In message <pine.neb.4.64.1601161549560.26...@pokey.whooppee.com>
Paul Goyette writes:
> While researching to see if I could find a way to fix my other issue
> (how my primary-MX server can differentiate between messages originating
> on my backup-MX server and those that are simply relayed from elsewhere)
> I thought maybe I could configure the backup-MX to use two different
> smtp transports to send messages to my primary machine.
>
> But I'm having difficulty on how to configure this...
>
> It would appear that master.cf is the place to go. And it seems that I
> could easily add a new line similar to
>
>     my_smtp:12345 inet n - n - - smtpd

Better to use this on the secondary where the problem is

    smtp       inet  n  -  n  -  -  smtpd
    submission inet  n  -  n  -  -  smtpd \
        [ use -o ... or -o configpath=/path-to-altconfigdir ]

Note that submission is in /etc/services as is smtp (587 and 25).

On port 25 on the secondary only relay mail that is destined to
mydestination to the primary. Your primary can then always spam check
anything that arrives on port 25.

Use the -o options to only allow your hosts to connect to port 587 and
also to allow relaying the primary MX. Any misconfigured host in your
domain that still sends to port 25 will get relaying to the outside
blocked and then gets spam checked sending mail to you to complain.

Also take a look at http://www.postfix.org/POSTSCREEN_README.html
which explains how to spam filter before queueing and therefore before
relaying to the primary. In the MTA (port 25) postscreen replaces smtpd
in the smtp line but there is more to it, so read the How-To. This is an
extra step but tosses a lot of obvious spam earlier.

btw- Consider a stronger authentication than IP address, but that is
another topic entirely.

> But it's not clear to me if this syntax will define a new listener (in
> which case this would belong on my primary-MX machine) or if this would
> enable an _outgoing_ connection to primary-MX's port 12345 (in which
> case this would belong on the backup-MX machine). And in any case, it
> is definitely not clear what syntax would be used for the inverse case.
>
>
> If I can get this to work, I think I can modify the local_transport
> parameter on the backup machine to use a non-standard TCP port when
> relaying messages to the primary-MX machine. Then, on the primary-MX
> I can specify the dspam content filter only on the standard port, and
> not on the special port.
>
>
>
> +------------------+--------------------------+------------------------+
> | Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
> | (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com   |
> | Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
> +------------------+--------------------------+------------------------+
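
The port 25 / port 587 split described in the reply above, written out as a master.cf fragment for the backup MX. This is an added example, not configuration from either poster. It assumes Postfix 2.10 or later (for smtpd_relay_restrictions), and the 192.0.2.0/24 network is a placeholder for your own hosts.

```conf
# master.cf on the backup MX (added example; network is a placeholder)
# service   type  private unpriv chroot wakeup maxproc command + args

# Port 25: public MX listener. reject_unauth_destination accepts only
# recipients in domains this host handles (mydestination, relay_domains,
# virtual domains); anything else is refused, so port 25 can never be
# used to relay to the outside.
smtp        inet  n       -      n      -      -       smtpd
  -o smtpd_relay_restrictions=reject_unauth_destination

# Port 587: own hosts only. Clients outside mynetworks are rejected at
# connect time; clients inside it may relay anywhere.
# -o values must not contain spaces, so lists are comma-separated.
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o mynetworks=192.0.2.0/24
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
# Stronger than IP-based trust (assumes TLS and SASL are already set up
# in main.cf): require encryption and authenticate the client instead.
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After editing, `postfix check` reports syntax problems and `postconf -M` prints the services as Postfix parsed them.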