Subject: Re: Is this possible with postfix?
From: Wietse Venema (wietse@porcupine.org)
Date: Fri Mar 03 2000 - 18:28:53 CST


Parkhaev Vladimir:
> On Fri, 3 Mar 2000, Wietse Venema wrote:
>
> > Parkhaev Vladimir:
> > > On Fri, 3 Mar 2000, Wietse Venema wrote:
> > >
> > > > Have the MX record point to the external host.
> > > >
> > > > my.domain IN MX 10 external.my.domain
> > > >
> > > > On the external host, use a transport map
> > > >
> > > > /etc/postfix/transport:
> > > > my.domain internal.my.domain
> >
> > Should be: my.domain smtp:internal.my.domain
> >
> > > > /etc/postfix/main.cf:
> > > > relay_domains = my.domain
> > > >
> > > > On the internal host,
> > > >
> > > > /etc/postfix/main.cf:
> > > > relayhost = external.my.domain
> > > > mydestination = my.domain, internal.my.domain localhost.my.domain ....
> > > >
> > > > People with firewalls do this all the time.
> > > >
> > > > Wietse
> > > >
> > >
> > > Hm, if I am not mistaken, with MX record pointing to external host,
> > > the flow of traffic will be as follows:
> > >
> > >
> > >                    +--------+       +----------+             +----------+
> > > Internet ---->     | Public |-----> | Internal |---------->  | Internal |
> > >          <----     | SMTP   |<----- | SMTP     |    ------   | Client   |
> > >                    +--------+       +----------+   |         +----------+
> > >                                        ^           |
> > >                                        |___________|
> >
> > That depends on how internal clients are set up. If you have a
> > router between external and internal host, then you can prevent
> > internal hosts from going to the external machine.
> >
> > In order to make this work smoothly you use a split DNS setup.
> >
> > - The internal host runs the internal DNS with an MX record that
> > points to the internal host, and forwards other queries to the name
> > server on the external host which talks to the internet.
> >
> > - The external host runs the external DNS with an MX record that
> > points to the external host. The external host may have a resolv.conf
> > file that points to the internal machine, in which case you can
> > avoid the use of a transport table in the example above.
> >
> > This is a standard example in firewalls books.
>
> I have the following setup (just as you describe):

> [on the internal host]
> and aliases hash with user:user@server.my.domain entries.

There's your problem.

> Internal host bounces undelivered mail messages directly outside.

That's because you haven't configured Postfix to give the mail
to the external host.

> As soon as I add:
> relayhost = external.my.domain
> on internal host, all mail is sent back to external (loop).

Mail that is aliased user:user@server.my.domain will go to $relayhost.

The simplest fix for this is to ditch the relayhost entry and
to use a regexp-style transport map:

   /etc/postfix/transport.regexp:
        /([^@]*\.my\.domain)$/ smtp:$1
        /./ smtp:relayhost

this delivers internal mail directly, and everything else via
the relayhost. If you have done the evil thing of setting up
a wild-card MX record for my.domain, then you must specify
the host in [] on the right-hand side of the transport map.

        Wietse
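The routing problem in this thread, as an added example written for this archive page (it is not Postfix code and not from either poster): a small model of how the internal and external hosts hand mail to each other. It models Postfix's regexp transport table (first match wins, `$1` substituted), the `mydestination` check, and the `relayhost` fallback, then traces a message for the aliased recipient `user@server.my.domain` under the two internal-host configurations discussed. Host names, the `server.my.domain` host, and the assumption that the external host relays `my.domain` and its subdomains inward are constructed from the thread; real Postfix lookup order has more steps than this model.

```python
import re

# Constructed model (not Postfix itself): regexp transport tables,
# mydestination, relayhost, and a hop-by-hop trace between the hosts
# named in the thread. Host names and behaviour are assumptions.


def regexp_lookup(table, key):
    """Postfix-style regexp table: first matching (pattern, result) wins;
    '$1' in the result is replaced by the first capture group."""
    for pattern, result in table:
        m = re.search(pattern, key, re.IGNORECASE)
        if m:
            return m.expand(result.replace("$1", r"\1"))
    return None


def next_hop(domain, local_domains=(), transport=None, relayhost=None):
    """What one host does with mail for `domain`: deliver locally if the
    domain is in mydestination, else use the transport map, else the
    relayhost, else go straight to the domain's own MX."""
    if domain.lower() in (d.lower() for d in local_domains):
        return "local"
    hit = regexp_lookup(transport or [], domain)
    if hit:
        return hit
    if relayhost:
        return "smtp:" + relayhost
    return "smtp:" + domain


# Assumption: the external host relays my.domain and its subdomains inward
# (the thread's "my.domain smtp:internal.my.domain" entry plus relay_domains).
EXTERNAL = {
    "local_domains": ("external.my.domain",),
    "transport": [(r"(^|\.)my\.domain$", "smtp:internal.my.domain")],
}
MYDEST = ("my.domain", "internal.my.domain", "localhost.my.domain")

# Vladimir's configuration: relayhost on the internal host, no transport map.
LOOPING_INTERNAL = {"local_domains": MYDEST, "relayhost": "external.my.domain"}


def fixed_internal(bracket_nexthop=False):
    """Wietse's fix: no relayhost; internal domains delivered directly,
    everything else via the external host. bracket_nexthop=True is the
    [] form that skips MX lookup for the wild-card MX case."""
    target = "smtp:[$1]" if bracket_nexthop else "smtp:$1"
    return {
        "local_domains": MYDEST,
        "transport": [(r"([^@]*\.my\.domain)$", target),
                      (r".", "smtp:external.my.domain")],
    }


def trace(domain, internal_cfg, max_hops=6):
    """Follow mail for `domain` from the internal host through the modelled
    hosts. Ends with 'local', an outside next hop, or 'LOOP'."""
    hosts = {"external.my.domain": EXTERNAL,
             "internal.my.domain": internal_cfg,
             "server.my.domain": {"local_domains": ("server.my.domain",)}}
    host = "internal.my.domain"
    path = [host]
    for _ in range(max_hops):
        hop = next_hop(domain, **hosts[host])
        if hop == "local":
            return path + ["local"]
        host = hop.split(":", 1)[1].strip("[]")   # smtp:[host] -> host
        if host not in hosts:
            return path + [hop]                    # leaves the modelled network
        path.append(host)
    return path + ["LOOP"]


if __name__ == "__main__":
    for cfg_name, cfg in (("relayhost", LOOPING_INTERNAL),
                          ("transport.regexp", fixed_internal())):
        for rcpt in ("server.my.domain", "example.com"):
            print(f"{cfg_name:17} {rcpt:18} -> " + " -> ".join(trace(rcpt, cfg)))
```

Running it shows the symptom Vladimir reported: with `relayhost` set, mail for `server.my.domain` bounces between the internal and external hosts until the hop limit, while outside mail is fine; with the regexp table, the aliased mail goes straight to `server.my.domain` and only outside mail goes via the external host.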