Use smarthost for some domains

Discussion in 'Tips/Tricks/Mods' started by iqpascal, Apr 13, 2018.

  1. iqpascal

    iqpascal Member

    Hi,
    I am a noob on Postfix as I have used Exim for like 20 years or so. Because mail delivery to gmail.com and hotmail.com and other domains is sometimes sucky (either mail gets sent to spam or gets accepted and goes nowhere) I use smtp2go for some domain names on Exim. But how can I do this with Postfix? There is a howto on the smtp2go site for all mail (https://www.smtp2go.com/setupguide/postfix/) but not for some domain names.

    I read about rerouting some domains by using /etc/postfix/transport but I do not get how this works for smtp2go (as you need to use login credentials for this service).
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Transports are probably the right way to go. You can add transports in ISPConfig. See Mail > Email routing.
     
  3. iqpascal

    iqpascal Member

    Thank you for pointing me in the right direction.

    So I did this:
    Added @gmail.com to the relay recipients
    Added gmail.com to the Email routing with destination mail.smtp2go.com:2525

    And changed main.cf with:

    Code:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
    smtp_sasl_security_options = noanonymous
    smtp_tls_security_level = may
    Contents of relay_passwords is:

    Code:
    mail.smtp2go.com username:password
    postmap /etc/postfix/relay_passwords

    And restart postfix

    And that seems to work. It uses login credentials for mail.smtp2go.com and routes all but gmail.com to the MX in the DNS. And gmail goes to mail.smtp2go.com.

    Perhaps this is tutorial worthy if there are no mistakes in my config?
     
    ahrasis and till like this.
  4. gbe

    gbe New Member HowtoForge Supporter

    Hey @iqpascal - even though it has been a few years, this is still very valuable, thank you!
    A question for you and @till - does adding @gmail as a relay recipient make you an open relay for that domain? What I mean is, could a spammer (say) connect to your server and spam a whole lot of Gmail addresses, and your server happily gets it all delivered through smtp2go?
    I guess what worries me is this sentence from the manual:
    Thanks
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I think when both adding the email routing and adding that whole domain in relay recipients, you very well might be an open relay for that relayed domain; probably not a big deal for customer domains (and in fact is required by the typical use case), but something like gmail.com which makes a large appearance on any spammer's list might well take down your server's reputation. But take a couple minutes to test it out and let us know what you find.
     
    ahrasis likes this.
  6. gbe

    gbe New Member HowtoForge Supporter

    Confirmed: having a domain in Relay Recipients will make your server an open relay for anything sent to that domain. No auth required, any server can send messages to any address on that domain. :eek:

    And so I must wonder: why is the Relay Recipients entry necessary? On page 133 where the manual talks about Email Routing, it says (in red):
    But in this use case why is it necessary to allow relaying for the domain?

    It seems to me that the email messages are already in the server and being handled, so if all that is required is to use a certain route when delivering to a certain domain, would the Email Routing entry be enough on its own?
     
    Last edited: May 6, 2021
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It's not, you only need to add relay recipients when you are relaying mail through your server to the destination.
    Yes, that is what you should do if you're not relaying mail for the domain (as mentioned in #2)
     
    gbe likes this.
  8. gbe

    gbe New Member HowtoForge Supporter

    It seems that the entry in Relay Recipients is indeed necessary for this to work.

    Here are the results of my testing:

    Email Routing + Relay Recipient
    1. Domain configured in ISPConfig is example.com (not the real domain). MX records point to ISPConfig server.
    2. Email Forward: [email protected] points to [email protected].
    3. Email Routing set up for hotmail.com to relay through smtp2go.
    4. Relay Recipient is set up for hotmail.com.
    5. When email is sent to [email protected], it gets relayed by smtp2go and ends up in [email protected].
    6. However ISPConfig server is now an OPEN RELAY and will handle any email bound for any hotmail.com address, without needing any auth or sender verification.
    7. Email from [email protected] to [email protected] gets accepted.

    Email Routing without Relay Recipient
    1. Domain configured in ISPConfig is example.com (not the real domain). MX records point to ISPConfig server.
    2. Email Forward: [email protected] points to [email protected].
    3. Email Routing set up for hotmail.com to relay through smtp2go.
    4. Relay Recipient is NOT set up for hotmail.com.
    5. When email is sent to [email protected], it gets relayed by smtp2go and ends up in [email protected].
    6. ISPConfig server is not an open relay and normal auth and sender verification applies to inbound mail.
    7. Email from [email protected] to [email protected] gets REJECTED.

    I'm a bit stuck here and not sure what to do.
    It looks like if I want to route mail for certain domains through a smarthost, then I have to make my server an open relay!
    Any suggestions in this regard? Maybe there is another way to achieve this?
    Many thanks.
     
    Last edited: May 8, 2021
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  10. gbe

    gbe New Member HowtoForge Supporter

    This is an extract from the bounce message sent to the Hotmail account ([email protected]) when it tried to email a real email address on my ISPConfig server, which receives email from everyone else:
    Code:
    my-ispconfig-server.com gave this error:
    <[email protected]>: Sender address rejected: User unknown in relay recipient table
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I'll look into that; right off, it looks like the source of the issue is that the same mail_transport table is used for both transport_maps and relay_domains, with no way to distinguish one vs the other. In this case we only want the transport_maps result. But there may be more to it, I'll check later.
     
    gbe and ahrasis like this.
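
A small model of the accept/reject behaviour reported in posts #8 to #11, added here as an illustration; it is not ISPConfig or Postfix code. It assumes an unlisted-sender check is active (inferred from the bounce text in post #10), uses constructed addresses, and its `split_tables` variant is a hypothetical setup in which Email Routing feeds only transport_maps.

```python
from dataclasses import dataclass, field

SMARTHOST = "mail.smtp2go.com:2525"   # routing destination quoted in post #3

@dataclass
class Postfix:
    local: set                  # domains hosted on this server
    transport: dict             # transport_maps: recipient domain -> next hop
    relay_domains: set          # domains accepted from unauthenticated clients
    relay_rcpts: set = field(default_factory=set)  # relay_recipient_maps

    def _listed(self, addr):
        # "@domain" is a catch-all entry, as added under Relay Recipients
        return addr in self.relay_rcpts or "@" + addr.split("@")[1] in self.relay_rcpts

    def smtpd(self, sender, rcpt, authenticated=False):
        sdom, rdom = sender.split("@")[1], rcpt.split("@")[1]
        # Assumed reject_unlisted_sender: a relay-domain sender must be listed
        if sdom in self.relay_domains and not self._listed(sender):
            return "reject: sender unknown in relay recipient table"
        if authenticated or rdom in self.local:
            return "accept"
        # reject_unauth_destination: strangers reach only local or relay domains
        if rdom not in self.relay_domains:
            return "reject: relay access denied"
        return "accept" if self._listed(rcpt) else "reject: recipient unknown in relay recipient table"

    def next_hop(self, rcpt):
        return self.transport.get(rcpt.split("@")[1], "MX lookup")

def ispconfig(routing, relay_rcpts=()):
    # Post #11: one table feeds both transport_maps and relay_domains
    return Postfix({"example.com"}, routing, set(routing), set(relay_rcpts))

def split_tables(routing):
    # Hypothetical: routing feeds transport_maps only, relay_domains stays empty
    return Postfix({"example.com"}, routing, set())

def results(server):
    # Constructed addresses: an outside client, a Hotmail user, a local mailbox
    return {
        "stranger -> hotmail": server.smtpd("x@elsewhere.test", "victim@hotmail.com"),
        "hotmail -> local": server.smtpd("friend@hotmail.com", "user@example.com"),
        "forward next hop": server.next_hop("victim@hotmail.com"),
    }

if __name__ == "__main__":
    routing = {"hotmail.com": SMARTHOST}
    for srv in (ispconfig(routing, ["@hotmail.com"]), ispconfig(routing), split_tables(routing)):
        print(results(srv))
```

The first two configurations reproduce the two test runs in post #8; the third shows the outcome when the routed domain is not also treated as a relay domain.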
  12. gbe

    gbe New Member HowtoForge Supporter

    @Jesse Norell - any news on this?
    Many thanks
     
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I haven't gotten to that yet.
     
