On Wed, Jan 21, 2015, at 08:40 AM, rogt3...@proinbox.com wrote:
> On Wed, Jan 21, 2015, at 08:32 AM, Noel Jones wrote:
> > Of course, automatic address verification depends on the target
> > server correctly responding to unknown recipients.

I'm putting the pieces of my MULTI_INSTANCE + FIREWALL/GATEWAY together and 
starting to tighten up the MX restrictions.

My goal is for the gateway to only accept mail for valid recipients @ 2 domains

        domain1.com
        domain2.com

and TRY to have those valid-recipients checked by probing a remote/downstream 
mail server that primarily hosts those domains instead of maintaining a 
local/rsync'd list (which remains a possible fallback).

So I'm at the "automatic address verification" step mentioned earlier.

I have three instances

        main (null client)
                postfix-in (postscreen + inject into 'postfix-out')
                postfix-out (forward to a remote mailserver)

The postfix-in instance uses postscreen

        master.cf
                ...
                smtp      inet  n       -       n       -       1       postscreen
                smtpd     pass  -       -       n       -       -       smtpd
                dnsblog   unix  -       -       n       -       0       dnsblog
                tlsproxy  unix  -       -       n       -       0       tlsproxy

On postscreen PASS it hands off to the instance's internal smtpd which then 
injects 

        main.cf
                myhostname = gateway.mydomain.com
                default_transport = smtp:[127.0.0.1]:10026
                local_transport   = $default_transport

into the outbound instance.

        master.cf
                127.0.0.1:10026 inet  n -       n       -       -       smtpd

My logs show postscreen is checking & black/whitelisting like it should, and 
that it does a simple pass to the postfix-out instance.

Without most MX restrictions removed, accepting for all @domain1.com & 
@domain2.com, mail's getting delivered.

That's good.

Now I want to add the RECIPIENT VALIDATION on this gateway -- the step 
discussed above -- using a probe to my remote/main server, mail.mydomain.com

Reading the http://www.postfix.org/ADDRESS_VERIFICATION_README.html I *think* 
that the right instance to do that in is still postfix-in -- right after the 
postscreen PASS to the instance's internal smtpd.

Is that right?  Or does the postfix-out instance need to do the probing?

In either case to do the remote probe, looks like I need to enable it

        relay_recipient_maps =

pick the probe identity

        double_bounce_sender = double-bounce
        address_verify_sender = $double_bounce_sender

set where to store the probe results and leave them persistent

        address_verify_map = lmdb:/var/lib/postfix-in/verify_cache
        address_verify_cache_cleanup_interval = 0

then tell it which host to probe.

Here's where I get confused.
Since both domains 

        domain1.com
        domain2.com

are hosted -- and will be address-probed -- on the same server, is it enough to 
set on the gateway (in whichever instance is the right one)

        address_verify_relayhost         = [mail.mydomain.com]
        address_verify_default_transport = smtp:[mail.mydomain.com]:25

? or do I need to

        address_verify_relayhost         = [mail.mydomain.com]
        address_verify_default_transport = 
        address_verify_transport_maps    = lmdb:${config_directory}/verify_transport

where

        cat ${config_directory}/verify_transport
                domain1.com  smtp:[mail.mydomain.com]:25
                domain2.com  smtp:[mail.mydomain.com]:25

?

I'm pretty sure I'm not doing this quite right, and that I need to be using 
"gateway.mydomain.com" somewhere in this config.  Just can't wrap my head 
around the flow yet.

Roger
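The fragment below is an added illustration, not Roger's configuration and not a reply from the list. It sketches how the remote-probe recipient verification discussed in the post is typically wired into a gateway's receiving instance, using the host and domain names from the post (domain1.com, domain2.com, mail.mydomain.com, /var/lib/postfix-in) as placeholders. The instance that evaluates `reject_unverified_recipient` in its smtpd is the one that issues the probes through its own queue, so the `address_verify_*` settings belong in that same instance; everything else here (the restriction order, the reject code, the map paths) is an assumption for the example.

```conf
# main.cf of the instance whose smtpd enforces recipient restrictions
# (added example; the names below are placeholders taken from the post)

# Accept only the two relayed domains. An empty relay_recipient_maps
# disables the local recipient list so the probe decides instead.
relay_domains       = domain1.com, domain2.com
relay_recipient_maps =

# Probe the downstream server before accepting a recipient.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Default is 450 (temporary failure) so a downstream outage only defers;
# switch to 550 once the probes are known to be reliable.
unverified_recipient_reject_code = 450

# Probe identity and persistent result cache (per-instance path).
address_verify_sender = $double_bounce_sender
address_verify_map    = lmdb:/var/lib/postfix-in/verify_cache
address_verify_cache_cleanup_interval = 0

# Route probes for both domains to the host that actually knows
# the mailboxes, independent of the instance's normal delivery path.
address_verify_transport_maps = lmdb:${config_directory}/verify_transport

# ${config_directory}/verify_transport (build with postmap):
#   domain1.com  smtp:[mail.mydomain.com]:25
#   domain2.com  smtp:[mail.mydomain.com]:25
```

With this layout the gateway's own hostname (gateway.mydomain.com) only appears as `myhostname`; the probe results are what decide acceptance, so after a change it is worth watching the log for `verify` entries and checking that the downstream server really returns a distinct code for unknown recipients, since a server that accepts everything makes the cache say every address is valid.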
