0

I'd like to deploy a new (postfix) email service for my domain (example.com) to:

  1. allow sending email to ANY domain ONLY if the sender (our cloud applications instances) is authenticated (e.g. by SMTP password)
  2. allow our users to reply to received emails at: support@example.com
  3. allow us to be notified of undeliverable email: mailerrors@example.com
  4. relay email addressed to *@example.com to our Google Apps email host (which must also be able to directly receive email destined for example.com)

... in order to avoid daily sending limits for our Google Apps email host.

Is it possible to configure both authenticated and unauthenticated access to a postfix server?

Or should I use postmulti?

Ideas:

My thinking was, configure postfix so that,

  • if a password is provided email, new mail is sent directly to the destination.
  • if a password is not provided:
    • relay any messages addressed to example.com to our Google service
    • reject all other messages.
  • (and also: register the server in the example.com's MX record, in addition to the Google Apps servers, so that our sent mail with *@example.com From/ReplyTo header fields are accepted by destination spambots.)

From what I see, postfix configuration for the above case is straightforward if I have two postfix servers:

  • A: password required SMTP server to
  • B: passwordless relay that sends example.com address mail to our Google Apps service

However, I think these need to be co-hosted (since destination servers match the IP address of the sending server with the MX record, but the MX record must also point to B).

Sould I use postmulti to co-host these differently configured servers and block access to the "A" server behind within a firewall and on a non-standard port?

Or is there some other postfix config magic to do what I want?

MadHatter
  • 78,442
  • 20
  • 178
  • 229
user14645
  • 1,530
  • 2
  • 12
  • 17
  • Umm... I'm not sure what do you want. You should breakdown the problem one by one. (1) Where does **MX record for example.com** will be point to? postfix or GApps? (2) Where is the **final destination** for email intended example.com? postfix or GApps? – masegaloeh Dec 10 '14 at 05:27
  • The final destination is GApps. The postfix server needs to forward mail to the GApps server. Both GApps and the postfix server can send mail from example.com. As a result I think I need to register both servers in the MX record. Although the postfix server is not the desired destination for incoming mail, I believe it needs to be registered in the MX record so that servers it sends mail to can verify that the *@example.com From and ReplyTo header match the senders IP in the MX records for example.com. Its possible to register multiple MX records, correct? – user14645 Dec 10 '14 at 17:09
  • `I believe it needs to be registered in the MX record so that servers it sends mail to can verify that the *@example.com`. NO. MX record just needed for **incoming email**. The activity that you described was **outgoing email**. For outgoing one you should [setup SPF record](http://serverfault.com/q/369460/218590). – masegaloeh Dec 12 '14 at 02:45
  • "To verify that the sending server is an authorized email server, the receiving email server tries to find an MX record that correlates to the sender’s domain. If it cannot find one, it assumes that the email is spam and rejects it." http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/multiwan/mx_record_c.html – user14645 Dec 12 '14 at 23:38
  • You should set MX record that point to GApps only. No need to set MX record that point to postfix – masegaloeh Dec 13 '14 at 00:15
  • How then does the receiving email server verify that email From:xxx@example.com is actually from the owner of example.com. If email comes from some IP address and the IP address doesn't match the resolved IP address of example.com's MX record then the email is rejected by the sending server. This is the behavior I see in practice, and it seems reasonable and prevent spoofing the To field of emails. – user14645 Dec 18 '14 at 22:36
  • 1
    They will use SPF record to determine that an IP Address was authorized to sending email behalf on a domain. For example if spf record of example.com is 192.168.1.1 and 192.168.1.99, then both IP was trusted – masegaloeh Dec 18 '14 at 22:53
  • Thank you -- this was the missing puzzle piece. It looks like I can generally send email without configuring the SPF record -- so I guess many mail servers fallback to checking the MX is the SPF record is missing. – user14645 Dec 18 '14 at 23:05
  • You guess wrong. If no authentication hints are present for a domain (strong SPF record, DMARC, etc.) then nothing prevents anyone from sending emails claiming to be from that domain. – MadHatter Dec 25 '14 at 13:20

1 Answers1

2

Based on the comments above, looks like you confused about the MX record. Usually, MX record was used to determine where I (mail server) should send outgoing email intended to particular domain.

When a remote server receive an email, they would perform sender identification. For example server would check SPF record of sender domain to determine that an IP address authorized to send behalf of a domain.

So, you don't need point MX server to all IP address of outgoing mail server. Many big providers do this.

  • They have several IP address to handle outgoing email. You can view it in their SPF record
  • They have several IP address to handle incoming email. You can view it in their MX record

And yes, they have different IP address to handle incoming and outgoing email.

masegaloeh
  • 17,978
  • 9
  • 56
  • 104