Re: Forward internal RHEL6 server local user emails to postfix mailrelay

2013-03-31 Thread Michael Maymann
Anyone who knows this or can give directions ?


thanks in advance :) !

~maymann


2013/3/23 Michael Maymann mich...@maymann.org

 Hi list,

 I would like to forward all our internal RHEL6 server localuser emails to
 our postfix mailrelay.
 I have tried the following already on the RHEL6 servers:
 - .forward will not allow e.g. root to forward mail to user1
 - relayhost only relay mail for external users
 Is there a global postfix setting for this ?

 Is there a generic LDAP postfix schema so localuser - email conversion
 can be done at our postfix mailrelay ?
 I guess there is not, and this would most likely be very customized, but
 what info would be needed to be able to help me on the way ?



 Thanks in advance :) !

 ~maymann



Re: Forward internal RHEL6 server local user emails to postfix mailrelay

2013-03-31 Thread Michael Maymann
Hi Wietse,

thanks for your quick reply :) !

Forwarding: I'm pretty sure this is something that is already doable with
Postfix, but not sure how this is done.
LDAP: I'm no LDAP guru. Don't even know what information is needed to help
me in my quest for answer here. If this is not currently supported, hasn't
this been requested already (otherwise I would love to request this as a
new feature)...

Can you please help me a little more on my way ?


Thanks in advance :) !

~maymann


2013/3/31 Wietse Venema wie...@porcupine.org

 TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

 TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

 Thank you for using Postfix.

 Michael Maymann:
  Anyone who knows this or can give directions ?
 
 
  thank in advance :) !
 
  ~maymann
 
 
  2013/3/23 Michael Maymann mich...@maymann.org
 
   Hi list,
  
   I would like to forward all our internal RHEL6 server localuser emails
 to
   our postfix mailrelay.
   I have tried the following already on the RHEL6 servers:
   - .forward will not allow e.g. root to forward mail to user1
   - relayhost only relay mail for external users
   Is there a global postfix setting for this ?
  
   Is there a generic LDAP postfix schema so localuser - email conversion
   can be done at our postfix mailrelay ?
   I guess there is not, and this would most likely be very customized,
 but
   what info would be needed to be able to help me on the way ?
  
  
  
   Thanks in advance :) !
  
   ~maymann
  



Forward internal RHEL6 server local user emails to postfix mailrelay

2013-03-22 Thread Michael Maymann
Hi list,

I would like to forward all our internal RHEL6 server localuser emails to
our postfix mailrelay.
I have tried the following already on the RHEL6 servers:
- .forward will not allow e.g. root to forward mail to user1
- relayhost only relay mail for external users
Is there a global postfix setting for this ?

Is there a generic LDAP postfix schema so localuser - email conversion can
be done at our postfix mailrelay ?
I guess there is not, and this would most likely be very customized, but
what info would be needed to be able to help me on the way ?



Thanks in advance :) !

~maymann


Re: LoadShared Failover

2012-03-29 Thread Michael Maymann
Hi List,

I have now looked all over the web to try and find best possible solution
for me... (redundant loadshared sending-only mailgw)... this is currently
what I think of doing...:
1. Setup 2 postfix servers in 2 physical different location with same
configuration (handled by our HostConfigurationManagementSystem).
2. DNS will be configured like:

; zone file fragment
        IN  MX  10  mail.example.com.

mail    IN  A   10.10.10.100
        IN  A   10.10.20.100

3. Clients will use mail.example.com as server.

Only problem I see now is when one of the postfix servers dies. Clients
will still try to send mails to it as they are DNS RR'ed, but would get no
response of course if they hit the dead one.
(How) Do I handle this ? or will I just have to live with the time-loss,
clients connecting to dead postfix server, gives me when it has to retry ?

I can compensate a bit by setting low DNS TTL (like 15 minutes) and remove
dead DNS entry manually when our monitoring system alerts about port not
responding - but would like to implement a real redundant system if at all
possible... How do I do this - any howto I might have missed... ?



Thanks in advance :) !
~maymann


2012/3/28 Michael Maymann mich...@maymann.org

 Hi List,

 I have now looked all over the web to try and find best possible solution
 for me... (redundant loadshared sending-only mailgw)... this is currently
 what I think of doing...:
 1. Setup 2 postfix servers in 2 physical different location with same
 configuration (handled by our HostConfigurationManagementSystem).
 2. DNS will be configured like:

 ; zone file fragment
         IN  MX  10  mail.example.com.

 mail    IN  A   10.10.10.100
         IN  A   10.10.20.100

 3. Clients will use mail.example.com as server.

 Only problem I see now is when one of the postfix servers dies. Clients
 will still try to send mails to it as they are DNS RR'ed, but would get no
 response of course if they hit the dead one.
 (How) Do I handle this ? or will I just have to live with the time-loss,
 clients connecting to dead postfix server, gives me when it has to retry ?

 I can compensate a bit by setting low DNS TTL (like 15 minutes) and remove
 dead DNS entry manually when our monitoring system alerts about port not
 responding - but would like to implement a real redundant system if at all
 possible... How do I do this - any howto I might have missed... ?



 Thanks in advance :) !
 ~maymann


 2012/3/13 Stan Hoeppner s...@hardwarefreak.com

 On 3/12/2012 1:29 PM, Michael Maymann wrote:
  Hi,
 
  Stan: thanks for your reply.
  I was talking about NIC bonding: http://www.howtoforge.com/nic_bonding
  But if that is not the way to go, then that won't matter anymore... and
 no
  need for RedHat support either...

 NIC bonding isn't applicable to your dual relay host scenario.

  I'm a simple SMTP/PostFix beginner and just trying to learn as I go
 along -
  thought the mailinglist would be a good offset to get some initial
 answers
  so I can start looking in the right places - first things first... :) !

 You have it backwards.  The Postfix mailing list is a last resort
 resource and is meant more for troubleshooting that system design
 assistance or education.  You are expected to read all applicable
 Postfix and RFC/BCP documentation and troubleshoot issues until you are
 sure you cannot resolve them on your own.  *Then* post a help query on
 the Postfix list.  It is not a teaching resource.  Please don't treat it
 as such.

  If RR DNS is the way forward, then I guess I would need to configure:
 
  ; zone file fragment
          IN  MX  10  mail.example.com.

  mail    IN  A   192.168.0.4
          IN  A   192.168.0.5
 
 
  and point all my MUA's to mail.example.com
 
  Just to try and understand better how this communication would be
 working:
  1. Does the MUAs then just retry if it doesn't get answer from one of
 the
  MTAs ?
  2. If so, will this then always generate a new nslookup / will it use a
  cache / do I need to configure this on the MUA's ?
  3. Is there a default number of retries (and does this differentiate
 from
  MUA to MUA) or are they just queued forever on the MUAs until properly
  delivered to a responsive MTA ?

 See the bind manual, or the manual of whichever DNS server daemon you
 happen to be using, and other applicable guides to round robin DNS.

 --
 Stan





Re: LoadShared Failover

2012-03-12 Thread Michael Maymann
Hi,

Stan: My question is not how I setup the solution, but how I *BEST* (best
practice) setup the loadshared/failover postfix solution I described
earlier.
If there isn't a nice howto already, I guess I can figure this out myself -
bonding is easy, if this is the preferred solution for a postfix install
like mine - but if it is: how do you cope with the question I asked earlier:
- How do I solve client-server communication, when requests will not get
answered from same IP - or can it be - and if so: how do I do this, is
there a how-to on setting this up on RHEL6 ?

Would just like to hear the lists opinion before going in any specific
direction, and figuring out that was the wrong one...:) !


Best regards
~maymann


2012/3/12 Stan Hoeppner s...@hardwarefreak.com

 On 3/10/2012 8:30 AM, Michael Maymann wrote:

  How do I best setup a loadshared failover postfix mailrelay solution for
  this on RHEL6 ?

 You consult the RHEL6 documentation.  If you don't find the answer
 there, you contact Red Hat support who will point you in the right
 direction.  Isn't this why you use a paid commercial Linux distro?

 --
 Stan




Re: LoadShared Failover

2012-03-10 Thread Michael Maymann
If RoundRobin is best practise/preferred solution, should I then do:

; zone file fragment
        IN  MX  10  mail.example.com.

mail    IN  A   192.168.0.4
        IN  A   192.168.0.5
        IN  A   192.168.0.6

or

; zone file fragment
  IN  MX  10  mail.example.com.
  IN  MX  10  mail1.example.com.
  IN  MX  10  mail2.example.com.

mail  IN  A   192.168.0.4
mail1 IN  A   192.168.0.5
mail2 IN  A   192.168.0.6

I think I would prefer the first solution - as a single hostname can be
distributed to endusers.
Will this automatically interfere with our corporate mail on the same
domain - is there anything DHCP/DNS MX-to-clients update-wise I should be
aware of ?


Thanks in advance :) !
~maymann

2012/3/10 Michael Maymann mich...@maymann.org

 Hi List,

 I would like to setup a LoadShared Failover internal mail-relay solution
 (only for sending mail internal-external).

 My thoughts:
 - Setup virtual+physical server in same VLAN (different physical
 locations) with same OS+Postfix+config
 - Configure DNS RoundRobin
 - Have logging from both servers pointing to same NFS-dir and have awstats
 create statistics from there
 Internal traffic:
 - Requests would all be received on RoundRobin_IP, and therefore
 LoadShared between the servers
 - Answers would all be send through Server_IP
 External traffic:
 - All traffic is done through Server_IP

 1. Are the clients ok with answers coming from different IP than send-to
 ... or how do I prevent this from disrupting client-server communication
 - some PostFix/other magic ?)

 2. What happens if one of my servers dies. Will RoundRobin still try to
 send traffic to it, and if so how will clients react on this ?

 3. Would Bonding be a better solution for my purpose ?

 4. Is there already a RHEL6 howto somewhere, that you can recommend ?

 5. What is best practice ?


 Thanks in advance :-) !
 ~maymann



Re: LoadShared Failover

2012-03-10 Thread Michael Maymann
Hi,

Wietse: thanks for your quick reply :) !

We have the following internal clients:
- RD Linux sendmail clients
- some special_home_brew websolutions that endusers maintain
- NetApp storage systems
- etc.

Mail path:
Internal_clients-my_postfix_mailrelay(s)-external_receiving_mailserver
We're not receiving any external mails...!

How do I best setup a loadshared failover postfix mailrelay solution for
this on RHEL6 ?


thanks in advance :-) !
~maymann


2012/3/10 Wietse Venema wie...@porcupine.org

 Michael Maymann:
  If RoundRobin is best practise/preferred solution, should I then do:
 
  ; zone file fragment
          IN  MX  10  mail.example.com.

  mail    IN  A   192.168.0.4
          IN  A   192.168.0.5
          IN  A   192.168.0.6

  or

  ; zone file fragment
          IN  MX  10  mail.example.com.
          IN  MX  10  mail1.example.com.
          IN  MX  10  mail2.example.com.

  mail  IN  A   192.168.0.4
  mail1 IN  A   192.168.0.5
  mail2 IN  A   192.168.0.6
 
  I think I would prefer the first solution - as a single hostname can be
  distributed to endusers.

 MX lookups are for MTAs, end-user mail clients should connect
 to the A record on port 587.

Wietse



Re: LoadShared Failover

2012-03-10 Thread Michael Maymann
Hi,

Wietse: always nice with a bit of humor... :) !
I guess I then only need A records, as this will be our only mailserver
inhouse for RD.
Benny: I guess this is not needed then, but just out of curiosity: for a
internal sending-only mailrelay why can't I use RFC1918 IPs ?

1. Is best practice to set this up with bonding then ?
2. How do I solve client-server communication, when requests will not get
answered from same IP - or can it be - and if so: how do I do this, is
there a how-to on setting this up on RHEL6 ?


Thanks in advance :-) !
~maymann


2012/3/10 Benny Pedersen m...@junc.org

 Den 2012-03-10 09:47, Michael Maymann skrev:

  ; zone file fragment
  IN MX 10 mail.example.com.
 
 mail IN A 192.168.0.4
  IN A 192.168.0.5
  IN A 192.168.0.6


 dont list rfc1918 ip in mx, but if its just a question on model, go for
 this solution




LDAP email-address translation

2012-01-19 Thread Michael Maymann
Hi List,

I have setup a mailrelay (outgoing mail only), and I would like to enable
LDAP, so that all users localmail (maymann) on all my servers is send to my
mailrelay and converted into globally-valid-addresses (
michael.maym...@globaldomain.com) and we can read it from our standard
globally-used-mailserver.

This is my current configuration:

main.cf:
---
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
mydomain = MYDOMAIN
myorigin = $mydomain
inet_interfaces = all
mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, MYVLAN1, MYVLAN2, etc
relay_domains = $mydestination
# this will be commented out when we effectuate the new config
relayhost = [MYISP]
# this will be commented in when we effectuate the new config
# transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
---

transport (everything will be commented in when we effectuate the new
config):
---
## Relay own mail to own server
#our_own_domain  relay:OUR_OFFICIAL_MAILSERVER
## Relay only mail to known external vendors
#MY_VENDOR1 relay:OUR_ISP_MAILRELAY
#MY_VENDOR2 relay:OUR_ISP_MAILRELAY
#MY_VENDOR3 relay:OUR_ISP_MAILRELAY
#MY_VENDOR4 relay:OUR_ISP_MAILRELAY
#MY_VENDOR5 relay:OUR_ISP_MAILRELAY
---

Anyone who knows what is needed on my mailrelay for this to work ?

Thanks in advance :-) !
~maymann


Re: Send bouncing to specific bounce-account

2012-01-12 Thread Michael Maymann
Hi Noel,

Thanks for your kind reply...:-) !
This is for incoming mails (perhaps it is not called bouncing then...?)...
:-o
When I am about to reject an incoming mail - can I first forward this mail
to a external mailbox and then reject afterwards... or shouldn't I be doing
this... is this considered bad behaviour...?
How can this be done - please provide examples if possible.


Thanks in advance :-) !
~maymann

2012/1/5 Noel Jones njo...@megan.vbhcs.org

 On 1/5/2012 8:04 AM, Michael Maymann wrote:
  Hi List,
 
  I have a mailrelay (internal-external), that I'm trying to harden
  by allowing only certain external domains.
  Is it possible to send bouncing mails to a specific
  bou...@mydomain.com account, so I can
  keep an extra eye on what is being bounced when I do the switch, and
  perhaps some weeks after...?
 
  Thanks in advance :-) !
  ~maymann


 When you send the original mail, set the envelope sender to the
 bounce address, and all bounces will be returned to that address
 automatically.  The From: header can still be set to whatever you wish.


  -- Noel Jones



Re: Send bouncing to specific bounce-account

2012-01-12 Thread Michael Maymann
Hi Reindl,

thanks for you reply...:-) !
this is a mailrelay for internal hosts sending to Internet... not
accessible/receiving mails from Internet.
The bou...@mydomain.com mailbox is externally hosted and has filtering
processes configured.
If I thought of doing this - how can this be done in the configuration
(would it be better/more secure to create a bounce-account locally on my
mailrelay instead of on our official externally hosted mailserver) ?

Thanks in advance :-) !
~maymann

2012/1/12 Reindl Harald h.rei...@thelounge.net

 you really will not do this because you would open
 a door for a DOS-attack - imagine someone does not
 love you and starts sending mails you are rejecting
 in a loop to your server until your disk is full

 best practice is send as less as possible generated
 mails and that is why you normally should reject

 the delivering server is in this case responsible
 for creating bounce-messages or not

 Am 12.01.2012 19:04, schrieb Michael Maymann:
  Hi Noel,
 
  Thanks for your kind reply...:-) !
  This is for incoming mails (perhaps it is not called bouncing
 then...?)... :-o
  When I am about to reject an incoming mail - can I first forward this
 mail to a external mailbox and then reject
  afterwards... or shouldn't I be doing this... is this considered bad
 behaviour...?
  How can this be done - please provide examples if possible.
 
 
  Thanks in advance :-) !
  ~maymann
 
  2012/1/5 Noel Jones njo...@megan.vbhcs.org
 
  On 1/5/2012 8:04 AM, Michael Maymann wrote:
   Hi List,
  
   I have a mailrelay (internal-external), that I'm trying to harden
   by allowing only certain external domains.
   Is it possible to send bouncing mails to a specific
   bou...@mydomain.com account, so I can
   keep an extra eye on what is being bounced when I do the switch, and
   perhaps some weeks after...?
  
   Thanks in advance :-) !
   ~maymann
 
 
  When you send the original mail, set the envelope sender to the
  bounce address, and all bounces will be returned to that address
  automatically.  The From: header can still be set to whatever you
 wish.
 
 
   -- Noel Jones
 
 

 --

 Mit besten Grüßen, Reindl Harald
 the lounge interactive design GmbH
 A-1060 Vienna, Hofmühlgasse 17
 CTO / software-development / cms-solutions
 p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
 icq: 154546673, http://www.thelounge.net/

 http://www.thelounge.net/signature.asc.what.htm




Re: Send bouncing to specific bounce-account

2012-01-12 Thread Michael Maymann
Hi Reindl,

thanks...:-) !
point taken... case dropped...:-) !

~maymann

2012/1/12 Reindl Harald h.rei...@thelounge.net

 normally you should not even consider this
 the sender is responsible for the return-path
 he puts in the mail-header and this is the
 bounce-address

 since this is a do not i never thought how it would
 be possible to set up

 Am 12.01.2012 19:30, schrieb Michael Maymann:
  thanks for you reply...:-) !
  this is a mailrelay for internal hosts sending to Internet... not
 accessible/receiving mails from Internet.
  The bou...@mydomain.com mailbox is externally hosted and has filtering
  processes configured.
  If I thought of doing this - how can this be done in the configuration
 (would it be better/more secure to create a
  bounce-account locally on my mailrelay instead of on our official
 externally hosted mailserver) ?
 
 
  2012/1/12 Reindl Harald h.rei...@thelounge.net
 
  you really will not do this because you would open
  a door for a DOS-attack - imagine someone does not
  love you and starts sending mails you are rejecting
  in a loop to your server until your disk is full
 
  best practice is send as less as possible generated
  mails and that is why you normally should reject
 
  the delivering server is in this case responsible
  for creating bounce-messages or not
 
  Am 12.01.2012 19:04, schrieb Michael Maymann:
   Hi Noel,
  
   Thanks for your kind reply...:-) !
   This is for incoming mails (perhaps it is not called bouncing
 then...?)... :-o
   When I am about to reject an incoming mail - can I first forward
 this mail to a external mailbox and then reject
   afterwards... or shouldn't I be doing this... is this considered
 bad behaviour...?
   How can this be done - please provide examples if possible.
  
  
   Thanks in advance :-) !
   ~maymann
  
   2012/1/5 Noel Jones njo...@megan.vbhcs.org
  
   On 1/5/2012 8:04 AM, Michael Maymann wrote:
    Hi List,

    I have a mailrelay (internal-external), that I'm trying to harden
    by allowing only certain external domains.
    Is it possible to send bouncing mails to a specific
    bou...@mydomain.com account, so I can
    keep an extra eye on what is being bounced when I do the switch, and
    perhaps some weeks after...?

    Thanks in advance :-) !
    ~maymann
  
  
   When you send the original mail, set the envelope sender to the
   bounce address, and all bounces will be returned to that
 address
   automatically.  The From: header can still be set to whatever
 you wish.
  
  
-- Noel Jones
  
  
 
  --
 
  Mit besten Grüßen, Reindl Harald
  the lounge interactive design GmbH
  A-1060 Vienna, Hofmühlgasse 17
  CTO / software-development / cms-solutions
  p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
  icq: 154546673, http://www.thelounge.net/
 
  http://www.thelounge.net/signature.asc.what.htm
 
 

 --

 Mit besten Grüßen, Reindl Harald
 the lounge interactive design GmbH
 A-1060 Vienna, Hofmühlgasse 17
 CTO / software-development / cms-solutions
 p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
 icq: 154546673, http://www.thelounge.net/

 http://www.thelounge.net/signature.asc.what.htm




Re: Internal+external mailrelay

2012-01-10 Thread Michael Maymann
Hi Noel,

Thanks for you kind reply, and sorry for not being informative enough.
I would like to configure the following rules in postfix:
1. All mail to our_own_domain are send to our_external_hosted_mailserver
(Ralf already helped me with this...)
2. All mail from our printers to external domains are send to
our_isp_mailrelay
3. All mail from everything but our printers to whitelisted external
domains are send to our_isp_mailrelay (Ralf already helped me with this,
but does this need to change...?)
4. All other mail is bounced to bounce@our_own_domain.com

As I'm pretty new to Postfix, can you point out the variables/configfiles
that I need to edit to achieve this - or perhaps even give config
example...:-) !

Thanks in advance :-) !
~maymann

2012/1/10 Noel Jones njo...@megan.vbhcs.org

 On 1/10/2012 3:02 PM, Michael Maymann wrote:
  Please, anyone who can help me with this...:-) !
 
  ~maymann


 I don't think anyone quite knows what you're asking.

 Please explain your goals and current config as described here:
 http://www.postfix.org/DEBUG_README.html#mail







  -- Noel Jones



Re: Internal+external mailrelay

2012-01-10 Thread Michael Maymann
Hi Wietse,

thanks for your kind reply...:-) !
You're right...

- We currently have a setup where all mail from RD internal-external is
send to my mailrelay in a specific site, as our_isp_relay only allows us to
send from there to their mailrelay - no restrictions (this is not our
primary mail).
- Our_isp_relay has already blacklisted my mailrelay twice, caused by
reputation based filtering - no spamming occurred though (all known domains
at-least...), but the number of mails was rather high...
- We are about to send monitoring alert through my mailrelay pretty soon,
and therefore I would like to avoid spam filtering if possible - but saw
domain-whitelisting as a solution to limit damages to a minimum if a host
goes hostile...
- Our Printers are also on the RD network and they need scan-email
functionality, so I still need to allow printers to send to anyone.
- 99.96% of mail going through my mailrelay goes to our own official
mailboxes, so my thinking was to route all this directly to our official
mailserver and get my mailrelay whitelisted there (so no spamfiltering is
done on mails from this IP)...

Thanks in advance :-) !
~maymann

2012/1/10 Wietse Venema wie...@porcupine.org

 Michael Maymann:
  Hi Noel,
 
  Thanks for you kind reply, and sorry for not being informative enough.
  I would like to configure the following rules in postfix:
  1. All mail to our_own_domain are send to our_external_hosted_mailserver
  (Ralf already helped me with this...)
  2. All mail from our printers to external domains are send to
  our_isp_mailrelay
  3. All mail from everything but our printers to whitelisted external
  domains are send to our_isp_mailrelay (Ralf already helped me with this,
  but does this need to change...?)

 Printers can send mail to all destinations, but users cannot?

 What problem are you trying to solve by doing that? Describe
 the problem, instead of your solution above.

Wietse

  4. All other mail is bounced to bounce@our_own_domain.com
 
  As I'm pretty new to Postfix, can you point out the variables/configfiles
  that I need to edit to achieve this - or perhaps even give config
  example...:-) !
 
  Thanks in advance :-) !
  ~maymann
 
  2012/1/10 Noel Jones njo...@megan.vbhcs.org
 
   On 1/10/2012 3:02 PM, Michael Maymann wrote:
Please, anyone who can help me with this...:-) !
   
~maymann
  
  
   I don't think anyone quite knows what you're asking.
  
   Please explain your goals and current config as described here:
   http://www.postfix.org/DEBUG_README.html#mail
  
  
  
  
  
  
  
-- Noel Jones
  



Re: Internal+external mailrelay

2012-01-08 Thread Michael Maymann
Hi list,

please, anyone who can help me with this - would like to implement next
week if possible...?

Thanks in advance :-) !
~maymann

2012/1/5 Michael Maymann mich...@maymann.org

 Hi Ralf,

 one additional question.
 I figured that our printers perhaps should be allowed to send mails to
 anyone - hence I need to specifically relay mail for these to any domain.
 This mean I have to configure the following rules in postfix:
 1. All mail to our_own_domain are send to our_external_hosted_mailserver
 (done)
 2. All mail from our printers to external domains are send to
 our_isp_mailrelay
 3. All mail from everything but our printers to whitelisted external
 domains are send to our_isp_mailrelay (done ?)
 4. All other mail is bounced to bounce@our_own_domain.com

 Can you help with what I need to configure to get this working as
 well...:-) !


 Thanks in advance :-) !
 ~maymann

 2012/1/3 Ralf Hildebrandt ralf.hildebra...@charite.de

 * Michael Maymann mich...@maymann.org:
  Hi Ralf,
 
  Thanks again :-) !,
 
  If I keep relayhost there, it will still be possible to send mails to
  others than my whitelisted transport_maps,

 yes

  or will transport_maps make relayhost irrelevant (not working /
  commented out) ?

 no.


 --
 Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de





Re: Internal+external mailrelay

2012-01-05 Thread Michael Maymann
Hi Ralf,

one additional question.
I figured that our printers perhaps should be allowed to send mails to
anyone - hence I need to specifically relay mail for these to any domain.
This mean I have to configure the following rules in postfix:
1. All mail to our_own_domain are send to our_external_hosted_mailserver
(done)
2. All mail from our printers to external domains are send to
our_isp_mailrelay
3. All mail from everything but our printers to whitelisted external
domains are send to our_isp_mailrelay (done ?)
4. All other mail is bounced to bounce@our_own_domain.com

Can you help with what I need to configure to get this working as
well...:-) !

Thanks in advance :-) !
~maymann

2012/1/3 Ralf Hildebrandt ralf.hildebra...@charite.de

 * Michael Maymann mich...@maymann.org:
  Hi Ralf,
 
  Thanks again :-) !,
 
  If I keep relayhost there, it will still be possible to send mails to
  others than my whitelisted transport_maps,

 yes

  or will transport_maps make relayhost irrelevant (not working /
  commented out) ?

 no.


 --
 Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de




Mail statistics

2012-01-04 Thread Michael Maymann
Hi List,

would like to setup some statistics on my postfix server.
I know of these solutions:
web: http://mailgraph.schweikert.ch
shell: qshape


All recommendations are welcome.

Thanks in advance :-)
~maymann


Internal+external mailrelay

2012-01-03 Thread Michael Maymann
Hi List,

I have a internal mailrelay, that I would like to provide following service:
1. mail to our own domain is send directly to our externally hosted
(outsourced) mailserver
2. mail to external domains are relayed through ISP-mail-relay only for
specific domains

I have the following in my main.cf now (not enabled yet):
#our_own_domain.com smtp:our_external_hosted_mailserver
#servicepartner1 relay:our_isp_mailrelay
#servicepartner2 relay:our_isp_mailrelay
#servicepartner3 relay:our_isp_mailrelay
#servicepartner4 relay:our_isp_mailrelay
#servicepartner5 relay:our_isp_mailrelay

My server is used primarily (99,96% are going to our_own_domain) by
internal services to send notifications to our users, but also some mails
are needed to a handful external servicepartners...
Soon we will also send critical alert from our monitoring solution, and I
would therefore like to get the most secure solution without implementing a
filter, that might blacklist vital alerts
I will get my server whitelisted also in our_external_hosted_mailserver to
accept all mails (no filtering) to make sure all mails are coming in and
not stopped by a spamfilter there...
It would then only be possible to send spam to our servicepartners this way
- which I guess should be highly unlikely to happen...?

1. Is this the right way to do it - or are there better alternatives ?
2. When should I use smtp/relay in my config - does the above seem to be
correct ?


Thanks in advance :-)
~maymann


Re: Internal+external mailrelay

2012-01-03 Thread Michael Maymann
Hi Ralf,

Thanks - I now have...
---
/etc/postfix/main.cf:
# transport_maps = hash:/etc/postfix/transport
relayhost = [our_isp_mailrelay]

/etc/postfix/transport:
#our_own_domain.com smtp:our_external_hosted_mailserver
#servicepartner1 relay:our_isp_mailrelay
#servicepartner2 relay:our_isp_mailrelay
#servicepartner3 relay:our_isp_mailrelay
#servicepartner4 relay:our_isp_mailrelay
#servicepartner5 relay:our_isp_mailrelay
---
When i put this to production, my config should be like this, right:
---
main.cf
transport_maps = hash:/etc/postfix/transport
#relayhost = [our_isp_mailrelay]

/etc/postfix/transport:
our_own_domain.com smtp:our_external_hosted_mailserver
servicepartner1 relay:our_isp_mailrelay
servicepartner2 relay:our_isp_mailrelay
servicepartner3 relay:our_isp_mailrelay
servicepartner4 relay:our_isp_mailrelay
servicepartner5 relay:our_isp_mailrelay
---

All our mail are going through to our_isp_mailrelay today, so I no longer
need the relayhost = [our_isp_mailrelay] in main.cf when I have
configured transport_maps - or how does this work ?

Thanks in advance :-)
~maymann


2012/1/3 Ralf Hildebrandt ralf.hildebra...@charite.de

 * Michael Maymann mich...@maymann.org:
  Hi List,
 
  I have an internal mailrelay, that I would like to provide following
 service:
  1. mail to our own domain is sent directly to our externally hosted
  (outsourced) mailserver
  2. mail to external domains is relayed through ISP-mail-relay only for
  specific domains
 
  I have the following in my main.cf now (not enabled yet):

 You need to put those in /etc/postfix/transport and then reference
 that file from main.cf using:

 transport_maps = hash:/etc/postfix/transport

  #our_own_domain.com smtp:our_external_hosted_mailserver
  #servicepartner1 relay:our_isp_mailrelay
  #servicepartner2 relay:our_isp_mailrelay
  #servicepartner3 relay:our_isp_mailrelay
  #servicepartner4 relay:our_isp_mailrelay
  #servicepartner5 relay:our_isp_mailrelay
 
  My server is used primarily (99,96% are going to our_own_domain) by
  internal services to send notifications to our users, but also some mails
  are needed to a handful of external servicepartners...
  Soon we will also send critical alerts from our monitoring solution, and I
  would therefore like to get the most secure solution without
 implementing a
  filter, that might blacklist vital alerts
  I will get my server whitelisted also in our_external_hosted_mailserver
 to
  accept all mails (no filtering) to make sure all mails are coming in and
  not stopped by a spamfilter there...
  It would then only be possible to send spam to our servicepartners this
 way
  - which I guess should be highly unlikely to happen...?
 
  1. Is this the right way to do it - or are there better alternatives ?
 It's OK

  2. When should I use smtp/relay in my config - does the above seem to be
  correct ?

 If it's relaying, use relay:

 --
 Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de




Re: Internal+external mailrelay

2012-01-03 Thread Michael Maymann
Hi Ralf,

Thanks again :-) !,

If I keep relayhost there, it will still be possible to send mails to
others than my whitelisted transport_maps, or will transport_maps make
relayhost irrelevant (not working / commented out) ?

I guess my
our_own_domain.com smtp:our_external_hosted_mailserver
should also be:
our_own_domain.com relay:our_external_hosted_mailserver
as my postfix server is not doing the mailservice for this domain, but
our_external_hosted_mailserver is, so it should be relay here also right ?

Thanks in advance :-) !
~maymann

2012/1/3 Ralf Hildebrandt ralf.hildebra...@charite.de

 * Michael Maymann mich...@maymann.org:
  Hi Ralf,
 
  Thanks - I now have...
  ---
  /etc/postfix/main.cf:
  # transport_maps = hash:/etc/postfix/transport
  relayhost = [our_isp_mailrelay]
 
  /etc/postfix/transport:
  #our_own_domain.com smtp:our_external_hosted_mailserver
  #servicepartner1 relay:our_isp_mailrelay
  #servicepartner2 relay:our_isp_mailrelay
  #servicepartner3 relay:our_isp_mailrelay
  #servicepartner4 relay:our_isp_mailrelay
  #servicepartner5 relay:our_isp_mailrelay
  ---
  When I put this to production, my config should be like this, right:
  ---
  main.cf
  transport_maps = hash:/etc/postfix/transport
  #relayhost = [our_isp_mailrelay]
 
  /etc/postfix/transport:
  our_own_domain.com smtp:our_external_hosted_mailserver
  servicepartner1 relay:our_isp_mailrelay
  servicepartner2 relay:our_isp_mailrelay
  servicepartner3 relay:our_isp_mailrelay
  servicepartner4 relay:our_isp_mailrelay
  servicepartner5 relay:our_isp_mailrelay
  ---
 
  All our mail is going through to our_isp_mailrelay today, so I no longer
  need the relayhost = [our_isp_mailrelay] in main.cf when I have
  configured transport_maps - or how does this work ?

 That looks OK.
 You can keep the relayhost line if you like; stuff found in
 transport_maps takes precedence anyway.

 --
 Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
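
The question in this exchange is whether a transport table acts as an allow-list while relayhost stays set. The following is an added example, not code from the thread or from Postfix: a simplified, domain-level model of Postfix next-hop selection, with `servicepartner1.example` and `unlisted.example` as constructed domains and the thread's placeholder host names.

```python
# Simplified model of how Postfix picks (transport, nexthop) for a remote
# recipient. Domain-level lookups only; not Postfix source code.

def parse_transport(text):
    """Parse transport(5)-style lines: 'pattern transport:nexthop'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, result = line.split(None, 1)
            transport, _, nexthop = result.partition(":")
            table[pattern.lower()] = (transport, nexthop)
    return table

def lookup(table, domain):
    """Exact domain first, then '.parent' entries, then the '*' wildcard."""
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get("*")

def route(recipient, table, relayhost=""):
    domain = recipient.rsplit("@", 1)[1].lower()
    # No table match: default transport, relayhost (if set) is the next hop.
    transport, nexthop = "smtp", relayhost or domain
    hit = lookup(table, domain)
    if hit:
        t, n = hit
        if t:  # a named transport resets the next hop to the recipient domain
            transport, nexthop = t, domain
        if n:  # an explicit next hop always wins over relayhost
            nexthop = n
    return transport, nexthop

# Constructed tables using the thread's placeholder host names.
LISTED = parse_transport("""
our_own_domain.com      relay:our_external_hosted_mailserver
servicepartner1.example relay:our_isp_mailrelay
""")
LOCKED = parse_transport("""
our_own_domain.com      relay:our_external_hosted_mailserver
servicepartner1.example relay:our_isp_mailrelay
*                       error:destination not on the relay allow-list
""")

if __name__ == "__main__":
    for name, table, rh in (("table + relayhost", LISTED, "[our_isp_mailrelay]"),
                            ("table only", LISTED, ""),
                            ("table + '*' error", LOCKED, "[our_isp_mailrelay]")):
        for rcpt in ("user@our_own_domain.com", "x@unlisted.example"):
            print(f"{name:18} {rcpt:26} -> {route(rcpt, table, rh)}")
```

In the model, only the table with the `*` catch-all stops mail to unlisted domains; note that a `*` entry also applies to domains the server delivers locally unless they have their own entry.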




Re: Loadbalancing+failover solution

2011-12-27 Thread Michael Maymann
Hi all,

Reindl: Thanks for your reply.
I guess this is for sending mails from postfix... my setup is regarding
linux server-postfix (so receiving mails, seen from postfix
point-of-view).
- how many retries total/per day ?
- what is the difference if I do it DNS RR/MX equal value, do you know ?

Thanks in advance :-) !
~maymann

2011/12/27 Reindl Harald h.rei...@thelounge.net



 On 27.12.2011 18:12, Michael Maymann wrote:
  But if one postfix server goes down, will all DNS replies then be only
 for alive-postfix
  or will there also be dead-postfix replies that need to timeout, before
 it retries
  (and for how many times?) and potentially end up dropping the mail
  if it is so unlucky to get replies for dead-postfix on all retries ?

 normally a mailserver tries up to five days to deliver a message






Re: Loadbalancing+failover solution

2011-12-27 Thread Michael Maymann
Hi all,

Thanks Peter, for your kind reply - some setup you have there... sounds very
nice indeed...:-) !
- If I have a lower budget, can this then be achieved without the
loadbalancers and still have same redundancy/flexibility (using e.g. DNS
RR/MX with equal value) - if so what is for/against/preferred ?:
DNS RR: so just have like load-sharing (mail1-postfix1, mail2-postfix2,
mail3-postfix1, etc.). But if one postfix server goes down, will all DNS
replies then be only for alive-postfix - or will there also be dead-postfix
replies that need to timeout, before it retries (and for how many times?)
and potentially end up dropping the mail if it is so unlucky to get replies
for dead-postfix on all retries ?
MX with equal value: is this handled differently? does a request load
all MX records for the domain, and then sort them by value and then
alphabetically, ending up with: if one postfix is down it will
automatically try the next one in the sorted list...?

Thanks in advance :-) !
~maymann

On 27 Dec 2011 at 10:29, Peter Sørensen mas...@sdu.dk wrote:

 Hi Michael,

 We use a solution with 2 loadbalancers in front of 3+ postfix servers.
 All MX records (for around 100 domains) are directed to the same address –
 the address of the loadbalancers. Based on statistics for each server the
 mail is redirected to one of the 3-6 postfix servers we have running.
 Statistics for each server is written to our MySQL backend cluster where
 all postfix related files are located.

 As long as just one postfix server is running - mail is in function. We
 are able to add more servers on the fly depending on load.

 Best regards

 Peter Sørensen/Univ.Of.South.Denmark/email:mas...@sdu.dk

 From: owner-postfix-us...@postfix.org [mailto:
 owner-postfix-us...@postfix.org] On behalf of Michael Maymann
 Sent: 27 December 2011 08:47
 To: Postfix users
 Subject: Re: Loadbalancing+failover solution


 Hi All,
 Wietse: thanks for your replies - and sorry for not really knowing what
 I'm asking...:-)
 I guess my question is regarding receiving mail to PostFix: Linux
 servers-PostFix.
 is DNS RoundRobin or MX record with equal value preferred


 thanks in advance :-) !

 ~maymann

 2011/12/23 Wietse Venema wie...@porcupine.org

 Wietse:

  According to these:
 
  http://www.postfix.org/postconf.5.html#smtp_mx_address_limit
  http://www.postfix.org/postconf.5.html#smtp_mx_session_limit
 
  The Postfix SMTP client will try at least five IP addresses or two
  SMTP sessions. When it reaches either limit, Postfix will
  try another delivery later for several days.
 
  The retry schedule behaves as documented at:
 
  http://www.postfix.org/TUNING_README.html#hammer

 Michael Maymann:

  Hi Wietse,
 
  thanks for your nice comments.
 
  I guess what you mention is valid for my internal postfix relay
  server-ISP mailserver - or am I mistaken ?

 What I write is valid for the Postfix SMTP client, whether
 it sends mail to your ISP, or to your internal mail server.

Wietse




Re: Loadbalancing+failover solution

2011-12-27 Thread Michael Maymann
Hi Lorens,

thanks for your kind reply...:-) !
yes this is exactly the case... and my internal local-mailers consist of
standard RHEL5+6 servers and NetApp's.
Our ISP is restricting mail from only 1 of our sites, so we need to relay
all our internal mail globally through this site.

We can't prevent non-mail applications, as we don't have 100% control of
all hosts (LAB equipment etc.), so I guess it makes sense to still keep
local-mailer, at least just to keep consistency.
Thanks for clarifying...:-)

Do you have a howto for this setup lying around somewhere (local-mailer -
HA postfix relay) ?:


Thanks in advance :-) !

~maymann


2011/12/27 Lorens Kockum postfix-users-4...@tagged.lorens.org

 On Tue, Dec 27, 2011 at 06:12:12PM +0100, Michael Maymann wrote:
  Hi all,
 
  Thanks Peter, for your kind reply - some setup you have there... sounds
 very
  nice indeed...:-) !
  - If I have a lower budget, can this then be achieved without the
  loadbalancers and still have same redundancy/flexibility (using e.g. DNS
  RR/MX with equal value) - if so what is for/against/preferred ?:

 I looked over the rest of the thread and I suspect people are
 talking about different things.

 If I understand correctly, you want a relay. You have a lot
 of servers with a primary function that is not sending mail,
 but which do send mail, and you want to relay all the mail out
 through a set of controlled dedicated mail servers. Am I right?

 If so, the basic question is *how* the servers send mail. Either
 the applications send mail directly to a hostname (Java Mail
 or PHP for example), or they use the local mailer, which would
 be postfix, I suppose, with a default smarthost configuration
 pointing to your dedicated mail servers.

 Pros and Cons:

 - Not using local mailer will permit loadbalancing mail sent from
 a single host over several postfix instances.

 - Using local mailer will always work for all applications
 (since applications that send to a hostname can send to
 127.0.0.1)

 - Using local mailer forces you to monitor the daemon and the
 queues on all the machines, and takes up (probably negligible)
 system resources

 - Using local mailers will give you the UID of the sending
 process in the headers

 - Using local mailer protects you from a short outage of the
 dedicated servers or some part of the network. Mail will be
 spooled locally until the dedicated machines come back on line.

 - Conversely, not using a local mailer will protect you from
 local failures such as full disks or postfix not running,
 but expose you more to network problems and availability
 problems. That will cause you to look at redundant load
 balancers.

 - Using a load balancer will probably require you to mask source
 IPs. That doesn't matter if you trust your servers or if you run
 local firewalls forcing mail to run through the local mailer. If
 you worry about client-written forms being exploited to send
 spam you need to think about that.

  DNS RR: so just have like load-sharing (mail1-postfix1, mail2-postfix2,
  mail3-postfix1, etc.). But if one postfix server goes down, will all
 DNS
  replies then be only for alive-postfix - or will there also be
 dead-postfix
  replies that need to timeout, before it retries (and for how many
 times?)
  and potentially end up dropping the mail if it is so unlucky to get
 replies
  for dead-postfix on all retries ?
  MX with equal value: is this handled differently? does a request load
  all MX records for the domain, and then sort them by value and then
  alphabetically, ending up with: if one postfix is down it will
  automatically try the next one in the sorted list...?

 If you use a redundant load balancer, it will take care of
 all that and always reply. Unless the network goes down, of
 course.

 If you do not, then there will be timeouts if something goes
 down. You can specify relayhosts with or without brackets; the
 brackets stop MX lookups. I seem to remember that in postfix
 a relayhost that resolves to several IP addresses will be
 handled more or less the same as a relayhost that has several MX
 records. I think that wondering about which is more efficient is
 not very useful since the difference is certainly vanishingly
 small. Using MX permits you to specify main servers and backup
 servers, but that's about it. However, non-mail applications
 that send mail directly will probably not be able to handle
 anything else than a single host/IP correctly.

 So . . . is there a unique answer . . . probably not, need more
 info on your situation and needs :-)
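
The equal-weight MX question in this thread, and the two limits Wietse cites in his quoted reply (five addresses, two sessions), can be seen in a simplified model of one Postfix SMTP client delivery attempt. This is an added example, not Postfix code; the host names and 192.0.2.x addresses are constructed, and it assumes that equal-preference addresses are shuffled and that a host which never completes the handshake does not count as a session.

```python
import random

def candidates(mx, addrs, address_limit=5, rng=random):
    """MX hosts sorted by preference; addresses of equal preference are
    shuffled; the list is cut to address_limit entries (0 = no limit)."""
    ordered = []
    for pref in sorted({p for p, _ in mx}):
        group = [ip for p, host in mx if p == pref for ip in addrs[host]]
        rng.shuffle(group)
        ordered.extend(group)
    return ordered[:address_limit] if address_limit else ordered

def deliver(mx, addrs, reachable, accepting,
            address_limit=5, session_limit=2, rng=random):
    """One delivery attempt. Returns ('sent', ip) or ('deferred', tried_ips);
    a deferred message stays queued and is retried later."""
    sessions, tried = 0, []
    for ip in candidates(mx, addrs, address_limit, rng):
        tried.append(ip)
        if ip not in reachable:
            continue            # no handshake completed: not counted as a session
        sessions += 1
        if ip in accepting:
            return "sent", ip
        if session_limit and sessions >= session_limit:
            break               # session limit reached: give up for now
    return "deferred", tried

# Constructed data: two equal-weight relays, as asked about in the thread.
MX = [(10, "postfix1.example"), (10, "postfix2.example")]
ADDRS = {"postfix1.example": ["192.0.2.1"], "postfix2.example": ["192.0.2.2"]}

def equal_weight_failover(seed):
    """postfix1 is down; whichever order the shuffle gives, postfix2 gets it."""
    return deliver(MX, ADDRS, reachable={"192.0.2.2"}, accepting={"192.0.2.2"},
                   rng=random.Random(seed))

if __name__ == "__main__":
    print([equal_weight_failover(s) for s in range(4)])
```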



Re: Loadbalancing+failover solution

2011-12-26 Thread Michael Maymann
Hi All,
Wietse: thanks for your replies - and sorry for not really knowing what I'm
asking...:-)
I guess my question is regarding receiving mail to PostFix: Linux
servers-PostFix.
is DNS RoundRobin or MX record with equal value preferred


thanks in advance :-) !

~maymann

2011/12/23 Wietse Venema wie...@porcupine.org

 Wietse:
  According to these:
 
  http://www.postfix.org/postconf.5.html#smtp_mx_address_limit
  http://www.postfix.org/postconf.5.html#smtp_mx_session_limit
 
  The Postfix SMTP client will try at least five IP addresses or two
  SMTP sessions. When it reaches either limit, Postfix will
  try another delivery later for several days.
 
  The retry schedule behaves as documented at:
 
  http://www.postfix.org/TUNING_README.html#hammer

 Michael Maymann:
  Hi Wietse,
 
  thanks for your nice comments.
 
  I guess what you mention is valid for my internal postfix relay
  server-ISP mailserver - or am I mistaken ?

 What I write is valid for the Postfix SMTP client, whether
 it sends mail to your ISP, or to your internal mail server.

Wietse



Re: Loadbalancing+failover solution

2011-12-23 Thread Michael Maymann
Hi list,

Robert: thanks for your quick reply.
Sorry for being vague - This is for internal outgoing mail only (my linux
servers-my postfix relay server-ISP mailserver).
I would like loadsharing (maybe real balancing is not needed for me...)
between my linux server-my postfix relay server.
My guess is I could do this (at least) 2 ways:
1. DNS RoundRobin
2. MX with equal weight

Any thoughts: e.g. will mail actually retry delivery for all IP's listed in
DNS RR if one is not responding, or will it just directly return to
sender=local linux user without trying any of the other IP's...) ?


Thanks in advance :-) !

~maymann


2011/12/22 Robert Schetterer rob...@schetterer.org

 On 22.12.2011 19:01, Michael Maymann wrote:
  Hi List,
 
  I would like to setup a stable and reliable mailrelay solution based on
  PostFix, that is both redundant and could share the load between 2
  physical servers.
  How is this done best...? thoughts/documentation/howtos are very
  welcome...:-)
 
 
  Thanks in advance :-) !
 
  ~maymann

 the cheap way, have 2 equal weight mx records, I've seen this outside,
 not sure if you may run in problems with that, better way, use some
 loadbalancers before postfix, search the list archive about it
 as in real world, there is no best, there is only a best what fits to
 your needs

 --
 Best Regards

 MfG Robert Schetterer

 Germany/Munich/Bavaria



Dividing relay for internal and external mail

2011-12-22 Thread Michael Maymann
Hi List,

I have a postfix server currently relaying all mails to our ISP
mailserver. As we had a crash in one of our big services, our ISP
mailserver saw this extensivated traffic as spam (due to reputation-based
filtering) and blacklisted my postfix relayhost...:-(!
I have double-checked that we are not spamming, and we are only sending to
internal or known vendor emails.

As 99,96% of all our mail is to internal users (*@internal_mail.com), I
would like to relay these directly to our official mailserver, and still
keep relaying external mails (anything but *@internal_mail.com) to our ISP
mailserver.
Is it possible to do this in postfix, or can I only have 1 relayhost
configured at a time ?
If possible - how can this be done.


Thanks in advance :-) !

~maymann


Loadbalancing+failover solution

2011-12-22 Thread Michael Maymann
Hi List,

I would like to setup a stable and reliable mailrelay solution based on
PostFix, that is both redundant and could share the load between 2 physical
servers.
How is this done best...? thoughts/documentation/howtos are very
welcome...:-)


Thanks in advance :-) !

~maymann


Howto forward local mail from all my LDAP-users on all my linuxboxes to their outlook email-accounts

2011-12-22 Thread Michael Maymann
Hi List,

I also would like to forward local mail from all my LDAP-users (e.g.
maymann) on all my linuxboxes to their outlook email-accounts (e.g.
michael.maym...@domain.com).
Anyone with a working howto for this?


Thanks in advance :-)

~Maymann