
Re: Internal+external mailrelay

  • jeffrey j donovan
    ... greetings Check out transport maps http://www.postfix.org/postconf.5.html#transport_maps -j
    Message 1 of 16 , Jan 3, 2012

      On Jan 3, 2012, at 8:11 AM, Michael Maymann wrote:

      Hi List,

      I have an internal mailrelay, that I would like to provide the following service:
      1. mail to our own domain is sent directly to our externally hosted (outsourced) mailserver
      2. mail to external domains is relayed through ISP-mail-relay only for specific domains

      I have the following in my main.cf now (not enabled yet):
      #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
      #<servicepartner1> relay:<our_isp_mailrelay>
      #<servicepartner2> relay:<our_isp_mailrelay>
      #<servicepartner3> relay:<our_isp_mailrelay>
      #<servicepartner4> relay:<our_isp_mailrelay>
      #<servicepartner5> relay:<our_isp_mailrelay>

      My server is used primarily (99,96% are going to our_own_domain) by internal services to send notifications to our users, but also some mails are needed to a handful external servicepartners...
      Soon we will also send critical alerts from our monitoring solution, and I would therefore like to get the most secure solution without implementing a filter, that might blacklist vital alerts
      I will get my server whitelisted also in our_external_hosted_mailserver to accept all mails (no filtering) to make sure all mails are coming in and not stopped by a spamfilter there...
      It would then only be possible to send spam to our servicepartners this way - which I guess should be highly unlikely to happen...?

      1. Is this the right way to do it - or are there better alternatives ?
      2. When should I use smtp/relay in my config - does the above seem to be correct ?


      Thanks in advance :-)
      ~maymann

      greetings
      -j
    • Ralf Hildebrandt
      Message 2 of 16 , Jan 3, 2012
        * Michael Maymann <michael@...>:
        > Hi List,
        >
        > I have an internal mailrelay, that I would like to provide the following service:
        > 1. mail to our own domain is sent directly to our externally hosted
        > (outsourced) mailserver
        > 2. mail to external domains is relayed through ISP-mail-relay only for
        > specific domains
        >
        > I have the following in my main.cf now (not enabled yet):

        You need to put those in /etc/postfix/transport and then reference
        that file from main.cf using:

        transport_maps = hash:/etc/postfix/transport

        > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
        > #<servicepartner1> relay:<our_isp_mailrelay>
        > #<servicepartner2> relay:<our_isp_mailrelay>
        > #<servicepartner3> relay:<our_isp_mailrelay>
        > #<servicepartner4> relay:<our_isp_mailrelay>
        > #<servicepartner5> relay:<our_isp_mailrelay>
        >
        > My server is used primarily (99,96% are going to our_own_domain) by
        > internal services to send notifications to our users, but also some mails
        > are needed to a handful external servicepartners...
        > Soon we will also send critical alerts from our monitoring solution, and I
        > would therefore like to get the most secure solution without implementing a
        > filter, that might blacklist vital alerts
        > I will get my server whitelisted also in our_external_hosted_mailserver to
        > accept all mails (no filtering) to make sure all mails are coming in and
        > not stopped by a spamfilter there...
        > It would then only be possible to send spam to our servicepartners this way
        > - which I guess should be highly unlikely to happen...?
        >
        > 1. Is this the right way to do it - or are there better alternatives ?
        It's OK

        > 2. When should I use smtp/relay in my config - does the above seem to be
        > correct ?

        If it's relaying, use relay:

        --
        Ralf Hildebrandt
        Geschäftsbereich IT | Abteilung Netzwerk
        Charité - Universitätsmedizin Berlin
        Campus Benjamin Franklin
        Hindenburgdamm 30 | D-12203 Berlin
        Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
        ralf.hildebrandt@... | http://www.charite.de
      • Michael Maymann
        Message 3 of 16 , Jan 3, 2012
          Hi Ralf,

          Thanks - I now have...
          ---
          /etc/postfix/main.cf:
          # transport_maps = hash:/etc/postfix/transport
          relayhost = [our_isp_mailrelay]

          /etc/postfix/transport:
          #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
          #<servicepartner1> relay:<our_isp_mailrelay>
          #<servicepartner2> relay:<our_isp_mailrelay>
          #<servicepartner3> relay:<our_isp_mailrelay>
          #<servicepartner4> relay:<our_isp_mailrelay>
          #<servicepartner5> relay:<our_isp_mailrelay>
          ---
          When I put this to production, my config should be like this, right:
          ---
          main.cf
          transport_maps = hash:/etc/postfix/transport
          #relayhost = [our_isp_mailrelay]

          /etc/postfix/transport:
          <our_own_domain.com> smtp:<our_external_hosted_mailserver>
          <servicepartner1> relay:<our_isp_mailrelay>
          <servicepartner2> relay:<our_isp_mailrelay>
          <servicepartner3> relay:<our_isp_mailrelay>
          <servicepartner4> relay:<our_isp_mailrelay>
          <servicepartner5> relay:<our_isp_mailrelay>
          ---

          All our mail is going through to our_isp_mailrelay today, so I no longer need the "relayhost = [our_isp_mailrelay]" in main.cf when I have configured transport_maps - or how does this work ?

          Thanks in advance :-)
          ~maymann


        • Ralf Hildebrandt
          Message 4 of 16 , Jan 3, 2012
            * Michael Maymann <michael@...>:
            > Hi Ralf,
            >
            > Thanks - I now have...
            > ---
            > /etc/postfix/main.cf:
            > # transport_maps = hash:/etc/postfix/transport
            > relayhost = [our_isp_mailrelay]
            >
            > /etc/postfix/transport:
            > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
            > #<servicepartner1> relay:<our_isp_mailrelay>
            > #<servicepartner2> relay:<our_isp_mailrelay>
            > #<servicepartner3> relay:<our_isp_mailrelay>
            > #<servicepartner4> relay:<our_isp_mailrelay>
            > #<servicepartner5> relay:<our_isp_mailrelay>
            > ---
            > When I put this to production, my config should be like this, right:
            > ---
            > main.cf
            > transport_maps = hash:/etc/postfix/transport
            > #relayhost = [our_isp_mailrelay]
            >
            > /etc/postfix/transport:
            > <our_own_domain.com> smtp:<our_external_hosted_mailserver>
            > <servicepartner1> relay:<our_isp_mailrelay>
            > <servicepartner2> relay:<our_isp_mailrelay>
            > <servicepartner3> relay:<our_isp_mailrelay>
            > <servicepartner4> relay:<our_isp_mailrelay>
            > <servicepartner5> relay:<our_isp_mailrelay>
            > ---
            >
            > All our mail is going through to our_isp_mailrelay today, so I no longer
            > need the "relayhost = [our_isp_mailrelay]" in main.cf when I have
            > configured transport_maps - or how does this work ?

            That looks OK.
            You can keep the relayhost line if you like; stuff found in
            transport_maps takes precedence anyway.

            --
            Ralf Hildebrandt
            Geschäftsbereich IT | Abteilung Netzwerk
            Charité - Universitätsmedizin Berlin
            Campus Benjamin Franklin
            Hindenburgdamm 30 | D-12203 Berlin
            Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
            ralf.hildebrandt@... | http://www.charite.de
          • Michael Maymann
            Message 5 of 16 , Jan 3, 2012
              Hi Ralf,

              Thanks again :-) !,

              If I keep relayhost there, it will still be possible to send mails to others than my "whitelisted" transport_maps, or will transport_maps make relayhost irrelevant (not working / commented out) ?

              I guess my
              <our_own_domain.com> smtp:<our_external_hosted_mailserver>
              should also be:
              <our_own_domain.com> relay:<our_external_hosted_mailserver>
              as my postfix server is not doing the mailservice for this domain, but our_external_hosted_mailserver is, so it should be relay here also right ?

              Thanks in advance :-) !
              ~maymann

            • Ralf Hildebrandt
              Message 6 of 16 , Jan 3, 2012
                * Michael Maymann <michael@...>:
                > Hi Ralf,
                >
                > Thanks again :-) !,
                >
                > If I keep relayhost there, it will still be possible to send mails to
                > others than my "whitelisted" transport_maps,

                yes

                > or will transport_maps make relayhost irrelevant (not working /
                > commented out) ?

                no.


                --
                Ralf Hildebrandt
                Geschäftsbereich IT | Abteilung Netzwerk
                Charité - Universitätsmedizin Berlin
                Campus Benjamin Franklin
                Hindenburgdamm 30 | D-12203 Berlin
                Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
                ralf.hildebrandt@... | http://www.charite.de
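
Added example (not part of the thread and not Postfix code): a simplified Python model of the next-hop choice Ralf describes above, where transport_maps entries take precedence and relayhost, if kept, still carries every destination that is not listed. The domain names, the `*  error:` catch-all row and all function names are constructed for illustration; address extensions and regexp tables are not modelled.

```python
"""Simplified model of next-hop selection from transport_maps plus relayhost."""

# Constructed sample table in transport(5) layout: pattern, whitespace, transport:nexthop
TRANSPORT = """\
# own domain goes straight to the hosted mail server
corp.example        smtp:[hosted-mx.example]
# service partners go through the ISP relay
partner1.example    relay:[isp-relay.example]
partner2.example    relay:[isp-relay.example]
"""

# Same table plus a catch-all row that rejects everything not listed above.
STRICT = TRANSPORT + "*    error:destination not permitted from this relay\n"

RELAYHOST = "[isp-relay.example]"   # constructed value
RCPTS = ["ops@corp.example", "noc@partner1.example", "someone@elsewhere.example"]


def parse_transport(text):
    """Parse a transport table into {pattern: 'transport:nexthop'}."""
    table, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and last is not None:
            table[last] += " " + raw.strip()   # continuation of previous entry
            continue
        fields = raw.split(None, 1)
        if len(fields) != 2:
            continue                      # malformed line, ignored in this model
        last = fields[0].lower()
        table[last] = fields[1].strip()
    return table


def candidates(recipient):
    """Lookup keys in search order: address, domain, .parent domains, then *."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    labels = domain.split(".")
    keys = [recipient, domain]
    # ".corp.example" matches subdomains of corp.example, not corp.example itself
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("*")
    return keys


def resolve(recipient, table, relayhost=""):
    """Return which setting decides the next hop for one recipient."""
    for key in candidates(recipient):
        if key in table:
            transport, _, nexthop = table[key].partition(":")
            return {"source": "transport_maps", "key": key,
                    "transport": transport, "nexthop": nexthop}
    if relayhost:
        # No table entry: non-local mail is handed to relayhost.
        return {"source": "relayhost", "key": None,
                "transport": "smtp", "nexthop": relayhost}
    # No entry and no relayhost: delivered to the recipient domain's MX.
    return {"source": "mx", "key": None, "transport": "smtp",
            "nexthop": recipient.rpartition("@")[2].lower()}


def unlisted_but_deliverable(recipients, table, relayhost=""):
    """Recipients that still leave the host without an explicit table entry."""
    leaks = []
    for rcpt in recipients:
        hop = resolve(rcpt, table, relayhost)
        listed = hop["source"] == "transport_maps" and hop["key"] != "*"
        if hop["transport"] != "error" and not listed:
            leaks.append(rcpt)
    return leaks


if __name__ == "__main__":
    cases = [("relayhost kept", TRANSPORT, RELAYHOST),
             ("relayhost removed", TRANSPORT, ""),
             ("catch-all error row", STRICT, RELAYHOST)]
    for label, text, relay in cases:
        table = parse_transport(text)
        print(label)
        for rcpt in RCPTS:
            hop = resolve(rcpt, table, relay)
            print(f"  {rcpt:28} {hop['source']:15} {hop['transport']}:{hop['nexthop']}")
        print("  unlisted but deliverable:", unlisted_but_deliverable(RCPTS, table, relay))
```

In this model, removing relayhost does not turn the table into a whitelist, because unlisted destinations are then delivered to the recipient domain's MX; only the catch-all `error` row does, and that row applies to every recipient without a more specific entry.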
              • Michael Maymann
                Message 7 of 16 , Jan 5, 2012
                  Hi Ralf,

                  one additional question.
                  I figured that our printers perhaps should be allowed to send mails to anyone - hence I need to specifically relay mail for these to any domain.
                  This means I have to configure the following rules in postfix:
                  1. All mail to our_own_domain is sent to our_external_hosted_mailserver (done)
                  2. All mail from our printers to external domains is sent to our_isp_mailrelay
                  3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (done ?)
                  4. All other mail is bounced to bounce@our_own_domain.com

                  Can you help with what I need to configure to get this working as well...:-) !

                  Thanks in advance :-) !
                  ~maymann

                • Michael Maymann
                  Message 8 of 16 , Jan 8, 2012
                    Hi list,

                    please, anyone who can help me with this - would like to implement next week if possible...?

                    Thanks in advance :-) !
                    ~maymann

                  • Michael Maymann
                    Message 9 of 16 , Jan 10, 2012
                      Please, anyone who can help me with this...:-) !

                      ~maymann

                    • Noel Jones
                      Message 10 of 16 , Jan 10, 2012
                        On 1/10/2012 3:02 PM, Michael Maymann wrote:
                        > Please, anyone who can help me with this...:-) !
                        >
                        > ~maymann


                        I don't think anyone quite knows what you're asking.

                        Please explain your goals and current config as described here:
                        http://www.postfix.org/DEBUG_README.html#mail







                        -- Noel Jones
                      • Michael Maymann
                        Message 11 of 16 , Jan 10, 2012
                          Hi Noel,

                          Thanks for your kind reply, and sorry for not being informative enough.
                          I would like to configure the following rules in postfix:
                          1. All mail to our_own_domain is sent to our_external_hosted_mailserver (Ralf already helped me with this...)
                          2. All mail from our printers to external domains is sent to our_isp_mailrelay
                          3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (Ralf already helped me with this, but does this need to change...?)
                          4. All other mail is bounced to bounce@our_own_domain.com

                          As I'm pretty new to Postfix, can you point out the variables/configfiles that I need to edit to achieve this - or perhaps even give config example...:-) !

                          Thanks in advance :-) !
                          ~maymann

                        • Wietse Venema
                          Message 12 of 16 , Jan 10, 2012
                            Michael Maymann:
                            > Hi Noel,
                            >
                            > Thanks for your kind reply, and sorry for not being informative enough.
                            > I would like to configure the following rules in postfix:
                            > 1. All mail to our_own_domain is sent to our_external_hosted_mailserver
                            > (Ralf already helped me with this...)
                            > 2. All mail from our printers to external domains is sent to
                            > our_isp_mailrelay
                            > 3. All mail from everything but our printers to "whitelisted" external
                            > domains is sent to our_isp_mailrelay (Ralf already helped me with this,
                            > but does this need to change...?)

                            Printers can send mail to all destinations, but users cannot?

                            What problem are you trying to solve by doing that? Describe
                            the problem, instead of your solution above.

                            Wietse

                            > 4. All other mail is bounced to bounce@our_own_domain.com
                            >
                            > As I'm pretty new to Postfix, can you point out the variables/configfiles
                            > that I need to edit to achieve this - or perhaps even give config
                            > example...:-) !
                            >
                            > Thanks in advance :-) !
                            > ~maymann
                            >
                            > 2012/1/10 Noel Jones <njones@...>
                            >
                            > > On 1/10/2012 3:02 PM, Michael Maymann wrote:
                            > > > Please, anyone who can help me with this...:-) !
                            > > >
                            > > > ~maymann
                            > >
                            > >
                            > > I don't think anyone quite knows what you're asking.
                            > >
                            > > Please explain your goals and current config as described here:
                            > > http://www.postfix.org/DEBUG_README.html#mail
                            > >
                            > >
                            > >
                            > >
                            > >
                            > >
                            > >
                            > > -- Noel Jones
                            > >
                          • Michael Maymann
                            Message 13 of 16 , Jan 10, 2012
                              Hi Wietse,

                              thanks for your kind reply...:-) !
                              You're right...

                              - We currently have a setup where all mail from R&D internal->external is sent to my mailrelay in a specific site, as our_isp_relay only allows us to send from there to their mailrelay - no restrictions (this is not our primary mail).
                              - Our_isp_relay has already blacklisted my mailrelay twice, caused by reputation based filtering - no spamming occurred though (all known domains at least...), but the number of mails was rather high...
                              - We are about to send monitoring alerts through my mailrelay pretty soon, and therefore I would like to avoid spam filtering if possible - but saw domain-whitelisting as a solution to limit damages to a minimum if a host goes hostile...
                              - Our Printers are also on the R&D network and they need scan->email functionality, so I still need to allow printers to send to anyone.
                              - 99.96% of mail going through my mailrelay goes to our own official mailboxes, so my thinking was to route all this directly to our official mailserver and get my mailrelay whitelisted there (so no spamfiltering is done on mails from this IP)...

                              Thanks in advance :-) !
                              ~maymann

                              2012/1/10 Wietse Venema <wietse@...>
                              Michael Maymann:
                              > Hi Noel,
                              >
                              > Thanks for you kind reply, and sorry for not being informative enough
                              > .
                              > I would like to configure the following rules in postfix:
                              > 1. All mail to our_own_domain are send to our_external_hosted_mailserver
                              > (Ralf already helped me with this...)
                              > 2. All mail from our printers to external domains are send to
                              > our_isp_mailrelay
                              > 3. All mail from everything but our printers to "whitelisted" external
                              > domains are send to our_isp_mailrelay (Ralf already helped me with this,
                              > but does this need to change...?)

                              Printers can send mail to all destinations, but users cannot?

                              What problem are you trying to solve by doing that? Describe
                              the problem, instead of your solution above.

                                     Wietse

                              > 4. All other mail is bounced to bounce@our_own_domain.com
                              >
                              > As I'm pretty new to Postfix, can you point out the variables/configfiles
                              > that I need to edit to achieve this - or perhaps even give config
                              > example...:-) !
                              >
                              > Thanks in advance :-) !
                              > ~maymann
                              >
                              > 2012/1/10 Noel Jones <njones@...>
                              >
                              > > On 1/10/2012 3:02 PM, Michael Maymann wrote:
                              > > > Please, anyone who can help me with this...:-) !
                              > > >
                              > > > ~maymann
                              > >
                              > >
                              > > I don't think anyone quite knows what you're asking.
                              > >
                              > > Please explain your goals and current config as described here:
                              > > http://www.postfix.org/DEBUG_README.html#mail
                              > >
                              > >  -- Noel Jones
                              > >

                            • Wietse Venema
                              Message 14 of 16 , Jan 10, 2012
                                Michael Maymann:
                                > Hi Wietse,
                                >
                                > thanks for your kind reply...:-) !
                                > You're right...
                                >
                                > - We currently have a setup where all mail from R&D internal->external is
                                > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
                                > send from there to their mailrelay - no restrictions (this is not our
                                > primary mail).
                                > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                                > reputation based filtering - no spamming occurred though (all known domains
                                > at least...), but the number of mails was rather high...

                                You need to rate-limit the clients. Use policyd or postfwd or
                                something with similar capabilities.

                                > - We are about to send monitoring alerts through my mailrelay pretty soon,
                                > and therefore I would like to avoid spam filtering if possible - but saw
                                > domain-whitelisting as a solution to limit damages to a minimum if a host
                                > goes hostile...

                                Rate limit the clients, and you won't have to keep updating whitelists.

                                If you have PC-class systems on the network, having anti-spam/virus on the
                                mail server would be a good idea because some box will get infected.

                                > - Our Printers are also on the R&D network and they need scan->email
                                > functionality, so I still need to allow printers to send to anyone.

                                You need to exclude the printers from the rate limit.

                                Wietse
                                > - 99.96% of mail going through my mailrelay goes to our own official
                                > mailboxes, so my thinking was to route all this directly to our official
                                > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                                > done on mails from this IP)...
                                >
                                > Thanks in advance :-) !
                                > ~maymann
                              • Michael Maymann
                                Message 15 of 16 , Jan 10, 2012
                                  Hi Wietse,

                                  Thanks again for your nice/quick reply...
                                  2012/1/10 Wietse Venema <wietse@...>
                                  Michael Maymann:
                                  > Hi Wietse,
                                  >
                                  > thanks for your kind reply...:-) !
                                  > You're right...
                                  >
                                  > - We currently have a setup where all mail from R&D internal->external is
                                  > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
                                  > send from there to their mailrelay - no restrictions (this is not our
                                  > primary mail).
                                  > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                                  > reputation based filtering - no spamming occurred though (all known domains
                                  > at least...), but the number of mails was rather high...

                                  You need to rate-limit the clients. Use policyd or postfwd or
                                  something with similar capabilities.
                                   
                                  All our IPs in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

                                  > - We are about to send monitoring alerts through my mailrelay pretty soon,
                                  > and therefore I would like to avoid spam filtering if possible - but saw
                                  > domain-whitelisting as a solution to limit damages to a minimum if a host
                                  > goes hostile...

                                  Rate limit the clients, and you won't have to keep updating whitelists.

                                  It is only to our own domain and a handful of external vendors (systems sending support-alerts to vendors directly). This will not be a problem in my setup.

                                  If you have PC-class systems on the network, having anti-spam/virus on the
                                  mail server would be a good idea because some box will get infected.

                                  PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send...
                                  I would really like to avoid anti-spam/virus filtering (at least in this stage), as this can potentially filter my monitoring alerts, etc.
                                   

                                  > - Our Printers are also on the R&D network and they need scan->email
                                  > functionality, so I still need to allow printers to send to anyone.

                                  You need to exclude the printers from the rate limit.

                                  This is my current configuration:

                                  main.cf:
                                  ---
                                  queue_directory = /var/spool/postfix
                                  command_directory = /usr/sbin
                                  daemon_directory = /usr/libexec/postfix
                                  mail_owner = postfix
                                  mydomain = <MYDOMAIN>
                                  myorigin = $mydomain
                                  inet_interfaces = all
                                  mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
                                  local_recipient_maps = unix:passwd.byname $alias_maps
                                  unknown_local_recipient_reject_code = 550
                                  mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
                                  relay_domains = $mydestination
                                  # this will be commented out when we effectuate the new config
                                  relayhost = [<MYISP>]
                                  # this will be commented in when we effectuate the new config
                                  # transport_maps = hash:/etc/postfix/transport
                                  alias_maps = hash:/etc/aliases
                                  alias_database = hash:/etc/aliases
                                  debug_peer_level = 2
                                  debugger_command =
                                           PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                                           xxgdb $daemon_directory/$process_name $process_id & sleep 5
                                  sendmail_path = /usr/sbin/sendmail.postfix
                                  mailq_path = /usr/bin/mailq.postfix
                                  setgid_group = postdrop
                                  html_directory = no
                                  manpage_directory = /usr/share/man
                                  sample_directory = /usr/share/doc/postfix-2.3.3/samples
                                  readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                                  ---

                                  transport (everything will be commented in when we effectuate the new config):
                                  ---
                                  ## Relay own mail to own server
                                  #our_own_domain      relay:<OUR_OFFICIAL_MAILSERVER>
                                  ## Relay only mail to known external vendors
                                  #<MY_VENDOR1> relay:<OUR_ISP_MAILRELAY>
                                  #<MY_VENDOR2> relay:<OUR_ISP_MAILRELAY>
                                  #<MY_VENDOR3> relay:<OUR_ISP_MAILRELAY>
                                  #<MY_VENDOR4> relay:<OUR_ISP_MAILRELAY>
                                  #<MY_VENDOR5> relay:<OUR_ISP_MAILRELAY>
                                  ---

                                  1. How can I exclude my printers from the "transport" whitelisting - can you give example in configfile ?
                                  2. How can I send bounced mails to bounce@our_own_domain.com - can you give example in configfile ?


                                  Thanks for your nice support - really appreciate it...:-) !

                                  ~maymann



                                         Wietse
                                  > - 99.96% of mail going through my mailrelay goes to our own official
                                  > mailboxes, so my thinking was to route all this directly to our official
                                  > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                                  > done on mails from this IP)...
                                  >
                                  > Thanks in advance :-) !
                                  > ~maymann
