# Postfix (Relay Local Mail)



## Mythics (Mar 18, 2011)

No urgency, but we're using barracuda spam/virus firewalls for both our incoming and outgoing mail. We're using the relayhost config setting for the outgoing at the moment.

What we're wanting to do, if possible, is to relay mail through our outbound barracuda firewall whether it's local mail or external.


Any suggestions (preferably outside of setting up our own relay server)?

Thanks in advance,
Mythics


----------



## DutchDaemon (Mar 18, 2011)

I think you should restate the question or add a network diagram (ascii art is fine), because to me it is totally unclear what you're asking, or even IF you have a mail server right now, despite the 'Postfix' in the title. If you're asking about configuring the Barracudas, this is probably not the correct forum.


----------



## Mythics (Mar 18, 2011)

We have a mail server running a rather old version of FreeBSD and Postfix.
We are an ISP. We have thousands of users, but our old admin has left and I'm trying to take over for him.

Question:
Is it possible to set postfix to relay local mail as well as non-local mail?

Reason:
The relayhost setting in main.cf of postfix only relays non-local mail. 
We NEED to relay local mail as well.

Current Details:
We currently relay to a barracuda device for spam/virus scanning. 
It works perfectly for non-local mail.
It works perfectly because that's what the setting in main.cf does (relayhost, relays non-local mail).
However, we want local mail AND non-local mail to both hit our barracuda device prior to reaching their destination. 

Any chance that's any clearer?


----------



## DutchDaemon (Mar 18, 2011)

Yes. Now let's hope someone has an answer


----------



## mamalos (Mar 19, 2011)

I'm still not that sure whether I understood you correctly (local mails == hosted on your machine, non-local == destined to other hosts?), and at the moment I don't have access to my mailserver that runs postfix, but I think that you need to edit both main.cf and master.cf to redirect incoming and outgoing mails to antispam/antivirus engines/filters.

Look in your main.cf to see which LDA (local delivery agent) you use, and address it to send your mail to some filter first (or whatever this barracuda box is). This is done in master.cf if I remember correctly.

I don't think that I was very helpful, but without being able to see your config files, and without access to my own config files, this is the best I can do.

Check the postfix documentation about the LDA, main.cf and spamassassin/antivirus filters; they will give you a very good direction on how your setup works. Ah! And it's regardless of the OS you're running.

Good luck.


----------



## osman (Mar 21, 2011)

Yes, I guess the relayhost parameter won't work for system-generated emails. You need to remove relayhost and use default_transport.

http://www.postfix.org/postconf.5.html#default_transport

Regards
usman


----------



## Mythics (Mar 23, 2011)

Changing the default_transport doesn't force local mail to be pushed to its nexthop. If I set the local delivery agent to our spam/virus scanner, it goes to it, comes back, and then goes back out for scanning again. An endless loop.

smtp doesn't have local_transport as an override option in master.cf, so I can't set it to null and listen on a different port for our spam/virus scanner to reply on.

The local service in master.cf also doesn't have local_transport (obviously, it IS the local service) and it doesn't use content_filter either (not the right time in the process for it to be applicable anyhow).

So, I still seem to be a little stuck. It looks like there are several potential methods of forcing local mail OUT to my spam/virus scanner, but it doesn't look like there are any viable methods that I can then override when it comes back.


----------



## mamalos (Apr 1, 2011)

Set mailbox_transport to whatever you wish (I use dovecot for my own reasons); you may use procmail, and have some lines like this:

```
:0fw
* < 20000
| /usr/local/bin/spamc -d 192.168.18.7
```
in your /usr/local/etc/procmailrc to force local mails to be scanned by *spamc* if they are less than 20K long. Since you don't use a local spamassassin, write the relevant command that caters for your service.

Good luck with it.


----------



## CyberCr33p (Apr 12, 2018)

Mythics said:


> No urgency, but we're using barracuda spam/virus firewalls for both our incoming and outgoing mail. We're using the relayhost config setting for the outgoing at the moment.
> 
> What we're wanting to do, if possible, is to relay mail through our outbound barracuda firewall whether it's local mail or external.
> 
> ...



Did you find any solution about this?


----------



## ShelLuser (Apr 12, 2018)

This thread is 7 years old, it's unlikely (but not impossible I suppose) that the OP is still active here. I base myself on their rather low post amount.

Anyway, the answer can be extremely obvious: Postfix still honors /etc/aliases. See aliases(5). That is your "ticket out".

Seriously... This thread is somewhat disturbing to watch for me. Someone taking over as postmaster within _an ISP_ and they're clueless about aliases? <sighs>


----------



## CyberCr33p (Apr 13, 2018)

I don't see how aliases can resolve this. Can you give more information?

The only way I can find to solve this is to use 2 instances for postfix, one for incoming and one for outgoing.

If you have only one instance then you can configure the domain either as local or as remote. If you remove the domain from the virtual_mailbox_domains file then e-mails for this domain are sent through the relay, but then the relay tries to deliver them to the main smtp, which can't accept them because you removed the domain from virtual_mailbox_domains.


----------



## ShelLuser (Apr 13, 2018)

CyberCr33p said:


> I don't see how aliases can resolve this. Can you give more information?


Haven't you read the manual page?


```
name: addr_1, addr_2, addr_3, ...

    The name is the name to alias, and the addr_n are the aliases for that
    name.  addr_n can be another alias, a local username, a local filename,
    a command, an include file, or an external address.
```
So let's say we're internal.lan and the external host through which the mail needs to be relayed sits on the domain external.lan. By default (Sendmail alias file, see /etc/mail/aliases) everything gets sent to root. And this file is also used by Postfix (see alias_maps in main.cf).

As such:

```
root:   root@external.lan
```
... should be more than enough to re-route all local mail to the external host. This is of course keeping a default situation in mind in which all locally generated mail gets sent off to root in the first place. If there are more daemons which generate mail for other local accounts then you should change /etc/aliases accordingly with more forwarding rules.

(edit)

Depending on the situation you might also want to add the external host as relayhost within main.cf. This ensures that even if Postfix has no knowledge of the other domain (external.lan) it will still be forwarded to the external host no matter what.
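As an added illustration of the aliases(5) lookup described above (example code, not from the thread and not Postfix's own implementation): a small parser for the `name: addr_1, addr_2, ...` format, including continuation lines, and a resolver that follows chained aliases the way local(8) does, stops at anything that leaves the alias table (an external address, a `|command`, a `/file` or an `:include:` file), and reports aliases that refer back to themselves instead of looping forever. The table is constructed and mirrors the `root: root@external.lan` idea; Postfix itself would additionally consult alias_maps ordering, `.forward` files and case rules, which this example simplifies by lowercasing names.

```python
"""Parse an aliases(5)-style table and expand a local recipient.

Added example, not from the forum thread or from Postfix.  The alias
table below is constructed; 'root: root@external.lan' is the re-routing
rule from the post above.
"""


SAMPLE_ALIASES = """\
# constructed aliases(5) table; continuation lines start with whitespace
postmaster: root
MAILER-DAEMON: postmaster
abuse: postmaster,
    security
security: root
root:   root@external.lan
loopy:  loopy2
loopy2: loopy
"""


def _split_targets(s):
    return [t.strip() for t in s.split(',') if t.strip()]


def parse_aliases(text):
    """Return {name: [targets]} from aliases(5) text (names lowercased)."""
    table = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                      # continuation of previous entry
            if current is None:
                raise ValueError("continuation line before any alias: %r" % raw)
            table[current].extend(_split_targets(raw))
            continue
        name, sep, rest = raw.partition(':')
        if not sep:
            raise ValueError("malformed alias line: %r" % raw)
        current = name.strip().lower()
        table[current] = _split_targets(rest)
    return table


def resolve(table, name):
    """Expand `name` through the alias table.

    Returns (finals, loops): finals is the sorted list of delivery targets
    that leave the alias table (external addresses, commands, files,
    include files) or plain local users with no alias entry; loops lists
    alias names that were reached a second time on the same expansion
    path, i.e. an alias cycle that Postfix would reject as a loop.
    """
    finals, loops = set(), set()

    def walk(n, path):
        key = n.lower()
        if key not in table:
            finals.add(key)                       # plain local user: delivered locally
            return
        if key in path:
            loops.add(key)                        # alias cycle detected
            return
        for target in table[key]:
            if '@' in target or target.startswith(('|', '/', ':include:')):
                finals.add(target)                # leaves the alias table
            else:
                walk(target, path | {key})

    walk(name, frozenset())
    return sorted(finals), sorted(loops)


if __name__ == '__main__':
    table = parse_aliases(SAMPLE_ALIASES)
    for who in ('abuse', 'MAILER-DAEMON', 'loopy', 'alice'):
        print(who, '->', resolve(table, who))
```

With the table above, every default system recipient (postmaster, MAILER-DAEMON, abuse, security) ends at `root@external.lan`, which is exactly why one `root:` line is usually enough; the `loopy`/`loopy2` pair shows the kind of cycle to look for before running `newaliases`.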


----------



## CyberCr33p (Apr 14, 2018)

Thank you for the reply. I don't care about e-mails for local users (I already use a .forward file to forward root@localhost to my personal e-mail via the relay, and other local users are not allowed to send e-mail, via the postfix authorized_submit_users setting). What I want to do is related to virtual domains / mailboxes.

My setup:

I have postfix and dovecot on server1.example.com, and smtp.example.com acts as relay for server1.example.com. MX points to server1.example.com so incoming e-mails go to this server. Outgoing e-mails for domains not hosted on server1.example.com go through the relay. Now I want the e-mails whose sender / recipient are on the same server (server1.example.com) to go through the relay (smtp.example.com). For example, currently I send e-mail from user@example.com to user@example.com and it does local delivery (the e-mail does not leave server1.example.com). I want the e-mail to pass through the relay smtp.example.com.

The problem is that if I remove the domain example.com from virtual_mailbox_domains then e-mails go from server1.example.com to smtp.example.com, but when they come back to server1.example.com it says "Relay denied", which I believe is because postfix doesn't consider that it is the server that actually hosts this domain.

--------------

/var/log/maillog:


```
Apr 12 19:49:08 server1 postfix/smtpd[24278]: connect from unknown[62.103.227.xxx]
Apr 12 19:49:08 server1 postfix/smtpd[24278]: Anonymous TLS connection established from unknown[62.103.227.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 12 19:49:08 server1 dovecot: auth: passwd-file(user@example.com,62.103.227.xxx): unknown user
Apr 12 19:49:09 server1 postfix/smtpd[24278]: 24B2A2730A: client=unknown[62.103.227.xxx], sasl_method=PLAIN, sasl_username=user@example.com
Apr 12 19:49:09 server1 postfix/cleanup[33817]: 24B2A2730A: message-id=<671AE13C-DBCE-449E-922C-011294A5923A@example.com>
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: from=<user@example.com>, size=740, nrcpt=1 (queue active)
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Connect from local
Apr 12 19:49:09 server1 dovecot: lmtp(user@example.com)<40507><w+0rEgWOz1o7ngAAPz4RRA>: sieve: msgid=<671AE13C-DBCE-449E-922C-011294A5923A@example.com>: stored mail into mailbox 'INBOX'
Apr 12 19:49:09 server1 dovecot: lmtp(40507): Disconnect from local: Client has quit the connection (state = READY)
Apr 12 19:49:09 server1 postfix/lmtp[34621]: 24B2A2730A: to=<user@example.com>, relay=server1.example.com[private/dovecot-lmtp], delay=0.24, delays=0.22/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <user@example.com> w+0rEgWOz1o7ngAAPz4RRA Saved)
Apr 12 19:49:09 server1 postfix/qmgr[77128]: 24B2A2730A: removed
```

postconf -Mf:


```
smtp       inet  n       -       n       -       -       smtpd
    -o content_filter=filter:
    -o receive_override_options=no_address_mappings
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
filter     unix  -       n       n       -       -       pipe flags=Rq
    user=filter argv=/usr/local/etc/bogofilter/postfix-filter.sh -f ${sender}
    -- ${recipient}
```


postconf -n:


```
authorized_mailq_users =
authorized_submit_users = root, filter
body_checks = regexp:/usr/local/etc/postfix/body_checks
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 2
default_destination_rate_delay = 1s
default_extra_recipient_limit = 10
header_checks = pcre:/usr/local/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 25600000
myhostname = server1.example.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relayhost = [smtp.example.com]
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 138.201.248.xxx
smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 10
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_cert_file = /etc/ssl/certs/mail.pem
smtp_tls_key_file = /etc/ssl/private/mail.pem
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_banner = $myhostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/recipient_access, check_policy_service { inet:127.0.0.1:10040, timeout=10s, default_action=dunno }, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bad.psky.me, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.blocklist.de, reject_rbl_client dnsbl.dronebl.org, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unlisted_sender, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/recipient_transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = hash:/usr/local/etc/postfix/virtual_uids
virtual_mailbox_base = /home/mail
virtual_mailbox_domains = hash:/usr/local/etc/postfix/domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = hash:/usr/local/etc/postfix/virtual_uids
```


----------



## Lamia (Apr 14, 2018)

It appears that smtp.example.com in the relayhost is your outbound smtp. If you are seeing 'relay denied', chances are high that the user wanting to send email through it AND/OR your mailserver is not authenticated/allowed to send email through the relay. You need to figure out if the relayhost uses authentication (e.g. SASL) and you need to add the login credentials for it to your sasl-authentication (e.g. cyrus-sasl, postfix-sasl, etc.).

You also need to set your transport DB for all or specific senders to send emails through the relayhost. Most likely, you also want messages with recipient addresses that are NOT in mynetworks to ALL go through the relayhost.


----------



## Lamia (Apr 14, 2018)

CyberCr33p said:


> For example, currently I send e-mail from user@example.com to user@example.com and it does local delivery (e-mail does not leave server1.example.com). I want the e-mail to pass through relay smtp.example.com
> 
> The problem is that if I remove domain example.com from virtual_mailbox_domains then e-mails goes from server1.example.com to smtp.example.com but when it comes to server1.example.com it says "Relay denied" which I believe is related to postfix don't consider that is the server that actually hosts this domain.


In addition to the above, you don't have to remove the entry in the virtual_mailbox. This matter is simply between your mailserver and the outbound_smtp. Here is a guide.


----------



## CyberCr33p (Apr 14, 2018)

The 'relay denied' is not in smtp.example.com logs.

E-mail from user@example.com to user@example.com :


```
client (1) --> server1.example.com (2) --> smtp.example.com (3) --> server1.example.com (4)
```

The 'relay denied' message is on server1.example.com logs at step (4).

I can solve the 'relay denied' by changing main.cf at server1.example.com from:


```
smtpd_relay_restrictions =
  permit_sasl_authenticated,
  defer_unauth_destination
```

to:


```
mynetworks = IP_address_for_smtp.example.com

smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination
```

But then I have an infinite loop:


```
client --> server1.example.com --> smtp.example.com --> server1.example.com --> smtp.example.com -->  server1.example.com --> smtp.example.com --> ...
```
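The ping-pong drawn above shows up in maillog as the same Message-ID being re-injected on server1 under a new queue ID each time and handed to the relay again with `status=sent`. As an added example (not part of the post, and not a Postfix tool), here is a small detector that correlates `cleanup` lines (queue ID to Message-ID) with `smtp` delivery lines (queue ID to relay) and flags any Message-ID that was handed to the same relay more than once. The log lines are constructed in the same format as the maillog excerpt earlier in the thread; hostnames, IPs and queue IDs are made up.

```python
"""Spot relay ping-pong loops in Postfix maillog output.

Added example, not from the forum thread.  The LOG text is constructed
in the layout of the maillog excerpt posted earlier; it contains one
message (<loop-1@example.com>) that is handed to smtp.example.com three
times under three queue IDs, and one healthy message delivered once.
"""
import re

LOG = """\
Apr 14 10:00:01 server1 postfix/smtpd[1001]: connect from unknown[198.51.100.7]
Apr 14 10:00:01 server1 postfix/smtpd[1001]: AAA001: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=user@example.com
Apr 14 10:00:01 server1 postfix/cleanup[1002]: AAA001: message-id=<loop-1@example.com>
Apr 14 10:00:01 server1 postfix/smtp[1003]: AAA001: to=<user@example.com>, relay=smtp.example.com[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1111)
Apr 14 10:00:02 server1 postfix/smtpd[1001]: AAA002: client=smtp1.example.com[192.0.2.10]
Apr 14 10:00:02 server1 postfix/cleanup[1002]: AAA002: message-id=<loop-1@example.com>
Apr 14 10:00:02 server1 postfix/smtp[1003]: AAA002: to=<user@example.com>, relay=smtp.example.com[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2222)
Apr 14 10:00:03 server1 postfix/smtpd[1001]: AAA003: client=smtp1.example.com[192.0.2.10]
Apr 14 10:00:03 server1 postfix/cleanup[1002]: AAA003: message-id=<loop-1@example.com>
Apr 14 10:00:03 server1 postfix/smtp[1003]: AAA003: to=<user@example.com>, relay=smtp.example.com[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3333)
Apr 14 10:00:05 server1 postfix/smtpd[1001]: BBB001: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=user@example.com
Apr 14 10:00:05 server1 postfix/cleanup[1002]: BBB001: message-id=<fine-1@example.com>
Apr 14 10:00:05 server1 postfix/smtp[1003]: BBB001: to=<friend@example.net>, relay=smtp.example.com[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4444)
"""

# syslog prefix, postfix program, queue ID, rest of the line
LINE_RE = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')
MSGID_RE = re.compile(r'message-id=(<[^>]*>)')
RELAY_RE = re.compile(r'relay=([^\[,]+)')      # hostname part before "[addr]:port"
STATUS_RE = re.compile(r'status=(\w+)')


def relay_handoffs(lines, relay_host):
    """Return {message-id: number of successful handoffs to relay_host}.

    cleanup(8) logs the Message-ID once per queue ID, so a message that is
    re-injected by the relay gets a fresh queue ID but keeps its
    Message-ID; counting per Message-ID makes the loop visible.
    """
    qid_to_msgid = {}
    counts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                               # e.g. "connect from" lines carry no queue ID
            continue
        qid, prog, rest = m.group('qid'), m.group('prog'), m.group('rest')
        if prog == 'cleanup':
            mm = MSGID_RE.search(rest)
            if mm:
                qid_to_msgid[qid] = mm.group(1)
        elif prog == 'smtp':
            r, s = RELAY_RE.search(rest), STATUS_RE.search(rest)
            if r and s and r.group(1) == relay_host and s.group(1) == 'sent':
                msgid = qid_to_msgid.get(qid, qid)   # fall back to queue ID if unknown
                counts[msgid] = counts.get(msgid, 0) + 1
    return counts


def find_relay_loops(lines, relay_host, min_handoffs=2):
    """Message-IDs handed to relay_host at least min_handoffs times."""
    return {mid: n for mid, n in relay_handoffs(lines, relay_host).items()
            if n >= min_handoffs}


if __name__ == '__main__':
    for mid, n in find_relay_loops(LOG.splitlines(), 'smtp.example.com').items():
        print('possible loop: %s handed to relay %d times' % (mid, n))
```

Postfix itself will eventually stop such a loop when the message collects more Received: headers than hopcount_limit (default 50) allows, but by then every bounce has cost a relay hop; a check like this over a log tail flags the first few extra handoffs, which is the moment to look at mynetworks and smtpd_relay_restrictions on the receiving side.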


----------



## CyberCr33p (Apr 14, 2018)

Sending e-mails from user@example.com to other recipients not hosted on server1.example.com works fine (they go through the relay).

The problem is only if I send from user@example.com to the same address or another address that is hosted on server1.example.com.

I want e-mails whose sender and recipient are hosted on the same server to go through the relay.


----------



## CyberCr33p (Apr 14, 2018)

It looks like the only possible way to do it is to use 2 postfix instances:

https://serverfault.com/questions/2...l-delivery-for-specific-domains/281045#281045

If someone knows another way to do it with only 1 postfix instance, let me know.


----------



## Lamia (Apr 14, 2018)

CyberCr33p said:


> I want to make e-mails that sender and recipient hosted in same server to go through relay.


Seriously? I can't think of any reason one would want to do so.


CyberCr33p said:


> It looks like the only possible way to do it is to use 2 postfix instances:
> 
> https://serverfault.com/questions/2...l-delivery-for-specific-domains/281045#281045
> 
> If someone knows another way to have only 1 postfix instance let me.


I suspected this situation right from the outset of your communication. You did not provide a VERY clear picture of what the mailserver and outbound_smtp are. I was under the impression that they were different machines. Sure, you cannot use the same machine (and I mean postfix/dovecot instance) as the MTA/MDA and a relay host/outbound_smtp. Most times, people use a separate outbound_smtp because some emails don't get delivered to other mailservers, e.g. Microsoft/Google/Yahoo addresses. The "BB" servers block new IP addresses (mail servers); so you will need an older IP address or an outbound_smtp provider to get your emails delivered to their servers.



CyberCr33p said:


> I can solve the 'relay denied' by changing main.cf at server1.example.com from:


That it is how your configuration should be though.


CyberCr33p said:


> But then I have an infinitive loop:


At the point of receipt, dovecot should be the one handling the delivered email. I do not know why the email gets fed back into the queue || content filter (if any) for it to be reprocessed for delivery again.


----------



## CyberCr33p (Apr 14, 2018)

Thank you for your reply.

I manage a lot of servers for hosting customers (webhosting + e-mails) and I have 4 smtp relays on VPSes (smtp1.example.com, smtp2.example.com, smtp3.example.com and smtp4.example.com) for outgoing messages.

smtp.example.com points to these 4 IPs so outgoing e-mails are randomly sent from each relay.

I did this for these reasons:

1) If someone hacks a website and the server IP ends up on a blacklist, it doesn't cause problems with e-mails.
2) To filter outgoing e-mails with MailScanner at the relay level so I don't need extra software and dependencies on the servers.
3) If a relay IP is on a blacklist (I automatically monitor blacklists) I can temporarily shut down the VPS and e-mails are sent from the other relays.
4) If there is a serious issue with a blacklist (hasn't happened so far) I can easily replace this VPS with another one with a different IP.
6) It's easier to monitor providers' (hotmail, aol, etc.) loopbacks when I send e-mail from fewer IPs.
7) It's faster to get a good IP reputation with fewer IPs (some servers host only 1-2 domains so mail usage is minimal and it would take more time).
8) Easier to handle the queue in case of outgoing spam when I have to deal with only 4 queues.

I ask this question because if a customer moves his mail server to another provider (without canceling his subscription with us), then e-mails sent from other domains on the same server to his domain get delivered locally. Using a relay for all outgoing messages solves this issue.

Maybe I'll replace my current setup with a multi-instance setup in the future (to use the antivirus/antispam features between domains on the same server too), but for now I think it's faster to write a script to check if the domains hosted on our servers use our MX records and, if not, to remove them from virtual_mailbox_domains.
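As an added example of the check planned in the post above (example code, not from the thread and not a Postfix tool): read a `virtual_mailbox_domains` source file, look up each domain's MX records, and list the domains whose lowest-preference MX is not one of our own hosts, so they can be dropped from the local domain list and their mail handed to the relay instead. Domains with no MX answer are deliberately kept, because removing a domain from `virtual_mailbox_domains` silently turns its mail into outbound relay traffic, and a resolver hiccup should not do that. The domains file, the MX answers and the hostnames are constructed so the script runs offline; `lookup_mx` is the one function to replace with a real resolver.

```python
"""List hosted domains whose primary MX now points elsewhere.

Added example, not from the forum thread.  OUR_MX_HOSTS, SAMPLE_DOMAINS
and FAKE_MX are constructed; fake_lookup_mx stands in for a DNS query.
"""

OUR_MX_HOSTS = ['server1.example.com', 'mx.example.com']   # constructed: hosts we run

# Constructed virtual_mailbox_domains source in Postfix hash: layout
SAMPLE_DOMAINS = """\
# domain            value (ignored by virtual_mailbox_domains)
example.com         OK
customer-a.test     OK
customer-b.test     OK
moved-away.test     OK
"""

# Constructed MX answers: domain -> [(preference, exchange), ...]
FAKE_MX = {
    'example.com':     [(10, 'server1.example.com.')],
    'customer-a.test': [(10, 'server1.example.com.'), (20, 'mx.backup-provider.test.')],
    'customer-b.test': [(10, 'mx1.otherprovider.test.'), (20, 'mx2.otherprovider.test.')],
    'moved-away.test': [],          # no MX / NXDOMAIN: 'unknown', kept local
}


def fake_lookup_mx(domain):
    """Stand-in for a DNS MX query; returns [] when nothing resolves."""
    return FAKE_MX.get(domain, [])


def _canon(host):
    return host.lower().rstrip('.')


def parse_domains_file(text):
    """Yield the key (domain) of each non-comment line of a hash: source file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        yield _canon(line.split()[0])


def classify_domain(domain, lookup_mx, our_mx):
    """Return 'ours', 'elsewhere' or 'unknown' for one domain.

    lookup_mx(domain) returns a list of (preference, exchange) tuples.
    Only the lowest-preference exchanges decide: if any of them is ours
    we still host the domain's inbox; being listed only as a backup MX
    counts as 'elsewhere'.  No answer at all is 'unknown' (fail safe).
    """
    answers = lookup_mx(domain)
    if not answers:
        return 'unknown'
    best = min(pref for pref, _ in answers)
    primaries = {_canon(exchange) for pref, exchange in answers if pref == best}
    return 'ours' if primaries & our_mx else 'elsewhere'


def domains_to_remove(domains_text, lookup_mx, our_mx_hosts):
    """Domains whose primary MX is hosted elsewhere, sorted."""
    our = {_canon(h) for h in our_mx_hosts}
    return sorted(d for d in parse_domains_file(domains_text)
                  if classify_domain(d, lookup_mx, our) == 'elsewhere')


if __name__ == '__main__':
    for domain in domains_to_remove(SAMPLE_DOMAINS, fake_lookup_mx, OUR_MX_HOSTS):
        print('MX moved away, candidate for removal:', domain)
```

For real use, `lookup_mx` can be backed by dnspython (assumed available; `dns.resolver.resolve(domain, 'MX')` yields records with `.preference` and `.exchange`, and raises on NXDOMAIN, which the wrapper should turn into an empty list). Write the surviving domains to a new file, diff it against the current one, and only then run `postmap` on it, since each removed domain changes where that customer's mail goes.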


----------

