On Thu, Mar 14, 2013 at 03:19:59PM +0100, Ansgar Wiechers wrote:

> On 2013-03-14 Gerald Vogt wrote:
> > On 14.03.2013 12:10, DTNX Postmaster wrote:
> >>> It seems easier to me to keep the configuration on 100+ servers as
> >>> simple as possible and do all the rewriting on the central relays.
> >>> Seems to be the better approach to me. That's why I came up with
> >>> this.
> >> 
> >> Solve the problem at the source; masquerade on each individual
> >> server, and avoid jumping through hoops on the central relay.
> >> 
> >> Easier to maintain. Scales better, too.
> > 
> > IMHO, maintaining consistent postfix configurations on 100+ servers is
> > definitively harder than a handful of relay servers with a fixed
> > configuration on the other servers.
> 
> That's what configuration management was invented for. You may want to
> look into puppet et al.

There's nothing to manage, just set "myorigin = $mydomain" on each
null client, and enable masquerading there.  Null clients only
receive mail from local submission (and loopback:25) so doing
masquerading there is safe and natural.

The MULTI_INSTANCE_README.html document happens to contain a
reasonably complete null-client recipe, start there and tweak to
requirements.  Once configured, these stay stable.

As for mailhubs, my advice is to separate the MSA mailhub
(the one the null clients are configured to send to), from
the MTA mailhub (the one routing internal mail to various
mailbox servers and to the outside).

The MSA mailhub can also do masquerading safely, and recipient
validation is not an issue there, it does not receive mail from
outside.

All this assumes an organization large enough that masquerading is
of some interest in the first place, and you have lots of sub-domains,
and multiple IP addresses to play with to deploy dedicated service
endpoints.

-- 
        Viktor.
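
A null-client main.cf along the lines this message describes, as an added example that is not part of the original post or taken from the Postfix documentation. The domain example.com and the relay host msa.example.com are placeholders.

```conf
# /etc/postfix/main.cf on a null client (added example; all names are placeholders)

# Mail submitted locally as "user" goes out as user@example.com.
mydomain = example.com
myorigin = $mydomain

# Accept mail only from local submission and loopback:25,
# which is what makes masquerading here safe.
inet_interfaces = loopback-only
mynetworks_style = host

# No local delivery on this host: nothing is a local destination,
# and everything is handed to the MSA mailhub.
mydestination =
local_transport = error:5.1.1 local delivery disabled on this host
relayhost = [msa.example.com]

# Masquerading: strip host and sub-domain parts below $mydomain,
# so user@host.sub.example.com becomes user@example.com.
masquerade_domains = $mydomain
# Default classes, listed explicitly: envelope recipients are not rewritten.
masquerade_classes = envelope_sender, header_sender, header_recipient
```

After a reload, `postconf -n` on the client lists exactly these non-default settings, which makes drift between the 100+ hosts easy to spot.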
