
SMTP relaying depending on the recipient #1470

Closed · cottonthread opened this issue Apr 24, 2020 · 5 comments

cottonthread commented Apr 24, 2020

Context

I created a home server on my non-rDNS IP for my garage company (a startup without any financing, and during COVID-19, yeah!). Now I see I can't deliver any mail to those servers which need to verify rDNS records, like mx01.1and1.es or kundenserver.de. It always defers my messages without any notification to my email inbox; the only way to detect it is the daily report or looking at the real-time server logs.

I found some services that provide an rDNS record, like SendGrid, but on the free tier only 100 messages per day are offered, and that is not enough, because all of our partners need that quota. And I don't think creating multiple SendGrid accounts is ethical.

Expected Behavior

Maybe there is some way that allows me to use the relay server only depending on the recipient's domain.

Actual Behavior

Right now, as the repo wiki says, it only allows us to use a SENDER-dependent relay: here

Possible Fix

Maybe this is the solution?
https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery/amp
http://www.postfix.org/transport.5.html

I think transport_maps and relay_transport are the key. But I really don't have the technical skill to follow and execute the process described in the link.

Steps to Reproduce

  1. Send an email to a mailbox hosted on mx01.1and1.es or kundenserver.de. I am sorry I cannot provide an email address, for privacy reasons.

Your Environment

  • Any relevant stack traces ("Full trace" preferred):

Apr 24 11:46:44 MYHOST postfix/smtp[25410]: 6CAE65D007: host mx01.1and1.es[217.72.192.67] refused to talk to me:
554-kundenserver.de (mxeue109) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For explanation visit https://www.ionos.com/help/index.php?id=2425&ip=0.0.0.0&c=rdns

Thank you for creating such a magnificent Docker image so people like us can use it easily. I hope to get your kind help in solving this issue, and maybe it can help other people too!

erik-wramner (Contributor) commented

Interesting. I haven't used that approach at all. However, if you have a fixed IP you may perhaps be able to ask your ISP if they can add a reverse DNS record for you? If you're lucky they will do it. Happened to me once... but then I've failed to convince several others. If not I hope that somebody who is using this will answer. Good luck with your business!

cottonthread (Author) commented

> Interesting. I haven't used that approach at all. However, if you have a fixed IP you may perhaps be able to ask your ISP if they can add a reverse DNS record for you? If you're lucky they will do it. Happened to me once... but then I've failed to convince several others. If not I hope that somebody who is using this will answer. Good luck with your business!

Thank you very much for your support. Where I am it is practically impossible to ask for a fixed IP and request that the ISP put an rDNS record on it, because we are talking about residential Internet service (for home users, and cheap), where, when you call them on the phone to ask for help, the only solution they give you is to restart your router.

I have updated my issue with a new link: https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery/amp because I realized that the previous one was about how to get emails in, but what I really wanted was to control how they go out, by domain.

Thank you very much for your comment and help; I really like the atmosphere of this community. I hope I can help you with other things.

cottonthread (Author) commented

After having investigated the matter thoroughly, with my almost total ignorance and zero ability on the system, I have managed to control the sending of emails separately according to the recipient (address or domain).

What I have achieved is very dirty; I hope I can have your help to improve it and, if possible, add this function to the beloved setup.sh or something similar so that it can be well integrated:

Create postfix-main.cf with the following content:

# recipient-dependent routing; texthash files are read as-is, no postmap step needed
transport_maps=texthash:/etc/postfix/transport
smtp_sasl_auth_enable=yes
# note: broken_sasl_auth_clients is an smtpd (inbound) parameter; it has no effect on
# how this server authenticates towards the relays
broken_sasl_auth_clients=yes
# cleartext credentials: keep this file readable by root only
smtp_sasl_password_maps=texthash:/etc/postfix/sasl_passwd
# Postfix default is "noplaintext, noanonymous"; dropping noplaintext allows PLAIN/LOGIN
# on a session without TLS, so combine with smtp_tls_security_level=encrypt if possible
smtp_sasl_security_options=noanonymous
smtp_sasl_tls_security_options=noanonymous
# opportunistic STARTTLS: TLS is used when offered, otherwise the session is cleartext
smtp_tls_security_level=may
# smtp_tls_note_starttls_offer=yes
# local_recipient_maps=$virtual_mailbox_maps $alias_maps

Explanation:

Ask Docker to extend the main configuration (main.cf) of POSTFIX as follows:

transport_maps = texthash:/etc/postfix/transport
The map that tells our server which recipients have to go through a relay.

smtp_sasl_auth_enable = yes
Now all relay servers need authentication, as we ask our server to do so.

broken_sasl_auth_clients = yes
Some relay servers may use a rare or obsolete authentication method, as we leave a record on our server that requires authentication as well.

smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd
We indicate where the passwords are saved.

smtp_sasl_security_options = noanonymous
I don't know what it's for, I think it's to deny the relay server if it asks us to go anonymous.

smtp_sasl_tls_security_options = noanonymous
I don't know what it is for, I think it is to deny the relay server if it asks us to go anonymous when we establish a connection using TLS.

smtp_tls_security_level = may
If the relay server asks us to use TLS, we say OK, but if it does not ask us, we will connect too.

# smtp_tls_note_starttls_offer = yes
# local_recipient_maps = $virtual_mailbox_maps $alias_maps

These are settings I left there from the tutorials I looked at on the Internet; they are commented out because they do not work. But if the above fails me or gives me an error with some other relay server, they will be the first thing I look at.

Create transport with the following content:

# own domain: ":" means "do not change", i.e. keep the default local delivery
local.com      :
# one specific domain via the first relay (submission port); no spaces inside transport:nexthop
gmail.com      relay:[relay server 1]:587
# everything else via the second relay
*              relay:[relay server 2]:25

Explanation:
Here you put your rules. I still do not know very well everything you can do with this file; for now it does the following:

  1. For your own emails (incoming or self-sent), it is important to end the line with a ":"; otherwise your server goes crazy.
  2. For a specific domain, for example gmail.com, go to relay server 1 port 587.
  3. For all other emails, use * to include everything.

There are more usage patterns here, but I don't quite know how to apply all of them:
http://www.postfix.org/transport.5.html

Create sasl_passwd with the following content:

# the key must be exactly the nexthop string used in the transport file ([host]:port)
[relay server 2]:25  USERNAME:PASSWORD
[relay server 1]:587 USERNAME:PASSWORD

Explanation:
Here the important thing is to make them match your transport file. I understand that this will be used by your server to authenticate when it connects to the relay servers.

And last but not least, copy all those files to your Docker /config path.

Then modify your docker-compose.yml by adding:

      # under the mail server service's existing "volumes:" list
      - ./config/transport:/etc/postfix/transport
      - ./config/sasl_passwd:/etc/postfix/sasl_passwd

Now you are good to go! (I hope)

I hope this helps if you need to separate the SMTP server that acts as a relay according to the recipient, like me.

I also wish that someone could help me improve what I have done and even integrate it into the image; surely there would be many interested people.
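As an added example for this thread (not cottonthread's code and not part of docker-mailserver), the script below models the transport(5) lookup order Postfix applies to a file like the one above, cross-checks every relay nexthop against the sasl_passwd keys (the mismatch that produces a "no authentication" refusal from the relay), and audits the smtp_* SASL/TLS settings of the posted postfix-main.cf against a hardened variant. The sample transport, sasl_passwd and main.cf fragments are constructed inline; relay1.example.net, relay2.example.net, .ionos.example and the alice credentials are placeholders.

```python
"""Model the transport(5) lookups Postfix makes for the recipient-dependent
relay setup above, and check the companion files for two mistakes that only
surface at delivery time: a relay nexthop with no SASL credentials, and SASL
settings that let those credentials leave the box in cleartext.
Added example for this thread; hostnames and credentials are placeholders."""
import re

# Constructed transport file in the shape of the one posted above:
# ":" keeps the default (local) delivery, a leading dot matches subdomains only.
TRANSPORT_FILE = """\
local.com        :
gmail.com        relay:[relay1.example.net]:587
.ionos.example   relay:[relay1.example.net]:587
*                relay:[relay2.example.net]:25
"""
# Constructed sasl_passwd; relay2 is deliberately absent so the check reports it.
SASL_PASSWD_FILE = "[relay1.example.net]:587  alice@example.com:s3cret\n"
# smtp_* settings as posted above, and a hardened variant. Postfix's own default
# for smtp_sasl_security_options is "noplaintext, noanonymous".
MAIN_CF_POSTED = """\
smtp_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtp_sasl_security_options=noanonymous
smtp_tls_security_level=may
"""
MAIN_CF_HARDENED = """\
smtp_sasl_auth_enable=yes
smtp_sasl_security_options=noanonymous, noplaintext
smtp_tls_security_level=encrypt
"""

def parse_texthash(text):
    """'key  value' per line, '#' comments and blank lines skipped, keys folded
    to lower case as Postfix does (continuation lines are not handled)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table

def lookup_transport(table, recipient):
    """transport(5) lookup order: user@domain, domain, parent domains with a
    leading dot (most specific first), user@, then '*'. None if no match.
    The user+extension@ variants are omitted for brevity."""
    addr = recipient.lower()
    user, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    candidates = [addr, domain]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    candidates += [user + "@", "*"]
    for key in candidates:
        if key in table:
            return table[key]
    return None

def split_result(value):
    """'transport:nexthop' -> (transport, nexthop); a bare ':' gives ('', '')."""
    transport, _, nexthop = value.partition(":")
    return transport.strip(), nexthop.strip()

def missing_sasl_entries(transport_table, sasl_table):
    """Relay nexthops with no smtp_sasl_password_maps key. Postfix then talks to
    the relay without AUTH and the relay refuses to relay: the failure is a 5xx
    in the mail log, not a configuration error at startup."""
    missing = set()
    for value in transport_table.values():
        transport, nexthop = split_result(value)
        if transport in ("smtp", "relay") and nexthop and nexthop.lower() not in sasl_table:
            missing.add(nexthop)
    return sorted(missing)

def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, comments skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def audit_smtp_client(params):
    """Findings for the outbound (smtp_*) SASL/TLS combination."""
    findings = []
    if params.get("smtp_sasl_auth_enable") == "yes":
        level = params.get("smtp_tls_security_level", "none")
        opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
        if level in ("none", "may") and "noplaintext" not in opts:
            findings.append("smtp_tls_security_level=%s without noplaintext: PLAIN/LOGIN "
                            "credentials may be sent on a session without TLS; add "
                            "noplaintext or use smtp_tls_security_level=encrypt" % level)
    if "broken_sasl_auth_clients" in params:
        findings.append("broken_sasl_auth_clients is an smtpd (inbound) parameter and "
                        "does nothing for authentication towards the relay")
    return findings

if __name__ == "__main__":
    transport, sasl = parse_texthash(TRANSPORT_FILE), parse_texthash(SASL_PASSWD_FILE)
    for rcpt in ("bob@gmail.com", "bob@mail.ionos.example", "bob@ionos.example", "me@local.com"):
        print(rcpt, "->", lookup_transport(transport, rcpt))
    print("relay nexthops without credentials:", missing_sasl_entries(transport, sasl))
    for label, cf in (("posted", MAIN_CF_POSTED), ("hardened", MAIN_CF_HARDENED)):
        print(label, audit_smtp_client(parse_main_cf(cf)))
```

Two things the lookup makes visible that the transport file alone does not: `gmail.com` matches only that exact domain (a subdomain needs a separate `.gmail.com` entry), and the wildcard `*` catches everything the earlier keys miss, including your own domain if the `local.com :` line is left out. Whatever file holds the relay credentials, it contains cleartext passwords and should be owned by root with mode 0600 inside the container.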

georglauterbach (Member) commented Sep 29, 2020

@cottonthread Interesting work. Even though you said this was dirty, would you add a wiki page entry with what you have explained here?

I'm sure this is a rather specific case, and there is a valid case to be made for checking against PTR/rDNS records. I'd like to close this, but your contribution is worth a wiki page for sure. I don't have the time (nor knowledge right now) to implement what you've said. But if you run into any trouble, I'd like to point towards Contabo. You can get a very cheap VPS sufficient for a Mailserver and you can set the rDNS entries yourself.

Nymphxyz commented Feb 18, 2024

Your solution still works!!!

I just have a question about the SASL password: docker-mailserver provides a postfix-sasl-password.cf file, so I deleted the line smtp_sasl_password_maps=texthash:/etc/postfix/sasl_passwd from postfix-main.cf and tried to use that file to store my auth info, but it's not working; I get a "no authentication" error from the relay host.

I just wonder what the logic behind docker-mailserver is.
