Friday, February 19, 2010

Postfix Backup MX Question

SkyHi @ Friday, February 19, 2010
This should do it:

relay_domains =
transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport: relay:[]

# postmap /etc/postfix/transport
# postfix reload

* do not list in mydestination, virtual_alias_domains or virtual_mailbox_domains *

I went for the dumb forward option without consideration for backscatter.

It's an easy mistake to make ;-)

Recipient verification is easy to set up. You can read more at

EDIT: I'd also recommend setting up a persistent database, but without caching negative responses... or set them to be forgotten in a very short time. (Negative caching, for some reason, is ON by default.) Otherwise, the database becomes very big with all the negative responses - it is amazing how many spammers out there scan for valid email addresses. See

EDIT 2: I forgot to mention that persistent databases are not recommended by the Postfix documentation:
If the persistent database ever gets corrupted then the world comes to an end and human intervention is needed. This violates a basic Postfix principle.
I've been using it on servers doing around 1,000 messages per day (considered light traffic) for about a year without a hitch. If you want to get paranoid about it, you could write a script to delete the database file and restart postfix if the queue size gets too big. Postfix would then renew the database file and the sky would stop falling. I have not gone this far myself because the problem has never happened.


Configuring Postfix as primary or backup MX host for a remote site

This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

When your system is SECONDARY MX host for a remote site this is all you need:

 1 DNS:
 2     the.backed-up.domain.tld        IN      MX 100 your.machine.tld.
 3 
 4 /etc/postfix/:
 5     relay_domains = . . . the.backed-up.domain.tld
 6     smtpd_recipient_restrictions =
 7         permit_mynetworks reject_unauth_destination
 8 
 9     # You must specify your NAT/proxy external address.
10     #proxy_interfaces =
11 
12     relay_recipient_maps = hash:/etc/postfix/relay_recipients
13 
14 /etc/postfix/relay_recipients:
15     user1@the.backed-up.domain.tld   x
16     user2@the.backed-up.domain.tld   x
17     . . .

When your system is PRIMARY MX host for a remote site you need the above, plus:

18 /etc/postfix/:
19     transport_maps = hash:/etc/postfix/transport
20 
21 /etc/postfix/transport:
22     the.backed-up.domain.tld       relay:[]

Important notes:

  • Do not list the.backed-up.domain.tld in mydestination.

  • Do not list the.backed-up.domain.tld in virtual_alias_domains.

  • Do not list the.backed-up.domain.tld in virtual_mailbox_domains.

  • Lines 1-7: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary MX host for that domain.

  • Line 10: This is a must if Postfix receives mail via a NAT relay or proxy that presents a different IP address to the world than the local machine.

  • Lines 12-16: Define the list of valid addresses in the "the.backed-up.domain.tld" domain. This prevents your mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@the.backed-up.domain.tld x" wild-card in the relay_recipients table.

  • Line 22: The [] forces Postfix to do no MX lookup.

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.
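The important notes above can be checked mechanically before a backup MX goes live. The following is an added example, not part of the Postfix documentation or the original post: the function names and sample file contents are constructed for illustration, and it assumes relay_domains holds literal domain names in main.cf rather than table lookups or $variables.

```python
import re

# Constructed sample files for this example; not taken from a real host.
SAMPLE_MAIN_CF = """\
mydestination = $myhostname, localhost, the.backed-up.domain.tld
relay_domains = the.backed-up.domain.tld
smtpd_recipient_restrictions =
    permit_mynetworks reject_unauth_destination
relay_recipient_maps =
"""
SAMPLE_RELAY_RECIPIENTS = """\
user1@the.backed-up.domain.tld x
@the.backed-up.domain.tld x
"""

def parse_main_cf(text):
    # '#' lines are comments; leading whitespace continues the previous line.
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def words(value):
    return [w for w in re.split(r"[,\s]+", value or "") if w]

def audit(main_cf, relay_recipients):
    """Return findings for the backup-MX rules in the notes above."""
    p = parse_main_cf(main_cf)
    keys = [l.split()[0] for l in relay_recipients.splitlines() if l.split()]
    restrictions = words(p.get("smtpd_recipient_restrictions"))
    findings = []
    for domain in words(p.get("relay_domains")):  # literal names only
        for cls in ("mydestination", "virtual_alias_domains",
                    "virtual_mailbox_domains"):
            if domain in words(p.get(cls)):
                findings.append(f"{domain} is also listed in {cls}")
        if f"@{domain}" in keys:
            findings.append(f"wild-card @{domain} accepts every recipient")
    if not p.get("relay_recipient_maps"):
        findings.append("relay_recipient_maps is empty")
    if "reject_unauth_destination" not in restrictions:
        findings.append("reject_unauth_destination is missing")
    return findings
```

An empty relay_recipient_maps or a wild-card entry is reported because either one makes the backup MX accept mail for nonexistent users and bounce it later, which is the backscatter case discussed earlier on this page.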

NOTE for Postfix < 2.2: Do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the fallback_relay host when the final destination is unavailable.

  • In specify "relay_transport = relay",
  • In specify "-o fallback_relay =" at the end of the relay entry.
  • In transport maps, specify "relay:nexthop..." as the right-hand side for backup or primary MX domain entries.

These are default settings in Postfix version 2.2 and later.