Ed W:
> As the OP suggested, a desirable solution would be for the MTA to only
> check the various maps to decide a domain is local *after* having done a
> DNS check to see if the MX record points "to this machine". I.e., the end
> goal is: if the MX record points to some other machine, then we deliver
> to that machine, even if it's listed in our maps as being local...
You can use transport_maps=tcp:host:port etc. to ask an external program for
the MX lookup, and to have that external program decide whether it should
reply with a local mail delivery transport if the MX record points to your
machine. This will drop your mail delivery performance quite a lot, as there
is only one queue manager, and each mail delivery request will be waiting for
the previous transport map lookup to complete.

A better alternative may be check_recipient_mx_access at RCPT TO time.

    smtpd_recipient_restrictions =
        # This example assumes that we are not providing mail relay service
        # or mail submission service.
        ...
        reject_unauth_destination
        check_recipient_mx_access cidr:/etc/postfix/mxnetworks
        ...

    /etc/postfix/mxnetworks:
        # Assuming this is your network with MX servers.
        # (Written as the network address; cidr_table warns about
        # non-zero host bits such as 1.2.3.4/24.)
        1.2.3.0/24      dunno
        # If the MX did not match, reject the request. The ::/0 entry
        # covers IPv6 MX addresses when inet_protocols includes ipv6.
        0.0.0.0/0       reject
        ::/0            reject

This rejects mail when a recipient domain is "claimed" by one of your
customers, but the MX host for the domain is not local. This is better than
doing it at queue manager time, because multiple smtpd processes can do
these MX lookups in parallel.

	Wietse
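The transport_maps=tcp: variant that Wietse describes, as an added example that is not part of the original thread and not Postfix code: a minimal tcp_table(5) responder in Python that answers each "get key" request with a transport(5) result chosen from where the recipient domain's MX records point. The DNS answers (FAKE_MX, FAKE_A), the set of "this machine" addresses and the listening port 2525 are constructed assumptions so that the script runs offline; a deployment would replace the two lookup functions with a real resolver and derive the local address set from inet_interfaces/proxy_interfaces.

```python
"""Minimal Postfix tcp_table(5) responder for transport_maps.

It answers "get <key>" requests with a transport(5) result chosen from
where the recipient domain's MX records point: at this machine -> local:,
elsewhere -> smtp:, no MX data -> a "500" reply so Postfix falls back to
its normal address-class logic.

DNS is simulated with constructed data (an assumption) so the script runs
offline; replace the FAKE_MX/FAKE_A lookups with a real resolver to use it.
"""

import socketserver
from typing import Callable, Iterable, Optional
from urllib.parse import unquote

# Constructed stand-in for DNS answers (assumption, not real zone data).
FAKE_MX = {
    "example.com": ["mail.example.com"],
    "customer.example": ["mx.other-provider.example"],
}
FAKE_A = {
    "mail.example.com": {"192.0.2.10"},
    "mx.other-provider.example": {"198.51.100.7"},
}
# Addresses that mean "this machine" (assumption). In production derive
# this from inet_interfaces / proxy_interfaces instead of hard-coding it.
LOCAL_ADDRESSES = frozenset({"192.0.2.10"})

Lookup = Callable[[str], Optional[Iterable[str]]]


def mx_addresses(domain: str, lookup_mx: Lookup = FAKE_MX.get,
                 lookup_a: Lookup = FAKE_A.get) -> set:
    """IP addresses of every MX host of domain; empty set if no MX data."""
    addresses = set()
    for host in lookup_mx(domain) or ():
        addresses.update(lookup_a(host) or ())
    return addresses


def choose_transport(domain: str, local=LOCAL_ADDRESSES, **resolvers) -> Optional[str]:
    """transport(5) result for a domain, or None when DNS has nothing for it.

    Any MX address of ours counts as "points to this machine". A domain whose
    MX is entirely elsewhere is relayed with "smtp:" (empty nexthop, so Postfix
    does its own MX lookup), even if local maps also claim the domain.
    """
    addresses = mx_addresses(domain, **resolvers)
    if not addresses:
        return None
    return "local:" if addresses & local else "smtp:"


def encode(value: str) -> str:
    """tcp_table(5) encoding: %XX for '%', whitespace and non-printables."""
    return "".join(c if 33 <= ord(c) <= 126 and c != "%" else "%%%02X" % ord(c)
                   for c in value)


def handle_request(line: str) -> str:
    """One tcp_table request line in, one "200/400/500 text" reply line out."""
    line = line.rstrip("\r\n")
    if not line.startswith("get "):
        # transport_maps is read-only; "put" and anything else is an error.
        return "400 only get requests are supported\n"
    key = unquote(line[4:])          # undo the client's %XX encoding
    if key.startswith("."):
        # transport(5) also probes ".parent-domain" keys; this example does
        # no parent-domain matching, so report "not found" for those.
        return "500 no parent-domain matching\n"
    # Keys arrive as user@domain or as a bare domain; keep only the domain.
    domain = key.rsplit("@", 1)[-1].lower()
    if not domain:
        return "500 no domain in key\n"
    transport = choose_transport(domain)
    if transport is None:
        return "500 no MX data for %s\n" % encode(domain)
    return "200 %s\n" % encode(transport)


class TcpTableHandler(socketserver.StreamRequestHandler):
    """One request per line, one reply per line; the connection stays open."""

    def handle(self):
        for raw in self.rfile:
            reply = handle_request(raw.decode("ascii", "replace"))
            self.wfile.write(reply.encode("ascii"))
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf:  transport_maps = tcp:127.0.0.1:2525   (port is an assumption)
    with socketserver.TCPServer(("127.0.0.1", 2525), TcpTableHandler) as server:
        server.serve_forever()
```

Postfix queries transport_maps with the full recipient address before the bare domain, so both key forms reach handle_request; the "500" reply for unknown domains matters because a "not found" result lets Postfix apply its default transport, whereas a "400" would defer the delivery. As the post points out, every one of these lookups is serialized through the single queue manager, which is the cost that makes check_recipient_mx_access the preferable place for this decision.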