On 21/02/2012 19:26, Wietse Venema wrote:
Ed W:
As the OP suggested, a desirable solution would be for the MTA to only
check the various maps to decide a domain is local *after* having done a
DNS check to see if the MX record points "to this machine", i.e. the end
goal is: if the MX record points to some other machine, then we deliver
to that machine, even if it's listed in our maps as being local...
You can use transport_maps=tcp:host:port etc. to ask an external
program for the MX lookup, and to have that external program decide
if it should reply with a local mail delivery transport if the MX
record points to your machine.

This will drop your mail delivery performance quite a lot, as there
is only one queue manager, and each mail delivery request will be
waiting for the previous transport map lookup to complete.

A better alternative may be check_recipient_mx_access at RCPT
TO time.

smtpd_recipient_restrictions =
     # This example assumes that we are not providing mail relay service
     # or mail submission service.
     ...
     reject_unauth_destination
     check_recipient_mx_access cidr:/etc/postfix/mxnetworks
     ...

/etc/postfix/mxnetworks:
     # Assuming this is your network with MX servers.
     1.2.3.4/24 dunno
     # If the MX did not match, reject the request.
     0.0.0.0/0  reject

This rejects mail when a recipient domain is "claimed" by one of
your customers, but the MX host for the domain is not local.

This is better than doing it at queue manager time, because multiple
smtpd processes can do these MX lookups in parallel.

        Wietse

Thanks, this seems like the better solution.

It would seem that an incremental tweak could be to combine both solutions: rather than reject, redirect to some transport map which forwards to some instance without local maps. This would cause the mail to be forwarded to the MX destination as defined by DNS.

(Why: Most users should be fine with "reject", but for my requirements it's proved better to bounce invalid emails from *authorised users* vs rejecting at submission time. Mac Mail for example doesn't seem to correctly show reject error messages. Also we have users behind VERY slow dialup connections and bouncing works better for their submission process also.)

Thanks for the solution!

Ed W
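As an added example (not part of the thread, and not Postfix's own code): a small Python model of the check_recipient_mx_access decision over the cidr table above, using a constructed stand-in for DNS so it runs offline. It assumes the Postfix semantics as I understand them: the first matching cidr entry wins, every MX address of the recipient domain is checked and the first action other than dunno applies, and a domain with no MX record falls back to its own address records.

```python
import ipaddress

# Constructed stand-in for DNS (not real hosts): domain -> MX hostnames, host -> A records.
MX_RECORDS = {
    "customer.example": ["mx1.customer.example"],                         # MX is ours
    "moved.example": ["mail.elsewhere.example"],                          # MX points away
    "split.example": ["mx1.customer.example", "mail.elsewhere.example"],  # one of each
    "nomx.example": [],                                                   # no MX record
}
A_RECORDS = {
    "mx1.customer.example": ["1.2.3.10"],
    "mail.elsewhere.example": ["198.51.100.7"],
    "nomx.example": ["1.2.3.250"],
}

# The cidr: table from the thread; comments and blank lines are ignored.
MXNETWORKS = """\
# Assuming this is your network with MX servers.
1.2.3.4/24 dunno
# If the MX did not match, reject the request.
0.0.0.0/0  reject
"""

def parse_cidr_table(text):
    """Parse a Postfix-style cidr: table into an ordered list of (network, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # strict=False accepts host-bit prefixes such as 1.2.3.4/24 (-> 1.2.3.0/24).
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def lookup_cidr(rules, addr):
    """First matching entry wins; None when no entry matches."""
    ip = ipaddress.ip_address(addr)
    return next((action for net, action in rules if ip in net), None)

def mx_access_decision(domain, rules):
    """Model of check_recipient_mx_access: check every MX address of the domain
    (falling back to the domain's own A records when it has no MX) and return
    the first action other than dunno; dunno if all addresses pass."""
    hosts = MX_RECORDS.get(domain) or [domain]
    for host in hosts:
        for addr in A_RECORDS.get(host, []):
            action = lookup_cidr(rules, addr)
            if action is not None and action.lower() != "dunno":
                return action
    return "dunno"
```

The "split.example" case shows why a domain with one MX inside your network and one outside is still rejected: the outside address hits the 0.0.0.0/0 entry first time it is consulted.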
