Viktor Dukhovni:
> On Sat, Nov 26, 2022 at 08:26:08AM -0500, Wietse Venema wrote:
>
> > > For different message routing for submission vs. inbound port 25 see:
> > >
> > > https://www.postfix.org/MULTI_INSTANCE_README.html
> > >
> > > One Postfix instance listens on port 25 only, and another on port
> > > [submission] only. Each has their own configuration. The MSA
> > > routes some domains differently than the MTA does.
> >
> > This works as long as the number of customers with security gateways
> > is small, because it needs one Postfix instance per security gateway.
>
> One MSA instance should be sufficient for multiple customers, with:
>
>     default_transport = smtp:[mta.example]
>     sender_dependent_default_transport_maps = ...

Unfortunately, that would mis-deliver email for local recipients,
which is the reason that this thread exists.

This is why we need multiple instances (one for port 25 and one for
port 578/465), or a single instance with a "content filter" based
approach.

	Wietse

> The security gateways may expect customer-specific SASL auth
> credentials, in which case one also has to configure sender dependent
> SASL credentials (or perhaps TLS client certs).
>
> And of course the MTA has to be an open relay for the filter provider
> (IIRC they turn the message around for actual delivery), and I'd want
> to make sure that connection is also authenticated.
>
> --
>     Viktor.
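
The following is an added example, not code from this thread or from Postfix: a simplified Python model of transport selection by address class, showing that `sender_dependent_default_transport_maps` replaces only `default_transport`, so recipients in a domain the instance treats as local do not go to the per-sender gateway. All domains, addresses and map entries are constructed, and the gateway hosts `gw-a.example` and `gw-b.example` are hypothetical.

```python
# Simplified model of Postfix transport selection by address class.
# Not Postfix source code; every domain, address and map entry is constructed.

CONFIG = {
    "mydestination": {"corp.example"},      # local address class
    "relay_domains": {"partner.example"},   # relay address class
    "local_transport": "local",
    "relay_transport": "relay",
    "default_transport": "smtp:[mta.example]",
    # sender address -> transport; overrides default_transport only
    "sender_dependent_default_transport_maps": {
        "alice@customer-a.example": "smtp:[gw-a.example]",  # hypothetical gateway
        "bob@customer-b.example": "smtp:[gw-b.example]",    # hypothetical gateway
    },
    # recipient domain -> transport; overrides every class transport
    "transport_maps": {},
}

def address_class(recipient, cfg):
    """Classify the recipient domain as Postfix address classes do (reduced set)."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in cfg["mydestination"]:
        return "local"
    if domain in cfg["relay_domains"]:
        return "relay"
    return "default"

def select_transport(sender, recipient, cfg=CONFIG):
    """Return the transport that would carry sender -> recipient."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in cfg["transport_maps"]:
        return cfg["transport_maps"][domain]
    cls = address_class(recipient, cfg)
    if cls == "local":
        return cfg["local_transport"]
    if cls == "relay":
        return cfg["relay_transport"]
    # Only the default class consults the sender-dependent override.
    per_sender = cfg["sender_dependent_default_transport_maps"]
    return per_sender.get(sender.lower(), cfg["default_transport"])

if __name__ == "__main__":
    for sender, rcpt in [
        ("alice@customer-a.example", "user@outside.example"),
        ("alice@customer-a.example", "staff@corp.example"),
        ("carol@corp.example", "user@outside.example"),
    ]:
        print(f"{sender} -> {rcpt}: {select_transport(sender, rcpt)}")
```
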