On Mon, Nov 28, 2022 at 10:18:22AM -0300, Gustavo Balduino wrote:
> On 27/11/2022 11:46 AM, Wietse Venema wrote:
> > I think there is no risk of (false) loop detection between MSA
> > instance and MTA instance, because the MSA instance is supposed to
> > send all mail to the security gateway, regardless of destination:
> >
> > MSA client -> port 465/587 MSA server -> security gateway -> port 25 MTA
> > server
> >
>
> I believe I should have mentioned that submission and MTA have different
> addresses configured. Something like this:
>
> submission inet n - y - - smtpd
> smtpin.example.org:smtp inet n - y - - smtpd
>
> I think there's no risk of a loop happening in this setup you mentioned
> as the security gateway would never deliver a message to the MSA
> (because of the different addresses).
It's not a risk of a loop happening, but rather a risk of Postfix loop
detection being too conservative, and refusing to relay from the MSA to
port 25 on the same host. That can be worked around by ensuring that the
MSA's inet_interfaces does not include the MTA's IP address, and its
myhostname setting is also different.

> The hosted domains that use security gateways do set up the MX records
> pointing to it, so the MSA could indeed rely only on the MX records.

So the security gateways are *inbound*, not outbound. That makes things
simpler. If you had enough iron (or used virtual machines), you'd just
operate the MSA on a separate system, but if need be you can use two
Postfix instances. The MSA has an empty set of local, virtual alias,
virtual mailbox and relay domains, and just delivers all mail to the
"remote" recipient domain.

This configuration is simple, and would arguably be even more so if
simply operated on separate machines or VMs, but separate Postfix
instances can emulate multiple machines fairly closely, especially if
you have available separate IP addresses and associated hostnames for
each.

--
Viktor.
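A main.cf for the MSA instance along the lines Viktor describes, added here as a constructed illustration rather than configuration taken from the thread. The hostname submission.example.org and the addresses 192.0.2.1 (MTA) and 192.0.2.2 (MSA) are assumptions; the master.cf of this instance carries only the submission/smtps entries, as in Gustavo's quoted lines, and no port 25 listener.

```ini
# main.cf of the MSA (submission) Postfix instance.
# Constructed example: addresses and hostnames are assumptions.

# Listen only on the MSA's own address and use a hostname that differs
# from the MTA's (smtpin.example.org on 192.0.2.1). If the MTA's address
# or name appeared here, the smtp client would treat delivery to port 25
# on this host as mail looping back to itself and defer it.
inet_interfaces = 192.0.2.2
myhostname = submission.example.org

# No local, virtual alias, virtual mailbox or relay domains: every
# recipient domain is "remote" and is resolved through its MX records,
# which for gateway-protected domains point at the inbound gateway.
mydestination =
local_recipient_maps =
local_transport = error:local delivery is disabled on the MSA instance
virtual_alias_domains =
virtual_mailbox_domains =
relay_domains =

# Only authenticated submission clients may relay through this instance.
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_sasl_authenticated, reject
```

Check the two instances with `postconf -c <config_directory> inet_interfaces myhostname`; the values must not overlap between them.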