
Re: Internal+external mailrelay

  • Michael Maymann
    Message 1 of 16 , Jan 3, 2012
      Hi Ralf,

      Thanks again :-) !,

      If I keep relayhost there, it will still be possible to send mails to others than my "whitelisted" transport_maps, or will transport_maps make relayhost irrelevant (not working / commented out) ?

      I guess my
      <our_own_domain.com> smtp:<our_external_hosted_mailserver>
      should also be:
      <our_own_domain.com> relay:<our_external_hosted_mailserver>
      as my postfix server is not doing the mailservice for this domain, but our_external_hosted_mailserver is, so it should be relay here also right ?

      Thanks in advance :-) !
      ~maymann

      2012/1/3 Ralf Hildebrandt <Ralf.Hildebrandt@...>
      * Michael Maymann <michael@...>:
      > Hi Ralf,
      >
      > Thanks - I now have...
      > ---
      > /etc/postfix/main.cf:
      > # transport_maps = hash:/etc/postfix/transport
      > relayhost = [our_isp_mailrelay]
      >
      > /etc/postfix/transport:
      > #<our_own_domain.com> smtp:<our_external_hosted_mailserver>
      > #<servicepartner1> relay:<our_isp_mailrelay>
      > #<servicepartner2> relay:<our_isp_mailrelay>
      > #<servicepartner3> relay:<our_isp_mailrelay>
      > #<servicepartner4> relay:<our_isp_mailrelay>
      > #<servicepartner5> relay:<our_isp_mailrelay>
      > ---
      > When I put this to production, my config should be like this, right:
      > ---
      > main.cf
      > transport_maps = hash:/etc/postfix/transport
      > #relayhost = [our_isp_mailrelay]
      >
      > /etc/postfix/transport:
      > <our_own_domain.com> smtp:<our_external_hosted_mailserver>
      > <servicepartner1> relay:<our_isp_mailrelay>
      > <servicepartner2> relay:<our_isp_mailrelay>
      > <servicepartner3> relay:<our_isp_mailrelay>
      > <servicepartner4> relay:<our_isp_mailrelay>
      > <servicepartner5> relay:<our_isp_mailrelay>
      > ---
      >
      > All our mail is going through to our_isp_mailrelay today, so I no longer
      > need the "relayhost = [our_isp_mailrelay]" in main.cf when I have
      > configured transport_maps - or how does this work ?

      That looks OK.
      You can keep the relayhost line if you like; stuff found in
      transport_maps takes precedence anyway.

      --
      Ralf Hildebrandt
       Geschäftsbereich IT | Abteilung Netzwerk
       Charité - Universitätsmedizin Berlin
       Campus Benjamin Franklin
       Hindenburgdamm 30 | D-12203 Berlin
       Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
       ralf.hildebrandt@... | http://www.charite.de


    • Ralf Hildebrandt
      Message 2 of 16 , Jan 3, 2012
        * Michael Maymann <michael@...>:
        > Hi Ralf,
        >
        > Thanks again :-) !,
        >
        > If I keep relayhost there, it will still be possible to send mails to
        > others than my "whitelisted" transport_maps,

        yes

        > or will transport_maps make relayhost irrelevant (not working /
        > commented out) ?

        no.


        --
        Ralf Hildebrandt
        Geschäftsbereich IT | Abteilung Netzwerk
        Charité - Universitätsmedizin Berlin
        Campus Benjamin Franklin
        Hindenburgdamm 30 | D-12203 Berlin
        Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
        ralf.hildebrandt@... | http://www.charite.de
      • Michael Maymann
        Message 3 of 16 , Jan 5, 2012
          Hi Ralf,

          one additional question.
          I figured that our printers perhaps should be allowed to send mails to anyone - hence I need to specifically relay mail for these to any domain.
          This means I have to configure the following rules in postfix:
          1. All mail to our_own_domain is sent to our_external_hosted_mailserver (done)
          2. All mail from our printers to external domains is sent to our_isp_mailrelay
          3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (done ?)
          4. All other mail is bounced to bounce@our_own_domain.com

          Can you help with what I need to configure to get this working as well...:-) !

          Thanks in advance :-) !
          ~maymann

          2012/1/3 Ralf Hildebrandt <Ralf.Hildebrandt@...>
          * Michael Maymann <michael@...>:
          > Hi Ralf,
          >
          > Thanks again :-) !,
          >
          > If I keep relayhost there, it will still be possible to send mails to
          > others than my "whitelisted" transport_maps,

          yes

          > or will transport_maps make relayhost irrelevant (not working /
          > commented out) ?

          no.


          --
          Ralf Hildebrandt
           Geschäftsbereich IT | Abteilung Netzwerk
           Charité - Universitätsmedizin Berlin
           Campus Benjamin Franklin
           Hindenburgdamm 30 | D-12203 Berlin
           Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
           ralf.hildebrandt@... | http://www.charite.de


        • Michael Maymann
          Message 4 of 16 , Jan 8, 2012
            Hi list,

            please, anyone who can help me with this - would like to implement next week if possible...?

            Thanks in advance :-) !
            ~maymann

            2012/1/5 Michael Maymann <michael@...>
            Hi Ralf,

            one additional question.
            I figured that our printers perhaps should be allowed to send mails to anyone - hence I need to specifically relay mail for these to any domain.
            This means I have to configure the following rules in postfix:
            1. All mail to our_own_domain is sent to our_external_hosted_mailserver (done)
            2. All mail from our printers to external domains is sent to our_isp_mailrelay
            3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (done ?)
            4. All other mail is bounced to bounce@our_own_domain.com

            Can you help with what I need to configure to get this working as well...:-) !


            Thanks in advance :-) !
            ~maymann

            2012/1/3 Ralf Hildebrandt <Ralf.Hildebrandt@...>
            * Michael Maymann <michael@...>:
            > Hi Ralf,
            >
            > Thanks again :-) !,
            >
            > If I keep relayhost there, it will still be possible to send mails to
            > others than my "whitelisted" transport_maps,

            yes

            > or will transport_maps make relayhost irrelevant (not working /
            > commented out) ?

            no.


            --
            Ralf Hildebrandt
             Geschäftsbereich IT | Abteilung Netzwerk
             Charité - Universitätsmedizin Berlin
             Campus Benjamin Franklin
             Hindenburgdamm 30 | D-12203 Berlin
             Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
             ralf.hildebrandt@... | http://www.charite.de



          • Michael Maymann
            Message 5 of 16 , Jan 10, 2012
              Please, anyone who can help me with this...:-) !

              ~maymann

              2012/1/8 Michael Maymann <michael@...>
              Hi list,

              please, anyone who can help me with this - would like to implement next week if possible...?


              Thanks in advance :-) !
              ~maymann

              2012/1/5 Michael Maymann <michael@...>
              Hi Ralf,

              one additional question.
              I figured that our printers perhaps should be allowed to send mails to anyone - hence I need to specifically relay mail for these to any domain.
              This means I have to configure the following rules in postfix:
              1. All mail to our_own_domain is sent to our_external_hosted_mailserver (done)
              2. All mail from our printers to external domains is sent to our_isp_mailrelay
              3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (done ?)
              4. All other mail is bounced to bounce@our_own_domain.com

              Can you help with what I need to configure to get this working as well...:-) !


              Thanks in advance :-) !
              ~maymann

              2012/1/3 Ralf Hildebrandt <Ralf.Hildebrandt@...>
              * Michael Maymann <michael@...>:
              > Hi Ralf,
              >
              > Thanks again :-) !,
              >
              > If I keep relayhost there, it will still be possible to send mails to
              > others than my "whitelisted" transport_maps,

              yes

              > or will transport_maps make relayhost irrelevant (not working /
              > commented out) ?

              no.


              --
              Ralf Hildebrandt
               Geschäftsbereich IT | Abteilung Netzwerk
               Charité - Universitätsmedizin Berlin
               Campus Benjamin Franklin
               Hindenburgdamm 30 | D-12203 Berlin
               Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
               ralf.hildebrandt@... | http://www.charite.de




            • Noel Jones
              Message 6 of 16 , Jan 10, 2012
                On 1/10/2012 3:02 PM, Michael Maymann wrote:
                > Please, anyone who can help me with this...:-) !
                >
                > ~maymann


                I don't think anyone quite knows what you're asking.

                Please explain your goals and current config as described here:
                http://www.postfix.org/DEBUG_README.html#mail







                -- Noel Jones
              • Michael Maymann
                Message 7 of 16 , Jan 10, 2012
                  Hi Noel,

                  Thanks for your kind reply, and sorry for not being informative enough.
                  I would like to configure the following rules in postfix:
                  1. All mail to our_own_domain is sent to our_external_hosted_mailserver (Ralf already helped me with this...)
                  2. All mail from our printers to external domains is sent to our_isp_mailrelay
                  3. All mail from everything but our printers to "whitelisted" external domains is sent to our_isp_mailrelay (Ralf already helped me with this, but does this need to change...?)
                  4. All other mail is bounced to bounce@our_own_domain.com

                  As I'm pretty new to Postfix, can you point out the variables/configfiles that I need to edit to achieve this - or perhaps even give config example...:-) !

                  Thanks in advance :-) !
                  ~maymann

                  2012/1/10 Noel Jones <njones@...>
                  On 1/10/2012 3:02 PM, Michael Maymann wrote:
                  > Please, anyone who can help me with this...:-) !
                  >
                  > ~maymann


                  I don't think anyone quite knows what you're asking.

                  Please explain your goals and current config as described here:
                  http://www.postfix.org/DEBUG_README.html#mail







                   -- Noel Jones

                • Wietse Venema
                  Message 8 of 16 , Jan 10, 2012
                    Michael Maymann:
                    > Hi Noel,
                    >
                    > Thanks for your kind reply, and sorry for not being informative enough.
                    > I would like to configure the following rules in postfix:
                    > 1. All mail to our_own_domain is sent to our_external_hosted_mailserver
                    > (Ralf already helped me with this...)
                    > 2. All mail from our printers to external domains is sent to
                    > our_isp_mailrelay
                    > 3. All mail from everything but our printers to "whitelisted" external
                    > domains is sent to our_isp_mailrelay (Ralf already helped me with this,
                    > but does this need to change...?)

                    Printers can send mail to all destinations, but users cannot?

                    What problem are you trying to solve by doing that? Describe
                    the problem, instead of your solution above.

                    Wietse

                    > 4. All other mail is bounced to bounce@our_own_domain.com
                    >
                    > As I'm pretty new to Postfix, can you point out the variables/configfiles
                    > that I need to edit to achieve this - or perhaps even give config
                    > example...:-) !
                    >
                    > Thanks in advance :-) !
                    > ~maymann
                    >
                    > 2012/1/10 Noel Jones <njones@...>
                    >
                    > > On 1/10/2012 3:02 PM, Michael Maymann wrote:
                    > > > Please, anyone who can help me with this...:-) !
                    > > >
                    > > > ~maymann
                    > >
                    > >
                    > > I don't think anyone quite knows what you're asking.
                    > >
                    > > Please explain your goals and current config as described here:
                    > > http://www.postfix.org/DEBUG_README.html#mail
                    > >
                    > >
                    > >
                    > >
                    > >
                    > >
                    > >
                    > > -- Noel Jones
                    > >
                  • Michael Maymann
                    Message 9 of 16 , Jan 10, 2012
                      Hi Wietse,

                      thanks for your kind reply...:-) !
                      You're right...

                      - We currently have a setup where all mail from R&D internal->external is sent to my mailrelay in a specific site, as our_isp_relay only allows us to send from there to their mailrelay - no restrictions (this is not our primary mail).
                      - Our_isp_relay has already blacklisted my mailrelay twice, caused by reputation based filtering - no spamming occurred though (all known domains at least...), but the number of mails was rather high...
                      - We are about to send monitoring alerts through my mailrelay pretty soon, and therefore I would like to avoid spam filtering if possible - but saw domain-whitelisting as a solution to limit damages to a minimum if a host goes hostile...
                      - Our Printers are also on the R&D network and they need scan->email functionality, so I still need to allow printers to send to anyone.
                      - 99.96% of mail going through my mailrelay goes to our own official mailboxes, so my thinking was to route all this directly to our official mailserver and get my mailrelay whitelisted there (so no spamfiltering is done on mails from this IP)...

                      Thanks in advance :-) !
                      ~maymann

                      2012/1/10 Wietse Venema <wietse@...>
                      Michael Maymann:
                      > Hi Noel,
                      >
                      > Thanks for your kind reply, and sorry for not being informative enough.
                      > I would like to configure the following rules in postfix:
                      > 1. All mail to our_own_domain is sent to our_external_hosted_mailserver
                      > (Ralf already helped me with this...)
                      > 2. All mail from our printers to external domains is sent to
                      > our_isp_mailrelay
                      > 3. All mail from everything but our printers to "whitelisted" external
                      > domains is sent to our_isp_mailrelay (Ralf already helped me with this,
                      > but does this need to change...?)

                      Printers can send mail to all destinations, but users cannot?

                      What problem are you trying to solve by doing that? Describe
                      the problem, instead of your solution above.

                             Wietse

                      > 4. All other mail is bounced to bounce@our_own_domain.com
                      >
                      > As I'm pretty new to Postfix, can you point out the variables/configfiles
                      > that I need to edit to achieve this - or perhaps even give config
                      > example...:-) !
                      >
                      > Thanks in advance :-) !
                      > ~maymann
                      >
                      > 2012/1/10 Noel Jones <njones@...>
                      >
                      > > On 1/10/2012 3:02 PM, Michael Maymann wrote:
                      > > > Please, anyone who can help me with this...:-) !
                      > > >
                      > > > ~maymann
                      > >
                      > >
                      > > I don't think anyone quite knows what you're asking.
                      > >
                      > > Please explain your goals and current config as described here:
                      > > http://www.postfix.org/DEBUG_README.html#mail
                      > >
                      > >
                      > >
                      > >
                      > >
                      > >
                      > >
                      > >  -- Noel Jones
                      > >

                    • Wietse Venema
                      Message 10 of 16 , Jan 10, 2012
                        Michael Maymann:
                        > Hi Wietse,
                        >
                        > thanks for your kind reply...:-) !
                        > You're right...
                        >
                        > - We currently have a setup where all mail from R&D internal->external is
                        > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
                        > send from there to their mailrelay - no restrictions (this is not our
                        > primary mail).
                        > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                        > reputation based filtering - no spamming occurred though (all known domains
                        > at least...), but the number of mails was rather high...

                        You need to rate-limit the clients. Use policyd or postfwd or
                        something with similar capabilities.

                        > - We are about to send monitoring alerts through my mailrelay pretty soon,
                        > and therefore I would like to avoid spam filtering if possible - but saw
                        > domain-whitelisting as a solution to limit damages to a minimum if a host
                        > goes hostile...

                        Rate limit the clients, and you won't have to keep updating whitelists.

                        If you have PC-class systems on the network, having anti-spam/virus on the
                        mail server would be a good idea because some box will get infected.

                        > - Our Printers are also on the R&D network and they need scan->email
                        > functionality, so I still need to allow printers to send to anyone.

                        You need to exclude the printers from the rate limit.

                        Wietse
                        > - 99.96% of mail going through my mailrelay goes to our own official
                        > mailboxes, so my thinking was to route all this directly to our official
                        > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                        > done on mails from this IP)...
                        >
                        > Thanks in advance :-) !
                        > ~maymann
                      • Michael Maymann
                        Message 11 of 16 , Jan 10, 2012
                          Hi Wietse,

                          Thanks again for your nice/quick reply...
                          2012/1/10 Wietse Venema <wietse@...>
                          Michael Maymann:
                          > Hi Wietse,
                          >
                          > thanks for your kind reply...:-) !
                          > You're right...
                          >
                          > - We currently have a setup where all mail from R&D internal->external is
                          > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
                          > send from there to their mailrelay - no restrictions (this is not our
                          > primary mail).
                          > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
                          > reputation based filtering - no spamming occurred though (all known domains
                          > at least...), but the number of mails was rather high...

                          You need to rate-limit the clients. Use policyd or postfwd or
                          something with similar capabilities.
                           
                          All our IPs in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

                          > - We are about to send monitoring alerts through my mailrelay pretty soon,
                          > and therefore I would like to avoid spam filtering if possible - but saw
                          > domain-whitelisting as a solution to limit damages to a minimum if a host
                          > goes hostile...

                          Rate limit the clients, and you won't have to keep updating whitelists.

                          It is only to our own domain and a handful of external vendors (systems sending support-alerts to vendors directly). This will not be a problem in my setup.

                          If you have PC-class systems on the network, having anti-spam/virus on the
                          mail server would be a good idea because some box will get infected.

                          PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send...
                          I would really like to avoid anti-spam/virus filtering (at least in this stage), as this can potentially filter my monitoring alerts, etc.
                           

                          > - Our Printers are also on the R&D network and they need scan->email
                          > functionality, so I still need to allow printers to send to anyone.

                          You need to exclude the printers from the rate limit.

                          This is my current configuration:

                          main.cf:
                          ---
                          queue_directory = /var/spool/postfix
                          command_directory = /usr/sbin
                          daemon_directory = /usr/libexec/postfix
                          mail_owner = postfix
                          mydomain = <MYDOMAIN>
                          myorigin = $mydomain
                          inet_interfaces = all
                          mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
                          local_recipient_maps = unix:passwd.byname $alias_maps
                          unknown_local_recipient_reject_code = 550
                          mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
                          relay_domains = $mydestination
                          # this will be commented out when we effectuate the new config
                          relayhost = [<MYISP>]
                          # this will be commented in when we effectuate the new config
                          # transport_maps = hash:/etc/postfix/transport
                          alias_maps = hash:/etc/aliases
                          alias_database = hash:/etc/aliases
                          debug_peer_level = 2
                          debugger_command =
                                   PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                                   xxgdb $daemon_directory/$process_name $process_id & sleep 5
                          sendmail_path = /usr/sbin/sendmail.postfix
                          mailq_path = /usr/bin/mailq.postfix
                          setgid_group = postdrop
                          html_directory = no
                          manpage_directory = /usr/share/man
                          sample_directory = /usr/share/doc/postfix-2.3.3/samples
                          readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                          ---

                          transport (everything will be commented in when we effectuate the new config):
                          ---
                          ## Relay own mail to own server
                          #our_own_domain      relay:<OUR_OFFICIAL_MAILSERVER>
                          ## Relay only mail to known external vendors
                          #<MY_VENDOR1> relay:<OUR_ISP_MAILRELAY>
                          #<MY_VENDOR2> relay:<OUR_ISP_MAILRELAY>
                          #<MY_VENDOR3> relay:<OUR_ISP_MAILRELAY>
                          #<MY_VENDOR4> relay:<OUR_ISP_MAILRELAY>
                          #<MY_VENDOR5> relay:<OUR_ISP_MAILRELAY>
                          ---

                          1. How can I exclude my printers from the "transport" whitelisting - can you give example in configfile ?
                          2. How can I send bounced mails to bounce@our_own_domain.com - can you give example in configfile ?


                          Thanks for your nice support - really appreciate it...:-) !

                          ~maymann



                                 Wietse
                          > - 99.96% of mail going through my mailrelay goes to our own official
                          > mailboxes, so my thinking was to route all this directly to our official
                          > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
                          > done on mails from this IP)...
                          >
                          > Thanks in advance :-) !
                          > ~maymann
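
Ralf's two answers earlier in the thread (entries found in transport_maps take precedence, and relayhost still carries mail for every other destination) can be checked with a small model of the next-hop decision. This is an added example, not code from the thread or from Postfix; the table contents and host names are constructed placeholders, and the lookup is simplified (no user+extension keys, no continuation lines, transport_maps not listed in parent_domain_matches_subdomains).

```python
"""Model of Postfix next-hop selection: transport_maps first, relayhost as fallback."""

# Constructed sample data; domains and hosts are placeholders, not values from the thread.
TRANSPORT = """\
# /etc/postfix/transport
our-own-domain.example   relay:[mail.hosted.example]
vendor1.example          relay:[relay.isp.example]
.vendor2.example         relay:[relay.isp.example]
"""

MAIN_CF = """\
transport_maps = hash:/etc/postfix/transport
relayhost = [relay.isp.example]
"""


def parse_main_cf(text):
    """Return {parameter: value}; '#' is a comment only at the start of a line."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def parse_transport(text):
    """Return {lookup key: (transport, nexthop)} from transport(5) table text."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        transport, _, nexthop = fields[1].strip().partition(":")
        table[fields[0].lower()] = (transport, nexthop)
    return table


def lookup_keys(recipient):
    """Keys in transport(5) search order: user@domain, domain, .parent..., '*'."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    labels = domain.split(".")
    keys = [recipient, domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("*")
    return keys


def resolve(recipient, table, params):
    """Return (source, transport, nexthop) describing where the mail is sent."""
    for key in lookup_keys(recipient):
        if key in table:
            transport, nexthop = table[key]
            return ("transport_maps", transport, nexthop)
    # No table entry: Postfix does not reject, it uses the default route.
    transport = params.get("default_transport", "smtp")
    relayhost = params.get("relayhost", "")
    if relayhost:
        return ("relayhost", transport, relayhost)
    # Without relayhost the recipient domain's MX records are used instead.
    return ("mx", transport, recipient.rpartition("@")[2])


def outside_table(recipients, table, params):
    """Recipients that are still routed although no transport entry covers them."""
    return [r for r in recipients
            if resolve(r, table, params)[0] != "transport_maps"]


if __name__ == "__main__":
    table, params = parse_transport(TRANSPORT), parse_main_cf(MAIN_CF)
    for rcpt in ("ops@our-own-domain.example", "support@vendor1.example",
                 "tickets@eu.vendor2.example", "someone@elsewhere.example"):
        print(f"{rcpt:32} -> {resolve(rcpt, table, params)}")
```

In this model, removing relayhost changes the fallback from the ISP relay to MX delivery rather than blocking the mail, so the transport table on its own routes mail and does not restrict destinations.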
