Thanks Matus for taking time to respond. Appreciated.


On 2021-05-06 14:34, Matus UHLAR - fantomas wrote:
On 06.05.21 10:37, Vytenis Adm wrote:
We have a postfix server, which forwards all customers' outbound emails to a "relayhost". Our "relayhost" is somewhat costly, so our goal is to minimize its usage. MX is served by a separate Postfix instance.

Our goal is to deliver local emails to our MX directly, bypassing "relayhost". Several clients are sharing the infrastructure, so querying DB to see whether the domain is local is tricky: this may lead to abuse when the domain changes ownership, or emails delivered locally when MX is remote, as some customers have their own NS.

"check_recipient_mx_access" option looked promising.

On 2021-05-06 12:42, Matus UHLAR - fantomas wrote:
this applies for incoming mail, not outgoing.

On 06.05.21 14:07, Vytenis Adm wrote:
Outbound (SMTP-AUTH) Postfix instance receives mail from our users, so it's inbound email from Postfix perspective. "check_recipient_mx_access" can override relay based on DNS MX record, but it has issues I mentioned in my original posting. Looked promising though.

check_recipient_mx_access will allow your server to accept mail for a domain but has completely no effect on how mail for that domain is to be delivered.
That's what I mean it applies for incoming mail.


Maybe I wasn't too specific about "check_recipient_mx_access". What we tried (and it was working in most cases) is to set it like this:


smtpd_recipient_restrictions =
    <...>
    check_recipient_mx_access hash:/etc/postfix/smtpd_recipient_restrictions

/etc/postfix/smtpd_recipient_restrictions:
    ourmx1.example.com FILTER smtp:[ourmx1.example.com]


That way all outbound emails whose recipient domain has "ourmx1.example.com" as a DNS MX would use transport "smtp:[ourmx1.example.com]", and fall back to "relayhost" otherwise. Unfortunately, if a client had their own MX set as the higher-priority one, emails were still forwarded to "smtp:[ourmx1.example.com]". Also, emails containing multiple recipients would be forwarded to "smtp:[ourmx1.example.com]" as well. We had to abandon this idea, as promising as it seemed.



Unfortunately, some clients have our MX as a secondary, and "check_recipient_mx_access" ignores the fact that the primary MX is remote. Also, it ignores the fact that emails contain remote addresses in CC.

An option we're considering is DNS response rewriting. If the MX does not match a local one, rewrite it to "relayhost". This sounds like a dirty hack, however.

Maybe there are other options or ideas?

Tried looking at transport_maps?
http://www.postfix.org/postconf.5.html#transport_maps

you should be able to configure where to send mail to different domains, and
"relayhost" would only be applied for default mail

Yes, we did look into it, and it's not an option. "transport_maps" looks into a DB, and we can't rely on it. Clients can point MX to their own servers, and "transport_maps" will route to our MX regardless of what is set in customer's DNS.

The "DB" can be a local file or even inline in the postfix configuration.
you can configure domain to go through its MX server, see:
http://www.postfix.org/transport.5.html

TL;DR: we don't know which domain's emails should be forwarded via DNS MX to our inbound Postfix, and which to "relayhost" - that's the issue. The only source of truth is DNS MX records themselves.

Here's an example:

Two of our clients are using our mail system and have the following domains: "client1domain.tld" and "client2domain.tld".

If we set "relayhost" (as it is set now), all (local or not) emails are sent via "relayhost":

    al...@client1domain.tld -> our-outbound-SMTP -> relayhost -> ourmx1.example.com -> b...@client1domain.tld

    al...@client1domain.tld -> our-outbound-SMTP -> relayhost -> mx.gmail.com -> b...@gmail.com

We can follow your suggestion and define a "transport_map" that forwards all "client1domain.tld" bound emails to "ourmx1.example.com" directly, bypassing DNS - that's easy and doable:

    client1domain.tld smtp:[ourmx1.example.com]

Then all is working nicely:

    al...@client1domain.tld -> our-outbound-SMTP -> ourmx1.example.com -> b...@client1domain.tld

Now imagine the "client1domain.tld" owner changes their MX to "competitormx1.example.com", and our second client is sending an email to b...@client1domain.tld.

How it should be relayed:

    al...@client2domain.tld -> our-outbound-SMTP -> relayhost -> competitormx1.example.com -> b...@client1domain.tld

How it would be relayed:

    al...@client2domain.tld -> our-outbound-SMTP -> ourmx1.example.com -> b...@client1domain.tld (Email does NOT reach its destination on "competitormx1.example.com"!!)


Hope this makes sense :)


--

Vytenis
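The thread's unresolved requirement is a per-recipient transport decision whose only source of truth is the recipient domain's MX record set, and which must send a domain to "relayhost" whenever the primary MX is remote, even if our MX is listed as a secondary. The following is an added example, not code from the thread or from Postfix: it decides a transport per domain by taking only the lowest-preference MX hosts into account (the check that check_recipient_mx_access lacks), and answers in the tcp_table(5) request/reply format so that it could be served to transport_maps as a tcp: table. The host set OUR_MX_HOSTS, the sample MX answers in SAMPLE_MX (constructed to mirror the thread's scenarios) and the tcp: deployment are assumptions of the example.

```python
"""Per-domain transport lookup driven by the recipient domain's MX records.

Added example (not from the postfix-users thread). It routes direct to our MX
only when every lowest-preference MX host of the recipient domain is ours;
a domain whose primary MX is remote (ours as secondary) falls through to the
default "relayhost". Because transport_maps is consulted per recipient,
a message with a local and a remote recipient is split by Postfix, which is
what the message-level FILTER action in the thread could not do.
"""

# Assumption: the hosts we are allowed to deliver to directly.
OUR_MX_HOSTS = {"ourmx1.example.com"}
DIRECT_TRANSPORT = "smtp:[ourmx1.example.com]"   # transport from the thread's example
DEFAULT_ROUTE = "relayhost"                      # what Postfix uses when no entry matches

# Constructed sample MX answers standing in for live DNS lookups:
# (preference, host) pairs as they would come back from an MX query.
SAMPLE_MX = {
    "client1domain.tld": [(10, "ourmx1.example.com")],                                  # ours is primary
    "client2domain.tld": [(10, "competitormx1.example.com"), (20, "ourmx1.example.com")],  # ours is secondary
    "gmail.com": [(5, "mx.gmail.com")],                                                  # fully remote
    "tied.example": [(10, "ourmx1.example.com"), (10, "competitormx1.example.com")],     # tie with a remote host
}


def lookup_mx(domain):
    """Stand-in resolver; replace with a real MX query in deployment."""
    return SAMPLE_MX.get(domain.lower().rstrip("."), [])


def transport_for_domain(domain, resolve=lookup_mx, our_hosts=OUR_MX_HOSTS):
    """Return DIRECT_TRANSPORT if all primary MX hosts are ours, else None.

    None means "no entry", so Postfix applies its default (relayhost). A tie
    between one of our hosts and a remote host is treated as remote, because
    delivering direct would bypass an MX the domain owner chose.
    """
    records = resolve(domain)
    if not records:
        return None
    best = min(pref for pref, _ in records)
    primaries = {host.lower().rstrip(".") for pref, host in records if pref == best}
    if primaries <= our_hosts:
        return DIRECT_TRANSPORT
    return None


def route_message(recipients, resolve=lookup_mx):
    """Per-recipient decision, as transport_maps would make it for each recipient."""
    routes = {}
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1]
        routes[rcpt] = transport_for_domain(domain, resolve) or DEFAULT_ROUTE
    return routes


def handle_tcp_request(line, resolve=lookup_mx):
    """Answer one tcp_table(5) request line ("get key") with a reply line.

    200 = found (value follows), 500 = not found, 400 = temporary error.
    transport_maps may look up the full address, the bare domain, parent
    domains with a leading dot, and "*"; only bare domains with MX data match.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("get "):
        return "400 unsupported request"
    key = line[4:]
    domain = key.rsplit("@", 1)[-1]
    try:
        transport = transport_for_domain(domain, resolve)
    except Exception as exc:  # a resolver failure must not route mail wrongly
        return "400 lookup failed: %s" % exc
    if transport is None:
        return "500 no direct route"
    return "200 " + transport


if __name__ == "__main__":
    for rcpt, route in route_message(["b@client1domain.tld", "b@client2domain.tld", "b@gmail.com"]).items():
        print(rcpt, "->", route)
```

A 400 reply on resolver failure makes Postfix defer the lookup rather than silently relaying, which is the safer failure mode given that the wrong answer here means mail never reaches a domain that has moved its MX elsewhere.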







