dsn=4.4.1, status=deferred (connect to
>> mx2.targetdomain.com[xx.xx.xx.xx]:25: Connection timed out)
>>
>> 0CA34640C3     2935 Fri Dec 24 11:35:16  sen...@mydomain.com
>>             (connect to mx2.targetdomain.com[xx.xx.xx.xx]:25:
>> Connection timed out)
>>                                         recei...@targetdomain.com
>>
>>  In making the postfix the smart host, I would like to make it very
>> difficult if not impossible to relay emails from sources other than
>> the internal exchange server.  I have noticed you added tls and
>> authentication.  Is that the standard way to lock down relay server?
>
> No, it's not standard.  The TLS/587 instructions I gave you were for
> MUAs.  Try using the master.cf smtpd on 10225 listed above if you
> can tell Exchange to use TCP 10225 in the relay config.
>
> --
> Stan
>
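As an added example (not part of the thread and not Postfix's own code), a small Python model of the first-match evaluation of the quoted listener's smtpd_recipient_restrictions with mynetworks = 127.0.0.0/8 plus the Exchange address. 192.0.2.10 is a constructed stand-in for IP_OF_EXCH_SERVER and 198.51.100.7 a constructed outside client; it shows that the 127.0.0.0/8 entry admits loopback connections (mail submitted on the gateway itself) and that every other client must SASL-authenticate or is rejected.

```python
"""Model of how the quoted 10225 listener decides whether to relay a message.

Re-implements the first-match semantics of
  smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
so the effect of each mynetworks entry can be checked offline.
"""
import ipaddress

# Constructed values: the thread writes IP_OF_EXCH_SERVER as a placeholder.
MYNETWORKS = "127.0.0.0/8, 192.0.2.10"
RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks", "reject"]


def parse_mynetworks(value):
    """Split a mynetworks value (comma and/or space separated) into networks.
    A bare host address becomes a /32, as Postfix treats it."""
    return [ipaddress.ip_network(item, strict=False)
            for item in value.replace(",", " ").split()]


def in_mynetworks(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def relay_decision(client_ip, sasl_authenticated,
                   mynetworks=MYNETWORKS, restrictions=RESTRICTIONS):
    """Walk the restriction list left to right; the first restriction that
    matches decides (permit or reject), non-matching ones are skipped
    (Postfix 'DUNNO').  Returns (decision, restriction_that_decided)."""
    nets = parse_mynetworks(mynetworks)
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", r
        if r == "permit_mynetworks" and in_mynetworks(client_ip, nets):
            return "permit", r
        if r == "reject":
            return "reject", r
    # The list on the page always ends in 'reject', so this is not reached
    # for it; other lists may fall off the end without a decision.
    return "dunno", "end-of-list"


if __name__ == "__main__":
    for ip, auth in [("192.0.2.10", False), ("127.0.0.1", False),
                     ("198.51.100.7", False), ("198.51.100.7", True)]:
        print(ip, "sasl" if auth else "anon", "->", relay_decision(ip, auth))
```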
