Re: AW: forcing MX lookups

  • Ed W
    Message 1 of 24 , Feb 27, 2012
      On 21/02/2012 19:26, Wietse Venema wrote:
      > Ed W:
      >> As the OP suggested, a desirable solution would be for the MTA to only
      >> check the various maps to decide a domain is local *after* having done a
      >> DNS check to see if the MX record points "to this machine". i.e. the end
      >> goal is if the MX record points to some other machine, then we deliver
      >> to that machine, even if it's listed in our maps as being local...
      > You can use transport_maps=tcp:host:port etc. to ask an external
      > program for the MX lookup, and to have that external program decide
      > if it should reply with a local mail delivery transport if the MX
      > record points to your machine.
      >
      > This will drop your mail delivery performance quite a lot, as there
      > is only one queue manager, and each mail delivery request will be
      > waiting for the previous transport map lookup to complete.
      >
      > A better alternative may be check_recipient_mx_access at RCPT
      > TO time.
      >
      > smtpd_recipient_restrictions =
      > # This example assumes that we are not providing mail relay service
      > # or mail submission service.
      > ...
      > reject_unauth_destination
      > check_recipient_mx_access cidr:/etc/postfix/mxnetworks
      > ...
      >
      > /etc/postfix/mxnetworks:
      > # Assuming this is your network with MX servers.
      > 1.2.3.4/24 dunno
      > # If the MX did not match, reject the request.
      > 0.0.0.0/0 reject
      >
      > This rejects mail when a recipient domain is "claimed" by one of
      > your customers, but the MX host for the domain is not local.
      >
      > This is better than doing it at queue manager time, because multiple
      > smtpd processes can do these MX lookups in parallel.
      >
      > Wietse

      Thanks, this seems like the better solution.

      It would seem that an incremental tweak could be to combine both
      solutions, rather than reject, redirect to some transport map which
      forwards to some instance without local maps - this would cause the mail
      to be forwarded to the MX destination as defined by DNS.

      (Why: Most users should be fine with "reject", but for my requirements
      it's proved better to bounce invalid emails from *authorised users* vs
      rejecting at submission time. Mac Mail for example doesn't seem to
      correctly show reject error messages. Also we have users behind VERY
      slow dialup connections and bouncing works better for their submission
      process also.)

      Thanks for the solution!

      Ed W
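The following is an added example, not code from this thread, Ed W or the Postfix project: an offline model of how the `check_recipient_mx_access cidr:/etc/postfix/mxnetworks` restriction quoted above decides between `dunno` and `reject`. The cidr table text is the one from the thread; the MX address data (`FAKE_MX`) is a constructed stand-in for what Postfix would obtain from DNS, so the script runs without Postfix or network access. Domain names and addresses in it are invented. It models only the `dunno`/`reject` actions shown in the thread; a domain with no MX record is left out because Postfix's handling of that case is not described on this page.

```python
"""Offline model of Postfix check_recipient_mx_access over a cidr: table."""
import ipaddress

# The cidr: table from the thread (/etc/postfix/mxnetworks). Entries are
# evaluated top to bottom; the first network that contains the address wins.
MXNETWORKS = """
# Assuming this is your network with MX servers.
1.2.3.4/24 dunno
# If the MX did not match, reject the request.
0.0.0.0/0 reject
"""

# Constructed stand-in for DNS: recipient domain -> addresses of its MX hosts.
# Real Postfix resolves the MX records and then their A/AAAA addresses.
FAKE_MX = {
    "customer-a.example": ["1.2.3.10"],                 # MX inside our network
    "customer-b.example": ["198.51.100.25"],            # MX hosted elsewhere
    "mixed.example":      ["1.2.3.11", "203.0.113.7"],  # one local, one remote
}


def parse_cidr_table(text):
    """Parse cidr: table lines into an ordered list of (network, action).

    strict=False lets an entry such as 1.2.3.4/24 (host bits set) be read as
    the network 1.2.3.0/24, which is how the thread's table is meant.
    """
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        table.append((ipaddress.ip_network(net, strict=False),
                      action.strip().lower()))
    return table


def lookup(table, addr):
    """First-match lookup of one address; None if no entry matches."""
    ip = ipaddress.ip_address(addr)
    for net, action in table:
        if ip in net:
            return action
    return None


def check_recipient_mx_access(domain, table, mx_addresses):
    """Return 'dunno' (fall through to the next restriction) or the first
    non-dunno action found for any of the domain's MX host addresses."""
    for addr in mx_addresses.get(domain, []):
        action = lookup(table, addr)
        if action is not None and action != "dunno":
            return action
    return "dunno"


if __name__ == "__main__":
    table = parse_cidr_table(MXNETWORKS)
    for domain in FAKE_MX:
        print(f"{domain:20s} -> {check_recipient_mx_access(domain, table, FAKE_MX)}")
```

The `mixed.example` case shows the property worth checking before deploying such a table: a domain whose MX set includes even one host outside the listed network is rejected, because the catch-all `0.0.0.0/0 reject` matches that host. The returned action string is passed through untouched, so a table that returns something other than `reject` (as Ed's redirect variant would) is evaluated the same way.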