On 2021-06-10 02:20, Russell Jones wrote:
Hi all,

I have check_recipient_mx_access set up to route mail for certain
providers through a relay. This has been working well, until I
discovered it is breaking delivery to local users that get CC'd in an
email that is being routed through this relay.

You must carefully distinguish between actions that are carried out on entire emails, on recipient domains or on recipient addresses. check_recipient_mx_access results in an action that is performed on recipient domains, whereas filter results in an action on the entire email. In the general case of an email with several different recipient domains, this cannot work.

For this to work, you have to "align" the reference objects of the actions. This means that the email has to be split into emails with recipients from the same (group of) domains. Then an action for the entire e-mail is identical to an action for the recipient domains. If there are only a handful of domains, this can be done using a transport table. This is the solution Viktor mentioned.

The next possibility would be to split the email into emails with recipients from the same domain. Unfortunately, Postfix (currently) has no way of configuring a relay host and specifying that the email should be split according to the same recipient domain.

The last option is to split the email into single recipient emails. Then there is no need to differentiate. You can use either single-instance or multi-instance Postfix installations to do this. We use single instance. Postfix has the TRANSPORT_destination_recipient_limit option (replace TRANSPORT with the name of the transport you are using) to split an email according to the number of recipients. If set to 1, you will receive single recipient emails.

Configuration:

main.cf:

smtpd_restriction_classes = rc_single_recipient

rc_single_recipient =
    check_recipient_mx_access hash:/etc/postfix/mxrelay
    permit_mynetworks
    reject

single-recipient_destination_recipient_limit = 1

smtpd_recipient_restrictions =
    ...
    check_recipient_mx_access hash:/etc/postfix/single_recipient
    ...

/etc/postfix/single_recipient:
    # the transport name must match the master.cf service "single-recipient"
    outlook.com FILTER single-recipient:[127.0.0.1]:10014
    ...

master.cf:

# SMTP-Transport to split an email with multiple recipients into emails with a single recipient
# use single-recipient_destination_recipient_limit = 1 in main.cf
single-recipient
        unix    -       -       n       -       50      smtp
        -o smtp_bind_address=127.0.0.1
        -o syslog_name=postfix-sr
        -o smtp_helo_name=single-recipient-transport

# Reinject for SMTP-Transport single-recipient
127.0.0.1:10014
        inet  n         -       n       -       -      smtpd
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=rc_single_recipient
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks,no_milters
        -o syslog_name=postfix-sr
        -o content_filter=


Here is how I have it set up:

smtpd_recipient_restrictions = check_recipient_mx_access
hash:/etc/postfix/mxrelay permit_mynetworks permit_sasl_authenticated
check_client_access hash:/etc/postfix/rbl_override reject_rbl_client
b.barracudacentral.org [1] reject_rbl_client zen.spamhaus.org [2]
check_policy_service unix:/var/spool/postfix/postgrey/socket

[root@main log]# cat /etc/postfix/mxrelay
outlook.com [3] FILTER relay:[in-v3.mailjet.com [4]]:587
prodigy.net [5] FILTER relay:[in-v3.mailjet.com [4]]:587
yahoodns.net [6] FILTER relay:[in-v3.mailjet.com [4]]:587
google.com [7] FILTER relay:[in-v3.mailjet.com [4]]:587

If an email gets sent where the "To" address triggers the relay, and a
local user is CC'd in the email, the CC for the local user *also* gets
sent through the relay, and the address is mangled. Here's what I mean
by this, here's an example log line for a local user that should have
been delivered directly, getting sent through the relay. Note that the
"to" address has been mangled to a local user delivery address. This
of course ends up being blocked/bounced on the relay side:

Jun  9 18:12:27 main postfix/smtp[24065]: B31CEC37:
to=<russell-example....@main.example.com>,
orig_to=<russ...@example.com>, relay=in-v3.mailjet.com
[4][104.199.96.85]:587, delay=1.9, delays=0.15/0.01/1.5/0.28,
dsn=2.0.0, status=sent (250 OK queued as
49cd4c02-9c27-4d9d-958f-1a5ef2a64c24)

How can I do MX filtering and relaying, while telling Postfix to never
send a local domain through the relay?

Thank you for the help!

Links:
------
[1] http://b.barracudacentral.org
[2] http://zen.spamhaus.org
[3] http://outlook.com
[4] http://in-v3.mailjet.com
[5] http://prodigy.net
[6] http://yahoodns.net
[7] http://google.com
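
The effect of the split described in the reply, as an added example that is not part of the original thread and is not Postfix code: a small Python model in which a FILTER hit is stored on the whole message. The MX table and the addresses alice@outlook.com and russell@example.com are constructed; the map entries are taken from the thread.

```python
# Constructed model of per-message FILTER handling; not Postfix code.
MX = {  # constructed MX data, no DNS lookups are made
    "outlook.com": "outlook-com.olc.protection.outlook.com",
    "example.com": "main.example.com",
}
# Map entries from the thread, reduced to one provider each.
MXRELAY = {"outlook.com": "relay:[in-v3.mailjet.com]:587"}
SINGLE_RECIPIENT = {"outlook.com": "single-recipient:[127.0.0.1]:10014"}
DEFAULT = "normal routing"


def mx_filter(rcpt, access_map):
    """Model check_recipient_mx_access: look up the MX host of the
    recipient domain, then its parent domains, in the access map."""
    labels = MX[rcpt.rsplit("@", 1)[1]].split(".")
    for i in range(len(labels) - 1):
        hit = access_map.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def smtpd_session(recipients, access_map):
    """One SMTP transaction. A FILTER hit on any RCPT TO is stored on the
    message (the last hit wins), so it applies to every recipient."""
    message_filter = None
    for rcpt in recipients:
        message_filter = mx_filter(rcpt, access_map) or message_filter
    return {rcpt: message_filter or DEFAULT for rcpt in recipients}


def route_unsplit(recipients):
    """Setup from the question: mxrelay is applied to the mixed message."""
    return smtpd_session(recipients, MXRELAY)


def route_split(recipients):
    """Setup from the reply: a first FILTER hands the message to a transport
    with recipient limit 1; each copy is re-injected and checked alone."""
    first = smtpd_session(recipients, SINGLE_RECIPIENT)
    return {rcpt: route if route == DEFAULT
            else smtpd_session([rcpt], MXRELAY)[rcpt]
            for rcpt, route in first.items()}


if __name__ == "__main__":
    mixed = ["alice@outlook.com", "russell@example.com"]
    print(route_unsplit(mixed))  # both recipients are handed to the relay
    print(route_split(mixed))    # only the outlook.com recipient is
```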
