[nSLUG] postfix config and half broken domains

Aaron Spanik a.spanik at ns.sympatico.ca
Tue Nov 27 18:21:53 AST 2007


Ah, the wonderful world of Exchange...

On Tue, 27 Nov 2007 11:28:34 -0400
"D G Teed" <donald.teed at gmail.com> wrote:

> *snip*
> 
> This result is perfect for users like me, but many of our users
> are on Exchange.  Exchange server relays through the same SMTP,
> but Exchange allows the Outlook clients to put the email
> into the Exchange queue when the domain has no MX.
> The result is a queue that goes nuts on Exchange, retrying
> every minute and they have to delete mail.

Firstly, why is Exchange configured to try to send mails every minute?
Is there no exponential backoff on mail that will not move?
I'm sure I've seen a properly configured Exchange server that
does not blindly and blithely hammer mail outwards just because
it thinks it should.  Secondly, are there that many people at your
location who are sending mail to undeliverable addresses?  That
seems........odd.

On a more helpful note, is your Postfix server configured as a "Smart
Host" for mail that is sent first to Exchange?  In the environment, it
"should" be.  The problem with this is that mail FOR Exchange users
FROM Exchange users will not leave Exchange.  And I don't know if
there's a way to change that.  There probably is, but it may not be
widely known.

The smart host configuration can either be done by setting it in the
"Connector" (although in your environment, unless you've got a
GroupWise server or Domino server or something, you shouldn't be
using one), or in the SMTP Listener (I forget the exact Exchange
parlance).  You simply tell it to forward all mail to an IP or
Hostname.  Again, this does not affect mail sent between Exchange users
and is still a less-than-desirable solution.  Also, mail sent
to any address that's in Active Directory will probably be sent
directly by Exchange regardless of the smart host setting (never did
figure out why that is), so, for example, if you've got mails being
forwarded by Exchange to an off-site address (i.e. Blackberry user on
an off-site BES), those will go directly from Exchange to the off-site
address.

The "better" solution that you can pitch to anyone who can override the
Exchange admin is to have people set up their mail clients to use SMTP
and your Postfix server.  This does not prevent the use of Outlook
calendaring, the Active Directory Address Book, or any other
Exchange "feature". Further, you can light up SSL-enabled mail sending
on your Postfix box (authenticated through Exchange via RADIUS) on port
587 and Outlook will happily use STARTTLS to securely send mail from
off-site.  Using port 587 means ISP port 25 blocks do not affect it.

You can sell this as security.  I assume that your Postfix box is your
mail scanner for virii and SPAM and that your Exchange box does no
scanning of its own?  If so, mails from Exchange users to other
Exchange users are never scanned.  You probably don't want to scan for
SPAM, but certainly for virii.  Otherwise all your Exchange users, who
are probably at least your core business folks, could facilitate a major
virus outbreak on campus...

> Obviously, something is wrong with Exchange, but the
> sysadmin of that box cannot find a solution, so he is asking
> me if postfix can accept the messages into the postfix
> queue regardless.  That would be done by removing
> reject_unknown_recipient_domain from smtpd_recipient_restrictions
> The painful part of that would be learning typo'ed email addresses
> were not sent several days later.

"I can't make my thing work.  Can we make this your problem? kplsthxbye"

> Maybe someone else on the list has run into this problem
> and knows of a better solution.  Using delay_warning_time
> without reject_unknown_recipient_domain is about the best
> option I can see at this point (this is purely outbound postfix instance).
>
> This has happened a number of times for different domains, so
> we'd rather not take an access list type of approach.

I recommend you not turn off reject_unknown_recipient_domain as the
queue will become your problem and you've probably already got enough
to deal with in terms of the incoming mail queue and the SPAM scanning
and the virus scanning and the hey, hey!

Besides, consider all the rejection mails that are still eventually
going to head back to the Exchange server.  Eventually the
Postfix server has to send a DSN; if the folks are sending through
Exchange, that implies that their mailboxes are hosted on Exchange as
well.  If so, the next "problem" you'll have to deal with is people
complaining about getting "SPAMmed" by DSNs.

*sigh*

The answer is to find the right settings for Exchange and possibly to
re-visit site-wide email, how it's routed and how it works (e.g. nobody
sends through Exchange; there are plenty of Fortune 500 companies who
don't use Exchange for mail routing). There are lots of places around
that do MS Exchange/MS AD consulting work, and audits and
recommendations are not as expensive as some people might think.  This
is, of course, provided you're working on a team of people who
understand that when things get complex and out of hand sometimes
money must be spent and/or outside assistance must be brought in.

Good luck ;)

/a

-- 
Aaron Spanik
a.spanik at ns.sympatico.ca
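As an added illustration of the Postfix side of this thread (it is not code from the original post, from the poster, or from the Postfix project), the script below parses main.cf syntax, including the indented continuation lines Postfix joins onto the previous parameter, and audits the two settings discussed above: whether reject_unknown_recipient_domain is still present in smtpd_recipient_restrictions, and whether delay_warning_time is set so senders hear about stuck mail early. The two main.cf texts embedded in it are constructed samples, one with the restriction removed as the Exchange admin asked and one keeping it; the 4h warning interval is an assumed value, not something the thread specifies.

```python
"""Audit a Postfix main.cf for the outbound-relay settings discussed in the thread.

Added example, not from the original post or from Postfix. It handles real
main.cf syntax (key = value, '#' comments, indented continuation lines) and
reports whether:
  * smtpd_recipient_restrictions still contains reject_unknown_recipient_domain,
    so mail to domains with no MX/A record is refused at SMTP time rather than
    queued and bounced days later;
  * delay_warning_time is set, so senders are told about delayed mail.
The two configuration texts below are constructed samples.
"""
import re

# Constructed sample: the restriction removed, as requested in the thread.
WEAK_MAIN_CF = """
# relay accepts any recipient domain; undeliverable mail piles up in the queue
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample: keep the check and warn senders after an assumed 4 hours.
HARDENED_MAIN_CF = """
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain
delay_warning_time = 4h
"""


def parse_main_cf(text):
    """Parse main.cf text into a dict of parameter -> value.

    Postfix appends a line that starts with whitespace to the previous
    parameter's value, skips '#' comment lines, and lets a later definition
    of the same parameter override an earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation of the previous parameter's value
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue  # a line Postfix itself would reject; ignore it here
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def restriction_list(params, name="smtpd_recipient_restrictions"):
    """Split a restriction list on commas and/or whitespace, as Postfix does."""
    return [r for r in re.split(r"[,\s]+", params.get(name, "")) if r]


def audit(text):
    """Return a list of findings; an empty list means both settings look right."""
    params = parse_main_cf(text)
    findings = []
    if "reject_unknown_recipient_domain" not in restriction_list(params):
        findings.append(
            "smtpd_recipient_restrictions lacks reject_unknown_recipient_domain: "
            "mail to non-existent domains will be queued, then bounced later"
        )
    # Postfix's default of 0h disables the delay warning entirely.
    if params.get("delay_warning_time", "0h") in ("", "0", "0h"):
        findings.append(
            "delay_warning_time is unset: senders will not be told about delayed mail"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against a real main.cf by reading the file into `audit()`; on a live box `postconf -n` output can be fed in the same way, since it uses the same key = value form with continuation lines already folded.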
