Re: AW: forcing MX lookups
Thanks, this seems like the better solution.
On 21/02/2012 19:26, Wietse Venema wrote:
> Ed W:
>> As the OP suggested, a desirable solution would be for the MTA to only
>> check the various maps to decide a domain is local *after* having done a
>> DNS check to see if the MX record points "to this machine", i.e. the end
>> goal is if the MX record points to some other machine, then we deliver
>> to that machine, even if it's listed in our maps as being local...
> You can use transport_maps=tcp:host:port etc. to ask an external
> program for the MX lookup, and to have that external program decide
> if it should reply with a local mail delivery transport if the MX
> record points to your machine.
> This will drop your mail delivery performance quite a lot, as there
> is only one queue manager, and each mail delivery request will be
> waiting for the previous transport map lookup to complete.
> A better alternative may be check_recipient_mx_access at RCPT
> TO time.
> smtpd_recipient_restrictions =
>     # This example assumes that we are not providing mail relay service
>     # or mail submission service.
>     check_recipient_mx_access cidr:/etc/postfix/mxnetworks
>
> /etc/postfix/mxnetworks:
>     # Assuming this is your network with MX servers.
>     188.8.131.52/24 dunno
>     # If the MX did not match, reject the request.
>     0.0.0.0/0 reject
> This rejects mail when a recipient domain is "claimed" by one of
> your customers, but the MX host for the domain is not local.
> This is better than doing it at queue manager time, because multiple
> smtpd processes can do these MX lookups in parallel.
It would seem that an incremental tweak could be to combine both
solutions: rather than reject, redirect to some transport map which
forwards to some instance without local maps. This would cause the mail
to be forwarded to the MX destination as defined by DNS.
(Why: most users should be fine with "reject", but for my requirements
it's proved better to bounce invalid emails from *authorised users* vs.
rejecting at submission time. Mac Mail, for example, doesn't seem to
correctly show reject error messages. Also, we have users behind VERY
slow dialup connections, and bouncing works better for their submission.)
Thanks for the solution!
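A model of the decision discussed above, added here as an example that is not from the thread or from Postfix itself: it parses a cidr: table the way Postfix reads one, applies the first-match and dunno fall-through semantics (assumed from access(5)) to constructed MX data, and includes the redirect variant using the FILTER action. The network, domain and relay names are constructed.

```python
import ipaddress
# Constructed DNS answers: domain -> MX hosts (preference order) -> addresses.
MX_DATA = {
    "customer-local.example": [("mx1.example", ["192.0.2.10"])],
    "customer-moved.example": [("mx.other.example", ["203.0.113.7"])],
    "customer-mixed.example": [("mx1.example", ["192.0.2.10"]),
                               ("backup.other.example", ["203.0.113.9"])],
}

# The thread's cidr: table with a constructed MX network. Prefixes must be
# network addresses: Postfix warns about non-zero host bits and skips the rule.
MXNETWORKS = """# Assuming this is your network with MX servers.
192.0.2.0/24 dunno
# If the MX did not match, reject the request.
0.0.0.0/0 reject"""

# Redirect variant: route to a relay instance (constructed name) without local
# maps. access(5) FILTER applies to the whole message, i.e. to all recipients.
MXNETWORKS_REDIRECT = """192.0.2.0/24 dunno
0.0.0.0/0 FILTER smtp:[relay-no-local-maps.example]:25"""

def parse_cidr_table(text):
    """Parse 'prefix action' lines; comments and blank lines are ignored."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, action = line.split(None, 1)
        table.append((ipaddress.ip_network(prefix), action))  # strict, like Postfix
    return table

def lookup(table, addr):
    """First matching prefix wins, as in a Postfix cidr: table."""
    ip = ipaddress.ip_address(addr)
    for net, action in table:
        if ip in net:
            return action
    return None

def mx_access_decision(domain, table, mx_data=MX_DATA):
    """Model of check_recipient_mx_access (assumed from access(5)): MX addresses
    are looked up in order, 'dunno' or no match falls through, the first other
    action decides. Hostname lookups are skipped; no real DNS is consulted."""
    for _host, addrs in mx_data.get(domain, []):
        for addr in addrs:
            action = lookup(table, addr)
            if action is not None and action.lower() != "dunno":
                return action
    return "dunno"
```

Note that a domain whose MX list mixes local and external hosts is rejected (or redirected) as soon as an external address is reached.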