postfix - relay for domains (MX Server) / host

Last updated: 2017-04-05

Per-domain MX Relay Server


# mx server setting

main.cf

relay_domains = hash:/etc/postfix/relaydomains.cf

# $relay_domains are delivered with the $relay_transport mail delivery transport.
transport_maps = hash:/etc/postfix/transport.cf

# set to 20M (the default value is too small)
message_size_limit = 20480000

# retry & life
maximal_queue_lifetime = 3d
bounce_queue_lifetime = 900s
queue_run_delay = 180
minimal_backoff_time = 300

postfix reload

# Per-domain Setting

/etc/postfix/relaydomains.cf

datahunter.org datahunter.org

/etc/postfix/transport.cf

datahunter.org smtp:[mail.datahunter.org]:25

# postmap route file (the hash: table name in main.cf is relaydomains.cf / transport.cf, so postmap must be run on those exact paths; it creates relaydomains.cf.db and transport.cf.db)

postmap hash:/etc/postfix/relaydomains.cf

postmap hash:/etc/postfix/transport.cf

 * No need to reload postfix after postmap

Doc

http://www.postfix.org/transport.5.html
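As an added example (not code from the page or from Postfix), the following script renders the two hash tables of the section above from a domain-to-backend dict, parses them back the way postmap reads them, and cross-checks them: every relayed domain needs a transport entry, and the nexthop should be of the form smtp:[host]:port, because (as the smtp_dns_support_level notes further down say) an unbracketed host gets an MX lookup. BACKENDS is a constructed sample; the files go to a temporary directory, and postmap is only called if it is installed.

```python
"""Render and lint the relay_domains / transport_maps hash tables described
above. Added example (not the page's or Postfix's own code); BACKENDS is a
constructed sample and the files are written under a temporary directory."""
import os
import re
import shutil
import subprocess
import tempfile

# constructed sample: relayed domain -> backend host (the page's datahunter.org pair)
BACKENDS = {"datahunter.org": "mail.datahunter.org"}

# a nexthop of the form smtp:[host]:port; the [] tell Postfix to skip the MX lookup
NEXTHOP_RE = re.compile(r"^smtp:\[(?P<host>[^\]\s]+)\](?::(?P<port>\d{1,5}))?$")


def render_maps(backends, port=25):
    """Return the (relaydomains.cf, transport.cf) texts for a domain->host dict."""
    relay = "".join(f"{d} {d}\n" for d in sorted(backends))
    transport = "".join(f"{d} smtp:[{backends[d]}]:{port}\n" for d in sorted(backends))
    return relay, transport


def parse_map(text):
    """Parse a Postfix 'key value' table. Blank lines and lines whose first
    non-blank character is '#' are skipped; a line starting with whitespace
    continues the previous one. A key without a value raises, since postmap
    rejects such lines (hence the page's 'must_has_remark' column)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"key {parts[0]!r} has no value")
        entries[parts[0]] = parts[1].strip()
    return entries


def lint(relay_text, transport_text):
    """Cross-check both tables; return a list of problems (empty means clean)."""
    problems = []
    relay, transport = parse_map(relay_text), parse_map(transport_text)
    for domain in relay:
        if domain not in transport:
            problems.append(f"{domain}: in relay_domains but has no transport_maps entry")
    for domain, nexthop in transport.items():
        m = NEXTHOP_RE.match(nexthop)
        if not m:
            problems.append(f"{domain}: nexthop {nexthop!r} is not smtp:[host]:port "
                            "(an unbracketed host is subject to an MX lookup)")
        elif m.group("port") and not 0 < int(m.group("port")) < 65536:
            problems.append(f"{domain}: port {m.group('port')} out of range")
    return problems


def build(backends, directory):
    """Write both tables under directory and run postmap on each if it is installed."""
    relay_text, transport_text = render_maps(backends)
    for name, text in (("relaydomains.cf", relay_text), ("transport.cf", transport_text)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(text)
        if shutil.which("postmap"):
            # hash:/dir/relaydomains.cf produces relaydomains.cf.db, the name main.cf looks up
            subprocess.run(["postmap", f"hash:{path}"], check=True)
    return lint(relay_text, transport_text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(build(BACKENDS, tmp) or "maps consistent")
```

The continuation-line handling mirrors how postmap reads a table (a line that starts with whitespace continues the previous logical line), which is why a stray indented line in transport.cf silently becomes part of the entry above it rather than a new one.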

relay your mails per-domain or per-user

Configure which domains to relay for:

relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf

query = SELECT domain FROM relay_domains WHERE domain='%s' AND active='y'

DB schema:   | domain | active | remark |

recipient:

relay_recipient_maps = mysql:/etc/postfix/mysql_relay_recipients.cf

query = SELECT email FROM relay_recipients WHERE email='%s' AND active='y'

DB schema:   | email | active | remark |

Configure where to relay to:

transport_maps = mysql:/etc/postfix/mysql_transport_maps.cf

query = SELECT relay FROM transport WHERE pattern='%s' AND active='y'

DB schema:   | pattern | relay (default: smtp:[domain]:port) | active |
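The mysql: map files referenced above hold the DB credentials next to the query, so they should not be world-readable. As an added example (not from the page or Postfix), this writes the three files with the page's queries and a restrictive mode, then audits a directory for map files any local user could read. The DB host, account and database name are constructed; the 0640 mode, and the assumption that the Postfix daemon user reads the files through group membership, are typical-install assumptions; the key names (hosts, user, password, dbname, query) are those of mysql_table(5).

```python
"""Write the three mysql: lookup-table files for the maps above and check
their permissions. Added example, not from the page or Postfix; the query
strings are the page's, the DB host, account and names are constructed and
the 0640 mode is an assumption for a typical install."""
import os
import stat
import tempfile

# constructed: map file name -> the SQL query from the section above (%s = lookup key)
QUERIES = {
    "mysql_relay_domains.cf": "SELECT domain FROM relay_domains WHERE domain='%s' AND active='y'",
    "mysql_relay_recipients.cf": "SELECT email FROM relay_recipients WHERE email='%s' AND active='y'",
    "mysql_transport_maps.cf": "SELECT relay FROM transport WHERE pattern='%s' AND active='y'",
}


def render_mysql_map(query, hosts, user, password, dbname):
    """Body of one mysql_table(5) file: connection settings plus the query."""
    if query.count("%s") != 1:
        raise ValueError("query must contain exactly one %s placeholder")
    return (f"hosts = {hosts}\nuser = {user}\npassword = {password}\n"
            f"dbname = {dbname}\nquery = {query}\n")


def write_maps(directory, hosts, user, password, dbname, mode=0o640):
    """Create the files with a mode that keeps the DB password away from 'other'."""
    paths = []
    for name, query in QUERIES.items():
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(render_mysql_map(query, hosts, user, password, dbname))
        os.chmod(path, mode)  # the umask may have stripped bits at create time
        paths.append(path)
    return paths


def file_mode(path):
    return os.stat(path).st_mode & 0o777


def world_readable_maps(directory):
    """Names of mysql map files under directory that any local user can read."""
    return sorted(
        name for name in os.listdir(directory)
        if name.startswith("mysql_") and name.endswith(".cf")
        and os.stat(os.path.join(directory, name)).st_mode & stat.S_IROTH
    )


def demo():
    """Write the maps into a fresh temporary directory and audit them."""
    directory = tempfile.mkdtemp(prefix="postfix-mysql-")
    paths = write_maps(directory, hosts="127.0.0.1", user="postfix_ro",
                       password="CHANGE-ME", dbname="mail")  # constructed values
    return {"files": len(paths), "world_readable": world_readable_maps(directory),
            "mode": file_mode(paths[0]), "directory": directory}


if __name__ == "__main__":
    print(demo())
```

On the real server the files would be owned by root with the Postfix daemon's group (typically postfix) so that smtpd can read them; a lookup can then be checked without mail with postmap -q datahunter.org mysql:/etc/postfix/mysql_relay_domains.cf, which prints the row or nothing.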

Relay mail for a specific IP

# master.cf

3025      inet  n       -       n       -       -       smtpd
 -o strict_rfc821_envelopes=no
 -o content_filter=
 -o mynetworks_style=host
 -o mynetworks=hash:/etc/postfix/free2relay.cf
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

 * Without smtpd_client_restrictions you get the following error

Mar 28 11:11:48 mail postfix/smtpd[22970]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]:
554 5.7.1 <a@b>: Recipient address rejected: Access denied;
from=<a@b> to=<c@d> proto=SMTP helo=<h.h>

 * The default mynetworks_style is subnet

 * strict_rfc821_envelopes

Postfix requires envelope addresses to be within angle brackets (<>)

# /etc/postfix/free2relay.cf

# Server IP         Remark
R.R.R.R             must_has_remark

Backend Server Setting

master.cf

# Open a new port to receive mail from the MX server. It does not check RBLs and bypasses the content filter and the header/body checks

# For mx & sf server
2025  inet  n  -  -  -  -  smtpd
    -o syslog_name=postfix/2025
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8,R1.R1.R1.R1,R2.R2.R2.R2
    -o smtpd_tls_security_level=may
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
    -o receive_override_options=no_header_body_checks

P.S.

Do not add no_address_mappings to receive_override_options, otherwise forwarding fails !!

If main.cf sets "smtpd_tls_security_level=encrypt", the MX Server gets the following error

... dsn=5.7.0, status=bounced (host BACKEND_SERVER[r.r.r.r]
 said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
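Both log lines quoted on this page (the NOQUEUE reject on the relay-for-IP port above, and the bounce from a backend that insists on STARTTLS) are worth watching for after a change to master.cf. As an added example (not from the page or Postfix), this parses both shapes with regular expressions, counts rejects per client IP and lists the relays that answered with the STARTTLS error. The log lines are constructed after the page's samples with documentation IPs and an invented queue ID.

```python
"""Parse the two kinds of Postfix log line quoted on the page and summarise
them. Added example, not from the page; SAMPLE_LOG is constructed."""
import re
from collections import Counter

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<to>[^>]*)>"
)
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Z]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),.*"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
STARTTLS_TEXT = "Must issue a STARTTLS command first"

# constructed sample, modelled on the page's two log excerpts
SAMPLE_LOG = [
    "Mar 28 11:11:48 mail postfix/smtpd[22970]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 <c@d>: Recipient address rejected: Access denied; from=<a@b> to=<c@d> proto=SMTP helo=<h.h>",
    "Mar 28 11:11:52 mail postfix/smtpd[22970]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 <c@d>: Recipient address rejected: Access denied; from=<a@b> to=<c@d> proto=SMTP helo=<h.h>",
    "Mar 28 11:12:30 mail postfix/smtpd[22975]: NOQUEUE: reject: RCPT from host.example.test[198.51.100.7]: "
    "554 5.7.1 <u@datahunter.org>: Recipient address rejected: Access denied; "
    "from=<s@example.test> to=<u@datahunter.org> proto=ESMTP helo=<host.example.test>",
    "Mar 28 11:20:03 mail postfix/smtp[23001]: 4F2A1B0C3D: to=<user@datahunter.org>, "
    "relay=BACKEND_SERVER[192.0.2.20]:2025, delay=0.3, delays=0.1/0/0.1/0.1, dsn=5.7.0, "
    "status=bounced (host BACKEND_SERVER[192.0.2.20] said: 530 5.7.0 Must issue a STARTTLS "
    "command first (in reply to MAIL FROM command))",
    "Mar 28 11:21:00 mail postfix/smtpd[22980]: connect from unknown[192.0.2.10]",
]


def parse_line(line):
    """Return a dict with a 'kind' key for the two line shapes, else None."""
    m = REJECT_RE.search(line)
    if m:
        return {"kind": "reject", **m.groupdict()}
    m = DELIVERY_RE.search(line)
    if m:
        return {"kind": "delivery", **m.groupdict()}
    return None


def summarize(lines):
    """Rejects per client IP, plus relays that demanded STARTTLS."""
    rejects = Counter()
    starttls = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "reject":
            rejects[ev["ip"]] += 1
        elif ev["status"] in ("bounced", "deferred") and STARTTLS_TEXT in ev["detail"]:
            starttls.append(ev["relay"])
    return {"rejects_by_client": dict(rejects), "starttls_failures": starttls}


def hints(summary):
    """Map each finding to the setting on the page that usually explains it."""
    out = [f"{ip}: {n} reject(s); if this is an expected relay client, add it to the "
           "mynetworks table of the listener (the page's free2relay.cf) and keep "
           "permit_mynetworks in smtpd_client_restrictions"
           for ip, n in summary["rejects_by_client"].items()]
    out += [f"{relay}: demands STARTTLS; the receiving port needs "
            "-o smtpd_tls_security_level=may (as on the page's port 2025) or the "
            "MX must send with TLS" for relay in summary["starttls_failures"]]
    return out


if __name__ == "__main__":
    for h in hints(summarize(SAMPLE_LOG)):
        print(h)
```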

Setting

smtp_defer_if_no_mx_address_found=yes   (default = no)

Defer mail delivery when no MX record resolves to an IP address.

The default (no) is to return the mail as undeliverable.

smtp_mx_session_limit = 5   (default = 2)

The maximal number of SMTP sessions per delivery request before giving up or delivering to a fall-back relay host.

relayhost (default: empty)

relayhost = [gateway.example.com]

ignore_mx_lookup_error (default: no)

"no" (default) => tries again after some delay
"yes" => force a DNS A record lookup instead


smtp_dns_support_level (default: empty)

disabled

No MX lookups are performed and hostname to address lookups are unconditionally "native"

enabled

Nexthop destination domains not enclosed in "[]" will be subject to MX lookups.

If "dns" and "native" are included in the "smtp_host_lookup" parameter value,

DNS will be queried first to resolve MX-host A records, followed by "native" lookups if no answer is found in DNS.

dnssec

Enable DNSSEC lookups.

smtp_host_lookup (default: dns)

dns               # Hosts can be found in the DNS (preferred).
native           # Use the native naming service only (nsswitch.conf)
dns, native    # Use the native service for hosts not found in the DNS.

Notes:

nsswitch.conf

hosts:      files dns myhostname
...

reject_unknown_recipient_domain in smtpd_recipient_restrictions

Reject the request when Postfix is not final destination for the recipient domain,

and the RCPT TO domain has no DNS A or MX record,

or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).

i.e.

When you telnet localhost 25 you get

450 4.1.2 <x@y>: Recipient address rejected: Domain not found

Cause

smtpd_recipient_restrictions = reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 permit_mynetworks,
 permit_sasl_authenticated,
 check_client_access hash:/etc/postfix/relay_ip,
 check_sender_access regexp:/etc/postfix/check_sender,
 reject_unauth_destination

unknown_address_reject_code

specifies the numerical response code for rejected requests (default: 450).

The response is always 450 in case of a temporary DNS error.

unknown_address_tempfail_action

specifies the action after a temporary DNS error (default: defer_if_permit).

Backend Server

[Method 1]

mynetworks_style = host
mynetworks = 127.0.0.0/8 MX1-IP MX2-IP

smtpd_sender_restrictions =
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
 reject_unlisted_sender,
 check_sasl_access pcre:/etc/postfix/per_user_filter.cf,
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated

[Method 2]

smtpd_sender_restrictions =
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
 reject_unlisted_sender,
 check_sasl_access pcre:/etc/postfix/per_user_filter.cf,
 permit_mynetworks,
 check_client_access hash:/etc/postfix/mxserver.cf,
 reject_sender_login_mismatch,
 permit_sasl_authenticated

/etc/postfix/mxserver.cf

# mx1
x.x.x.x         OK
# mx2
y.y.y.y         OK
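The 450 "Domain not found" on localhost explained in the Setting section, and the check_client_access entry for the MX hosts in [Method 2] above, both come down to the same rule: Postfix walks a restriction list in order and the first restriction that returns OK or REJECT decides. As an added example (not from the page and not Postfix code), this is a small model of that evaluation covering only the restrictions needed to follow the page's two lists; restrictions it does not model count as DUNNO, and the environment (documentation IPs, invented domains, the mxserver.cf table) is constructed.

```python
"""Model Postfix's in-order, first-match evaluation of an smtpd restriction
list. Added example, not from the page and not Postfix code: only the
restrictions needed to follow the two lists above are modelled, with a
constructed environment (documentation IPs, invented domains)."""
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"


def _domain(address):
    return address.rpartition("@")[2].lower()


def _in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


# each handler takes (client, env, argument) and returns OK, REJECT or DUNNO
def permit_mynetworks(c, e, a):
    return OK if _in_networks(c["ip"], e["mynetworks"]) else DUNNO

def permit_sasl_authenticated(c, e, a):
    return OK if c.get("sasl_user") else DUNNO

def reject_unknown_recipient_domain(c, e, a):
    d = _domain(c["recipient"])
    # only applies when Postfix is not the final destination (as the page quotes)
    return DUNNO if d in e.get("mydestination", ()) or d in e["resolvable"] else REJECT

def reject_unknown_sender_domain(c, e, a):
    return DUNNO if _domain(c["sender"]) in e["resolvable"] else REJECT

def reject_non_fqdn_recipient(c, e, a):
    return REJECT if "." not in _domain(c["recipient"]) else DUNNO

def reject_non_fqdn_sender(c, e, a):
    return REJECT if "." not in _domain(c["sender"]) else DUNNO

def reject_unauth_destination(c, e, a):
    d = _domain(c["recipient"])
    return DUNNO if d in e.get("mydestination", ()) or d in e.get("relay_domains", ()) else REJECT

def check_client_access(c, e, table):
    return e["tables"].get(table, {}).get(c["ip"], DUNNO)

HANDLERS = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain,
    reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_non_fqdn_sender,
    reject_unauth_destination, check_client_access)}
HANDLERS["reject"] = lambda c, e, a: REJECT


def evaluate(restrictions, client, env):
    """Walk the list in order; the first OK or REJECT decides. Restrictions not
    modelled here (reject_unlisted_*, check_sasl_access, check_sender_access)
    count as DUNNO. Returns (decision, the entry that decided)."""
    for entry in restrictions:
        name, _, arg = entry.partition(" ")
        result = HANDLERS[name](client, env, arg) if name in HANDLERS else DUNNO
        if result != DUNNO:
            return result, entry
    return OK, "implicit permit at end of list"


def permit_mynetworks_first(restrictions):
    """Reordering that lets trusted clients through before the DNS-based rejects."""
    return ["permit_mynetworks"] + [r for r in restrictions if r != "permit_mynetworks"]


# the page's smtpd_recipient_restrictions (Setting section) and the [Method 2] sender list
PAGE_RECIPIENT_RESTRICTIONS = [
    "reject_unknown_recipient_domain", "reject_non_fqdn_recipient", "reject_unlisted_recipient",
    "permit_mynetworks", "permit_sasl_authenticated",
    "check_client_access hash:/etc/postfix/relay_ip",
    "check_sender_access regexp:/etc/postfix/check_sender", "reject_unauth_destination"]
METHOD2_SENDER_RESTRICTIONS = [
    "reject_unknown_sender_domain", "reject_non_fqdn_sender", "reject_unlisted_sender",
    "check_sasl_access pcre:/etc/postfix/per_user_filter.cf", "permit_mynetworks",
    "check_client_access hash:/etc/postfix/mxserver.cf", "reject_sender_login_mismatch",
    "permit_sasl_authenticated"]

# constructed environment: only 127/8 is local, the MX hosts are listed in mxserver.cf
ENV = {
    "mynetworks": ["127.0.0.0/8"],
    "mydestination": {"backend.example.test"},
    "relay_domains": {"datahunter.org"},
    "resolvable": {"datahunter.org", "example.test", "backend.example.test"},
    "tables": {"hash:/etc/postfix/mxserver.cf": {"192.0.2.11": OK, "192.0.2.12": OK}},
}

if __name__ == "__main__":
    local = {"ip": "127.0.0.1", "sender": "a@example.test", "recipient": "x@nosuch.example"}
    print(evaluate(PAGE_RECIPIENT_RESTRICTIONS, local, ENV))
    print(evaluate(permit_mynetworks_first(PAGE_RECIPIENT_RESTRICTIONS), local, ENV))
```

With the page's order, a localhost client sending to an unresolvable domain is stopped by reject_unknown_recipient_domain before permit_mynetworks is ever reached, which is the 450 shown above; moving permit_mynetworks to the front changes the outcome for that client without opening relaying, since an unknown client to a foreign domain still ends at reject_unauth_destination.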
