
Re: Internal+external mailrelay

  • Michael Maymann
    Message 1 of 16 , Jan 10, 2012
      Hi Wietse,

      Thanks again for your nice/quick reply...
      2012/1/10 Wietse Venema <wietse@...>
      Michael Maymann:
      [ Charset ISO-8859-1 unsupported, converting... ]
      > Hi Wietse,
      >
      > thanks for your kind reply...:-) !
      > You're right...
      >
      > - We currently have a setup where all mail from R&D internal->external is
      > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
      > send from there to their mailrelay - no restrictions (this is not our
      > primary mail).
      > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
      > reputation based filtering - no spamming occurred though (all known domains
      > at-least...), but the number of mails was rather high...

      You need to rate-limit the clients. Use policyd or postfwd or
      something with similar capabilities.
      All our IP's in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

      > - We are about to send monitoring alert through my mailrelay pretty soon,
      > and therefore I would like to avoid spam filtering if possible - but saw
      > domain-whitelisting as a solution to limit damages to a minimum if a host
      > goes hostile...

      Rate limit the clients, and you won't have to keep updating whitelists.

      It is only to our own domain and a handful of external vendors (systems sending support-alerts to vendors directly). This will not be a problem in my setup.

      If you have PC-class systems on the network, having anti-spam/virus on the
      mail server would be a good idea because some box will get infected.

      PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send...
      I would really like to avoid anti-spam/virus filtering (at least in this stage), as this can potentially filter my monitoring alerts, etc.

      > - Our Printers are also on the R&D network and they need scan->email
      > functionality, so I still need to allow printers to send to anyone.

      You need to exclude the printers from the rate limit.

      This is my current configuration:

      main.cf:
      ---
      queue_directory = /var/spool/postfix
      command_directory = /usr/sbin
      daemon_directory = /usr/libexec/postfix
      mail_owner = postfix
      mydomain = <MYDOMAIN>
      myorigin = $mydomain
      inet_interfaces = all
      mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
      local_recipient_maps = unix:passwd.byname $alias_maps
      unknown_local_recipient_reject_code = 550
      mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
      relay_domains = $mydestination
      # Postfix does not support comments after a value on the same line, so the
      # notes sit on their own lines.
      # this will be commented out when we effectuate the new config
      relayhost = [<MYISP>]
      # this will be commented in when we effectuate the new config
      # transport_maps = hash:/etc/postfix/transport
      alias_maps = hash:/etc/aliases
      alias_database = hash:/etc/aliases
      debug_peer_level = 2
      debugger_command =
               PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
               xxgdb $daemon_directory/$process_name $process_id & sleep 5
      sendmail_path = /usr/sbin/sendmail.postfix
      mailq_path = /usr/bin/mailq.postfix
      setgid_group = postdrop
      html_directory = no
      manpage_directory = /usr/share/man
      sample_directory = /usr/share/doc/postfix-2.3.3/samples
      readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      ---

      transport (everything will be commented in when we effectuate the new config):
      ---
      ## Relay own mail to own server
      #our_own_domain      relay:<OUR_OFFICIAL_MAILSERVER>
      ## Relay only mail to known external vendors
      #<MY_VENDOR1> relay:<OUR_ISP_MAILRELAY>
      #<MY_VENDOR2> relay:<OUR_ISP_MAILRELAY>
      #<MY_VENDOR3> relay:<OUR_ISP_MAILRELAY>
      #<MY_VENDOR4> relay:<OUR_ISP_MAILRELAY>
      #<MY_VENDOR5> relay:<OUR_ISP_MAILRELAY>
      ---

      1. How can I exclude my printers from the "transport" whitelisting - can you give an example in the config file?
      2. How can I send bounced mails to bounce@our_own_domain.com - can you give an example in the config file?


      Thanks for your nice support - really appreciate it...:-) !

      ~maymann



             Wietse
      > - 99.96% of mail going through my mailrelay goes to our own official
      > mailboxes, so my thinking was to route all this directly to our official
      > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
      > done on mails from this IP)...
      >
      > Thanks in advance :-) !
      > ~maymann
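As an added example (not from any participant in the thread), one way to express the split policy the two questions above ask for using Postfix SMTP restrictions instead of the transport table: printer IPs may relay to any recipient, the other "mynetworks" ranges may relay only to the company domain and the listed vendors, and a copy of every bounce notice goes to a dedicated mailbox. All IP ranges, file paths and domain names below are constructed placeholders; rate limiting (policyd/postfwd) is a separate layer and is not shown.

```ini
# ---- main.cf (added example; networks and domains are placeholders) ----
# Client-based policy is evaluated first; a client that matches no entry in
# the cidr map falls through to the usual "no open relay" check.
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/client_policy.cidr
    reject_unauth_destination

# Restriction class returned for the data-centre VLANs: permit only the
# recipient domains listed in the hash map, reject everything else.
smtpd_restriction_classes = vendor_only
vendor_only =
    check_recipient_access hash:/etc/postfix/allowed_domains,
    reject

# Copy every bounce notice to a dedicated mailbox (default is postmaster),
# so undeliverable monitoring alerts are noticed.
notify_classes = resource, software, bounce
bounce_notice_recipient = bounce@our_own_domain.com

# ---- /etc/postfix/client_policy.cidr (placeholder networks) ----
# Printers: scan-to-email must reach arbitrary external recipients.
192.0.2.10/32       OK
192.0.2.11/32       OK
# Data-centre VLANs and LAB equipment: restricted to known destinations.
10.10.0.0/16        vendor_only
10.20.0.0/16        vendor_only
172.16.5.0/24       vendor_only

# ---- /etc/postfix/allowed_domains (run: postmap /etc/postfix/allowed_domains) ----
# A bare domain key matches any recipient in that domain.
our_own_domain.com  OK
vendor1.example     OK
vendor2.example     OK
```

On Postfix 2.10 and later, smtpd_relay_restrictions (default permit_mynetworks, reject_unauth_destination) is evaluated as well, so set it to the same list as smtpd_recipient_restrictions or the mynetworks permit will bypass the per-domain limit.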
