MX records in transport(5) (was: Transport Map - Routing to a specific port)
From: /dev/rob0 (rob0 gmx.co.uk)
Date: Wed Jun 07 2006 - 21:38:49 CDT
On Wednesday 2006-June-07 18:07, mouss wrote:
> > For my personal relayhost from home I publish a "relayhost" MX
> > record, so your way is how I do it. An advantage of this is that
> > priorities can be specified.
>
> Rob, What do you mean by this?
Home is Comcast cable, blacklisted; relayhost is at a commercial site
with custom rDNS, clean in RBLs. It's connected to my home network via
openvpn. My purpose was to ensure that:
1. Mail can go regardless of the status of the VPN; and
2. All mail transfer would be encrypted all the time; and
3. TLS would not be used through the already-encrypted VPN.
#3 is a lesser concern, but wanted because the relayhost is a sorry old
piece of junk (hence the name!). I didn't want to overburden it with
having to establish TLS connections when not necessary.
Note: this example is not $transport_maps per se, but of course
$relayhost uses the same syntax.
These records exist in my local DNS:
relayhost.rob0. 38400 IN MX 10 sorryvpn.rob0.
relayhost.rob0. 38400 IN MX 20 sorry.no-ip-here.net.
sorryvpn.rob0. 38400 IN A 192.168.6.55
The 192.168.6.55 address is routed via the VPN. Interesting postconf
settings on the server at home:
relayhost = relayhost.rob0
smtp_discard_ehlo_keyword_address_maps = cidr:$config_directory/ehlo_maps
smtpd_discard_ehlo_keyword_address_maps = cidr:$config_directory/ehlo_maps
smtp_tls_per_site = hash:$config_directory/tls_site_maps
ehlo_maps contains only this:
192.168.6.0/24 starttls,silent-discard
And tls_site_maps includes these:
[sorry.no-ip-here.net] MUST_NOPEERMATCH
[sorryvpn.rob0] NONE
There are similar tls_site_maps and ehlo_maps at the relayhost.
The VPN is an always-on thing, but of course sometimes the connection
varies. I have seen in logs where the server falls back to using TLS a
few times.
The only thing that remains is to get my application for the .rob0 sTLD
approved by IANA. If they'll go for .museum, why not? :)
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
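The following is an added example, not code from the post or from Postfix: a small Python model of the path selection and TLS outcome that the configuration above produces. It mimics three Postfix behaviours with simplified stand-ins: MX preference ordering with fallback to the next host, the cidr: lookup used by smtp_discard_ehlo_keyword_address_maps (first matching entry wins), and the smtp_tls_per_site policy mapped to what it means on the wire (NONE and MAY send no or opportunistic TLS; MUST_NOPEERMATCH requires encryption but does not authenticate the peer certificate; MUST requires encryption and a verified certificate). The public relay's A record (203.0.113.25), the "MAY" default (smtp_use_tls = yes assumed), and the vpn_up reachability flag are constructed inputs. The practical point it makes visible is that the fallback path is encrypted but not authenticated, so a MITM on the public path is not detected by MUST_NOPEERMATCH.

```python
"""Model of relay path selection and TLS outcome for the config in the post.

Added example; not code from the original message or from Postfix.
"""
import ipaddress

# MX records from the post (preference, host); A records: the VPN address is
# from the post, the public address is a constructed RFC 5737 placeholder.
MX_RECORDS = [(10, "sorryvpn.rob0"), (20, "sorry.no-ip-here.net")]
A_RECORDS = {"sorryvpn.rob0": "192.168.6.55",
             "sorry.no-ip-here.net": "203.0.113.25"}
VPN_NET = ipaddress.ip_network("192.168.6.0/24")

# ehlo_maps (cidr: table, first match wins) and tls_site_maps from the post.
EHLO_MAPS = [("192.168.6.0/24", {"starttls", "silent-discard"})]
TLS_SITE_MAPS = {"[sorry.no-ip-here.net]": "MUST_NOPEERMATCH",
                 "[sorryvpn.rob0]": "NONE"}

# Policy -> (TLS required, certificate verified). Assumption: these are the
# Postfix meanings of the smtp_tls_per_site keywords; MAY is opportunistic.
POLICY = {"NONE": (False, False), "MAY": (False, False),
          "MUST_NOPEERMATCH": (True, False), "MUST": (True, True)}


def cidr_lookup(table, ip):
    """Simplified cidr: lookup: return the value of the first matching entry."""
    addr = ipaddress.ip_address(ip)
    for net, value in table:
        if addr in ipaddress.ip_network(net):
            return value
    return set()


def tls_policy(host):
    """Per-site policy keyed as in the post, defaulting to opportunistic TLS."""
    return TLS_SITE_MAPS.get(f"[{host}]", "MAY")


def choose_path(vpn_up):
    """Walk the MX list by preference and report how mail would be delivered.

    vpn_up is a constructed stand-in for reachability: the 192.168.6.0/24
    address only answers while the tunnel is up; the public host always does.
    Returns a dict, or raises if no MX is reachable (Postfix would defer).
    """
    for _pref, host in sorted(MX_RECORDS):
        ip = A_RECORDS[host]
        in_vpn = ipaddress.ip_address(ip) in VPN_NET
        if in_vpn and not vpn_up:
            continue  # MX 10 unreachable, fall through to MX 20
        discarded = cidr_lookup(EHLO_MAPS, ip)
        starttls_offered = "starttls" not in discarded
        policy = tls_policy(host)
        required, verified = POLICY[policy]
        if required and not starttls_offered:
            raise RuntimeError(f"{host}: TLS mandatory but STARTTLS suppressed")
        tls_used = required or (policy == "MAY" and starttls_offered)
        return {
            "host": host,
            "ip": ip,
            "policy": policy,
            "starttls_offered": starttls_offered,
            "tls_used": tls_used,
            # encrypted either by TLS or by the OpenVPN tunnel underneath
            "encrypted_on_wire": tls_used or in_vpn,
            "peer_authenticated": tls_used and verified,
        }
    raise RuntimeError("no reachable MX for relayhost.rob0; mail deferred")


if __name__ == "__main__":
    for state in (True, False):
        print("vpn_up=%s -> %s" % (state, choose_path(state)))
```

With the VPN up, delivery goes to sorryvpn.rob0 with STARTTLS suppressed and policy NONE, so no TLS handshake but the wire is still encrypted by the tunnel; with the VPN down, delivery falls back to sorry.no-ip-here.net under MUST_NOPEERMATCH, which is TLS-encrypted but not peer-authenticated.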