zimbra MTA as "backend MTA" another postfix MTA in front

[dagobert]

Hi,

i want to use some domains with zimbra and some with simple imap/webmail server.
I thought about not messing around too much with the postfix shipped with zimbra for update reasons. Therefor i thought about using a postfix MTA in front of all zimbra MTAs.
The postfix would handle all incoming mails and has all MX records set to its IP.

The scenatio woult be like this:

internet ---mail---> postfix ---relay-mail-to--->zimbraMasterMTA(---relay-mail-to--->zimbrasubserver)

Are there any problems i would face with this idea? For example: to prevent spam, the front postfix needs access to the user/mailbox table of the zimbraMasterMTA table. Is this possible?

Thanx for your help.

[uxbod]

Welcome to the forums

Yes this could be achieved IMHO, but the way I would do it would be to get a list of all the users from the Zimbra server using something like :-

Code:

zmprov gaa -v domain.com

write this out to a file say zmusers and then run :-

Code:

postmap zmusers

to create the binary db file. This is then called via the front-end Postfix process by changed main.cf and adding :-

Code:

relay_recipient_maps = hash:/etc/postfix/zmusers

so any invalid users should be rejected. Doing it this way would also reduce the number of network calls between the two machines. I do this for our Lotus Notes installation but extracting from LDAP.

If you want to split the domain traffic then just use transport files, so in /etc/postfix/transport setup something like :-

Code:

domain1.com                     smtp:normalmail.domain.com
.domain1.com                    smtp:normalmail.domain.com
domain2.com                     smtp:zimbramail.domain.com
.domain2.com                    smtp:zimbramail.domain.com

Hope this helps ?

[brian]

I wouldn't bother with getting the list of zimbra users to the frontend mta. That's a nightmare to maintain for a sight with any level of turn over. Instead I'd simply remove the frontend mta from the list of trusted mtas on the zimbra side and you can process spam with the zimbra mta.

[dagobert]

It is not that much about scanning mails to detect spam. It ist more about pre-queue anti spam.

To prevent the spam the postfix would use policyd and of cause the user table. without the user table zimbra would bounce mail to my postfix and i have to deal with that. This is not a good way.

@uxbod: Thanx for your help. The zmprov command dows not extract the "alias accounts".

Keeping the network calls low ist pretty good, but your way i would need to sync the file at least about every 10 to 15 minutes. With all the overhead to configure a secure way to copy the file, i might better stick to a ldap query.
Activating my rusty postfix knowledge i would translate your transport map as: mail for domain.com will be sent via smtp to the server normalmail.domain.com

For the outgoing direction i would need to configure the postfix server as smarthost for all zimbraMTAs, don't i?

[uxbod]

For the outgoing direction i would need to configure the postfix server as smarthost for all zimbraMTAs, don't i?

You could if you wanted to validate outgoing mail aswell, or the Zimbra MTAs could either send to a upstream smarthost of straight out to the Internet. The choice is yours.

[uxbod]

I wouldn't bother with getting the list of zimbra users to the frontend mta. That's a nightmare to maintain for a sight with any level of turn over. Instead I'd simply remove the frontend mta from the list of trusted mtas on the zimbra side and you can process spam with the zimbra mta.

Out of the box Zimbra only has a number of SPAM defences in its arsenal, and I appreciated that you could bolster it by reading Improving Anti-spam system - Zimbra :: Wiki

Though using a front-end MTA to pre-filter does make the maintenance of Zimbra a lot easier in respect to ensuring when a upgrade takes place all your modifications are carried across. I personally prefer this approach as I can have multiple MTAs serving my domains, and feeding into a select number of ZM servers.

[dagobert]

Hi,

sorry for my late response. I searched alot and found everything on handling emails of a domain which zimbra thinks as local but does not have registered.
So it sends it to a relay.
Thats all fine.

Now my Problem is more on the postfix side and probably not the right place for this forum. Still i will ask.

On the primary MTA (postfix) in this scenario i need to decide for every single email address to which imap or relay MTA it will be delivered.

Example:

a@mydomain.com -> (relay to) -> Zimbra MTA
b@mydomain.com -> (relay to) -> other MTA
c@mydomain.com -> to internal IMAP

I hope someone might help me.
Thanks in advance.

[uxbod]

Postfix manual - transport(5)