>>>>> "Viktor" == Viktor Dukhovni <postfix-us...@dukhovni.org> writes:

>> On 18 Nov 2021, at 12:28 pm, Togan Muftuoglu <tog...@dinamizm.com> wrote:
>>
>> Thanks for the clarification. One more thing having the backup MX listed in
>> the SPF records of the domain and opendkim signing the relayed mails does
>> not break the validations in the primary MX when it receives mail from the
>> backup, correct ?

Viktor> Any receiving system that elects to use a backup MX must whitelist
Viktor> mail from the backup MX:

Viktor> * Not apply any SPF checks

Both Backup and Primary MX run openDMARC with the following settings

RejectFailures true
SPFIgnoreResults false

They also run opendkim in signing/verifying mode

##
## Causes the filter to perform a fallback SPF check itself when
## it can find no SPF results in the message header. If SPFIgnoreResults
## is also set, it never looks for SPF results in headers and
## always performs the SPF check itself when this is set.
# SPFSelfValidate true

## TrustedAuthservIDs string
## default HOSTNAME
##
## Specifies one or more "authserv-id" values to trust as relaying true
## upstream DKIM and SPF results. The default is to use the name of
## the MTA processing the message. To specify a list, separate each entry
## with a comma. The key word "HOSTNAME" will be replaced by the name of
## the host running the filter as reported by the gethostname(3) function.
#

Both backup and primary have their fqdn listed as TrustedAuthservIDs

Viktor> * Not greylist

Both primary and backup are running postscreen with identical allowlisted cidr

Viktor> * Not reject messages other than to invalid recipients

Both of them reject all mail for non-existent recipients.
Backup MX has relay_recipients that is synced with Primary MX recipients list.

They both have spamass-milter running and they both reject with a spam score of 8.

In addition I have applied the examples mentioned in the
http://www.postfix.org/BACKSCATTER_README.html#real

So under the above mentioned conditions, is there anything I should not be doing or should be doing instead?

Thanks
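
An added illustration, not part of the original message and not OpenDMARC's own code: a simplified Python model of the behaviour described in the configuration comments quoted above, showing which SPF result a filter would act on for mail relayed through a backup MX. The hostnames, the sample message and the function name `spf_source` are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample as the primary MX would see it after relay via the backup.
# All hostnames are hypothetical placeholders.
SAMPLE = (
    "Authentication-Results: backup-mx.example.net;\n"
    "\tspf=pass smtp.mailfrom=sender.example.org;\n"
    "\tdkim=pass header.d=sender.example.org\n"
    "Authentication-Results: unrelated.example.org; spf=fail\n"
    "From: alice@sender.example.org\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def spf_source(raw, trusted_ids, spf_ignore_results=False, spf_self_validate=False):
    """Model which SPF result a DMARC filter would act on.

    Returns ("header", result, authserv_id) when a trusted
    Authentication-Results header supplies it, ("self-check", None, None)
    when the filter would run SPF itself, else ("none", None, None).
    """
    trusted = {t.lower() for t in trusted_ids}
    if not spf_ignore_results:
        for value in message_from_string(raw).get_all("Authentication-Results", []):
            head, _, rest = value.partition(";")
            tokens = head.split()
            if not tokens or tokens[0].lower() not in trusted:
                continue  # results from an untrusted authserv-id are ignored
            match = re.search(r"\bspf\s*=\s*([a-z]+)", rest, re.I)
            if match:
                return ("header", match.group(1).lower(), tokens[0].lower())
    # A self-check evaluates the connecting client, which for relayed mail
    # is the backup MX rather than the original sender.
    if spf_self_validate:
        return ("self-check", None, None)
    return ("none", None, None)

if __name__ == "__main__":
    both = ["mx1.example.net", "backup-mx.example.net"]
    print(spf_source(SAMPLE, both, spf_self_validate=True))
    print(spf_source(SAMPLE, ["mx1.example.net"], spf_self_validate=True))
    print(spf_source(SAMPLE, both, spf_ignore_results=True, spf_self_validate=True))
```
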