On 27/11/2022 11:46 AM, Wietse Venema wrote:
> I think there is no risk of (false) loop detection between MSA
> instance and MTA instance, because the MSA instance is supposed to
> send all mail to the security gateway, regardless of destination:
>
>    MSA client -> port 465/587 MSA server -> security gateway -> port 25 MTA server


I believe I should have mentioned that submission and MTA have different addresses configured. Something like this:

submission              inet n - y - - smtpd
smtpin.example.org:smtp inet n - y - - smtpd

I think there's no risk of a loop happening in this setup you mentioned as the security gateway would never deliver a message to the MSA (because of the different addresses).

> What happens with messages from remote MTAs? If it looks like this:
>
>    remote MTA -> security gateway -> port 25 MTA server
>
> i.e. the hosted domain's MX records point to the security gateway
> service, then the MSA does not need lookup tables to route mail to
> the security gateway; it can rely on MX records instead.

The hosted domains that use security gateways do set up the MX records pointing to it, so the MSA could indeed rely only on the MX records.

I think this setup with two instances, with the MSA instance having no local recipients, would work. I was looking for a way to reach the same conclusion (MSA not being aware of local recipients, thus always forwarding to the domain's MX) using a single instance, but there's no way because of qmgr's lookups.

From what you two concluded, there's no way to reach this behavior without splitting the instances, am I correct?
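An added configuration sketch (not from the thread) of the two-instance layout discussed above: an MSA instance with no local recipients that routes every message by the recipient domain's MX record, beside the port 25 MTA instance bound to its own address. The instance directory paths, the 203.0.113.10 listener address and the SASL/TLS settings are assumptions; Postfix does not allow trailing comments after a value, so all comments sit on their own lines.

```conf
# /etc/postfix-msa/main.cf  (MSA instance; assumed path)
multi_instance_name = postfix-msa
queue_directory = /var/spool/postfix-msa
data_directory = /var/lib/postfix-msa
# Bind to an address that is not the MTA instance's smtpin address.
inet_interfaces = 203.0.113.10
# No local recipients at all: qmgr never treats a hosted domain as local,
# so delivery for every domain follows that domain's MX (the gateway).
mydestination =
local_recipient_maps =
local_transport = error:local delivery is disabled on the MSA instance
# Empty relayhost: rely on MX lookups instead of a transport table.
relayhost =
relay_domains =
# Only authenticated submission clients may relay through this instance.
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtpd_relay_restrictions = permit_sasl_authenticated, reject

# /etc/postfix-msa/master.cf  (no port 25 listener in this instance)
submission inet n - y - - smtpd
  -o syslog_name=postfix-msa/submission
smtps      inet n - y - - smtpd
  -o syslog_name=postfix-msa/smtps
  -o smtpd_tls_wrappermode=yes

# /etc/postfix/master.cf  (MTA instance, port 25 on its own address)
smtpin.example.org:smtp inet n - y - - smtpd
```

To confirm the MSA instance really has no local recipients, `postconf -c /etc/postfix-msa mydestination local_recipient_maps local_transport` should print the empty and error: values above, and `postmulti -l` lists both instances.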
