Wietse,
Viktor,

Thanks for your kind answer.
It seems a bit difficult but I'll try to understand and apply it.

This request (redirect emails of certain domains to 3rd party mail providers with auth) can't be denied because we are moving from a commercial mail security appliance to Postfix and this feature is already provided to customers. (TBH I don't know how the current appliance is processing such things under the hood.)

Thanks again,
Zsombor



Quoting Viktor Dukhovni <postfix-us...@dukhovni.org>:

On Mon, Aug 24, 2020 at 09:35:51AM -0400, Wietse Venema wrote:

> Some of our customers wanted us to forward all emails sent to some
> recipient domains to 3rd party relay servers instead of the mail
> server defined in the recipient domain's MX records.
>
> Also they provided smtp username and password for these relay servers.
>
> I.e.
> - *@foo1.bar is sent to mailprovider-X.com with foo1user + foo1pass
> - *@foo2.bar is sent to mailprovider-Y.com with foo2user + foo2pass
> - etc.

If these email messages are sent by your customers, you need:

- In master.cf, one dedicated Postfix SMTP client per customer,
with its own "-o smtp_sasl_password_maps=maptype:mapname" setting
with that customer's login information for the remote servers.

smtp-custxxx   unix  -      -      -      -      -      smtp
   -o smtp_sasl_password_maps=hash:/etc/postfix/sasl-custxxx

- In main.cf, "sender_dependent_default_transport_maps =
maptype:mapname", and use that table to select the dedicated Postfix
SMTP client for each customer.

And also SASL auth, with reject_known_sender_login_mismatch or similar,
so that nobody else can impersonate these customers.

This ensures that the right customer's login is used with the
right remote SMTP server, and only for email sent by that customer.

Given authentication of the customer's credentials *and* envelope sender
address.

This can be a difficult combination of things to get right.
Caution is highly recommended, and perhaps best to not offer
the feature at all.  The risk/reward ratio may not be high
enough.

--
    Viktor.


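Since the thread warns that this combination is difficult to get right, here is a consistency check over the three pieces it names (added example, not code from the thread or from Postfix). It verifies that every sender domain in the sender-dependent transport table points at a master.cf service with its own smtp_sasl_password_maps, and that the sender is bound to a login in smtpd_sender_login_maps, the table that reject_known_sender_login_mismatch consults. The file contents, customer names and service names are constructed for illustration.

```python
import re

# Constructed sample files (assumed names; not taken from the thread).
MASTER_CF = """\
smtp-custa unix - - - - - smtp
   -o smtp_sasl_password_maps=hash:/etc/postfix/sasl-custa
smtp-custb unix - - - - - smtp
   -o smtp_sasl_password_maps=hash:/etc/postfix/sasl-custa
smtp-custc unix - - - - - smtp
"""
SENDER_TRANSPORT = """\
@custa.example  smtp-custa:
@custb.example  smtp-custb:
@custc.example  smtp-custc:
@custd.example  smtp-custd:
"""
SENDER_LOGIN = "@custa.example  custa-login\n@custb.example  custb-login\n"

def parse_master(text):
    """Map each master.cf service name to its -o overrides (continuation lines included)."""
    services, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a new service entry starts in column 0
            cur = line.split()[0]
            services[cur] = {}
        if cur is not None:
            services[cur].update(re.findall(r"-o\s+(\w+)=(\S+)", line))
    return services

def parse_map(text):
    """Parse 'key value' lines of a Postfix lookup table source file."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {k: v.strip() for k, v in rows}

def audit(master, transport_map, login_map):
    """Return (sender, problem) pairs for every gap in the per-customer setup."""
    services, logins, seen, findings = parse_master(master), parse_map(login_map), {}, []
    for sender, target in parse_map(transport_map).items():
        svc = target.split(":")[0]
        if svc not in services:
            findings.append((sender, "transport not defined in master.cf"))
            continue
        pw = services[svc].get("smtp_sasl_password_maps")
        if pw is None:
            findings.append((sender, "no dedicated smtp_sasl_password_maps"))
        elif pw in seen:               # two customers would share one credential file
            findings.append((sender, "password map shared with " + seen[pw]))
        else:
            seen[pw] = sender
        if sender not in logins:       # sender not tied to a SASL login
            findings.append((sender, "no smtpd_sender_login_maps entry"))
    return findings
```

Calling audit(MASTER_CF, SENDER_TRANSPORT, SENDER_LOGIN) on the sample flags the shared credential file, the service without credentials, the unbound sender and the undefined transport.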