
Re: Internal+external mailrelay

  • Michael Maymann
    Message 1 of 16 , Jan 3, 2012
      Hi Ralf,

      Thanks - I now have...
      ---
      /etc/postfix/main.cf:
      # transport_maps = hash:/etc/postfix/transport
      relayhost = [our_isp_mailrelay]

      /etc/postfix/transport:
      #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
      #<servicepartner1> relay:<our_isp_mailrelay>
      #<servicepartner2> relay:<our_isp_mailrelay>
      #<servicepartner3> relay:<our_isp_mailrelay>
      #<servicepartner4> relay:<our_isp_mailrelay>
      #<servicepartner5> relay:<our_isp_mailrelay>
      ---
      When I put this to production, my config should be like this, right:
      ---
      main.cf
      transport_maps = hash:/etc/postfix/transport
      #relayhost = [our_isp_mailrelay]

      /etc/postfix/transport:
      <our_own_domain.com> smtp:<our_external_hosted_mailserver>
      <servicepartner1> relay:<our_isp_mailrelay>
      <servicepartner2> relay:<our_isp_mailrelay>
      <servicepartner3> relay:<our_isp_mailrelay>
      <servicepartner4> relay:<our_isp_mailrelay>
      <servicepartner5> relay:<our_isp_mailrelay>
      ---

      All our mail is going through to our_isp_mailrelay today, so I no longer need the "relayhost = [our_isp_mailrelay]" in main.cf when I have configured transport_maps - or how does this work?

      Thanks in advance :-)
      ~maymann


      2012/1/3 Ralf Hildebrandt <Ralf.Hildebrandt@...>
      * Michael Maymann <michael@...>:
      > Hi List,
      >
      > I have a internal mailrelay, that I would like to provide following service:
      > 1. mail to our own domain is send directly to our externally hosted
      > (outsourced) mailserver
      > 2. mail to external domains are relayed through ISP-mail-relay only for
      > specific domains
      >
      > I have the following in my main.cf now (not enabled yet):

      You need to put those in /etc/postfix/transport and then reference
      that file from main.cf using:

      transport_maps = hash:/etc/postfix/transport

      > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
      > #<servicepartner1> relay:<our_isp_mailrelay>
      > #<servicepartner2> relay:<our_isp_mailrelay>
      > #<servicepartner3> relay:<our_isp_mailrelay>
      > #<servicepartner4> relay:<our_isp_mailrelay>
      > #<servicepartner5> relay:<our_isp_mailrelay>
      >
      > My server is used primarily (99,96% are going to our_own_domain) by
      > internal services to send notifications to our users, but also some mails
      > are needed to a handfull external servicepartners...
      > Soon we will also send critical alert from our monitoring solution, and I
      > would therefore like to get the most secure solution without implementing a
      > filter, that might blacklist vital alerts
      > I will get my server whitelisted also in our_external_hosted_mailserver to
      > accept all mails (no filtering) to make sure all mails are comming in and
      > not stopped by a spamfilter there...
      > It would then only be possible to send spam to our servicepartners this way
      > - which I guess should be highly unlikely to happen...?
      >
      > 1. Is this the right way to do it - or are there better alternatives ?
      It's OK

      > 2. When should I use smtp/relay in my config - does the above seem to be
      > correct ?

      If it's relaying, use relay:

      --
      Ralf Hildebrandt
       Geschäftsbereich IT | Abteilung Netzwerk
       Charité - Universitätsmedizin Berlin
       Campus Benjamin Franklin
       Hindenburgdamm 30 | D-12203 Berlin
       Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
       ralf.hildebrandt@... | http://www.charite.de


    • Ralf Hildebrandt
      Message 2 of 16 , Jan 3, 2012
        * Michael Maymann <michael@...>:
        > Hi Ralf,
        >
        > Thanks - I now have...
        > ---
        > /etc/postfix/main.cf:
        > # transport_maps = hash:/etc/postfix/transport
        > relayhost = [our_isp_mailrelay]
        >
        > /etc/postfix/transport:
        > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
        > #<servicepartner1> relay:<our_isp_mailrelay>
        > #<servicepartner2> relay:<our_isp_mailrelay>
        > #<servicepartner3> relay:<our_isp_mailrelay>
        > #<servicepartner4> relay:<our_isp_mailrelay>
        > #<servicepartner5> relay:<our_isp_mailrelay>
        > ---
        > When i put this to production, my config should be like this, right:
        > ---
        > main.cf
        > transport_maps = hash:/etc/postfix/transport
        > #relayhost = [our_isp_mailrelay]
        >
        > /etc/postfix/transport:
        > <our_own_domain.com> smtp:<our_external_hosted_mailserver>
        > <servicepartner1> relay:<our_isp_mailrelay>
        > <servicepartner2> relay:<our_isp_mailrelay>
        > <servicepartner3> relay:<our_isp_mailrelay>
        > <servicepartner4> relay:<our_isp_mailrelay>
        > <servicepartner5> relay:<our_isp_mailrelay>
        > ---
        >
        > All our mail are going through to our_isp_mailrelay today, so I no longer
        > need the "relayhost = [our_isp_mailrelay]" in main.cf when I have
        > configured transport_maps - or how does this work ?

        That looks OK.
        You can keep the relayhost line if you like; stuff found in
        transport_maps takes precedence anyway.

        --
        Ralf Hildebrandt
        Geschäftsbereich IT | Abteilung Netzwerk
        Charité - Universitätsmedizin Berlin
        Campus Benjamin Franklin
        Hindenburgdamm 30 | D-12203 Berlin
        Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
        ralf.hildebrandt@... | http://www.charite.de
      • Michael Maymann
        Message 3 of 16 , Jan 3, 2012
          Hi Ralf,

          Thanks again :-) !,

          If I keep relayhost there, it will still be possible to send mails to others than my "whitelisted" transport_maps, or will transport_maps make relayhost irrelevant (not working / commented out) ?

          I guess my
          <our_own_domain.com> smtp:<our_external_hosted_mailserver>
          should also be:
          <our_own_domain.com> relay:<our_external_hosted_mailserver>
          as my postfix server is not doing the mailservice for this domain, but our_external_hosted_mailserver is, so it should be relay here also right ?

          Thanks in advance :-) !
          ~maymann

        • Ralf Hildebrandt
          Message 4 of 16 , Jan 3, 2012
            * Michael Maymann <michael@...>:
            > Hi Ralf,
            >
            > Thanks again :-) !,
            >
            > If I keep relayhost there, it will still be possible to send mails to
            > others than my "whitelisted" transport_maps,

            yes

            > or will transport_maps make relayhost irrelevant (not working /
            > commented out) ?

            no.


            --
            Ralf Hildebrandt
            Geschäftsbereich IT | Abteilung Netzwerk
            Charité - Universitätsmedizin Berlin
            Campus Benjamin Franklin
            Hindenburgdamm 30 | D-12203 Berlin
            Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
            ralf.hildebrandt@... | http://www.charite.de
          • Michael Maymann
            Message 5 of 16 , Jan 5, 2012
              Hi Ralf,

              one additional question.
              I figured that our printers perhaps should be allowed to send mails to anyone - hence I need to specifically relay mail for these to any domain.
              This means I have to configure the following rules in postfix:
              1. All mail to our_own_domain is sent to our_external_hosted_mailserver (done)
              2. All mail from our printers to external domains is sent to our_isp_mailrelay
              3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (done ?)
              4. All other mail is bounced to bounce@our_own_domain.com

              Can you help with what I need to configure to get this working as well...:-) !

              Thanks in advance :-) !
              ~maymann

            • Michael Maymann
              Message 6 of 16 , Jan 8, 2012
                Hi list,

                please, anyone who can help me with this - would like to implement next week if possible...?

                Thanks in advance :-) !
                ~maymann

              • Michael Maymann
                Message 7 of 16 , Jan 10, 2012
                  Please, anyone who can help me with this...:-) !

                  ~maymann

                • Noel Jones
                  Message 8 of 16 , Jan 10, 2012
                    On 1/10/2012 3:02 PM, Michael Maymann wrote:
                    > Please, anyone who can help me with this...:-) !
                    >
                    > ~maymann


                    I don't think anyone quite knows what you're asking.

                    Please explain your goals and current config as described here:
                    http://www.postfix.org/DEBUG_README.html#mail

                    -- Noel Jones
                  • Michael Maymann
                    Message 9 of 16 , Jan 10, 2012
                      Hi Noel,

                      Thanks for your kind reply, and sorry for not being informative enough.
                      I would like to configure the following rules in postfix:
                      1. All mail to our_own_domain is sent to our_external_hosted_mailserver (Ralf already helped me with this...)
                      2. All mail from our printers to external domains is sent to our_isp_mailrelay
                      3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (Ralf already helped me with this, but does this need to change...?)
                      4. All other mail is bounced to bounce@our_own_domain.com

                      As I'm pretty new to Postfix, can you point out the variables/configfiles that I need to edit to achieve this - or perhaps even give config example...:-) !

                      Thanks in advance :-) !
                      ~maymann

                    • Wietse Venema
                      Message 10 of 16 , Jan 10, 2012
                        Michael Maymann:
                        > Hi Noel,
                        >
                        > Thanks for you kind reply, and sorry for not being informative enough
                        > .
                        > I would like to configure the following rules in postfix:
                        > 1. All mail to our_own_domain are send to our_external_hosted_mailserver
                        > (Ralf already helped me with this...)
                        > 2. All mail from our printers to external domains are send to
                        > our_isp_mailrelay
                        > 3. All mail from everything but our printers to "whitelisted" external
                        > domains are send to our_isp_mailrelay (Ralf already helped me with this,
                        > but does this need to change...?)

                        Printers can send mail to all destinations, but users cannot?

                        What problem are you trying to solve by doing that? Describe
                        the problem, instead of your solution above.

                        Wietse

                        > 4. All other mail is bounced to bounce@our_own_domain.com
                        >
                        > As I'm pretty new to Postfix, can you point out the variables/configfiles
                        > that I need to edit to achieve this - or perhaps even give config
                        > example...:-) !
                        >
                        > Thanks in advance :-) !
                        > ~maymann
                        >
                        > 2012/1/10 Noel Jones <njones@...>
                        >
                        > > On 1/10/2012 3:02 PM, Michael Maymann wrote:
                        > > > Please, anyone who can help me with this...:-) !
                        > > >
                        > > > ~maymann
                        > >
                        > >
                        > > I don't think anyone quite knows what you're asking.
                        > >
                        > > Please explain your goals and current config as described here:
                        > > http://www.postfix.org/DEBUG_README.html#mail
                        > >
                        > >
                        > >
                        > >
                        > >
                        > >
                        > >
                        > > -- Noel Jones
                        > >
                      • Michael Maymann
                        Message 11 of 16 , Jan 10, 2012
                          Hi Wietse,

                          thanks for your kind reply...:-) !
                          You're right...

                          - We currently have a setup where all mail from R&D internal->external is sent to my mailrelay in a specific site, as our_isp_relay only allows us to send from there to their mailrelay - no restrictions (this is not our primary mail).
                          - Our_isp_relay has already blacklisted my mailrelay twice, caused by reputation based filtering - no spamming occurred though (all known domains at least...), but the number of mails was rather high...
                          - We are about to send monitoring alert through my mailrelay pretty soon, and therefore I would like to avoid spam filtering if possible - but saw domain-whitelisting as a solution to limit damages to a minimum if a host goes hostile...
                          - Our Printers are also on the R&D network and they need scan->email functionality, so I still need to allow printers to send to anyone.
                          - 99.96% of mail going through my mailrelay goes to our own official mailboxes, so my thinking was to route all this directly to our official mailserver and get my mailrelay whitelisted there (so no spamfiltering is done on mails from this IP)...

                          Thanks in advance :-) !
                          ~maymann

                        • Wietse Venema
                          Message 12 of 16 , Jan 10, 2012
                            Michael Maymann:
                            > Hi Wietse,
                            >
                            > thanks for your kind reply...:-) !
                            > You're right...
                            >
                            > - We currently have a setup where all mail from R&D internal->external is
                            > send to my mailrelay in a specific site, as our_isp_relay only allows us to
                            > send from there to their mailrelay - no restrictions (this is not our
                            > primary mail).
                            > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                            > reputation based filtering - no spamming occurred though (all known domains
                            > at-least...), but the number of mails was rather high...

                            You need to rate-limit the clients. Use policyd or postfwd or
                            something with similar capabilities.

                            > - We are about to send monitoring alert through my mailrelay pretty soon,
                            > and therefore I would like to avoid spam filtering if possible - but saw
                            > domain-whitelisting as a solution to limit damages to a minimum if a host
                            > goes hostile...

                            Rate limit the clients, and you won't have to keep updating whitelists.

                            If you have PC-class systems on the network, having anti-spam/virus on the
                            mail server would be a good idea because some box will get infected.

                            > - Our Printers are also on the R&D network and they need scan->email
                            > functionality, so I still need to allow printers to send to anyone.

                            You need to exclude the printers from the rate limit.

                            Wietse
                            > - 99.96% of mail going through my mailrelay goes to our own official
                            > mailboxes, so my thinking was to route all this directly to our official
                            > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                            > done on mails from this IP)...
                            >
                            > Thanks in advance :-) !
                            > ~maymann
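
Added example (not part of the thread, and not code from policyd or postfwd): a minimal Postfix policy-delegation service in Python that applies the advice in the message above, a per-client recipient rate limit with the printers exempted. The printer subnet, the limit of 3 recipients per 60 seconds and all addresses are constructed assumptions.

```python
import io
import ipaddress
import time
from collections import defaultdict, deque

# Constructed values for illustration; none of them come from the thread.
PRINTER_NETS = ("192.0.2.64/28",)   # scan-to-email devices, exempt from the limit
MAX_RCPTS = 3                       # recipients accepted per client ...
WINDOW_SECONDS = 60                 # ... inside this sliding window


def parse_request(block):
    """Turn one policy request (name=value lines) into a dict."""
    attrs = {}
    for line in block.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class ClientRateLimiter:
    """Sliding-window limit on accepted recipients per client IP."""

    def __init__(self, max_rcpts=MAX_RCPTS, window=WINDOW_SECONDS,
                 exempt=PRINTER_NETS, clock=time.monotonic):
        self.max_rcpts = max_rcpts
        self.window = window
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.clock = clock
        self.accepted = defaultdict(deque)   # client IP -> accept timestamps

    def decide(self, attrs):
        """Return an access(5) action for one RCPT TO event."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if attrs.get("protocol_state") != "RCPT":
            return "DUNNO"
        try:
            client = ipaddress.ip_address(attrs.get("client_address", ""))
        except ValueError:
            return "DUNNO"               # leave the decision to later restrictions
        if any(client in net for net in self.exempt):
            return "DUNNO"               # printers are not rate limited
        now = self.clock()
        stamps = self.accepted[client]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()             # forget events outside the window
        if len(stamps) >= self.max_rcpts:
            # Temporary failure: a sender that retries on 4xx delivers the
            # alert later instead of losing it.
            return "DEFER_IF_PERMIT Client rate limit exceeded, retry later"
        stamps.append(now)               # only accepted recipients are counted
        return "DUNNO"


def serve(limiter, infile, outfile):
    """Answer requests in the policy-delegation wire format: attributes end
    with an empty line, the reply is action=... followed by an empty line."""
    lines = []
    for raw in infile:
        line = raw.rstrip("\n")
        if line:
            lines.append(line)
            continue
        if lines:
            action = limiter.decide(parse_request("\n".join(lines)))
            outfile.write(f"action={action}\n\n")
            outfile.flush()
            lines = []


def request(client, recipient):
    """Build a constructed policy request for the demo."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client}\nrecipient={recipient}\n\n")


def demo():
    """Replay constructed traffic: one noisy lab host and one printer."""
    fake_now = [0.0]
    limiter = ClientRateLimiter(clock=lambda: fake_now[0])
    traffic = [request("198.51.100.10", f"user{i}@example.org") for i in range(5)]
    traffic += [request("192.0.2.70", f"scan{i}@example.net") for i in range(5)]
    out = io.StringIO()
    serve(limiter, io.StringIO("".join(traffic)), out)
    actions = [l[len("action="):] for l in out.getvalue().splitlines() if l]
    fake_now[0] = 61.0                   # the window has passed for the lab host
    actions.append(limiter.decide(
        parse_request(request("198.51.100.10", "a@example.org"))))
    return actions


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Postfix consults a service of this kind through `check_policy_service` in `smtpd_recipient_restrictions`; the limiter keeps its counters in memory, so it has to run as one long-lived process for the window to mean anything.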
                          • Michael Maymann
                            Message 13 of 16 , Jan 10, 2012
                              Hi Wietse,

                              Thanks again for your nice/quick reply...
                              2012/1/10 Wietse Venema <wietse@...>
                              Michael Maymann:
                              [ Charset ISO-8859-1 unsupported, converting... ]
                              > Hi Wietse,
                              >
                              > thanks for your kind reply...:-) !
                              > You're right...
                              >
                              > - We currently have a setup where all mail from R&D internal->external is
                              > send to my mailrelay in a specific site, as our_isp_relay only allows us to
                              > send from there to their mailrelay - no restrictions (this is not our
                              > primary mail).
                              > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                              > reputation based filtering - no spamming occurred though (all known domains
                              > at-least...), but the number of mails was rather high...

                              You need to rate-limit the clients. Use policyd or postfwd or
                              something with similar capabilities.
                               
                              All our IP's in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

                              > - We are about to send monitoring alert through my mailrelay pretty soon,
                              > and therefore I would like to avoid spam filtering if possible - but saw
                              > domain-whitelisting as a solution to limit damages to a minimum if a host
                              > goes hostile...

                              Rate limit the clients, and you won't have to keep updating whitelists.

                              It is only to our own domain and a handful of external vendors (systems sending support-alerts to vendors directly). This will not be a problem in my setup.

                              If you have PC-class systems on the network, having anti-spam/virus on the
                              mail server would be a good idea because some box will get infected.

                              PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send...
                              I would really like to avoid anti-spam/virus filtering (at least in this stage), as this can potentially filter my monitoring alerts, etc.
                               

                              > - Our Printers are also on the R&D network and they need scan->email
                              > functionality, so I still need to allow printers to send to anyone.

                              You need to exclude the printers from the rate limit.

                              This is my current configuration:

                              main.cf:
                              ---
                              queue_directory = /var/spool/postfix
                              command_directory = /usr/sbin
                              daemon_directory = /usr/libexec/postfix
                              mail_owner = postfix
                              mydomain = <MYDOMAIN>
                              myorigin = $mydomain
                              inet_interfaces = all
                              mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
                              local_recipient_maps = unix:passwd.byname $alias_maps
                              unknown_local_recipient_reject_code = 550
                              mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
                              relay_domains = $mydestination
                              # relayhost will be commented out when we effectuate the new config
                              relayhost = [<MYISP>]
                              # transport_maps will be commented in when we effectuate the new config
                              # transport_maps = hash:/etc/postfix/transport
                              alias_maps = hash:/etc/aliases
                              alias_database = hash:/etc/aliases
                              debug_peer_level = 2
                              debugger_command =
                                       PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                                       xxgdb $daemon_directory/$process_name $process_id & sleep 5
                              sendmail_path = /usr/sbin/sendmail.postfix
                              mailq_path = /usr/bin/mailq.postfix
                              setgid_group = postdrop
                              html_directory = no
                              manpage_directory = /usr/share/man
                              sample_directory = /usr/share/doc/postfix-2.3.3/samples
                              readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                              ---

                              transport (everything will be commented in when we effectuate the new config):
                              ---
                              ## Relay own mail to own server
                              #our_own_domain      relay:<OUR_OFFICIAL_MAILSERVER>
                              ## Relay only mail to known external vendors
                              #<MY_VENDOR1> relay:<OUR_ISP_MAILRELAY>
                              #<MY_VENDOR2> relay:<OUR_ISP_MAILRELAY>
                              #<MY_VENDOR3> relay:<OUR_ISP_MAILRELAY>
                              #<MY_VENDOR4> relay:<OUR_ISP_MAILRELAY>
                              #<MY_VENDOR5> relay:<OUR_ISP_MAILRELAY>
                              ---

                              1. How can I exclude my printers from the "transport" whitelisting - can you give example in configfile ?
                              2. How can I send bounced mails to bounce@our_own_domain.com - can you give example in configfile ?


                              Thanks for your nice support - really appreciate it...:-) !

                              ~maymann



                                     Wietse
                              > - 99.96% of mail going through my mailrelay goes to our own official
                              > mailboxes, so my thinking was to route all this directly to our official
                              > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                              > done on mails from this IP)...
                              >
                              > Thanks in advance :-) !
                              > ~maymann
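The three requirements discussed in this message (a recipient-domain whitelist, printers exempt from it, and a per-client rate limit) can be combined in one decision function speaking the Postfix policy delegation protocol, the interface that policyd and postfwd also use. The sketch below is an added example, not code from the thread or from either tool; the printer range, domain names and limit are constructed placeholders.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed values (assumptions, not taken from the thread).
PRINTERS = [ipaddress.ip_network("192.0.2.64/28")]    # scan-to-email devices
ALLOWED_DOMAINS = {"example.com", "vendor1.example"}  # own domain + vendors
LIMIT, WINDOW = 3, 60.0                               # recipients per client per WINDOW seconds

_history = defaultdict(deque)  # client address -> times of accepted RCPTs


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs, now=None):
    """Return the Postfix access action for one RCPT TO request."""
    now = time.monotonic() if now is None else now
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # no usable client address; later restrictions decide
    if any(client in net for net in PRINTERS):
        return "DUNNO"  # printers: no whitelist, no rate limit
    domain = attrs.get("recipient", "").rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS:
        return "REJECT recipient domain not permitted from this host"
    seen = _history[str(client)]
    while seen and now - seen[0] >= WINDOW:
        seen.popleft()  # drop entries that have left the sliding window
    if len(seen) >= LIMIT:
        return "DEFER_IF_PERMIT rate limit exceeded, try again later"
    seen.append(now)
    return "DUNNO"  # fall through to permit_mynetworks and the rest


def reply(request_text, now=None):
    """Full wire reply: 'action=...' followed by an empty line."""
    return "action=%s\n\n" % decide(parse_request(request_text), now)
```

Postfix would consult such a service through `check_policy_service`, placed ahead of `permit_mynetworks` in `smtpd_recipient_restrictions`, so that `DUNNO` hands the decision to the restrictions that follow.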
