3

Our server hosts various domains, half of them using Google Apps for their e-mail and the other half simply does not use any domain e-mail accounts. However, the websites and applications (eg crons, firewall) on the server need to send out mail. For this purpose postfix was installed (Ubuntu 10.04). All works well.

However, analyzing the logs I see that there are a lot of failed incoming e-mails. Mainly because those domains that have no mail at this moment, still have some spam messages being sent to their domain. And as the DNS points to this server, they still show up here, taking up resources and clogging the log. So a few questions:

  1. Can I simply change the DNS and remove the MX entries? I am rather afraid that the OUTGOING mails will more often fail, as external spam filters check for valid MX entries and see that these domains are not even supposed to send out mail. (I still want them to read @domain.com when sending it out). Or should a SPF record solve this problem?
  2. Should I replace Postfix with something lighter/better equipped for just sending mail? All incoming mail software is currently unused.
  3. Is there another way to make postfix outgoing-only, and avoid all of these log-entries?

Thanks!

2 Answers2

2

Here is what I would do:

For the domains using Google Apps or some other 3rd party email service, set the MX records appropriately for that domain's email service. I would find it very interesting if you emails were still being presented to that server if the MX records for the domain point elsewhere. That would mean some checking up on what email addresses are arriving at your server for further investigation.

For your Google Apps clients, if you find that your outgoing emails (sent from the server via the server in PHP or some other means) are not being delivered to email addresses ending in the same domain as the hostname, try this:

Postifx disable local delivery

An example of this would be the server whose hostname getbunch.com might not deliver email to jesse@getbunch.com because it thinks that that address should be local. In reality, it's not local. Disabling the local delivery will force the server to send your email to the right place.

For domains that have NO email service, I would simply remove the MX records. This should keep emails from being presented to the server for delivery.

Another thing you could do is block port 25 using iptables :

/sbin/iptables -A INPUT -p tcp --destination-port 25 -j DROP

Hope that helps!

Community
  • 1
Jesse Bunch
  • 324
  • 2
  • 9
1

Agreed. Block port 25 at the firewall or on the local machine. Stopping Postfix from listening to anything BUT the local loopback address is a good idea too.

A long time ago, I used a little program that looked into the mail spool dir, and forwarded the email to an external SMTP server based on a cron job. It worked perfect for sending out logs and other system emails and did not require being run full time. No PostFix or Sendmail was needed.

My Google powers are failing me as I can't find it now. Maybe you will have better luck.

Porch
  • 680
  • 5
  • 12