On Wed, Jul 10, 2013 at 01:24:10AM +0400, Fred Zinsli wrote:

> Thank you for clarifying my technical ineptitude. But I thought it would
> have been obvious that I had limited technical knowledge by the content of
> my message. And rather than flame me, you may have been a little more
> constructive.
> 
> As far as I can make out, postfix can tell the nature of a connection via
> the PTR (rDNS) record information, although this can be modified on
> request. It is that information I was alluding to, as postfix does use that
> information within the relaying_stoplist to prevent just that.
> 
> So given my secondary (backup) MX server is on one of those types of
> connection, how do I allow it to connect to my primary server when it
> returns to service given I have not modified the relaying_stoplist file?
> 
> Now whilst I may have used some incorrect terms. Think about my puny
> little brain, and how technically inept you were when you were getting
> into IT.

On the primary MX host, there is no need to adjust relay controls
to permit access from secondary MX hosts, after all the mail queued
by the secondary is *inbound* mail.

All you need to do is not subject the secondary to anti-spam
controls, since all the anti-spam controls must be done by the host
that processes the original third-party mail transaction.

Therefore, all you need is:

  main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_client_access cidr:${config_directory}/2mx.cidr,
        ... anti-spam controls if any ...

  2mx.cidr:
        # Actual IP     OK comment text so you know why later
        192.0.2.1       OK secondary MX smtp.example.net

Replace 192.0.2.1 and smtp.example.net with the correct data.

With Postfix 2.10 your anti-relay controls may be separate:

      smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

and if that's the case then the recipient restrictions are for anti-spam
only, but still need to allow white-listed clients (mynetworks and SASL)
and thus become:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access cidr:${config_directory}/2mx.cidr,
        ... anti-spam controls if any ...

-- 
        Viktor.
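
Added example (not part of the original message, and not Postfix code): a simplified Python model of first-match evaluation for the first smtpd_recipient_restrictions list above, showing why the 2mx.cidr lookup sits after reject_unauth_destination. The domain example.com, the FLAGGED set and the antispam_placeholder entry are constructed assumptions standing in for the real destinations and the "..." anti-spam line.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the message above).
MYNETWORKS = ["127.0.0.0/8"]
LOCAL_DOMAINS = {"example.com"}            # domains the primary MX accepts mail for
FLAGGED = {"192.0.2.1", "198.51.100.7"}    # clients the anti-spam controls would reject
TWO_MX_CIDR = """
# Actual IP     OK comment text
192.0.2.1       OK secondary MX smtp.example.net
"""

def parse_cidr_table(text):
    """Return (network, action) pairs from 'pattern action comment' lines, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split()[:2]
            rules.append((ipaddress.ip_network(pattern), action.upper()))
    return rules

def evaluate(restrictions, client_ip, rcpt_domain, sasl_user=None):
    """Walk the list in order; the first PERMIT or REJECT ends evaluation."""
    ip = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "PERMIT", name
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "PERMIT", name
        elif name == "reject_unauth_destination":
            if rcpt_domain not in LOCAL_DOMAINS:
                return "REJECT", name
        elif name == "check_client_access":
            for net, action in parse_cidr_table(TWO_MX_CIDR):
                if ip in net:                      # first matching pattern decides
                    if action in ("OK", "REJECT"):
                        return ("PERMIT" if action == "OK" else "REJECT"), name
                    break                          # any other action: keep going
        elif name == "antispam_placeholder":       # hypothetical stand-in for the "..." line
            if client_ip in FLAGGED:
                return "REJECT", name
    return "PERMIT", "end_of_list"

AS_POSTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "check_client_access", "antispam_placeholder"]
# Same entries with the whitelist moved ahead of the relay check (the order to avoid).
MISORDERED = ["permit_mynetworks", "permit_sasl_authenticated",
              "check_client_access", "reject_unauth_destination", "antispam_placeholder"]
```

With AS_POSTED the secondary MX skips the anti-spam stage only for mail addressed to local domains; with MISORDERED the same OK entry would also let it relay to any destination.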
