Hi,

> > > This should work provided nothing causes the mail to take some other
> > > route. The routing logic is:
> > >
> > > 1. Highest priority, any content_filter override.
> > > 2. Next, the transport(5) table.
> > > 3. Next, the address-class-specific transport, i.e.
> > >    relay_transport for relay_domains, local_transport for
> > >    domains listed in mydestination, ...
> > > 4. Next, default_transport possibly sender-dependent via
> > >    sender_dependent_default_transport_maps.
> >
> > Where would virtual_maps or virtual_alias_domains be processed?
>
> Recipient rewriting via virtual(5) happens early during message input in
> cleanup(8). By the time the message is being delivered any configured
> and not disabled virtual(5) rewriting is complete.
>
> The virtual_alias_domains parameter makes a domain "final", which allows
> mail to these domains to not be rejected by "reject_unauth_destination".
> If, for some reason, a recipient in one of these domains fails to be
> rewritten to some real domain, that recipient will be routed to the
> error(8) transport and will bounce.
I believe I finally got it working properly - thank you for your tremendous
help. I would really appreciate it if I can ask you to review what I've done.
Hopefully this will help someone else configuring postfix multi-instance to
build a mail relay - there is definitely a shortage of modern documentation
beyond the multi-instance readme to follow. I think much of my confusion was
trying to figure out what processing should be done in which instance using
just the shell provided in the multi-instance readme.

postfix-out:
- Why isn't $mynetworks needed when smtpd_recipient_restrictions relies on it
  to determine which mail to accept?
- Under what conditions would I populate both relay_domains and transport_maps?

> The transport table does not override virtual_alias_domains, absent the
> requisite rewrites they bounce regardless of any transport table
> entries.

I think one of the biggest mistakes I made was thinking "transport table"
referred to the transport maps, not the transport in terms of the method used
to transport the data using a socket to another process. I've now configured
the $default_transport to be used for everything and let amavis figure out
whether it should be scanned.

> > Also, if the transport_map instructs postfix to send all mail for the
> > domain to port 10024, and amavisd then sends it back to 10025, how
> > does postfix then know to eventually forward it on to its final
> > destination after the email has been processed?
>
> You say "how does Postfix", as though there is just one Postfix, but you
> have multiple Postfix instances, each configured to do its job.

Yes, and my difficulty was determining which instance should be doing which
job. Another major hurdle for me was determining which settings from the
multi-instance readme needed to be edited from the default based on how I was
using it. I'm hoping I can ask you to review the (edited) output from
"postconf -n" for my postfix-in (postfix-117) and postfix-out.
I've put some of my legacy stuff back in but will go through each
check_client_access, for example, and make sure it's needed.

/etc/postfix-117/main.cf:

alias_database =
alias_maps =
always_bcc = bcc-user
authorized_submit_users = root
body_checks = regexp:$config_directory/body_checks.pcre
bounce_queue_lifetime = 2d
compatibility_level = 2
debug_peer_level = 2
default_database_type = cdb
default_process_limit = 100
default_transport = smtp:[127.0.0.1]:10024
delay_warning_time = 4d
header_checks = pcre:$config_directory/header_checks.pcre
    pcre:$config_directory/header_checks-jimsun.pcre
indexed = ${default_database_type}:${config_directory}/
inet_protocols = ipv4
initial_destination_concurrency = 20
local_header_rewrite_clients =
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mailbox_size_limit = 2000000000
master_service_disable =
maximal_queue_lifetime = 3d
message_size_limit = 29312000
meta_directory = /etc/postfix
mime_header_checks = pcre:$config_directory/mime_header_checks
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-117
queue_directory = /var/spool/postfix-117
inet_interfaces = 209.216.99.117
config_directory = /etc/postfix-117
mydestination =
mynetworks = 127.0.0.0/8, 209.216.99.0/24
policy-spf_time_limit = 3600s
postscreen_access_list = permit_mynetworks,
    cidr:$config_directory/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = score.senderscore.com=127.0.4.[0..19]*5
    score.senderscore.com=127.0.4.[20..29]*4
    score.senderscore.com=127.0.4.[30..49]*3
    score.senderscore.com=127.0.4.[50..59]*2
    score.senderscore.com=127.0.4.[60..69]*1
    score.senderscore.com=127.0.4.[70..79]*-1
    ...
postscreen_dnsbl_threshold = 8
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = static:all 209.216.94.0/24
relay_transport = $default_transport
transport_maps =
unknown_local_recipient_reject_code = 550
virtual_transport = $default_transport
relay_domains = mycompany.com, $mydestination
smtp_data_done_timeout = 1200s
smtp_destination_recipient_limit = 1000
smtp_send_xforward_command = yes
smtp_tls_CAfile = /etc/letsencrypt/chain.pem
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_port_logging = no
smtpd_client_restrictions = permit_mynetworks,
    check_client_access ${indexed}client_checks,
    check_reverse_client_hostname_access pcre:$config_directory/fqrdns-042715a.pcre,
    check_reverse_client_hostname_access pcre:$config_directory/reverse_client_hostname_access.pcre,
    check_client_access cidr:$config_directory/client_access_blocklist
smtpd_helo_restrictions = permit_mynetworks
    check_helo_access ${indexed}helo_checks
    check_helo_access pcre:$config_directory/helo_checks.pcre
    permit
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_sender uri.mykey.invaluement.com,
    check_sender_access ${indexed}check_backscatterer,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/relay_recips_access,
    permit
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access ${indexed}sender_checks,
    check_sender_access pcre:$config_directory/sender_checks.pcre,
    check_sender_access ${indexed}spamsources,
    check_sender_ns_access ${indexed}/blacklist_ns.cf,
    reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom

/etc/postfix-out/main.cf:

alias_database =
alias_maps =
authorized_submit_users = root
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix-out
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-out
debug_peer_level = 2
default_database_type = cdb
indexed = ${default_database_type}:${config_directory}/
inet_interfaces = 127.0.0.1
inet_protocols = ipv4
local_header_rewrite_clients =
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
transport_maps = ${indexed}transport
master_service_disable =
meta_directory = /etc/postfix
milter_default_action = accept
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-out
mydestination =
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix-out
recipient_delimiter = +
smtp_tls_CAfile = /etc/letsencrypt/chain.pem
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
smtpd_authorized_xforward_hosts = $mynetworks
smtpd_client_connection_count_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_port_logging = no
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions =
smtpd_timeout = 1200s
unknown_local_recipient_reject_code = 550

/etc/postfix-out/transport:

mycompany.com smtp:relayhost.com

/etc/postfix-out/master.cf:

127.0.0.1:10025 inet n - n - 16 smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8,209.216.99.0/24
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o local_header_rewrite_clients=
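As an added illustration (not Postfix code, and not written by the author of this message), here is a small Python model of the next-hop selection order quoted at the top of this thread (content_filter, then transport(5), then the address-class transport, then default_transport, with virtual(5) rewriting applied first), followed by a trace of one recipient through the two instances as the postconf -n dumps above configure them. Instance, route and trace are hypothetical names; both instances and the amavisd hop are constructed from the dumps and the mycompany.com transport entry.

```python
from dataclasses import dataclass, field

@dataclass
class Instance:  # the main.cf subset that picks a next hop (hypothetical model, not Postfix code)
    name: str
    default_transport: str = "smtp"
    content_filter: str = ""
    transport_maps: dict = field(default_factory=dict)
    mydestination: set = field(default_factory=set)
    relay_domains: set = field(default_factory=set)
    virtual_alias_domains: set = field(default_factory=set)
    virtual_alias_maps: dict = field(default_factory=dict)
    sender_dependent_default_transport_maps: dict = field(default_factory=dict)
    local_transport: str = "local"
    relay_transport: str = "relay"

def route(inst, sender, recipient):  # -> (final recipient, transport) for one instance
    # 0. virtual(5) alias rewriting is done by cleanup(8), before any routing decision
    recipient = inst.virtual_alias_maps.get(recipient, recipient)
    domain = recipient.rsplit("@", 1)[1]
    if inst.content_filter:  # 1. a content_filter override beats everything else
        return recipient, inst.content_filter
    # 2. transport(5) lookup: full address, domain, .parent domains, then the '*' wildcard
    labels = domain.split(".")
    keys = [recipient, domain] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))] + ["*"]
    for key in keys:
        if inst.transport_maps.get(key):
            return recipient, inst.transport_maps[key]
    # 3. address class: local (mydestination), virtual alias (must already be rewritten), relay
    if domain in inst.mydestination:
        return recipient, inst.local_transport
    if domain in inst.virtual_alias_domains:  # "final" domain, but nothing rewrote it: bounce
        return recipient, "error:5.1.1 User unknown in virtual alias table"
    if domain in inst.relay_domains:
        return recipient, inst.relay_transport
    # 4. default_transport, possibly sender-dependent
    return recipient, inst.sender_dependent_default_transport_maps.get(sender, inst.default_transport)

# Constructed instances mirroring the two postconf -n dumps in this message
POSTFIX_117 = Instance("postfix-117", default_transport="smtp:[127.0.0.1]:10024",
                       relay_transport="smtp:[127.0.0.1]:10024", relay_domains={"mycompany.com"})
POSTFIX_OUT = Instance("postfix-out", transport_maps={"mycompany.com": "smtp:relayhost.com"})

def trace(recipient, sender="someone@example.net"):  # hops: postfix-117 -> amavisd -> postfix-out
    rcpt, nexthop = route(POSTFIX_117, sender, recipient)
    hops = [(POSTFIX_117.name, nexthop)]
    if nexthop.endswith(":10024"):  # amavisd re-injects the scanned message on 127.0.0.1:10025
        hops.append(("amavisd", "smtp:[127.0.0.1]:10025"))
        rcpt, nexthop = route(POSTFIX_OUT, sender, rcpt)
        hops.append((POSTFIX_OUT.name, nexthop))
    return hops
```

The trace makes the division of labour visible: postfix-117 only ever hands mail to amavisd, and it is postfix-out's transport table that decides the real next hop after re-injection.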