Friday, February 19, 2010

Emergency Postfix Backup MX

SkyHi @ Friday, February 19, 2010
Well the primary MX went tits up today and because the boss is pinning me for the new job I have to do something about it. My mail server has been shut down for a while now but the config is still there, so I sat down to do some modifications.

After the first two problems were encountered and we'd been down for twenty minutes I said "stuff it" to myself and copied the file for later backups. I needed a quick and dirty solution to get the backup MX receiving emails for our domain, no spam, no filtering, we'll let the primary MX work it all out later.

root@dread /etc/postfix# grep -Ev '^#|^$'
relay_domains =
smtpd_recipient_restrictions = check_relay_domains check_recipient_access hash:/etc/postfix/access, reject
transport_maps = hash:/etc/postfix/transport
myhostname =
root@dread /etc/postfix# grep -Ev '^#|^$' access
OK
root@dread /etc/postfix# grep -Ev '^#|^$' transport
smtp:[]
root@dread /etc/postfix# postfix start
postfix/postfix-script: starting the Postfix mail system
root@dread /etc/postfix#

It is that easy. This will receive all email for and relay it to as soon as it can, rejecting all else.

Edit: Changing file paths to avoid confusion over my symlinked folders.

Edit Two: UPDATE. If the boss decides that you should be using multiple domains, then we need to change relay_domains to be:

relay_domains = hash:/etc/postfix/access

Make sure to update your transport maps.
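A consistency check for the two maps this setup depends on, as an added example that is not part of the original post: it reports domains accepted in the access map that have no transport entry, and transport entries whose next hop lacks the square brackets used in the post (the brackets tell Postfix to skip the MX lookup for the next hop). The function names, finding labels and example.* domains are constructed, and one map entry per line is assumed.

```shell
#!/bin/sh
# Added example: cross-check a backup MX's access and transport maps.
# All domain and host names are constructed placeholders (example.*).

# check_backup_mx ACCESS_FILE TRANSPORT_FILE
# Prints one finding per line; prints nothing when the maps agree.
check_backup_mx() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        pass == 1 {                        # transport map: domain -> next hop
            nexthop[tolower($1)] = $2
            next
        }
        toupper($2) == "OK" {              # access map: domains we relay for
            d = tolower($1)
            if (!(d in nexthop))
                print "MISSING-TRANSPORT " d
            else if (nexthop[d] !~ /^[a-z]*:\[.+\]/)
                print "MX-LOOKUP-NEXTHOP " d " " nexthop[d]
        }
    ' pass=1 "$2" pass=2 "$1"
}

# Runs the check against constructed sample maps in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/access" <<'EOF'
# constructed sample: domains accepted for relay
example.com     OK
example.net     OK
example.org     OK
EOF
    cat > "$tmp/transport" <<'EOF'
# constructed sample: where each domain is forwarded
example.com     smtp:[mx1.example.com]
example.net     smtp:mx1.example.com
EOF
    check_backup_mx "$tmp/access" "$tmp/transport"
    rm -rf "$tmp"
}

demo
```

On a real host, run `check_backup_mx /etc/postfix/access /etc/postfix/transport` before `postmap` and `postfix reload`.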

OK, this is an update to the original backup MX configuration you saw earlier. I've added a whole bunch of spam things in, including (though I hate to admit) real-time blacklist checks. I hate these things but they're easier than configuring SpamAssassin.

relay_domains = hash:/etc/postfix/access
recipient_access = hash:/etc/postfix/access
smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        reject_rhsbl_client,
        reject_rhsbl_sender,
        reject_rbl_client,
        reject_rbl_client,
        check_relay_domains,
        check_recipient_access,
        reject
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
myhostname =
transport_maps = hash:/etc/postfix/transport
mynetworks_style = subnet

This configuration enforces a few RFC-based checks on the sending machine to ensure we're getting somewhere decent. Note that this configuration does not do sender verification as I believe this is the worst thing ever.

Clean, simple, voilà.