
3rd party message archiving configuration

  • Joshua Colson
    Message 1 of 6 , Sep 28, 2006
      I have postfix 2.2.5 set up with multiple virtual domains. I have a
      couple of customers that want to use a third-party message archiving
      service. My problem is I need to ensure that all the email messages for
      a particular domain (actually, multiple domains) are routed via the
      third-party service. I've searched the archives for sender-based routing
      and found snippets suggesting that it might be possible with 2.3 or that
      there may be other workarounds such as using smtpd_sender_restrictions
      to filter the messages to the external system, but that seems like it
      will create a loop.

      Does anyone have any idea how to accomplish this? I would greatly
      appreciate any assistance that can be provided.

      Thank you all.

      --
      Joshua Colson <jcolson@...>
    • Victor Duchovni
      Message 2 of 6 , Sep 28, 2006
        On Thu, Sep 28, 2006 at 10:02:34AM -0700, Joshua Colson wrote:

        > I've searched the archives for sender-based routing
        > and found snippets suggesting that it might be possible with 2.3 or that
        > there may be other work arounds such as using smtpd_sender_restrictions
        > to filter the messages to the external system but that seems like it
        > will create a loop.

        Give the vendor a separate re-injection port where the filter is not
        installed. Restrict access to the port to just the vendor's machines.
        Use an access table or a policy service to select which messages
        are rerouted to the vendor.

        My preference for archiving is to not make the archive a part of normal
        mail delivery. Rather, messages are "forked" with one copy going to
        the archive and another to the recipient(s). The forked messages are
        encapsulated with envelope information and processed via "soft_bounce=yes"
        queues with high queue lifetimes and a default transport that saves any
        mail not ultimately delivered to the archive (say bounces) to a local
        maildir.

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
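The "policy service" option from the reply above, as an added example that is not from the post or from Postfix itself: a minimal SMTPD policy daemon speaking the Postfix policy delegation protocol (attribute=value lines, blank line terminates a request, reply is "action=..." plus a blank line). It answers FILTER for mail whose envelope sender or recipient is in an archived domain and DUNNO otherwise; the domain list, the vendor host/port in the FILTER action and the listening port 10031 are constructed placeholders. Note that a FILTER action applies to the whole message, all recipients included, so a mixed-recipient message is routed to the vendor as soon as one recipient matches.

```python
import socketserver

# Constructed example: customer domains whose mail must go via the vendor.
ARCHIVED_DOMAINS = {"customer-a.example", "customer-b.example"}
# Hypothetical vendor hand-off (transport:destination as in access(5)).
VENDOR_FILTER = "FILTER smtp:[archive.vendor.example]:10025"


def parse_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def domain_of(addr: str) -> str:
    # Bounces have an empty sender "<>", which yields "" and never matches.
    return addr.rpartition("@")[2].lower()


def decide(attrs: dict) -> str:
    """Return the access action for a request seen at the RCPT stage."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if domain_of(attrs.get("sender", "")) in ARCHIVED_DOMAINS:
        return VENDOR_FILTER
    if domain_of(attrs.get("recipient", "")) in ARCHIVED_DOMAINS:
        return VENDOR_FILTER
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection.
        buf = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                buf.append(line)
                continue
            action = decide(parse_request("\n".join(buf)))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()
            buf = []


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

Wire it in with check_policy_service inet:127.0.0.1:10031 under smtpd_recipient_restrictions after reject_unauth_destination on the public smtpd only; the vendor's re-injection port in master.cf gets no policy check and permit_mynetworks,reject as its client restriction, which is what prevents the loop the original question worries about.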
      • Gary V
        Message 3 of 6 , Sep 29, 2006
          >My preference for archiving is to not make the archive a part of normal
          >mail delivery. Rather messages are "forked" with one copy going to
          >the archive and another to the recipient(s). The forked messages are
          >encapsulated with envelope information and processed via "soft_bounce=yes"
          >queues with high queue lifetimes and a default transport that saves any
          >mail not ultimately delivered to the archive (say bounces) to a local
          >maildir.
          >
          >--
          > Viktor.
          >

          Assuming the archive is on another host, if you have time, and are willing,
          I personally would be interested in seeing a practical example of (at least
          some of) the settings that accomplish this.

          Thanks for your consideration Viktor.

          Gary V

        • Victor Duchovni
          Message 4 of 6 , Sep 29, 2006
            On Fri, Sep 29, 2006 at 01:11:42PM -0600, Gary V wrote:

            > Assuming the archive is on another host, if you have time, and are willing,
            > I personally would be interested in seeing a practical example of (at least
            > some of) the settings that accomplish this.

            Archive server (receives encapsulated archive messages for forwarding
            to vendor). Roach-motel instance, mail either delivered to archive or
            to a local maildir. There is another instance on injecting MTAs that
            feeds encapsulated messages to the central archive queue, similar in
            spirit, with less local storage. There are encapsulating proxies that
            in parallel hand off mail for internal routing and encapsulate into the
            per-MTA archive queue (one SMTP conversation in, two out, with "." to
            archive sent before "." to output MTA). There is more of course, but
            this should get you started.

            # Non-default instance. The default instance is a null-client
            # listening on 127.0.0.1.
            #
            config_directory = /etc/postfix/archive
            inet_interfaces = $myhostname
            mail_name = archive Postfix

            # Variant of "firewall" gateway configuration, no local delivery
            #
            alias_database =
            alias_maps =
            mydestination =
            mydomain = example.com
            local_header_rewrite_clients =
            local_recipient_maps =
            local_transport = error:Mailbox unavailable
            myorigin = $mydomain
            notify_classes =
            relay_transport = virtual
            smtpd_banner = $myhostname ESMTP $mail_name $mail_version
            smtpd_client_restrictions = permit_mynetworks, reject
            smtpd_recipient_restrictions = reject_unauth_destination
            syslog_name = postfix-archive

            # CDB tables in the config directory.
            #
            default_database_type = cdb
            indexed = ${default_database_type}:$config_directory/

            # Local submission largely disabled (root and "archive" are
            # able to send probes with "sendmail -bv").
            # Network submission restricted to suitable MTAs that
            # generate encapsulated archive messages.
            #
            authorized_submit_users = root, archive
            mynetworks = ${indexed}authclients

            # Tuning for large queues
            # Something other than /var/spool/postfix with plenty of space
            #
            queue_directory = ...
            default_recipient_limit = $qmgr_message_active_limit
            qmgr_message_active_limit = 1000000
            qmgr_message_recipient_limit = $qmgr_message_active_limit
            hash_queue_depth = 2
            hash_queue_names = active, deferred, defer
            default_process_limit = 500

            # Keep trying as long as possible, "no" means "maybe".
            #
            bounce_queue_lifetime = 100d
            maximal_queue_lifetime = 100d
            soft_bounce = yes

            # Message size limit larger than non-archive MTAs
            # Don't reject mail that a real MTA has accepted.
            message_size_limit = ...

            # All email to vendor uses TLS with mutual authentication.
            # Connections are not cachable. Dedicated receiving hosts
            # with up to 100 concurrent messages.
            #
            smtp_connection_cache_on_demand = no
            smtp_destination_concurrency_limit = 100

            # All SMTP mail to a single TLS peer:
            # TLS session caching limits PKI to 1 per hour per
            # peer.
            #
            smtp_tls_CAfile = /somewhere/tls/rsaroot.pem
            smtp_tls_cert_file = /somewhere/tls/cert.pem
            smtp_tls_key_file = /somewhere/tls/key.pem
            smtp_tls_mandatory_ciphers = high
            smtp_tls_secure_cert_match = vendor.example.org
            smtp_tls_security_level = secure
            smtp_tls_session_cache_database = btree:${config_directory}/smtp_scache

            # Map various internal archive recipients (1 per encapsulation format)
            # to appropriate vendor recipients, routed via SMTP to archive.
            #
            virtual_alias_domains = archive.example.com
            virtual_alias_maps = ${indexed}virtual
            transport_maps = ${indexed}transport

            # Deliver to a maildir ("misdelivered") on failure.
            #
            default_transport = virtual
            virtual_gid_maps = static:12345
            virtual_uid_maps = static:54321
            virtual_mailbox_base = /somewhere/maildir
            virtual_mailbox_domains = maildir.invalid
            virtual_mailbox_maps = ${indexed}vmbox, static:misdelivered/

            --
            Viktor.

          • Francisco Reyes
            Message 5 of 6 , Sep 30, 2006
              Joshua Colson writes:

              > I have postfix 2.2.5 setup with multiple virtual domains. I have a
              > couple of customers that want to use a third-party message archiving
              > service.

              One possible way:
              MX for incoming set to 3rd party vendor.
              Create a master.cf entry with an agreed upon port.. so your archive users
              send through that port. Set all connections to that port to go to the 3rd
              party provider like

              #### inet n - n - 20 smtpd
                -o content_filter=smtp:<providers ip>
            • Victor Duchovni
              Message 6 of 6 , Oct 1, 2006
                On Sat, Sep 30, 2006 at 10:59:16PM -0400, Francisco Reyes wrote:

                > Joshua Colson writes:
                >
                > >I have postfix 2.2.5 setup with multiple virtual domains. I have a
                > >couple of customers that want to use a third-party message archiving
                > >service.
                >
                > One possible way:
                > MX for incoming set to 3rd party vendor.
                > Create a master.cf entry with an agreed upon port.. so your archive users
                > send through that port. Set all connections to that port to go to the 3rd
                > party provider like
                >
                > #### inet n - n - 20 smtpd
                > -o content_filter=smtp:<providers ip>

                No. The OP's requirements are best met with multiple Postfix instances.

                --
                Viktor.
