Hi, I am a noob on Postfix as I have used Exim for like 20 years or so. Because mail delivery to gmail.com and hotmail.com and other domains is sometimes sucky (either mail gets sent to spam or gets accepted and goes nowhere) I use smtp2go for some domain names on Exim. But how can I do this with Postfix? There is a howto on the smtp2go site for all mail (https://www.smtp2go.com/setupguide/postfix/) but not for some domain names. I read about rerouting some domains by using /etc/postfix/transport but I do not get how this works for smtp2go (as you need to use login credentials for this service).
Transports are probably the right way to go. You can add transports in ISPConfig. See Mail > Email routing
Thank you for pointing me in the right direction. So I did this:

Added @gmail.com to the relay recipients
Added gmail.com to the Email routing with destination mail.smtp2go.com:2525

And changed main.cf with:

Code:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may

Contents of relay_passwords is:

Code:
mail.smtp2go.com username:password

postmap /etc/postfix/relay_passwords

And restart postfix

And that seems to work. It uses login credentials for mail.smtp2go.com and routes all but gmail.com to the MX in the DNS. And gmail goes to mail.smtp2go.com. Perhaps this is tutorial worthy if there are no mistakes in my config?
Hey @iqpascal - even though it has been a few years, this is still very valuable, thank you! A question for you and @till - does adding @gmail as a relay recipient make you an open relay for that domain? What I mean is, could a spammer (say) connect to your server and spam a whole lot of Gmail addresses, and your server happily gets it all delivered through smtp2go? I guess what worries me is this sentence from the manual: Thanks
I think when both adding the email routing and adding that whole domain in relay recipients, you very well might be an open relay for that relayed domain; probably not a big deal for customer domains (and in fact is required by the typical use case), but something like gmail.com which makes a large appearance on any spammer's list might well take down your server's reputation. But take a couple minutes to test it out and let us know what you find.
Confirmed: having a domain in Relay Recipients will make your server an open relay for anything sent to that domain. No auth required, any server can send messages to any address on that domain. And so I must wonder: why is the Relay Recipients entry necessary? On page 133 where the manual talks about Email Routing, it says (in red): But in this use case why is it necessary to allow relaying for the domain? It seems to me that the email messages are already in the server and being handled, so if all that is required is to use a certain route when delivering to a certain domain, would the Email Routing entry be enough on its own?
It's not, you only need to add relay recipients when you are relaying mail through your server to the destination. Yes, that is what you should do if you're not relaying mail for the domain (as mentioned in #2)
It seems that the entry in Relay Recipients is indeed necessary for this to work. Here are the results of my testing:

Email Routing + Relay Recipient
Domain configured in ISPConfig is example.com (not the real domain).
MX records point to ISPConfig server.
Email Forward: [email protected] points to [email protected].
Email Routing set up for hotmail.com to relay through smtp2go.
Relay Recipient is set up for hotmail.com.
When email is sent to [email protected], it gets relayed by smtp2go and ends up in [email protected].
However ISPConfig server is now an OPEN RELAY and will handle any email bound for any hotmail.com address, without needing any auth or sender verification.
Email from [email protected] to [email protected] gets accepted.

Email Routing without Relay Recipient
Domain configured in ISPConfig is example.com (not the real domain).
MX records point to ISPConfig server.
Email Forward: [email protected] points to [email protected].
Email Routing set up for hotmail.com to relay through smtp2go.
Relay Recipient is NOT set up for hotmail.com.
When email is sent to [email protected], it gets relayed by smtp2go and ends up in [email protected].
ISPConfig server is not an open relay and normal auth and sender verification applies to inbound mail.
Email from [email protected] to [email protected] gets REJECTED.

I'm a bit stuck here and not sure what to do. It looks like if I want to route mail for certain domains through a smarthost, then I have to make my server an open relay! Any suggestions in this regard? Maybe there is another way to achieve this? Many thanks.
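The accept/reject test reported in the post above can be repeated against your own server with a short probe that stops after RCPT TO. This is an added example, not part of the thread: `probe_relay` and `StubMTA` are hypothetical names, and the stub is a constructed stand-in so the script runs offline.

```python
import smtplib
import socketserver
import threading

def probe_relay(host, port, mail_from, rcpt_to):
    """Unauthenticated MAIL FROM / RCPT TO, then RSET: returns the server's
    verdict (code, text) without sending DATA, so nothing is queued."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example.net")
        code, reply = smtp.mail(mail_from)
        if code == 250:
            code, reply = smtp.rcpt(rcpt_to)
        smtp.rset()
    return code, reply.decode(errors="replace")

class StubMTA(socketserver.StreamRequestHandler):
    """Constructed stand-in for the server under test (not Postfix): accepts
    unauthenticated mail for RELAY_DOMAINS, refuses other recipients."""
    RELAY_DOMAINS = {"hotmail.com"}

    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode().strip()
            verb = line[:4].upper()
            if verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            out = b"250 2.0.0 Ok"
            if verb == "RCPT":
                domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                if domain not in self.RELAY_DOMAINS:
                    out = b"554 5.7.1 Relay access denied"
            self.wfile.write(out + b"\r\n")

def start_stub():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubMTA)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    stub = start_stub()
    port = stub.server_address[1]
    for rcpt in ("someone@hotmail.com", "someone@example.org"):
        code, text = probe_relay("127.0.0.1", port, "outsider@example.net", rcpt)
        print(rcpt, code, text, "<- relays without auth" if code == 250 else "")
    stub.shutdown()
```

Against a real server, run the probe from a host that is not in mynetworks, because permit_mynetworks would accept the recipient regardless of the relay settings.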
This is an extract from the bounce message sent to the Hotmail account ([email protected]) when it tried to email a real email address on my ISPConfig server, which receives email from everyone else:

Code:
my-ispconfig-server.com gave this error: <[email protected]>: Sender address rejected: User unknown in relay recipient table

I'll look into that; right off, it looks like the source of the issue is that the same mail_transport table is used for both transport_maps and relay_domains, with no way to distinguish one vs the other. In this case we only want the transport_maps result. But there may be more to it, I'll check later.
Hi @Jesse Norell , just checking in to see how you are going? Unfortunately I've just been booted off the smtp.com service which will be a big impact to my clients. I suspect it was due to this issue, which makes ISPConfig into an open relay for senders on any of the domains listed in Relay Recipients. I also wanted to ask if there's a way I could look at this problem myself? My PHP is good, though I know nothing about the inner dev workings of the ISPConfig code base. But if I knew where to look, maybe I could be of some help? Another possibility is that we could offer a bug bounty to get this sorted out. We don't have much budget, but maybe it can cover a few hours of dev. Just a thought. Please let me know what you think. Many thanks.
Taking some notes to try to keep things straight in my head. The domain in a transport does need to be in relay_domains, I don't think there's a problem here. The "sender address rejected" is smtpd_sender_restrictions, specifically the reject_unlisted_sender:

Code:
smtpd_sender_restrictions = check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf, {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re

We need to move reject_unlisted_sender after tag_as_foreign.re, and create a bypass for reject_unlisted_sender for relayed domains (specifically those in mail_transport, without any entries in mail_relay_recipient, because if they've been added to mail_relay_recipients, we have configured known recipients for the domain, so hitting reject_unlisted_sender is correct).

@gbe, try adding this to /usr/local/ispconfig/server/conf-custom/install/postfix_custom.cf.master then reconfigure ISPConfig (or manually change your entry in main.cf accordingly):

Code:
smtpd_sender_restrictions = check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf, {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_transports_senders.cf, reject_unlisted_sender

And create /etc/postfix/mysql-virtual_transports_senders.cf with:

Code:
user = {mysql_server_ispconfig_user}
password = {mysql_server_ispconfig_password}
dbname = {mysql_server_database}
hosts = {mysql_server_ip}
query = SELECT 'OK' FROM mail_transport WHERE domain = '%s' AND active = 'y' AND server_id = {server_id} AND NOT EXISTS (SELECT access FROM mail_relay_recipient WHERE source LIKE '%%@%s' AND active = 'y' AND server_id = {server_id})

(Fill in the variables matching one of the other mysql-virtual_*.cf files.)
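To see which sender domains the query in the post above exempts from reject_unlisted_sender, it can be run over sample rows. This is an added example, not ISPConfig code: it uses SQLite in place of MySQL, the rows are constructed, `sender_bypass` is a hypothetical helper, and the lookup keys are a reduced model of check_sender_access (full address, domain, localpart@; parent-domain lookups are omitted).

```python
import sqlite3

# The post's query with Postfix's %s (lookup key) as a bound parameter;
# '%%@%s' in the .cf file becomes the LIKE pattern '%@<key>'.
BYPASS_QUERY = """
SELECT 'OK' FROM mail_transport
 WHERE domain = :key AND active = 'y' AND server_id = :sid
   AND NOT EXISTS (SELECT access FROM mail_relay_recipient
                    WHERE source LIKE '%@' || :key
                      AND active = 'y' AND server_id = :sid)
"""

def build_db():
    """Constructed sample data: hotmail.com is routed only; gmail.com is
    routed and also listed whole in relay recipients (as '@gmail.com')."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mail_transport (domain TEXT, active TEXT, server_id INT);
        CREATE TABLE mail_relay_recipient
            (source TEXT, access TEXT, active TEXT, server_id INT);
        INSERT INTO mail_transport VALUES
            ('hotmail.com', 'y', 1), ('gmail.com', 'y', 1),
            ('partner.example', 'n', 1);
        INSERT INTO mail_relay_recipient VALUES ('@gmail.com', 'OK', 'y', 1);
    """)
    return db

def sender_bypass(db, sender, server_id=1):
    """True when the map answers OK for one of the sender's lookup keys,
    which ends smtpd_sender_restrictions before reject_unlisted_sender."""
    local, _, domain = sender.rpartition("@")
    for key in (sender, domain, local + "@"):
        row = db.execute(BYPASS_QUERY, {"key": key, "sid": server_id}).fetchone()
        if row:
            return True
    return False

if __name__ == "__main__":
    db = build_db()
    for addr in ("user@hotmail.com", "user@gmail.com",
                 "user@partner.example", "user@example.org"):
        verdict = "OK (bypass)" if sender_bypass(db, addr) else "falls through"
        print(f"{addr:24} {verdict}")
```

Only the routed domain with no relay recipient entries gets the bypass; a domain that also has relay recipients, an inactive transport, and an unrouted domain all fall through to reject_unlisted_sender.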
Thanks very much for that @Jesse Norell . I have broken some ribs so it might be a while, but I have put this into my TODO and will let you know how the testing turns out. Many thanks.
Ouch, sorry to hear that. No worries though, I'll set up a test scenario here, it's just nice to have "real world" testing when available.
In a little testing, the above config works for smtpd_sender_restrictions, but that is insufficient, as I also encountered reject_unverified_recipient in smtpd_recipient_restrictions (which passed for the lookup of my initial recipient, but triggered recipient verification for the lookup of the forwarded gmail address, which is not ideal/wanted), and we should not automatically add domains to relay_domains just because we added a transport for them. I'll work on fixing this, but if you want to test it'd be easier to pull the branch from !1511 and test from that.
My thinking/research circled back to my initial thoughts in May, and I just added support for a separate transports table and relay domains table in !1511, and this will probably work for you as it is there. I'm not completely happy/done with it yet, as a recipient verification is being triggered for the forwarded address ([email protected] in your example) by the mysql-verify_recipients.cf - this almost seems like a bug in postfix. I'll keep looking into that and maybe hit up their user list if needed.