From: Milosz SZOT (milosz adoc.fr)
Date: Tue Sep 25 2007 - 13:59:05 CDT
Hi,
I have two Postfix relays with amavis/spamassassin/clamav, running fine
They serve as front mail servers for an Exchange server, which is on the
internal network, and must not be accessed directly from the Internet
They relay mails from Exchange to the Internet, and they receive mails
from the Internet, which they pass to Exchange.
I’ve set SPF policies on each of my DNS domains, like this:
‘v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all’
As I’m testing the whole thing, I’ve set my MX records to:
relay1.mydomain.com (10)
relay2.mydomain.com (20)
exchange.mydomain.com (30)
It works fine, and I am moving to the next step : to delete
exchange.mydomain.com from the MX records
So I configured Exchange to forward all the outcoming mails to the 2
relays, which works fine ; the 2 relays are forwarding the incoming
mails to the exchange server, as planned
But when I’ve deleted, for a test, exchange.mydomain.com from MX records
on one of my domains, the outcoming mails, despite being forwarded by
the relays, were refused because my recipient’s mail server did SPF
checks and gave me a 550 error « SPF check failed: w.x.y.z.is not
authorized to send in the name of "mydomain.com". »
It appears that w.x.y.z is my Exchange’s IP, the one which resolves from
exchange.mydomain.com
It’s the hostname I’ve assigned in Exchange options, which only appears
in the headers Postfix first inserts when forwarding the mail : «
Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
relay1.mydomain.com (Postfix) »
Because I need to suppress exchange.mydomain.com from my MX records, I
need to be clean and compliant, and I don’t know which is the best
solution:
- to add exchange.mydomain.com to the spf records
- to delete all the headers referring to the internal LAN forwarding
with the HEADER_CHECKS Postfix’ feature (I don’t like Postfix to show in
the headers my internal IP addressing either)
- to change Exchange’s configuration (the hostname needs be resolvable ;
exchange.mydomain.com gives SPF errors, changing it to
relay1.mydomain.com breaks the relays, because the mails are looping in
Postfix)
- whatever solution you have
The obvious solution is to add the exchange server to the spf records,
it will work fine on SPF enabled servers… but if I delete it from the MX
records, I don’t know how many mail servers WITHOUT SPF will refuse my
mails because exchange.mydomain.com is not an MX
I’ve read a lot of how-tos about implementing Postfix as a relay since
I’ve worked on this project for several weeks, followed the classic
architecture, but I’ve never heard about problems like this one
So I need your help to find the best way to fix the problem, because I
can’t afford to lose mails : all my firm’s employees mainly rely on mail
for communications between them/with business associates
Thanks a lot !
A Mr Venema’s long date fan ;-)
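
The SPF result described in the message above can be reproduced offline. The following is an added example, not part of the original post: a small evaluator for the `mx`, `a:` and `all` mechanisms of the quoted record, run against constructed DNS data. The 192.0.2.x addresses are placeholders (192.0.2.30 stands in for w.x.y.z), and `check_spf` is a hypothetical helper name.

```python
import ipaddress

# Constructed DNS data: documentation addresses stand in for the real ones.
A_RECORDS = {
    "relay1.mydomain.com": ["192.0.2.10"],
    "relay2.mydomain.com": ["192.0.2.20"],
    "exchange.mydomain.com": ["192.0.2.30"],  # placeholder for w.x.y.z
    "miscserver1.mydomain.com": ["192.0.2.41"],
    "miscserver2.mydomain.com": ["192.0.2.42"],
}
MX_BEFORE = ["relay1.mydomain.com", "relay2.mydomain.com", "exchange.mydomain.com"]
MX_AFTER = ["relay1.mydomain.com", "relay2.mydomain.com"]
SPF = "v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, record, mx_hosts, a_records=A_RECORDS):
    """Evaluate mx, a:<host> and all, left to right (subset of RFC 7208)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            hosts = None                      # matches every client
        elif mech == "mx":
            hosts = mx_hosts                  # whatever the MX set is right now
        elif mech.startswith("a:"):
            hosts = [mech[2:]]
        else:
            return "permerror", term          # mechanism outside this subset
        if hosts is None or any(
            ip == ipaddress.ip_address(addr)
            for host in hosts for addr in a_records.get(host, [])
        ):
            return QUALIFIERS[qualifier], term
    return "neutral", None

if __name__ == "__main__":
    for label, mx in (("exchange in MX", MX_BEFORE), ("exchange removed", MX_AFTER)):
        for host in ("relay1.mydomain.com", "exchange.mydomain.com"):
            print(label, host, check_spf(A_RECORDS[host][0], SPF, mx))
```

The check runs against the IP address of the connecting SMTP client, so the `mx` mechanism authorises a host only while it is listed in the MX set; once it is removed, that address falls through to `-all`.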