Is it a good idea to set up a postfix server only to send supervision/debug mail?
Posted by Leogis@reddit | sysadmin | View on Reddit | 17 comments
Hello, for context: due to entreprise reasons, we use a mailserver that is out of our scope, in another place, administered by a completely different team => I can't touch anything on it
So if I want to recieve E-mail, from my services (password forgotten, backup success/failures, etc) i need a way to send Email without using the "official" company server.
But before I dive into the Postfix rabbithole, I'm wondering if the company's mail server is simply gonna trash the email sent by my random server
If i have to go through the whole process to ask them to allow my server, I might aswell ask them to create mail accounts
Since I don't know much about E-mail administration, i don't know how likely it is to work, is this kind of stuff usually blocked ? (Excluding firewalls i mean)
Arudinne@reddit
I would use SMTP2GO or Sendgrid.
_mick_s@reddit
it's not ideal, and emails will almost certainly go into spam due to lack of SPF/dkim/dmarc. And depending on how aggressive anti spam is it might get blocked completely.
I would say IF you are an actual administrator of some part of this infrastructure you can create a smart host / email relay for internal testing use only.
Honestly I would rather set up something like mailhog so you can see those emails without actually having to send them through normal email servers.
punkwalrus@reddit
No. This is the kind of shadow IT that ends up in heartbreak to both sides.
I have set up Postfix in such an environment that WAS approved by corporates, and it's a headache. Just a partial list:
Next, you must check what kind of email you have being sent. A lot of incoming mail milters will immediately reject things like HTML, attachments, may rate limit arbitrarily... there are testing tools out there to help.
It will randomly fail for some carriers. Gmail is REALLY strict, for example, and things that worked for years will suddenly not work. When the service fails, you won't know, unless you have some kind of RTT (round trip triggers) in your system, like every hour, send an email to a receiving monitor to record how long it took, if it arrived at all. Send too many, you'll trip rate limiting, so be careful with these.
I am sure I am missing some steps. I worked for a security company for many years that was responsible for sending out alerts via email, and god damn it was a headache. We had a fleet of these systems, and some customers would set alarms to email them for any and all motion for 400 cameras, and then it went to an email box nobody read. The box would fill up, the ISP would flag us to a RBL as a spammer, and then All CUSTOMERS STOPPED GETTING MAIL FROM US. We had tricks like cycling through IPs, only some IPs were allowed to send to certain carriers, and were rate limited like crazy. The queues would back up, and we'd monitor for bounced emails and just block them from outgoing because if we didn't, "sending to a dead/no-existent email" was another way to get on an RBL.
IwantToNAT-PING@reddit
Only you know if the risk of this is worth the reward.
What you're talking about technically - e.g. registering a domain, sorting DNS, and setting up a postfix server and configuring mailflow - completely normal IT project. If you're not sure on what you're doing then how well this goes is entirely down to how well you test/undertake the activity. Only you know if you're actually up to it, and how much you understand about smtp. Currently it sounds like you're maybe not sure about what you do/don't know, so I'd definitely do anything you're going to do in a test environment that cannot affect any production or is in any way public facing.
As to what you're talking about doing policy/procedurally/politically/shadow IT-wise... I'd be rather annoyed to discover that another dept had just entirely circumvented my dept to set up something that we manage for the organisation.
I've worked places where this might go entirely unnoticed. Or it might just result in an angry teams call /shouting match between my manager and theirs, and I've worked places where that would be a resume generating event, and you'd be terminated, even if the other department has been holding up global work.
I get that things are frustrating in big enterprises, but sometimes it can really blow up on you if you circumvent process. Or it might be fine and you'll have got stuff done. Without knowing your org we can tell you how we'd expect things to be done in a sane world, and also offer technical advice.
Margosiowe@reddit
Please do not do that and also
That's a weird conclusion, why not just ask them for a mailing account for services? If they say no, you escalate to boss, not create a mail shadowit.
Leogis@reddit (OP)
Because it would take ages, without going into details, they are waiting for a big change that may or may not happen somewhere between June and next year...
So I fear i'll get the "just wait for when we have a plan"
I have full control of an independant architecture that is under our jurisdiction but my workstation is using their AD and mail
Computer-Blue@reddit
Why would it take ages to provision a mailbox. If this is true your email infrastructure is fucked.
Assuming this is true maybe just stand up an SMS gateway server (private email sends to sms server email, converts to sms) or an app based notification platform to get these communications (private email account sends to bridge/cloud account, converts to alert on your phone app, no company email server involved).
Leogis@reddit (OP)
What's fucked is the way the whole company is split into multiple pieces
purplemonkeymad@reddit
If you do your own setup, then all your shadow emails should be getting blocked anyway. Either way you need to engage the email team, so send the request now. "ages" is even longer when you don't start the process.
kidmock@reddit
The best practice is to configure the localhost to relay to a smarthost as a send only service on the loopback
Your localhost is used to queue and retry when the smarthost can't be reached.
But all mail "should" be relayed through approved relays that are spf, dkim, and dmarc compliant.
You should also be rewriting the origin to be in compliance with domain policy, and the return-path MUST be valid. Don't "make up" an email address. When an email gets bounced or delayed, the receiving server will send a DNS/NDR back to the return-path, failure to do so will get you on a naughty list and the domain blacklisted in some cases.
kona420@reddit
Ask them for a subdomain, setup your postfix server against that. Reduces risk to the main domain.
Leogis@reddit (OP)
Ain't happening sadly, If i want a domain I have to create it myself
dhardyuk@reddit
That was quick.
When did you ask them?
Leogis@reddit (OP)
Never, I'm 100% sure it would get denied, i'd have to justify creating a whole subdomain for a very low number of users that are already fully fonctional in a current domain, just to send E-mails
kona420@reddit
There's your answer then. I do this anyway. I have mainbrand.com that is customer facing the abbrvcorp.com that is all internal tools.
LeakyAssFire@reddit
Nah, don't go down that rabbit hole. Just talk to your email admins. Being an enterprise, they likely already have a process for allowing email relaying for IT services.
Rajin1@reddit
Ask if they have an email relay you can use so you can send emails to that relay to be delivered to you