A more robust configuration
From: David Jonas (djonas at vitalwerks.com)
Date: Thu Dec 07 2006 - 12:15:20 CST
Hi Everyone,
I have a working postfix 2.3.4 installation that seems overly complex. I
was hoping the knowledgeable users around here might be able to help me
trim up my system or present some ideas on how to optimize it. A full
reconstruction is not out of the question. Here is the important
information:
Roles:
1. Delivery to local storage MTA (I'll call this local mail)
2. Forwards to remote domains and local ones
3. Backup MX spooling for offsite domains
4. Mail redirection (deliver to offsite MTA on alternate port)
Requirements:
1. All mail is virus scanned. Viruses are dropped. (I'm using clamav)
2. All local mail and forwards receive an X-Original-To header.
(forwards currently done through virtual_alias_maps)
3. All local mail is scanned with spamassassin with per user settings
from MySQL.
These seem like fairly modest requirements, but the config quickly
ballooned. Roles 3 and 4 are trivial, but I included them to be
complete. Here is a diagram of the current setup:
http://www.splitretina.com/temp/postfix/layout.png Each box color is a
separate postfix instance, red lines are ethernet connections, green are
local tcp loops, and gray are internal postfix connections (real or
imagined...)
Postconf -n and master.cf of the main (orange) and filtering (green)
instances are below.
Here is a description of the most complex route, delivery of local mail.
1. Mail is received via SMTP from the Internet and
content_filter=avcheck:dummy is triggered.
2. Mail is reinjected on port 10025 after avcheck. That port has an
smtpd_recipient_restrictions item that triggers "FILTER
smtp:[127.0.0.1]:4425" for any domain that is local or forwarding.
3. The message is received on port 4425 by a second postfix instance.
Recipients are expanded via virtual_alias_maps and sent to a pipe
transport with destination_recipient_limit of 1 which gives it the
X-Original-To header, then reinjects the message to that same instance
on 4525.
4. The message is received on 4525. transport_maps says to either
deliver the message through a pipe transport to spamc or default to
sending it back to the main instance. The spamc transport sends the
message back to the main instance when it is done with the message, both
via port 9925.
5. The message is received on port 9925 from the filtering instance.
transport_maps says which local storage MTA (blue instance) to deliver to.
6. The message is received by the local storage MTA and is delivered to
the appropriate box.
The obvious problem with this configuration is that only mail arriving
on port 25 will be routed correctly for local mail, that is, anything
that needs to be expanded via virtual_alias_maps must come in on port
25, not pickup, or it may bounce.
Any help on this would be most appreciated. I hope I got it all, but I'm
more than happy to provide any other needed information on the set up.
Thanks,
David
postconf -n (main instance, lightly edited for relevance.)
--------------------------
alias_maps = hash:/etc/postfix/aliases
default_destination_concurrency_limit = 20
hopcount_limit = 100
local_recipient_maps =
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain
mydomain = xx-xx.com
myhostname = xxxxx.xx-xx.com
mynetworks = 127.0.0.1, 192.168.15.0/24, dd.dd.dd.0/24,
    ddd.dd.dd.dd/32, dd.dd.dd.ddd/28
myorigin = $myhostname
parent_domain_matches_subdomains =
propagate_unmatched_extensions = canonical
proxy_interfaces = ddd.dd.ddd.ddd
recipient_delimiter = -
relay_domains = hash:/etc/postfix/relay_domains
smtpd_authorized_xclient_hosts = $mynetworks
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining,
    check_policy_service unix:private/smtpquota
smtpd_error_sleep_time = 0
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    regexp:/etc/postfix/helo_rejects.regexp, permit
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 25
smtpd_recipient_restrictions =
# Line below rejects invalid recipients and senders that are over quota
    check_policy_service unix:private/smtpquota,
    permit_mynetworks,
    reject_non_fqdn_sender,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/access_white.cidr,
    ... rbl checks ...
    permit
smtpd_sender_restrictions = check_sender_access
    hash:/etc/postfix/senders
soft_bounce = no
# transport_rda maps to the local storage MTAs. transport is for
# redirection of offsite domains to other ports.
transport_maps = hash:/etc/postfix/transport_static,
    hash:/etc/postfix/transport_rda, hash:/etc/postfix/transport
virtual_alias_maps =
master.cf (main instance, relevant entries)
--------------------------
smtp      inet  n       -       n       -       400     smtpd
  -o content_filter=avcheck:dummy
  -o receive_override_options=no_address_mappings
9925      inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o mynetworks=192.168.15.0/24,127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
10025     inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8,192.168.15.0/24
postconf -c /etc/postfix/filtering -n (filtering instance)
--------------------------
alias_maps = hash:/etc/postfix/aliases
default_destination_recipient_limit = 1
message_size_limit = 36700160
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain
mydomain = xxxxx.com
myhostname = xxxxx.xxxxx.com
mynetworks = 127.0.0.0/8, 192.168.15.0/24
myorigin = $myhostname
parent_domain_matches_subdomains =
propagate_unmatched_extensions =
queue_directory = /var/spool/postfix-filtering
recipient_delimiter = -
relay_domains = hash:/etc/postfix/relay_domains
smtpd_authorized_xclient_hosts = $mynetworks
smtpd_authorized_xforward_hosts = $mynetworks
smtpd_client_restrictions = permit_mynetworks, reject
soft_bounce = no
syslog_name = postfix-filtering
transport_maps = hash:/etc/postfix/transport_spamc
virtual_alias_maps = hash:/etc/postfix/virtual_alias
master.cf (filtering instance, relevant entries)
--------------------------
4425      inet  n       -       n       -       -       smtpd
  -o content_filter=xorig
4525      inet  n       -       n       -       -       smtpd
  -o content_filter=
xorig     unix  -       n       n       -       -       pipe
  flags=Ohuq user=nobody argv=/usr/bin/smtpclient
  --with-headers -S 127.0.0.1 -P 4525 -f ${sender} -- ${recipient}
spamc     unix  -       n       n       -       30      pipe
  flags=huq user=nobody argv=/usr/bin/spamc -u ${nexthop}-${mailbox}
  -e /usr/bin/smtpclient --with-headers -S 127.0.0.1 -P 9925 -f
  ${sender} -- ${recipient}
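A small master.cf lint, added here as an illustration and not part of the original post or of Postfix: it parses service entries with their indented `-o` overrides, reports override names that are not in a known list, and checks that every inet listener which clears `content_filter` (a post-filter re-injection port) carries the same `permit_mynetworks,reject` client guard the post puts on 9925. KNOWN_PARAMS is a partial list built only from names in this post, and the sample master.cf is constructed, with one parameter name deliberately mistyped to show how a typo silently drops a restriction.

```python
import re

# Partial list: only override names that appear in this post (assumption, not Postfix's table).
KNOWN_PARAMS = {
    "content_filter", "mynetworks", "receive_override_options",
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_data_restrictions", "smtpd_restriction_classes",
}

# Constructed sample modelled on the posted 9925/10025 listeners; the client
# restriction on 9925 is deliberately mistyped ("restictions") to exercise the lint.
SAMPLE_MASTER_CF = """\
9925      inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o mynetworks=192.168.15.0/24,127.0.0.0/8
  -o smtpd_client_restictions=permit_mynetworks,reject
10025     inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=
  -o mynetworks=127.0.0.0/8,192.168.15.0/24
"""

def parse_master_cf(text):
    """Return [(service, type, {param: value})]; indented '-o' lines extend the last entry."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line carrying a -o override
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", line)
            if m and services:
                services[-1][2][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        services.append((fields[0], fields[1], {}))
    return services

def lint(text):
    """Return (service, finding) pairs for mistyped overrides and unguarded re-injection ports."""
    findings = []
    for name, stype, opts in parse_master_cf(text):
        for param in opts:
            if param not in KNOWN_PARAMS:
                findings.append((name, f"unknown parameter in -o override: {param}"))
        # Clearing content_filter marks a re-injection listener; require a client guard on it.
        if stype == "inet" and opts.get("content_filter") == "" \
                and not opts.get("smtpd_client_restrictions"):
            findings.append((name, "re-injection listener lacks a client restriction"))
    return findings
```

On the sample, the mistyped name is reported and, because the real parameter is therefore never set, 9925 is also reported as unguarded, alongside 10025 whose override is explicitly empty.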