On 07/21/2013 12:23 AM, /dev/rob0 wrote:
> On Sat, Jul 20, 2013 at 05:18:58PM -0400, Wietse Venema wrote:
> > /dev/rob0:
> > > The doubt in my mind about this is for mail truly destined to
> > > our hosted domains. It resolves to an Internet (not an internal)
> > > IP address which is in the MX instance's proxy_interfaces
> > > setting. We're in a DC and behind NAT, with that Internet IP
> > > address being NATed to this host.
> > >
> > > They don't have "hairpin NAT" set up, whereby if I try to connect
> > > to this NATed IP address it would go to the router and come back
> > > to me. I'm fine with that, actually; while that would solve the
> > > instant problem, it could be bad in other ways.
> >
> > An MTA should never connect to its own MTA address and port.
>
> Thanks for the reply.
>
> So how can I deliver mail from our users to our hosted domains? It's
> not connecting to its own port. The MSA has 587, the MX has 25.
> [127.0.0.1]:25 is my own IP address (from the POV of the MSA) but not
> my port.
>
> > That is what proxy_interfaces and inet_interfaces are for.
>
> It should be no problem to use an additional RFC 1918 address and set
> inet_interfaces. I guess that's the solution to this. The MSA can
> have 172.16.5.87 for example, and the MX can have 172.16.0.25 (both
> being in the same /16, that is.)

Why would you not allow submission to deliver to the hosted domains?
You can simply add the maps to the existing ones you use (if any).

--
J.
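An added example of the two-address layout discussed in the thread (this is not configuration posted by anyone in the thread; the config-directory paths, the 203.0.113.25 public address, the map file names and example.org are placeholders). Each Postfix instance gets its own RFC 1918 address in inet_interfaces, so the MSA no longer regards the MX instance's listening address as "itself" and can hand hosted-domain mail to it over SMTP without a mail-loop refusal:

```ini
# --- MX instance: /etc/postfix-mx/main.cf (placeholder path) ---
queue_directory = /var/spool/postfix-mx
inet_interfaces = 172.16.0.25
# Public address that the DC's NAT forwards to 172.16.0.25. Listing it in
# proxy_interfaces makes this instance treat mail for that address as its
# own instead of trying to relay to it (placeholder from RFC 5737 range).
proxy_interfaces = 203.0.113.25
virtual_mailbox_domains = hash:/etc/postfix-mx/hosted_domains
virtual_mailbox_maps = hash:/etc/postfix-mx/vmailbox
virtual_alias_maps = hash:/etc/postfix-mx/valias

# --- MSA instance: /etc/postfix-msa/main.cf (placeholder path) ---
queue_directory = /var/spool/postfix-msa
inet_interfaces = 172.16.5.87
# Deliberately empty: the MSA must not consider 203.0.113.25 (or 172.16.0.25)
# one of its own addresses, or delivery to the MX instance would be refused
# as a loop back to itself.
proxy_interfaces =
# Route hosted domains straight to the MX instance's internal address instead
# of resolving the MX record to the NATed public IP (no hairpin NAT needed).
transport_maps = hash:/etc/postfix-msa/transport
# Only authenticated users may submit; everything else is rejected.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject

# /etc/postfix-msa/transport (run "postmap" on it after editing):
#   example.org   smtp:[172.16.0.25]:25
# /etc/postfix-msa/master.cf exposes only the submission service:
#   submission inet n - n - - smtpd
```

With this split, the MX instance still listens on port 25 at the internal address the NAT points to, while the MSA listens on 587 at a different address, so neither instance's smtpd has to bind to the other's socket. J.'s alternative is to skip the transport map and give the MSA the same virtual_mailbox_domains/virtual_mailbox_maps entries as the MX, so it delivers to the mailbox store directly; that works when both instances share that store and the same delivery agent.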
