Re: Internal+external mailrelay
Hi Wietse,

Thanks again for your nice/quick reply...

2012/1/10 Wietse Venema <wietse@...>
> > Hi Wietse,
> > thanks for your kind reply...:-) !
> > You're right...
> > - We currently have a setup where all mail from R&D internal->external is
> > sent to my mailrelay in a specific site, as our_isp_relay only allows us to
> > send from there to their mailrelay - no restrictions (this is not our
> > primary mail).
> > - Our_isp_relay has already blacklisted my mailrelay twice, caused by
> > reputation based filtering - no spamming occurred though (all known domains
> > at least...), but the number of mails was rather high...
>
> You need to rate-limit the clients. Use policyd or postfwd or
> something with similar capabilities.

All our IPs in "mynetworks" should be allowed to send mails without filtering at this stage. But this looks like a good thing to implement later on though... (at this stage, I would like to make a quick fix to the very open solution we have now)...:-)

> > - We are about to send monitoring alerts through my mailrelay pretty soon,
> > and therefore I would like to avoid spam filtering if possible - but saw
> > domain-whitelisting as a solution to limit damages to a minimum if a host
> > goes hostile...
>
> Rate limit the clients, and you won't have to keep updating whitelists.

It is only to our own domain and a handful of external vendors (systems sending support-alerts to vendors directly). This will not be a problem in my setup.

> If you have PC-class systems on the network, having anti-spam/virus on the
> mail server would be a good idea because some box will get infected.

PC-vlans are not in my "mynetworks", so DC vlans and some specific LAB-equipment IPs are allowed to send...

I would really like to avoid anti-spam/virus filtering (at least in this stage), as this can potentially filter my monitoring alerts, etc.

> > - Our printers are also on the R&D network and they need scan->email
> > functionality, so I still need to allow printers to send to anyone.
>
> You need to exclude the printers from the rate limit.
This is my current configuration:

main.cf:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
mydomain = <MYDOMAIN>
myorigin = $mydomain
inet_interfaces = all
mydestination = localhost, localhost.localdomain, $mydomain, dfm.test.com
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, <MYVLAN1>, <MYVLAN2>, etc
relay_domains = $mydestination
# relayhost will be commented out when we effectuate the new config
# (note: main.cf does not support trailing comments on a value line)
relayhost = [<MYISP>]
# transport_maps will be uncommented when we effectuate the new config
# transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

transport (everything will be uncommented when we effectuate the new config):

## Relay own mail to own server
## Relay only mail to known external vendors

1. How can I exclude my printers from the "transport" whitelisting - can you give an example in the config file?
2. How can I send bounced mails to bounce@our_own_domain.com - can you give an example in the config file?
Thanks for your nice support - really appreciate it...:-) !
> > - 99.96% of mail going through my mailrelay goes to our own official
> > mailboxes, so my thinking was to route all this directly to our official
> > mailserver and get my mailrelay whitelisted there (so no spamfiltering is
> > done on mails from this IP)...
> > Thanks in advance :-) !
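A worked configuration for the two questions above and for Wietse's rate-limit advice, added here as an example; it is not taken from the original thread or from Wietse's reply. A transport_maps lookup is keyed on the recipient address only, so it cannot tell a printer from a DC host; the example therefore keeps transport_maps as a pure routing table and moves the "which client may send where" decision into smtpd_recipient_restrictions, where the client IP is known and a restriction class can exclude the printers from both the domain whitelist and the rate limit. The network ranges, the postfwd rule file and its 127.0.0.1:10040 listener, the vendor.example domain and the mail.our_own_domain.com host name are assumptions; the restriction-class, cidr: and hash: table syntax is Postfix's own and is available in the 2.3 series the config above comes from.

```text
# ---- /etc/postfix/main.cf (fragment; added example, not the poster's config) ----

# Routing only: where mail for a domain goes, independent of who submitted it.
transport_maps = hash:/etc/postfix/transport

# Restriction class applied to DC/LAB senders: consult the rate-limit policy
# daemon first (postfwd, assumed on 127.0.0.1:10040), then allow only the
# listed destination domains, and reject everything else.
smtpd_restriction_classes = restricted_relay
restricted_relay =
    check_policy_service inet:127.0.0.1:10040,
    check_recipient_access hash:/etc/postfix/relay_recipient_domains,
    reject

# The cidr: table decides per client IP which path applies. It replaces
# permit_mynetworks here, so a host not listed in it can only reach domains
# in $mydestination / $relay_domains (reject_unauth_destination).
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject_unauth_destination

# Copies of the headers of bounced mail (and of undeliverable bounces) go to
# bounce@our_own_domain.com. The non-delivery report itself still goes to
# the envelope sender; these parameters add the postmaster-style copy.
notify_classes = resource, software, bounce
bounce_notice_recipient = bounce@our_own_domain.com
2bounce_notice_recipient = bounce@our_own_domain.com

# ---- /etc/postfix/client_access.cidr (cidr: tables need no postmap; assumed ranges) ----
# Printers: scan-to-email to anyone, never rate limited.
10.0.5.0/24     permit
# DC VLANs and specific LAB equipment: own domain and known vendors only, rate limited.
10.0.10.0/24    restricted_relay
10.0.11.0/24    restricted_relay
10.0.99.7/32    restricted_relay

# ---- /etc/postfix/relay_recipient_domains (run: postmap /etc/postfix/relay_recipient_domains) ----
# Matched on the recipient's domain; subdomains match too with the default
# parent_domain_matches_subdomains setting.
our_own_domain.com      OK
vendor.example          OK

# ---- /etc/postfix/transport (run: postmap /etc/postfix/transport) ----
## Relay own mail to own server (assumed host name)
our_own_domain.com      smtp:[mail.our_own_domain.com]
## Relay mail for known external vendors via the ISP relay
vendor.example          smtp:[<MYISP>]

# ---- /etc/postfwd.cf (assumed rule file; started with:
#      postfwd -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -d) ----
# At most 200 RCPT TO commands per client IP per hour; the policy service is
# consulted at RCPT time, so this counts recipients, not messages. Printers
# never reach this rule because the cidr: table permits them before the
# restricted_relay class is entered.
id=RATE_DC; client_address=10.0.0.0/8; action=rate(client_address/200/3600/450 4.7.1 Rate limit exceeded - try again later)
```

After editing, run postmap on the two hash: tables and "postfix reload". One caveat that follows from the posted main.cf rather than from this example: $mydomain is still in mydestination there, so Postfix treats it as a local domain and rejects any recipient not in local_recipient_maps (passwd and aliases) at RCPT time regardless of the transport entry; once own-domain mail is routed to the official server, take $mydomain out of mydestination and list it in relay_domains instead, and make sure bounce@our_own_domain.com exists on the official server so the bounce copies are deliverable.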