> On 28.11.2014 at 20:50, "[email protected]" <[email protected]> wrote:
>
>
>
>> On 28.11.2014 at 20:45, Christian Rößner wrote:
>>> On 28.11.2014 at 20:26, Wietse Venema <[email protected]> wrote:
>>>
>>> Christian Rößner:
>>>> I look for:
>>>>
>>>> Table:
>>>> Lhs Rhs
>>>> mx.some.mta smtp:[mx.whatever.tld]:1234
>>>
>>> I have implemented smtp_dns_reply_filter (currently, testing), which
>>> matches a resource record against a (regular expression) pattern.
>>>
>>> At the moment it supports IGNORE, but it would not be difficult to
>>> implement a REPLACE action. The content of the resource record has
>>> been "valid-hostname" sanity checked, so there is little danger of
>>> malicious substitutions.
>>>
>>> Thus, Postfix could do
>>>
>>> foo.example.com. 12345 IN MX 10 bar.example.com.
>>> REPLACE foo.example.com. 12345 IN MX 10 baz.example.net.
>>>
>>> Similar operations for A/AAAA records, with some limitations (can
>>> change the last two fields only, not the fields that are determined
>>> by the query itself).
>>>
>>> Would that solve the problem?
>>
>> How could a different port be specified? If I do understand your example,
>> this only replaces the host, but gives no choice to specify a port
>
> MTA-to-MTA traffic is typically port 25
>
> if you need several instances on the same machine talking with each other
> consider giving that machine additional IP addresses with their own DNS names
> and bind the instance to the IP instead of mangling around
> with different ports
>
> the benefit is that mail routing in that case doesn't need port hacks and so
> can be realized with hostnames in an agnostic way
This server already has two IP addresses, and routing cannot be done on answer decisions. That exactly is the problem here. And the main MTA on port 25 enforces a policy. It doesn't matter if mail is coming from foreign MTAs or from the relay server on the same host. But it needs a different policy if the relay server is contacting the main MTA. And this can only be achieved with a different port on the main MTA, as I can only turn off Milters and things in a separate instance.

If I add an instance on the main MTA on i.e. port 12325, I can set smtpd_milters empty and mynetworks to the IP of the relay server, restricting smtpd_recipient_restrictions to permit_mynetworks,reject. I can enforce a replacement with:

iptables -t nat -A PREROUTING -j DNAT -s ip.of.relay -d ip.of.main.mta -p tcp --dport 25 --to-destination ip.of.main.mta:12325

That is what I would like to solve cleanly.

Christian
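An added illustration, not Postfix source and not from anyone in the thread: a small Python model of the regex-driven DNS reply filter as Wietse sketches it (IGNORE and a REPLACE action that may only touch the rdata fields, with a valid-hostname sanity check on the replacement target). It shows concretely why such a filter answers the MX-rewrite part of Christian's question but cannot carry a port: a target like `baz.example.net.:12325` is not a valid hostname and is refused. Record texts and rules below are constructed sample input.

```python
import re

# Constructed model of the smtp_dns_reply_filter semantics described in the
# thread (not Postfix source): each DNS reply record is rendered as text,
# matched against regex rules, and IGNOREd or REPLACEd. Only the rdata
# fields may change; name, class and type are fixed by the query.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")

def valid_hostname(name):
    """Letters, digits, '-' and dots only, so a 'host:port' string is rejected."""
    return len(name) <= 255 and HOSTNAME_RE.match(name) is not None

def parse_record(text):
    # e.g. "foo.example.com. 12345 IN MX 10 bar.example.com."
    f = text.split()
    if len(f) < 5:
        raise ValueError(f"malformed record: {text!r}")
    return {"name": f[0], "ttl": f[1], "class": f[2], "type": f[3], "rdata": f[4:]}

def filter_reply(records, rules):
    """rules: (regex, action, replacement text or None); first match wins.
    Returns surviving records as text; raises ValueError on an unsafe REPLACE."""
    out = []
    for rec in records:
        hit = next(((a, r) for p, a, r in rules if re.search(p, rec)), None)
        if hit is None:
            out.append(rec)
            continue
        action, replacement = hit
        if action == "IGNORE":
            continue
        if action != "REPLACE":
            raise ValueError(f"unknown action {action!r}")
        old, new = parse_record(rec), parse_record(replacement)
        for field in ("name", "class", "type"):   # determined by the query
            if old[field] != new[field]:
                raise ValueError(f"REPLACE may not change {field} in {rec!r}")
        target = new["rdata"][-1]
        if new["type"] == "MX" and not valid_hostname(target):
            raise ValueError(f"replacement target is not a valid hostname: {target!r}")
        # Query-determined fields and TTL stay; only the rdata is substituted.
        out.append(" ".join([old["name"], old["ttl"], old["class"], old["type"], *new["rdata"]]))
    return out

def try_filter(records, rules):
    """(records, None) on success, (None, error) when a REPLACE is refused."""
    try:
        return filter_reply(records, rules), None
    except ValueError as e:
        return None, str(e)
```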