Viktor Dukhovni:
> On Sat, Nov 26, 2022 at 04:56:49PM -0500, Wietse Venema wrote:
> > Viktor Dukhovni:
> > > On Sat, Nov 26, 2022 at 08:26:08AM -0500, Wietse Venema wrote:
> > > 
> > > > > For different message routing for submission vs. inbound port 25 see:
> > > > > 
> > > > >     https://www.postfix.org/MULTI_INSTANCE_README.html
> > > > > 
> > > > > One Postfix instance listens on port 25 only, and another on port
> > > > > [submission] only.  Each has their own configuration.  The MSA
> > > > > routes some domains differently than the MTA does.
> > > > 
> > > > This works as long as the number of customers with security gateways
> > > > is small, because it needs one Postfix instance per security gateway.
> > > 
> > > One MSA instance should be sufficient for multiple customers, with:
> > > 
> > >     default_transport = smtp:[mta.example]
> > >     sender_dependent_default_transport_maps = ...
> > 
> > Unfortunately, that would mis-deliver email for local recipients,
> > which is the reason that this thread exists.
> 
> The MSA would have no local recipients, all mail is delivered to the
> MTA or a filter service.  The main thing that requires care is loop
> detection, relaying to the MTA can be via a non-default (!= 25)
> port on the loopback interface, or else one has to muck around with
> distinct settings for myhostname.

I think there is no risk of (false) loop detection between MSA
instance and MTA instance, because the MSA instance is supposed to
send all mail to the security gateway, regardless of destination:

  MSA client -> port 465/587 MSA server -> security gateway -> port 25 MTA server

What happens with messages from remote MTAs? If it looks like this:

  remote MTA -> security gateway -> port 25 MTA server

i.e. the hosted domain's MX records point to the security gateway
service, then the MSA does not need lookup tables to route mail to
the security gateway; it can rely on MX records instead.

I think we need a bit more information from the requestor.

        Wietse
