
outbound email destination based on sender's domain

  • Iad Scoot
    Message 1 of 8 , Feb 27, 2009
      Hi,
       
      Working on a project that I need some advice on. I need to build out a Postfix server that will act as a smart host of sorts for several internal mail domains (each domain on a different server). The server will need to:
      • Relay mail directly between all of the internal mail domains (there are 5) without routing traffic to the Internet.
      • Relay mail destined for remote domains that originated from any of the 5 internal domains to edge Postfix systems.
      • When relaying to the edge Postfix systems, route to the appropriate edge system based on the sending domain.
      For example, take internal domains a.com - e.com. When a.com sends an email to anyone in domains b.com - e.com, the smart host should simply route that traffic back to the internal mail server for that domain. However, if a.com is sending email to yahoo.com, google.com, etc, then the smart host should forward that message to a.com's edge Postfix system so the traffic will exit to the Internet on a.com's WAN connection. This system will not be affected by inbound email traffic from remote domains (edge systems handle this).
       
      I've done some reading on multiple Postfix instances as a possible way of doing this but looking for someone to tell me if I'm looking in the right direction before I jump into this.
       
       
      Thanks as always...
    • Barney Desmond
      Message 2 of 8 , Feb 27, 2009
        I wish I got to work with such cleanly separated systems.

        2009/2/28 Iad Scoot <iad.scoot@...>:
        > Relay mail directly between all of the internal mail domains (there are
        > 5) without routing traffic to the Internet.

        This will happen automatically if the internal servers are the
        designated MXes in DNS. If not, as I assume is the case, you can use
        transport maps to specify that the next-hop for a.com is
        [internal-host.a.com], or whatever you're using.

        > Relay mail destined for remote domains that originated from any of the 5
        > internal domains to edge Postfix systems.

        Assuming the internal domain servers are in mynetworks or otherwise
        appropriately configured, Postfix will accept and forward the mail as
        expected.

        > When relaying to the edge Postfix systems, route to the appropriate edge
        > system based on the sending domain.

        Sounds like you want sender_dependent_relayhost_maps:
        http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps
      • Iad Scoot
        Message 3 of 8 , Feb 27, 2009
          Hey thanks for the info - it looks like (from what I've read so far) that the sender_dependent_relayhost_maps parameter is for specific users - is there any way to do this for any user (or all users) in a given domain w/o having to list their full address in the map file?
           
           
          Again, thanks a bunch for the help....


        • Barney Desmond
          Message 4 of 8 , Feb 27, 2009
            2009/2/28 Iad Scoot <iad.scoot@...>:
            > Hey thanks for the info - it looks like (from what I've read so far) that
            > the sender_dependent_relayhost_maps parameter is for specific users - is
            > there any way to do this for any user (or all users) in a given domain w/o
            > having to list their full address in the map file?

            That should work; according to the documentation, "The tables are
            searched by the envelope sender address and @domain".

            I admit I haven't *actually* used this myself, but I'm guessing you
            either use "senderdomain.com" (like a transport table) or
            "@senderdomain.com" (virtual-style catchall) as the key to the lookup.
            Testing will tell you in a matter of minutes.
          • Iad Scoot
            Message 5 of 8 , Feb 27, 2009
              Gotcha - and after a "little more" research I've found a couple of examples online. It'll be Monday before I can try but much thanks again - I will post back my outcome.
               
               - iad


            • Iad Scoot
              Message 6 of 8 , Mar 2, 2009
                Hi again,
                 
                Still working on this - something that I didn't mention (sorry, should have) was that the Postfix gateway is multi-homed and that the other edge Postfix systems (and the internal mail servers) are each on different subnets.
                 
                Example:
                a.com: internal mail server 192.168.200.1, edge proxy 192.168.201.1
                b.com: internal mail server 192.168.210.1, edge proxy 192.168.211.1
                c.com: internal mail server 192.168.220.1, edge proxy 192.168.221.1
                 
                ...and so on. The gateway system has a NIC for each pair of systems and the traffic is forwarded through a router from the internal server to the gateway and then either back to one of the other internal servers or out to the edge proxy that matches the sender's domain from the internal mail server.
                 
                How does this new info affect the previous solution that you provided?
                 
                Thanks...



              • Barney Desmond
                Message 7 of 8 , Mar 2, 2009
                  2009/3/3 Iad Scoot <iad.scoot@...>:
                  > Still working on this - something that I didn't mention (sorry, should have)
                  > was that the Postfix gateway is multi-homed and that the other edge Postfix
                  > systems (and the internal mail servers) are each on different subnets.
                  >
                  > Example:
                  > a.com: internal mail server 192.168.200.1, edge proxy 192.168.201.1
                  > b.com: internal mail server 192.168.210.1, edge proxy 192.168.211.1
                  > c.com: internal mail server 192.168.220.1, edge proxy 192.168.221.1
                  >
                  > ...and so on. The gateway system has a NIC for each pair of systems and the
                  > traffic is forwarded through a router from the internal server to the
                  > gateway and then either back to one of the other internal servers or out to
                  > the edge proxy that matches the sender's domain from the internal mail
                  > server.
                  >
                  > How does this new info affect the previous solution that you provided?

                  Assuming your setup is generally sane, this shouldn't cause you any
                  grief. You *can* bind the postfix smtp client to a given src address,
                  but that's only useful when you're single-homed and want to use one
                  particular address of many (for policy/firewall/whatever reasons).
                  This doesn't apply to you, so that's fine.

                  Another thing people sometimes want is (the currently non-existent)
                  sender-dependent src-address. This is usually because they're trying
                  to optimise their mass-mailings of questionable legitimacy. This also
                  doesn't apply to you, which is fine.

                  Left to its own devices, Postfix will let the network stack figure out
                  how to get the packets to the destination properly. As long as your
                  routing is all working, the details you've provided won't change
                  anything (as far as I know).
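
The routing discussed in the replies above, written out as a gateway configuration. This is an added example, not part of the original thread; the file paths and map names are assumptions, the addresses are the ones given in message 6, and only the three domains listed there are shown.

```conf
# --- /etc/postfix/main.cf on the gateway (paths are assumptions) ---
# Only the internal mail servers may relay through this host.
mynetworks = 127.0.0.0/8 192.168.200.1/32 192.168.210.1/32 192.168.220.1/32

# Recipient-based routing: mail for an internal domain goes to its own server.
transport_maps = hash:/etc/postfix/transport

# Sender-based routing for all other (remote) recipients.
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

# --- /etc/postfix/transport ---
# The transport table overrules sender_dependent_relayhost_maps, so mail
# between internal domains never reaches an edge system.
# [addr] means "connect to this host as given, with no MX lookup".
a.com    smtp:[192.168.200.1]
b.com    smtp:[192.168.210.1]
c.com    smtp:[192.168.220.1]

# --- /etc/postfix/sender_relay ---
# Searched by the full envelope sender address first, then by @domain.
# One @domain line covers every user in that domain.
@a.com   [192.168.201.1]
@b.com   [192.168.211.1]
@c.com   [192.168.221.1]

# --- build and check the maps (run as root on the gateway) ---
# postmap /etc/postfix/transport /etc/postfix/sender_relay
# postmap -q "b.com"  hash:/etc/postfix/transport
# postmap -q "@a.com" hash:/etc/postfix/sender_relay
# postfix reload
#
# A sender whose domain has no @domain entry falls through to the global
# relayhost setting, or to direct delivery if relayhost is empty. List every
# internal domain and watch the "relay=" field in the maillog for hops that
# do not match the sender's edge system.
```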
                • Iad Scoot
                  Message 8 of 8 , Mar 5, 2009
                    Hi again,
                     
                    Question, even though this proxy is supposed to simply forward the remote traffic based on the sender_relay file, is it supposed to do DNS lookups on the destination domain? Having some issues with DNS resolution - server is sending DNS queries but no reply comes back. Firewall rules permit such traffic so stumped on that but does this box have to do DNS?
                     
                     
                    Thanks...

                    On Mon, Mar 2, 2009 at 10:00 PM, Iad Scoot <iad.scoot@...> wrote:
                    Hey,
                     
                    Thanks again for the reply - it seems to be routing the traffic correctly (at least as far as the maillog shows) but I'm having an ISA/Exchange timeout issue on the receiving end of the traffic path. I can see the traffic leave the sending mail server, pass through the ISA server for the source network, be received and processed on the proxy (over the correct subnet), and then be routed to the receiving network on the correct subnet (for the receiving network). However, the connection is timing out and the receiving ISA server reports an "Attempted Connection Failure" on the traffic that arrives at the receiving ISA server. The proxy reports that the "server dropped connection before sending the initial SMTP greeting".
                     
                    Again, guessing that it's an ISA issue or a problem with the Exchange server talking to this particular Postfix server but at least the concept appears sound so hopefully I'll get it figured out tomorrow.
                     
                    Thanks again - will post more when successful (I hope)...


