This is an excellent help. Just to confirm. You are saying that

1) postfix should be just on a gateway without SASL service
2) the mail gateway should, after doing some filtering, pass the email to the back end server which is dovecot via lmtp.
3) set up virtual users and sasl authentication on dovecot.
4) for outbound email, the user agents should use mail gateway.

Please, let me know if this is what you meant.

Thanks again

On Sun, Nov 4, 2012 at 3:17 PM, Jeroen Geilman <jer...@adaptr.nl> wrote:
> On 11/04/2012 04:09 PM, Roman Gelfand wrote:
>>
>> Consider the following config...
>>
>> postfixF - mail gateway
>> postfixB - backend mail server
>>
>> The mail client agents are pointing to postfixB for outbound email.
>
>
> That sounds backwards. Since the former machine is your mail gateway, surely
> that handles all outgoing mail.
> In case you really meant that it is your MX, there is no reason not to use
> it for both.
>
>
>> Both postfixF and postfixB are authenticating users using saslauthd
>> service. In postfixB's main.cf relayhost postfixF. Assuming the same
>> user/password exists on both servers, is it possible to specify in
>> postfixB's main.cf/master.cf just the user name with which to connect
>> to postfixF?
>
>
> No, that doesn't make sense.
> SASL authentication (whether for relaying or anything else) happens on the
> machine you are authenticating against.
> So it doesn't matter if the SASL user exists on the sending machine; it has
> to exist on the receiving relayhost.
>
> Your setup sounds sub-optimal, since these functions can (and most likely
> should) be combined to offer a robust and simple interface.
>
> I would suggest using a single authentication service to both send and read
> mail, since SASL is easily scaled over multiple machines.
> This saves you from duplicating the user database, and all possible user
> errors that may ensue.
> Since this authentication service will be used on the mailbox store to
> validate IMAP users, it makes most sense to run it from there, especially
> since Dovecot can do both IMAP and SASL exceedingly well.
>
> Furthermore, it is debatable whether postfix is even needed on a backend
> mail store (unless it has to do a lot of routing or manipulation), since
> postfix is an MTA, not a mail store.
>
> --
> J.
>
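
The layout discussed in this thread, as an added configuration example that is not from either poster: postfixF hands mail to Dovecot over LMTP and uses Dovecot on the mail store as its only SASL backend. The host name, domain, address 192.0.2.10 and port 12345 are placeholders, and smtpd_relay_restrictions assumes Postfix 2.10 or later.

```conf
# Added example; host names, domain, address and port 12345 are placeholders.

# ---- postfixF (gateway): main.cf ----
# After filtering, mail for the hosted domain goes to the backend over LMTP.
relay_domains = example.com
relay_transport = lmtp:inet:backend.example.com:24
# Not shown: relay_recipient_maps, so the gateway rejects unknown recipients
# instead of accepting them and bouncing later.

# Authenticate submitting clients against Dovecot on the backend, so no
# saslauthd and no second copy of the user database live on the gateway.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:backend.example.com:12345
smtpd_sasl_security_options = noanonymous
# Offer AUTH only after STARTTLS so passwords never cross in clear text.
smtpd_tls_auth_only = yes
# Relay for authenticated users; everyone else may only reach relay_domains.
# (Before Postfix 2.10, put these in smtpd_recipient_restrictions.)
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

# ---- backend (mail store): dovecot.conf, Dovecot 2.x ----
protocols = imap lmtp

service auth {
  # SASL endpoint used by postfixF. This listener is unauthenticated and
  # unencrypted: bind it to an internal address and firewall it so that
  # only the gateway can connect.
  inet_listener {
    address = 192.0.2.10
    port = 12345
  }
}

service lmtp {
  # LMTP endpoint that receives filtered mail from postfixF.
  inet_listener lmtp {
    address = 192.0.2.10
    port = 24
  }
}
```

Running `postconf -n` on the gateway and `doveconf -n` on the backend shows the non-default settings each side actually loaded.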