Multiple Postfix smtp instances

Glenn Steen glenn.steen at gmail.com
Thu Apr 13 10:22:34 IST 2006 

On 12/04/06, Jan Brinkmann <lucky at the-luckyduck.de> wrote:
> Hi,
>
> is it possible to have multiple smtpd instances of postfix running on
> different IPs where one instance is simple running to do SASL based
> mail relaying (without mailscanner) and the other one can act as the
> MX for virtual domains? On servers where I use amavis, it's possible
> to specify multiple smtpd lines where one has the content_filter set
> to an empty string. I thought it would also be possible to do this
> with header_checks, but it doesnt work as expected:
>
> 1.2.3.4:smtp      inet  n       -       n       -       -    smtpd
>   -o header_checks=
> 1.2.3.5:smtp      inet  n       -       n       -       -    smtpd
>
> The second instance (the one listening on 1.2.3.5) would be the one
> where the mails are set to a HOLD state to enable mailscanner. The
> other one would be the one which is used to relay mails for sasl
> authenticated users. If I try to do it this way, all mails get
> filtered by mailscanner. If I go the other way, with header_checks
> in main.cf set to an empty string and header_checks defined in the
> master.cf no mails get scanned at all:
>
> 1.2.3.4:smtp      inet  n       -       n       -       -    smtpd
>   -o header_checks=regexp:/etc/postfix/mailscanner_hold
> 1.2.3.5:smtp      inet  n       -       n       -       -    smtpd
>
>
> Any ideas if this can be done, and which way would be correct?
>
> --
> Jan Brinkmann
> http://the-luckyduck.de
>

smtpd don't know anything about the header_checks parameter (that is
done by cleanup, not smtpd), but do know about/act upon the
content_filter one.... So that is the (total:-) explanation why it
doesn't work for header_checks, but do work for the content_filer.

One way to do it that might look worse than it is, is to have two
separate postfix instances... Each only listening/handling one address
(inet_interface setting...). That is probably the simpllest solution,
but it might be a bit confusing:-).

Another, perhaps more appealing solution, is to only have one postfix
that hands everything to MailScanner, and have MailScanner whitelist
the authenticated users... by way of the IP they are using (From: can
handle subnets). That way is probably a lot less invasive and
confusing;).

A third, perhaps not that viable thing, would be to try to make an
intelligent exception to the  pattern... But I seriously doubt that is
a viable path.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list