> From: Christian Rößner <c...@roessner-network-solutions.com>
> Date: 28 November 2014 22:16:05 CET
> To: "li...@rhsoft.net" <li...@rhsoft.net>
> Subject: Re: Transport based on next hop
>
>> On 28.11.2014 at 21:33, Christian Rößner <c...@roessner-network-solutions.com> wrote:
>>
>>> On 28.11.2014 at 20:50, "li...@rhsoft.net" <li...@rhsoft.net> wrote:
>>>
>>> On 28.11.2014 at 20:45, Christian Rößner wrote:
>>>>> On 28.11.2014 at 20:26, Wietse Venema <wie...@porcupine.org> wrote:
>>>>>
>>>>> Christian Rößner:
>>>>>> I look for:
>>>>>>
>>>>>> Table:
>>>>>> Lhs            Rhs
>>>>>> mx.some.mta    smtp:[mx.whatever.tld]:1234
>>>>>
>>>>> I have implemented smtp_dns_reply_filter (currently testing), which
>>>>> matches a resource record against a (regular expression) pattern.
>>>>>
>>>>> At the moment it supports IGNORE, but it would not be difficult to
>>>>> implement a REPLACE action. The content of the resource record has
>>>>> been "valid-hostname" sanity checked, so there is little danger of
>>>>> malicious substitutions.
>>>>>
>>>>> Thus, Postfix could do
>>>>>
>>>>> foo.example.com. 12345 IN MX 10 bar.example.com.
>>>>> REPLACE foo.example.com. 12345 IN MX 10 baz.example.net.
>>>>>
>>>>> Similar operations for A/AAAA records, with some limitations (can
>>>>> change the last two fields only, not the fields that are determined
>>>>> by the query itself).
>>>>>
>>>>> Would that solve the problem?
>>>>
>>>> How could a different port be specified? If I do understand your example,
>>>> this only replaces the host, but gives no choice to specify a port
>>>
>>> MTA-to-MTA traffic is typically port 25
>>>
>>> if you need several instances on the same machine talking with each other
>>> consider giving that machine additional IP addresses with their own DNS
>>> names and bind the instance on the IP instead of mangling around
>>> with different ports
>>>
>>> the benefit is that mail routing in that case doesn't need port-hacks and so
>>> can be realized with hostnames in an agnostic way
>>
>> This server already has two ip addresses and routing can not be done on
>> answer decisions. That exactly is the problem here.
>>
>> And the main MTA on port 25 enforces a policy. It doesn't matter, if mail is
>> coming from foreign MTAs or from the relay server on the same host. But it
>> needs a different policy, if the relay server is contacting the main MTA.
>> And this can only be achieved with a different port on the main MTA, as I
>> only can turn off Milters and things in a separate instance.
>>
>> If I add an instance on the main MTA on i.e. port 12325, I can set
>> smtpd_milters empty and mynetworks to the IP of the relay server,
>> restricting smtpd_recipient_restrictions to permit_mynetworks,reject.
>>
>> I can enforce a replacement with:
>>
>> iptables -t nat -A PREROUTING -j DNAT -s ip.of.relay -d ip.of.main.mta -p \
>>     tcp --dport 25 --to-destination ip.of.main.mta:12325
>>
>> That is what I would like to solve cleanly.
>
> I just had a phone call with Robert Schetterer and we both came to the same
> result that customers have to provide data and that I do not have to make
> dirty hacks to make broken settings work in _some_ way.
>
> Sometimes talking is easier than writing.
>
> Thanks to all who helped me to get to this point
>
>
> Christian
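The second listener that the message above describes (a separate smtpd on port 12325 with no milters, mynetworks narrowed to the relay's address, and recipient restrictions of permit_mynetworks,reject), written out as a master.cf entry. This is an added example, not configuration from the thread or from Postfix's own documentation. ip.of.main.mta and ip.of.relay are the placeholder addresses used in the message and stand for real IP addresses; the syslog_name override and the client/relay restriction lines are additions so that the milter-free path is limited to the relay's address at connect time and its log lines can be told apart from port 25 traffic.

```text
# master.cf (added example): extra smtpd bound to the main MTA's address on
# port 12325, reachable only from the local relay instance.
# ip.of.main.mta and ip.of.relay are placeholders; mynetworks needs a real
# address or CIDR such as a.b.c.d/32.
ip.of.main.mta:12325 inet  n  -  n  -  -  smtpd
    -o syslog_name=postfix/relay
    -o smtpd_milters=
    -o non_smtpd_milters=
    -o mynetworks=ip.of.relay
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
```

After `postfix reload`, `postconf -M` shows the resulting service entry. Because the client restriction rejects anything not in the narrowed mynetworks, a connection to the port from any other host is refused before RCPT, and the milter bypass applies only to the relay's address rather than to everything that reaches the port; the `-o` values must contain no whitespace, which is why the restriction lists are comma-separated without spaces.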