Viktor,

>> Thus your claim that the mail will have a single recipient in the "To:"
>> address, or will not employ "Bcc" is simply wrong. Your Postfix systems are
>> outbound relays, not MSAs.

Thanks for your correction. I learned the conceptual difference between an MSA and an outbound relay.

>> Your real problem is that you're using the same servers to deliver
>> *all* outbound email, both email that originates outside and needs to be
>> forwarded for one of your externally hosted users, and email that your
>> internally hosted users send out.
>>
>> This design severely limits your choices. When I did a related design for a
>> previous employer with another hosting provider, I used dedicated systems to
>> route just the mail for externally hosted users, separate from the outbound
>> relays handling other mail.

You are totally correct. Our previous email system was running like yours: the mail flow of forwarding accounts to externally hosted users was separated from the real outbound mail flow that our internally hosted users send out. The current Microsoft Exchange system can't achieve this goal. As you know, when politics gets involved in business and technical decisions, many reasonable things from the past have to be changed.

>> These dedicated systems were whitelisted by the provider, but restricted to
>> delivery of mail to just the users in question, not the world at large.

Yes. Our previous system did so.

>> You're likely running into Sender-ID/SPF issues, where Microsoft applies
>> anti-spoofing policy to your outbound machines, because you don't present a
>> clean stream of email for just the hosted users.

So far it is OK. Microsoft's antispam system EOP knows all IPs of our outbound servers.

>> You need a more sophisticated design and a willingness from the hosting
>> provider to work with you. You may need to hire an experienced consultant to
>> help with the design and implementation, but the difficulty will be in
>> assessing the skill of the consultant, this is hard to do, unless you're
>> sufficiently skilled yourself.

Thanks for your suggestion!!! When the design of the current system was in the assessment phase, one experienced Microsoft consultant pointed out our design problem, BUT .......

>> At the very least you may need to implement the SRS rewriting mechanism for
>> forwarding mail in the age of SPF. You'll have to find a good Postfix SRS
>> tutorial. This will likely resolve most of the problem you are reporting.

Thanks for your information about the Postfix SRS tutorial. I will learn it.

Thanks a lot!

Carl

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
Sent: Wednesday, August 06, 2014 9:56 AM
To: postfix-users@postfix.org
Subject: Re: How to fetch From address from header via Postfix head_check?

On Wed, Aug 06, 2014 at 12:02:30PM +0000, Xie, Wei wrote:

> The main email system is a Microsoft Exchange system. The Exchange Hub servers
> deliver all outbound mail (internal users sending emails to external users,
> or external users sending emails to internal users whose email addresses are
> forwarded to their external mailboxes) to the Postfix servers. The Postfix
> servers receive all emails whose recipient addresses are external email
> addresses.

So I think it is simply an outbound relay, forwarding mail whose recipients are
external to your email systems.

Thus your claim that the mail will have a single recipient in the "To:"
address, or will not employ "Bcc" is simply wrong. Your Postfix systems are
outbound relays, not MSAs.

Your real problem is that you're using the same servers to deliver *all*
outbound email, both email that originates outside and needs to be forwarded
for one of your externally hosted users, and email that your internally hosted
users send out.

This design severely limits your choices. When I did a related design for a
previous employer with another hosting provider, I used dedicated systems to
route just the mail for externally hosted users, separate from the outbound
relays handling other mail.

These dedicated systems were whitelisted by the provider, but restricted to
delivery of mail to just the users in question, not the world at large.

You're likely running into Sender-ID/SPF issues, where Microsoft applies
anti-spoofing policy to your outbound machines, because you don't present a
clean stream of email for just the hosted users.

You need a more sophisticated design and a willingness from the hosting
provider to work with you. You may need to hire an experienced consultant to
help with the design and implementation, but the difficulty will be in
assessing the skill of the consultant, this is hard to do, unless you're
sufficiently skilled yourself.

At the very least you may need to implement the SRS rewriting mechanism for
forwarding mail in the age of SPF. You'll have to find a good Postfix SRS
tutorial. This will likely resolve most of the problem you are reporting.

-- 
	Viktor.
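The SRS rewriting Viktor recommends, shown as an added example that is not part of this thread and not Postfix's own code: a minimal SRS0 forward rewrite (so the forwarder's domain is what the receiver's SPF check sees) and the matching reverse step that validates a bounce before recovering the original sender. The secret, the forwarder domain `forwarder.example` and the 21-day validity window are constructed assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"      # constructed; a real deployment keeps this in a protected file
FORWARDER = "forwarder.example"          # assumed forwarding domain whose SPF record lists the relays
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                        # assumed window during which a bounce is still accepted

def _encode_ts(days):
    """SRS timestamp: days since epoch modulo 1024 as two base32 characters."""
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]

def _decode_ts(ts):
    return BASE32.index(ts[0]) * 32 + BASE32.index(ts[1])

def _hash(ts, domain, local):
    """Four base64 characters of an HMAC binding timestamp, domain and local part."""
    msg = f"{ts}{domain.lower()}{local}".encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest()).decode()[:4]

def srs_forward(sender, days):
    """Rewrite the envelope sender so bounces return to us and SPF checks our domain."""
    local, domain = sender.rsplit("@", 1)
    ts = _encode_ts(days)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"

def srs_reverse(address, days):
    """Accept a bounce only if hash and timestamp check out, then recover the sender."""
    local, fwd = address.rsplit("@", 1)
    if fwd.lower() != FORWARDER or not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    _, h, ts, domain, orig_local = local.split("=", 4)
    if not hmac.compare_digest(h, _hash(ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch: forged or altered address")
    if (days - _decode_ts(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"

if __name__ == "__main__":
    today = 20000                         # constructed day count so the demo is repeatable
    rewritten = srs_forward("alice@example.org", today)
    print(rewritten)
    print(srs_reverse(rewritten, today + 5))
```

Postfix has no built-in SRS; in practice this logic lives in an external rewriter that Postfix consults for the envelope sender and recipient, which is what the SRS tutorials Viktor mentions set up.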