
sender-based-routing challenge

  • Michael Ionescu
    Message 1 of 6 , May 1, 2013
      I have a corner case where I need to allow emails generated at my
      site with certain off-site sender addresses to be routed through my MTA
      to the off-site smarthost officially responsible for the sender domain.

      This can be easily done using sender-based-routing. However, it becomes
      an issue as soon as the recipient is on my side and the off-site MTA
      therefore routes the email back to my MTA. A loop will be detected, due
      to my MTA seeing its own Received: header from the previous pass.

      The smtpd the email generator delivers its mail to is configured with a
      prequeue proxy virusfilter. If I understand correctly, this precludes
      rewriting the Received: header on the first pass using postfix on-board
      equipment.
      QUESTION 1: Is this correct?

      I see these work-arounds:

      A) If I receive all email from said off-site MTA on a non-standard port,
      loop-detection will not happen. The drawback is that I will have to
      depend on the off-site MTA for loop-detection.
      QUESTION 2: Is there a definitive overview of all the ways postfix
      detects loops and at what stages these are employed? (I mean aside from
      the source code.) :-)

      B) If there was a way to make the sender-based-routing conditional (i.e.
      only use sender-based-routing if recipient domain is not in my
      relay_domains, otherwise use normal transports) I could shunt emails to
      my own users to my own back-end MTA without passing through the off-site
      MTA.
      QUESTION 3: Can one make sender-based-routing conditional in this way?
      QUESTION 4: Does this also work with an smtpd configured with a
      pre-queue proxy filter?

      C) I could set up a completely separate postfix MTA (not just the smtpd)
      solely for the first pass from the generator. Then I could simply use
      the standard transports and relayhost=offsiteMTA. This is not the
      preferred solution, as it will require either a second (non-standard)
      pfx installation on the existing system or an additional system with a
      standard pfx.

      Thanks for your insight!
      Michael
    • Noel Jones
      Message 2 of 6 , May 2, 2013
        On 5/2/2013 1:20 AM, Michael Ionescu wrote:
        > I have a corner case where I need to allow emails generated at my
        > site with certain off-site sender addresses to be routed through my MTA
        > to the off-site smarthost officially responsible for the sender domain.
        >
        > This can be easily done using sender-based-routing. However, it becomes
        > an issue as soon as the recipient is on my side and the off-site MTA
        > therefore routes the email back to my MTA. A loop will be detected, due
        > to my MTA seeing its own Received: header from the previous pass.
        >
        > The smtpd the email generator delivers its mail to is configured with a
        > prequeue proxy virusfilter. If I understand correctly, this precludes
        > rewriting the Received: header on the first pass using postfix on-board
        > equipment.
        > QUESTION 1: Is this correct?
        >
        > I see these work-arounds:
        >
        > A) If I receive all email from said off-site MTA on a non-standard port,
        > loop-detection will not happen. The drawback is that I will have to
        > depend on the off-site MTA for loop-detection.
        > QUESTION 2: Is there a definitive overview of all the ways postfix
        > detects loops and at what stages these are employed? (I mean aside from
        > the source code.) :-)
        >
        > B) If there was a way to make the sender-based-routing conditional (i.e.
        > only use sender-based-routing if recipient domain is not in my
        > relay_domains, otherwise use normal transports) I could shunt emails to
        > my own users to my own back-end MTA without passing through the off-site
        > MTA.
        > QUESTION 3: Can one make sender-based-routing conditional in this way?
        > QUESTION 4: Does this also work with an smtpd configured with a
        > pre-queue proxy filter?
        >
        > C) I could set up a completely separate postfix MTA (not just the smtpd)
        > solely for the first pass from the generator. Then I could simply use
        > the standard transports and relayhost=offsiteMTA. This is not the
        > preferred solution, as it will require either a second (non-standard)
        > pfx installation on the existing system or an additional system with a
        > standard pfx.
        >
        > Thanks for your insight!
        > Michael
        >


        "C" Multiple postfix instances is the preferred solution. Postfix
        supports multiple instances on the same machine quite well. The
        added overhead to the machine is negligible. There is some extra
        administration, but the upside is you can easily do things that are
        not possible (or really ugly) in a single instance.

        http://www.postfix.org/MULTI_INSTANCE_README.html


        -- Noel Jones
      • Michael Ionescu
        Message 3 of 6 , May 2, 2013
          On 02.05.2013 17:57, Noel Jones wrote:
          >> [...]
          >> prequeue proxy virusfilter [...] precludes
          >> rewriting the Received: header [...]
          >> QUESTION 1: Is this correct?
          >> [...]
          >> QUESTION 2: Is there a definitive overview of all the ways postfix
          >> detects loops and at what stages these are employed? (I mean aside from
          >> the source code.) :-)
          >> [...]
          >> QUESTION 3: Can one make sender-based-routing conditional [...]?
          >> QUESTION 4: Does this also work with an smtpd configured with a
          >> pre-queue proxy filter?
          >> [...]
          >> Thanks for your insight!
          >> Michael
          >>
          >
          >
          > "C" Multiple postfix instances is the preferred solution. Postfix
          > supports multiple instances on the same machine quite well. The
          > added overhead to the machine is negligible. There is some extra
          > administration, but the upside is you can easily do things that are
          > not possible (or really ugly) in a single instance.
          >
          > http://www.postfix.org/MULTI_INSTANCE_README.html
          >
          >
          > -- Noel Jones
          >

          Thanks Noel. While this may be generally correct, I come from using
          qmail and having to compensate its shortcomings by both extensive
          patching and ultimately placing multiple installations on each machine.

          I do not want to go back to having multiple MTA installations on a
          machine because of the drawbacks in administration, even in view of
          postmulti. Therefore I am explicitly asking about the other solutions I
          have in mind and am open for ones that I have not thought of.

          Michael
        • Noel Jones
          Message 4 of 6 , May 2, 2013
            On 5/2/2013 4:14 PM, Michael Ionescu wrote:
            >
            >
            > On 02.05.2013 17:57, Noel Jones wrote:
            >>> [...]
            >>> prequeue proxy virusfilter [...] precludes
            >>> rewriting the Received: header [...]
            >>> QUESTION 1: Is this correct?
            >>> [...]
            >>> QUESTION 2: Is there a definitive overview of all the ways postfix
            >>> detects loops and at what stages these are employed? (I mean aside from
            >>> the source code.) :-)
            >>> [...]
            >>> QUESTION 3: Can one make sender-based-routing conditional [...]?
            >>> QUESTION 4: Does this also work with an smtpd configured with a
            >>> pre-queue proxy filter?
            >>> [...]
            >>> Thanks for your insight!
            >>> Michael
            >>>
            >>
            >>
            >> "C" Multiple postfix instances is the preferred solution. Postfix
            >> supports multiple instances on the same machine quite well. The
            >> added overhead to the machine is negligible. There is some extra
            >> administration, but the upside is you can easily do things that are
            >> not possible (or really ugly) in a single instance.
            >>
            >> http://www.postfix.org/MULTI_INSTANCE_README.html
            >>
            >>
            >> -- Noel Jones
            >>
            >
            > Thanks Noel. While this may be generally correct, I come from using
            > qmail and having to compensate its shortcomings by both extensive
            > patching and ultimately placing multiple installations on each machine.
            >
            > I do not want to go back to having multiple MTA installations on a
            > machine because of the drawbacks in administration, even in view of
            > postmulti. Therefore I am explicitly asking about the other solutions I
            > have in mind and am open for ones that I have not thought of.
            >
            > Michael
            >

            Write 100 times on the blackboard: "postfix is not qmail"

            Postfix transport features are global to each instance, and are
            non-conditional. If you're using sender dependent transports, you're
            going to have a hard time without multiple instances.

            If you can use something else to correctly route the original mail,
            you have a chance of it working without multiple instances. One
            thought that comes to mind is submitting the original mail on a
            specific port that has a -o
            content_filter=smtp:[remote.smtp.server]. Another possibility is a
            policy service that detects the "special" mail through
            some combination of source IP and sender, and returns FILTER
            smtp:destination when appropriate.




            -- Noel Jones
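
The policy-service idea from the message above, sketched as an added example (not code from the thread or from Postfix): it reads Postfix policy delegation requests and returns FILTER only for generator mail with an off-site sender and a non-local recipient. The IP address, domains and smarthost name are placeholder assumptions.

```python
import sys

# Assumptions (not from the thread): generator IP, off-site sender domain and
# local relay domain are placeholders; the destination form is the thread's.
GENERATOR_IPS = {"192.0.2.10"}
OFFSITE_SENDER_DOMAINS = {"offsite.example"}
LOCAL_RELAY_DOMAINS = {"mysite.example"}
SMARTHOST = "smtp:[remote.smtp.server]"

def parse_request(lines):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def domain_of(address):
    # An empty sender (bounce) yields "" and therefore never matches.
    return address.rpartition("@")[2].lower()

def decide(attrs):
    """FILTER for generator mail with off-site sender and non-local recipient."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_address") not in GENERATOR_IPS:
        return "DUNNO"
    if domain_of(attrs.get("sender", "")) not in OFFSITE_SENDER_DOMAINS:
        return "DUNNO"
    if domain_of(attrs.get("recipient", "")) in LOCAL_RELAY_DOMAINS:
        return "DUNNO"  # local recipient: normal transports, no round trip
    return "FILTER " + SMARTHOST

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF, as a spawn(8)-run policy service would."""
    while True:
        attrs = parse_request(iter(stream_in.readline, ""))
        if not attrs:
            return
        stream_out.write("action=%s\n\n" % decide(attrs))
        stream_out.flush()

if __name__ == "__main__":
    serve()
```

FILTER applies to every recipient of a message, so mail that mixes local and off-site recipients goes to the smarthost as a whole once any one recipient triggers it.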
          • Reindl Harald
            Message 5 of 6 , May 2, 2013
              On 03.05.2013 00:40, Noel Jones wrote:
              > Postfix transport features are global to each instance, and are
              > non-conditional. If you're using sender dependent transports, you're
              > going to have a hard time without multiple instances

              not if you are firm with mysql-tables and queries

              sender/sender-domain dependent relay hosts are no problem
              even combined with different auth-users
            • Viktor Dukhovni
              Message 6 of 6 , May 2, 2013
                On Thu, May 02, 2013 at 11:14:23PM +0200, Michael Ionescu wrote:

                > > "C" Multiple postfix instances is the preferred solution. Postfix
                > > supports multiple instances on the same machine quite well. The
                > > added overhead to the machine is negligible. There is some extra
                > > administration, but the upside is you can easily do things that are
                > > not possible (or really ugly) in a single instance.
                > >
                > > http://www.postfix.org/MULTI_INSTANCE_README.html
                > >
                > >
                > > -- Noel Jones
                > >
                >
                > Thanks Noel. While this may be generally correct, I come from using
                > qmail and having to compensate its shortcomings by both extensive
                > patching and ultimately placing multiple installations on each machine.
                >
                > I do not want to go back to having multiple MTA installations on a
                > machine because of the drawbacks in administration, even in view of
                > postmulti. Therefore I am explicitly asking about the other solutions I
                > have in mind and am open for ones that I have not thought of.

                Don't confuse multiple *configuration* instances with multiple
                installation instances. You install Postfix just once. You edit
                multiple configuration files (main.cf and perhaps master.cf in each
                configuration directory), one per MTA role.

                The postmulti framework takes care of the other details. Your bias
                against multiple instances is irrational, you should be willing to
                reconsider.

                --
                Viktor.