On 6/16/2015 10:16 AM, Michael Peter wrote:
> Hi,
>
> I have couple of questions regarding the permit_mynetworks option.

It's generally better to control the scope of mynetworks rather than removing permit_mynetworks. Rather than the entire network, just list localhost and maybe trusted internal hosts that don't AUTH.

>
> 1- is the permit_mynetworks must be added to allow bounces emails from
> postfix? or postfix can still send bounces or undelivered email
> notifications without need to add permit_mynetworks in the
> smtpd_recipient_restrictions?

Bounce notices generated internally by postfix are not subjected to any restrictions. If the bounce is generated by a separate host, that host will need to be listed in mynetworks and permit_mynetworks is required.

>
> 2- Is the permit_mynetworks must be added so the postfix can work properly
> handling the emails ? anyway our users uses sasl authenticate that's why
> we want to remove permit_mynetworks, but we are afraid that this might
> break something in postfix, that's why we want to be double sure. ?
>

If all users must authenticate, it's common to set

  main.cf
  mynetworks = 127.0.0.1, [::1]

so that local processes can submit mail. It's up to you to determine if local processes require submission on your server. If not required in your environment, set mynetworks empty.

  mynetworks =

> -
>
> Also our last question, In case of different case that the mail server is
> secondary mail server , it relays back the email to the primary server
> when it is back.
>
> 3- do we have to add permit_mynetworks in smtpd_recipient_restrictions? so
> the secondary server can send the emails to the primary server (when the
> primary server was down) ? or still the secondary server can send the
> pending emails to the primary server even if permit_mynetworks is not
> written in the smtpd_recipient_restrictions?

If this is a secondary MX delivering to an internal mailstore, generally it is not required to be listed in mynetworks, and permit_mynetworks is not required.

--
Noel Jones
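
An added example, not part of the original message: a small check that reads main.cf-style text and reports whether permit_mynetworks is in use and which mynetworks entries reach beyond loopback, which is the scope question the reply raises. The sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed main.cf fragment (not taken from the thread).
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.1, [::1], 192.168.0.0/16
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""

def parse_main_cf(text):
    """Turn 'name = value' lines into a dict, joining indented continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def review_entries(value):
    """Return mynetworks entries that are not loopback, plus any entry that is
    not a literal address or network (table lookups, file paths, exclusions)."""
    review = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        try:
            # Postfix writes IPv6 as [addr] or [addr]/len; drop the brackets.
            literal = item.replace("[", "").replace("]", "")
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            review.append(item)
            continue
        if not net.is_loopback:
            review.append(str(net))
    return review

def audit(text):
    """Return (permit_mynetworks_used, entries_to_review).
    Only an explicit mynetworks value is checked; when the parameter is absent,
    Postfix derives the list from mynetworks_style, which this does not model."""
    params = parse_main_cf(text)
    used = any("permit_mynetworks" in v for k, v in params.items()
               if k.startswith("smtpd_") and k.endswith("_restrictions"))
    return used, review_entries(params.get("mynetworks", ""))
```

Calling `audit(SAMPLE_MAIN_CF)` flags the 192.168.0.0/16 entry: every host in that range can relay without AUTH as long as permit_mynetworks stays in the restriction list.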