On Sat, Nov 26, 2022 at 08:26:08AM -0500, Wietse Venema wrote:
> > For different message routing for submission vs. inbound port 25 see:
> >
> > https://www.postfix.org/MULTI_INSTANCE_README.html
> >
> > One Postfix instance listens on port 25 only, and another on port
> > [submission] only. Each has their own configuration. The MSA
> > routes some domains differently than the MTA does.
>
> This works as long as the number of customers with security gatways
> is small, because it needs one Postfix instance per security gateway.
One MSA instance should be sufficient for multiple customers, with:
default_transport = smtp:[mta.example]
sender_dependent_default_transport_maps = ...
The security gateways may expect customer-specific SASL auth
credentials, in which case one also has to configure sender dependent
SASL credentials (or perhaps TLS client certs).
And of course the MTA has to be an open relay for the filter provider
(IIRC they turn the message around for actual delivery), and I'd want
to make sure that connection is also authenticated.
--
Viktor.
