
Re: Internal+external mailrelay

  • Ralf Hildebrandt
    Message 1 of 16 , Jan 3, 2012
      * Michael Maymann <michael@...>:
      > Hi List,
      >
      > I have an internal mailrelay, that I would like to provide following service:
      > 1. mail to our own domain is sent directly to our externally hosted
      > (outsourced) mailserver
      > 2. mail to external domains are relayed through ISP-mail-relay only for
      > specific domains
      >
      > I have the following in my main.cf now (not enabled yet):

      You need to put those in /etc/postfix/transport and then reference
      that file from main.cf using:

      transport_maps = hash:/etc/postfix/transport

      > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
      > #<servicepartner1> relay:<our_isp_mailrelay>
      > #<servicepartner2> relay:<our_isp_mailrelay>
      > #<servicepartner3> relay:<our_isp_mailrelay>
      > #<servicepartner4> relay:<our_isp_mailrelay>
      > #<servicepartner5> relay:<our_isp_mailrelay>
      >
      > My server is used primarily (99,96% are going to our_own_domain) by
      > internal services to send notifications to our users, but also some mails
      > are needed to a handful external servicepartners...
      > Soon we will also send critical alert from our monitoring solution, and I
      > would therefore like to get the most secure solution without implementing a
      > filter, that might blacklist vital alerts
      > I will get my server whitelisted also in our_external_hosted_mailserver to
      > accept all mails (no filtering) to make sure all mails are coming in and
      > not stopped by a spamfilter there...
      > It would then only be possible to send spam to our servicepartners this way
      > - which I guess should be highly unlikely to happen...?
      >
      > 1. Is this the right way to do it - or are there better alternatives ?
      It's OK

      > 2. When should I use smtp/relay in my config - does the above seem to be
      > correct ?

      If it's relaying, use relay:

      --
      Ralf Hildebrandt
      Geschäftsbereich IT | Abteilung Netzwerk
      Charité - Universitätsmedizin Berlin
      Campus Benjamin Franklin
      Hindenburgdamm 30 | D-12203 Berlin
      Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
      ralf.hildebrandt@... | http://www.charite.de
    • Michael Maymann
      Message 2 of 16 , Jan 3, 2012
        Hi Ralf,

        Thanks - I now have...
        ---
        /etc/postfix/main.cf:
        # transport_maps = hash:/etc/postfix/transport
        relayhost = [our_isp_mailrelay]

        /etc/postfix/transport:
        #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
        #<servicepartner1> relay:<our_isp_mailrelay>
        #<servicepartner2> relay:<our_isp_mailrelay>
        #<servicepartner3> relay:<our_isp_mailrelay>
        #<servicepartner4> relay:<our_isp_mailrelay>
        #<servicepartner5> relay:<our_isp_mailrelay>
        ---
        When I put this to production, my config should be like this, right:
        ---
        main.cf
        transport_maps = hash:/etc/postfix/transport
        #relayhost = [our_isp_mailrelay]

        /etc/postfix/transport:
        <our_own_domain.com> smtp:<our_external_hosted_mailserver>
        <servicepartner1> relay:<our_isp_mailrelay>
        <servicepartner2> relay:<our_isp_mailrelay>
        <servicepartner3> relay:<our_isp_mailrelay>
        <servicepartner4> relay:<our_isp_mailrelay>
        <servicepartner5> relay:<our_isp_mailrelay>
        ---

        All our mail is going through to our_isp_mailrelay today, so I no longer need the "relayhost = [our_isp_mailrelay]" in main.cf when I have configured transport_maps - or how does this work ?

        Thanks in advance :-)
        ~maymann




      • Ralf Hildebrandt
        Message 3 of 16 , Jan 3, 2012
          * Michael Maymann <michael@...>:
          > Hi Ralf,
          >
          > Thanks - I now have...
          > ---
          > /etc/postfix/main.cf:
          > # transport_maps = hash:/etc/postfix/transport
          > relayhost = [our_isp_mailrelay]
          >
          > /etc/postfix/transport:
          > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
          > #<servicepartner1> relay:<our_isp_mailrelay>
          > #<servicepartner2> relay:<our_isp_mailrelay>
          > #<servicepartner3> relay:<our_isp_mailrelay>
          > #<servicepartner4> relay:<our_isp_mailrelay>
          > #<servicepartner5> relay:<our_isp_mailrelay>
          > ---
          > When I put this to production, my config should be like this, right:
          > ---
          > main.cf
          > transport_maps = hash:/etc/postfix/transport
          > #relayhost = [our_isp_mailrelay]
          >
          > /etc/postfix/transport:
          > <our_own_domain.com> smtp:<our_external_hosted_mailserver>
          > <servicepartner1> relay:<our_isp_mailrelay>
          > <servicepartner2> relay:<our_isp_mailrelay>
          > <servicepartner3> relay:<our_isp_mailrelay>
          > <servicepartner4> relay:<our_isp_mailrelay>
          > <servicepartner5> relay:<our_isp_mailrelay>
          > ---
          >
          > All our mail is going through to our_isp_mailrelay today, so I no longer
          > need the "relayhost = [our_isp_mailrelay]" in main.cf when I have
          > configured transport_maps - or how does this work ?

          That looks OK.
          You can keep the relayhost line if you like; stuff found in
          transport_maps takes precedence anyway.

          --
          Ralf Hildebrandt
          Geschäftsbereich IT | Abteilung Netzwerk
          Charité - Universitätsmedizin Berlin
          Campus Benjamin Franklin
          Hindenburgdamm 30 | D-12203 Berlin
          Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
          ralf.hildebrandt@... | http://www.charite.de
        • Michael Maymann
          Message 4 of 16 , Jan 3, 2012
            Hi Ralf,

            Thanks again :-) !,

            If I keep relayhost there, it will still be possible to send mails to others than my "whitelisted" transport_maps, or will transport_maps make relayhost irrelevant (not working / commented out) ?

            I guess my
            <our_own_domain.com> smtp:<our_external_hosted_mailserver>
            should also be:
            <our_own_domain.com> relay:<our_external_hosted_mailserver>
            as my postfix server is not doing the mailservice for this domain, but our_external_hosted_mailserver is, so it should be relay here also right ?

            Thanks in advance :-) !
            ~maymann



          • Ralf Hildebrandt
            Message 5 of 16 , Jan 3, 2012
              * Michael Maymann <michael@...>:
              > Hi Ralf,
              >
              > Thanks again :-) !,
              >
              > If I keep relayhost there, it will still be possible to send mails to
              > others than my "whitelisted" transport_maps,

              yes

              > or will transport_maps make relayhost irrelevant (not working /
              > commented out) ?

              no.


              --
              Ralf Hildebrandt
              Geschäftsbereich IT | Abteilung Netzwerk
              Charité - Universitätsmedizin Berlin
              Campus Benjamin Franklin
              Hindenburgdamm 30 | D-12203 Berlin
              Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
              ralf.hildebrandt@... | http://www.charite.de
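
Added example (not part of the thread and not Postfix code): a small Python model of the next-hop selection Ralf describes above, showing that transport_maps entries take precedence while relayhost stays the fallback for every destination the table does not list, so the table is routing and not an allow-list. The domain names, the sample table and the recipient list are constructed; the model assumes every entry has the form transport:nexthop, that transport_maps is not listed in parent_domain_matches_subdomains (the Postfix default), and it ignores address extensions and local address classes.

```python
"""Model of Postfix next-hop selection: transport_maps first, relayhost as fallback."""

# Constructed sample table; placeholder host names mirror the ones used in the thread.
TRANSPORT_TABLE = """\
# /etc/postfix/transport (constructed sample)
our_own_domain.example     smtp:[our_external_hosted_mailserver]
servicepartner1.example    relay:[our_isp_mailrelay]
.servicepartner2.example   relay:[our_isp_mailrelay]
"""
RELAYHOST = "[our_isp_mailrelay]"

# Constructed recipient addresses, e.g. as collected from a mail log.
SAMPLE_RECIPIENTS = [
    "user@our_own_domain.example",
    "ops@servicepartner1.example",
    "ops@mail.servicepartner1.example",   # subdomain, but only the bare domain is listed
    "ops@mail.servicepartner2.example",   # covered by the ".domain" pattern
    "ops@servicepartner2.example",        # bare domain, but only ".domain" is listed
    "someone@unlisted.example",
]


def parse_transport(text):
    """Parse 'pattern transport:nexthop' lines, skipping comments and blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        transport, _, nexthop = result.strip().partition(":")
        if not transport or not nexthop:
            # Empty fields have class-dependent defaults that this model does not cover.
            raise ValueError(f"model needs transport:nexthop, got {result!r}")
        table[pattern.lower()] = (transport, nexthop)
    return table


def lookup_keys(recipient):
    """Yield lookup keys in transport(5) order: address, domain, .parent domains, '*'."""
    local, _, domain = recipient.lower().rpartition("@")
    yield f"{local}@{domain}"
    yield domain
    labels = domain.split(".")
    # Parent domains match only through patterns written with a leading dot.
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])
    yield "*"


def route(recipient, table, relayhost=""):
    """Return which table entry matched (if any) and the resulting transport/next hop."""
    for key in lookup_keys(recipient):
        if key in table:
            transport, nexthop = table[key]
            return {"matched": key, "transport": transport, "nexthop": nexthop}
    # No entry: default transport, next hop is relayhost if set, else the recipient domain.
    domain = recipient.lower().rpartition("@")[2]
    return {"matched": None, "transport": "smtp", "nexthop": relayhost or domain}


def unlisted_destinations(recipients, table, relayhost=""):
    """Recipients that match no transport entry and therefore still leave the relay."""
    return [r for r in recipients if route(r, table, relayhost)["matched"] is None]


if __name__ == "__main__":
    table = parse_transport(TRANSPORT_TABLE)
    for rcpt in SAMPLE_RECIPIENTS:
        r = route(rcpt, table, RELAYHOST)
        source = r["matched"] or "no entry (fallback)"
        print(f"{rcpt:36} -> {r['transport']}:{r['nexthop']}  [{source}]")
    print("not covered by the table:", unlisted_destinations(SAMPLE_RECIPIENTS, table, RELAYHOST))
```

Run against the recipient domains seen in the mail log, the last function lists the destinations that the table alone does not stop; blocking them takes an access restriction or, as suggested later in the thread, client rate limiting.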
            • Michael Maymann
              Message 6 of 16 , Jan 5, 2012
                Hi Ralf,

                one additional question.
                I figured that our printers perhaps should be allowed to send mails to anyone - hence I need to specifically relay mail for these to any domain.
                This means I have to configure the following rules in postfix:
                1. All mail to our_own_domain is sent to our_external_hosted_mailserver (done)
                2. All mail from our printers to external domains is sent to our_isp_mailrelay
                3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (done ?)
                4. All other mail is bounced to bounce@our_own_domain.com

                Can you help with what I need to configure to get this working as well...:-) !

                Thanks in advance :-) !
                ~maymann



              • Michael Maymann
                Message 7 of 16 , Jan 8, 2012
                  Hi list,

                  please, anyone who can help me with this - would like to implement next week if possible...?

                  Thanks in advance :-) !
                  ~maymann




                • Michael Maymann
                  Message 8 of 16 , Jan 10, 2012
                    Please, anyone who can help me with this...:-) !

                    ~maymann





                  • Noel Jones
                    Message 9 of 16 , Jan 10, 2012
                      On 1/10/2012 3:02 PM, Michael Maymann wrote:
                      > Please, anyone who can help me with this...:-) !
                      >
                      > ~maymann


                      I don't think anyone quite knows what you're asking.

                      Please explain your goals and current config as described here:
                      http://www.postfix.org/DEBUG_README.html#mail







                      -- Noel Jones
                    • Michael Maymann
                      Message 10 of 16 , Jan 10, 2012
                        Hi Noel,

                        Thanks for your kind reply, and sorry for not being informative enough.
                        I would like to configure the following rules in postfix:
                        1. All mail to our_own_domain is sent to our_external_hosted_mailserver (Ralf already helped me with this...)
                        2. All mail from our printers to external domains is sent to our_isp_mailrelay
                        3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (Ralf already helped me with this, but does this need to change...?)
                        4. All other mail is bounced to bounce@our_own_domain.com

                        As I'm pretty new to Postfix, can you point out the variables/configfiles that I need to edit to achieve this - or perhaps even give config example...:-) !

                        Thanks in advance :-) !
                        ~maymann


                      • Wietse Venema
                        Message 11 of 16 , Jan 10, 2012
                          Michael Maymann:
                          > Hi Noel,
                          >
                          > Thanks for your kind reply, and sorry for not being informative enough.
                          > I would like to configure the following rules in postfix:
                          > 1. All mail to our_own_domain is sent to our_external_hosted_mailserver
                          > (Ralf already helped me with this...)
                          > 2. All mail from our printers to external domains is sent to
                          > our_isp_mailrelay
                          > 3. All mail from everything but our printers to "whitelisted" external
                          > domains is sent to our_isp_mailrelay (Ralf already helped me with this,
                          > but does this need to change...?)

                          Printers can send mail to all destinations, but users cannot?

                          What problem are you trying to solve by doing that? Describe
                          the problem, instead of your solution above.

                          Wietse

                          > 4. All other mail is bounced to bounce@our_own_domain.com
                          >
                          > As I'm pretty new to Postfix, can you point out the variables/configfiles
                          > that I need to edit to achieve this - or perhaps even give config
                          > example...:-) !
                          >
                          > Thanks in advance :-) !
                          > ~maymann
                          >
                          > 2012/1/10 Noel Jones <njones@...>
                          >
                          > > On 1/10/2012 3:02 PM, Michael Maymann wrote:
                          > > > Please, anyone who can help me with this...:-) !
                          > > >
                          > > > ~maymann
                          > >
                          > >
                          > > I don't think anyone quite knows what you're asking.
                          > >
                          > > Please explain your goals and current config as described here:
                          > > http://www.postfix.org/DEBUG_README.html#mail
                          > >
                          > >
                          > >
                          > >
                          > >
                          > >
                          > >
                          > > -- Noel Jones
                          > >
                        • Michael Maymann
                          Message 12 of 16 , Jan 10, 2012
                            Hi Wietse,

                            thanks for your kind reply...:-) !
                            You're right...

                            - We currently have a setup where all mail from R&D internal->external is sent to my mailrelay in a specific site, as our_isp_relay only allows us to send from there to their mailrelay - no restrictions (this is not our primary mail).
                            - Our_isp_relay has already blacklisted my mailrelay twice, caused by reputation based filtering - no spamming occurred though (all known domains at least...), but the number of mails was rather high...
                            - We are about to send monitoring alert through my mailrelay pretty soon, and therefore I would like to avoid spam filtering if possible - but saw domain-whitelisting as a solution to limit damages to a minimum if a host goes hostile...
                            - Our Printers are also on the R&D network and they need scan->email functionality, so I still need to allow printers to send to anyone.
                            - 99.96% of mail going through my mailrelay goes to our own official mailboxes, so my thinking was to route all this directly to our official mailserver and get my mailrelay whitelisted there (so no spamfiltering is done on mails from this IP)...

                            Thanks in advance :-) !
                            ~maymann


                          • Wietse Venema
                            Message 13 of 16 , Jan 10, 2012
                              Michael Maymann:
                              > Hi Wietse,
                              >
                              > thanks for your kind reply...:-) !
                              > You're right...
                              >
                              > - We currently have a setup where all mail from R&D internal->external is
                              > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
                              > send from there to their mailrelay - no restrictions (this is not our
                              > primary mail).
                              > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                              > reputation based filtering - no spamming occurred though (all known domains
                              > at least...), but the number of mails was rather high...

                              You need to rate-limit the clients. Use policyd or postfwd or
                              something with similar capabilities.

                              > - We are about to send monitoring alert through my mailrelay pretty soon,
                              > and therefore I would like to avoid spam filtering if possible - but saw
                              > domain-whitelisting as a solution to limit damages to a minimum if a host
                              > goes hostile...

                              Rate limit the clients, and you won't have to keep updating whitelists.

                              If you have PC-class systems on the network, having anti-spam/virus on the
                              mail server would be a good idea because some box will get infected.

                              > - Our Printers are also on the R&D network and they need scan->email
                              > functionality, so I still need to allow printers to send to anyone.

                              You need to exclude the printers from the rate limit.

                              Wietse
                              > - 99.96% of mail going through my mailrelay goes to our own official
                              > mailboxes, so my thinking was to route all this directly to our official
                              > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                              > done on mails from this IP)...
                              >
                              > Thanks in advance :-) !
                              > ~maymann
                            • Michael Maymann
                              Message 14 of 16 , Jan 10, 2012
                                Hi Wietse,

                                Thanks again for your nice/quick reply...
                                2012/1/10 Wietse Venema <wietse@...>
                                Michael Maymann:
                                [ Charset ISO-8859-1 unsupported, converting... ]
                                > Hi Wietse,
                                >
                                > thanks for your kind reply...:-) !
                                > You're right...
                                >
                                > - We currently have a setup where all mail from R&D internal->external is
                                > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
                                > send from there to their mailrelay - no restrictions (this is not our
                                > primary mail).
                                > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                                > reputation-based filtering - no spamming occurred though (all known domains
                                > at least...), but the number of mails was rather high...

                                You need to rate-limit the clients. Use policyd or postfwd or
                                something with similar capabilities.
                                 
                                All our IPs in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

                                > - We are about to send monitoring alerts through my mailrelay pretty soon,
                                > and therefore I would like to avoid spam filtering if possible - but saw
                                > domain-whitelisting as a solution to limit damages to a minimum if a host
                                > goes hostile...

                                Rate limit the clients, and you won't have to keep updating whitelists.

                                It is only to our own domain and a handful of external vendors (systems sending support-alerts to vendors directly). This will not be a problem in my setup.

                                If you have PC-class systems on the network, having anti-spam/virus on the
                                mail server would be a good idea because some box will get infected.

                                PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send...
                                I would really like to avoid anti-spam/virus filtering (at least at this stage), as this can potentially filter my monitoring alerts, etc.
                                 

                                > - Our Printers are also on the R&D network and they need scan->email
                                > functionality, so I still need to allow printers to send to anyone.

                                You need to exclude the printers from the rate limit.

                                This is my current configuration:

                                main.cf:
                                ---
                                queue_directory = /var/spool/postfix
                                command_directory = /usr/sbin
                                daemon_directory = /usr/libexec/postfix
                                mail_owner = postfix
                                mydomain = <MYDOMAIN>
                                myorigin = $mydomain
                                inet_interfaces = all
                                mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
                                local_recipient_maps = unix:passwd.byname $alias_maps
                                unknown_local_recipient_reject_code = 550
                                mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
                                relay_domains = $mydestination
                                # this will be commented out when we effectuate the new config
                                relayhost = [<MYISP>]
                                # this will be commented in when we effectuate the new config
                                # transport_maps = hash:/etc/postfix/transport
                                alias_maps = hash:/etc/aliases
                                alias_database = hash:/etc/aliases
                                debug_peer_level = 2
                                debugger_command =
                                         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                                         xxgdb $daemon_directory/$process_name $process_id & sleep 5
                                sendmail_path = /usr/sbin/sendmail.postfix
                                mailq_path = /usr/bin/mailq.postfix
                                setgid_group = postdrop
                                html_directory = no
                                manpage_directory = /usr/share/man
                                sample_directory = /usr/share/doc/postfix-2.3.3/samples
                                readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                                ---

                                transport (everything will be commented in when we effectuate the new config):
                                ---
                                ## Relay own mail to own server
                                #our_own_domain      relay:<OUR_OFFICIAL_MAILSERVER>
                                ## Relay only mail to known external vendors
                                #<MY_VENDOR1> relay:<OUR_ISP_MAILRELAY>
                                #<MY_VENDOR2> relay:<OUR_ISP_MAILRELAY>
                                #<MY_VENDOR3> relay:<OUR_ISP_MAILRELAY>
                                #<MY_VENDOR4> relay:<OUR_ISP_MAILRELAY>
                                #<MY_VENDOR5> relay:<OUR_ISP_MAILRELAY>
                                ---

                                1. How can I exclude my printers from the "transport" whitelisting - can you give an example in the config file?
                                2. How can I send bounced mails to bounce@our_own_domain.com - can you give an example in the config file?


                                Thanks for your nice support - really appreciate it...:-) !

                                ~maymann



                                       Wietse
                                > - 99.96% of mail going through my mailrelay goes to our own official
                                > mailboxes, so my thinking was to route all this directly to our official
                                > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                                > done on mails from this IP)...
                                >
                                > Thanks in advance :-) !
                                > ~maymann
