On 5/10/2014 5:45 AM, Wietse Venema wrote:
deoren:
* primary MX with current policies. Also whitelists the backup MX via
check_client_access directive and via permit_mynetworks
Do not give the backup MX host RELAY PERMISSIONS on the primary MX host.

        Wietse

Thanks for the reply/tip.

So if I don't give the backup MX host relay permissions on the primary, will the primary MX still apply the checks for mail that doesn't originate with the backup MX?

My primary MX settings (formatted for easier viewing):

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/recipient_access.conf
    check_sender_access hash:/etc/postfix/sender_access.conf
    check_client_access hash:/etc/postfix/client_access.conf
    check_policy_service inet:127.0.0.1:10023
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_client_hostname
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unauth_pipelining
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org

I don't think I remembered to say it in my earlier posting (apologies for that), but I have the backup MX host listed in 'mynetworks'. I did this based on a tip I found that suggested placing an entry like this in the lookup table for 'check_sender_access':

domain1.tld    permit_mynetworks, REJECT Unauthorized use of domain name
domain2.tld    permit_mynetworks, REJECT Unauthorized use of domain name

I of course substituted domainX.tld for my real domains.

So in summary, I have the backup MX host listed in the lookup table for 'check_client_access' and also in $mynetworks so the 'check_sender_access' entry will function properly.

Thanks again.
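
Added example, not part of the original message and not Postfix code: a simplified Python model of first-match evaluation over the restriction list quoted above, showing which checks a client reaches when the backup MX is or is not in mynetworks. The addresses, the domain elsewhere.example, and the "OK" entry assumed for client_access.conf are constructed for illustration, and every restriction other than the three modelled ones is assumed to return DUNNO.

```python
import ipaddress

# Order copied from the smtpd_recipient_restrictions in the message above.
RESTRICTIONS = [
    "permit_mynetworks", "reject_unauth_destination",
    "check_recipient_access", "check_sender_access", "check_client_access",
    "check_policy_service", "reject_invalid_helo_hostname",
    "reject_non_fqdn_helo_hostname", "reject_unknown_client_hostname",
    "reject_unknown_sender_domain", "reject_unknown_recipient_domain",
    "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_unauth_pipelining", "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client b.barracudacentral.org",
]

BACKUP_MX = "192.0.2.25"                        # constructed address (TEST-NET-1)
LOCAL_DOMAINS = {"domain1.tld", "domain2.tld"}  # placeholder domains from the message
CLIENT_ACCESS = {BACKUP_MX: "OK"}               # assumed whitelist entry in client_access.conf


def evaluate(client_ip, rcpt_domain, mynetworks):
    """Return (verdict, deciding restriction, restrictions evaluated).

    Simplified model: only the three restrictions below can decide; every
    other restriction is assumed to return DUNNO so evaluation continues.
    """
    ip = ipaddress.ip_address(client_ip)
    seen = []
    for name in RESTRICTIONS:
        seen.append(name)
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return "PERMIT", name, seen
        elif name == "reject_unauth_destination":
            if rcpt_domain not in LOCAL_DOMAINS:
                return "REJECT", name, seen
        elif name == "check_client_access":
            if CLIENT_ACCESS.get(client_ip) == "OK":
                return "PERMIT", name, seen
    return "PERMIT", "end of list", seen  # nothing rejected, so the mail is accepted


if __name__ == "__main__":
    for nets in (["127.0.0.0/8", BACKUP_MX + "/32"], ["127.0.0.0/8"]):
        for client, rcpt in ((BACKUP_MX, "elsewhere.example"),
                             (BACKUP_MX, "domain1.tld"),
                             ("198.51.100.7", "domain1.tld")):
            verdict, by, seen = evaluate(client, rcpt, nets)
            print(nets, client, rcpt, "->", verdict, "at", by, f"({len(seen)} evaluated)")
```

In this model, a backup MX listed in mynetworks is permitted before reject_unauth_destination for any recipient domain, while a backup MX whitelisted only through check_client_access is still refused for non-local destinations and a client outside mynetworks reaches every restriction in the list.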
