>> This server already has two ip addresses and routing can not be done on
>> answer decisions. That exactly is the problem here.
>>
>> And the main MTA on port 25 enforces a policy.
>
> As you told in a previous message you run multiple instances on one host.
> I assume you have a clean setup about which instance uses which ip address.
> -> inet_interfaces = ${myhostname}
>
> In that case I suggest to setup a secondary address on the loopback interface.
> The "main MTA" could listen there with a separate smtp instance (without
> policy)
> and the "relay MTA" could use that IP replaced by the DNS filter Wietse
> mentioned.

After a call with Robert and one night of sleep, I found a good solution.

My former policy was to check for SPF, DKIM, DMARC only on MX-in. Now I also added these policies to submission and the relay server and it works. With these new policies, a customer can not inject mail with bogus headers. This also prevents my system from sending spam from infected websites that have modified the sender addresses.

I love this solution. The downside is that mail delivery is slightly slower. But I think this is okay. Fighting problems at the source.

Thanks to all of you

Christian

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
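
The check that stops a customer from injecting mail with a bogus header From is DMARC identifier alignment. The sketch below is an added example, not part of the original message and not the poster's configuration. The function names, the sample messages and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def org_domain(domain):
    # Assumption: simplified organizational domain (last two labels).
    # A real DMARC evaluator derives this from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def header_from_domain(raw_message):
    """Return the single header From domain, or None if absent or ambiguous."""
    msg = message_from_string(raw_message)
    addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if "@" in a]
    if len(addrs) != 1:
        return None  # zero or several From addresses: nothing to align against
    return addrs[0].rsplit("@", 1)[1].lower()


def dmarc_aligned(raw_message, spf_pass_domain=None, dkim_pass_domains=(),
                  strict=False):
    """True if an SPF- or DKIM-authenticated domain aligns with header From.

    spf_pass_domain: envelope sender domain that passed SPF (or None).
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    """
    from_dom = header_from_domain(raw_message)
    if from_dom is None:
        return False
    norm = (lambda d: d.lower().rstrip(".")) if strict else org_domain
    authenticated = [d for d in (spf_pass_domain, *dkim_pass_domains) if d]
    return any(norm(d) == norm(from_dom) for d in authenticated)


# Constructed sample messages (not taken from the thread).
FORGED = ("From: Billing <billing@bank.example>\n"
          "To: someone@example.net\nSubject: Invoice\n\nbody\n")
HONEST = ("From: Shop <noreply@mail.customer.example>\n"
          "To: someone@example.net\nSubject: Order\n\nbody\n")
TWO_FROM = ("From: a@customer.example, b@bank.example\n"
            "Subject: x\n\nbody\n")

if __name__ == "__main__":
    # Envelope sender passed SPF for customer.example in all three cases.
    for name, raw in (("forged", FORGED), ("honest", HONEST), ("two", TWO_FROM)):
        print(name, dmarc_aligned(raw, spf_pass_domain="customer.example"))
```
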