How to stop postfix from forwarding mail to spampd when connection is from localhost

postfix smtp

Earlier today I asked about postfix and spamassassin for mail sent from localhost, postfix, spam assassin, swiftmailer and received a good answer quickly (thanks). Using sendmail directly has solved the speed problem, but I'd like to try using SMTP for other reasons, so I need to know how to stop postfix from forwarding mail to spampd when the connecting client is localhost. At the moment, bounces are being returned not to the REPLY-TO address but to the webserver admin, and I think that is because of using sendmail directly. My config is shown in the earlier question, except currently I've configured the mailer as 

'mailer' => [
    'class' => 'yii\swiftmailer\Mailer',
    // send all mails to a file by default. You have to set
    // 'useFileTransport' to false and configure a transport
    // for the mailer to send real emails.
    'useFileTransport' => false,
    'transport' => [
        'class' => 'Swift_SendmailTransport'
    ],
],

Here is how I solved the problem. Relevant doc is at http://www.postfix.org/SMTPD_PROXY_README.html

In /etc/postfix/master.cf are the relevant configs.

smtp       inet  n       -       y       -       20      smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
127.0.0.1:10026 inet n  -       n       -        -      smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks

These define port 10026 to receive outputs from the milter and are handled by the post-filter SMTP service of postfix. I set my config to send to port 10026 and SMTP handles the email with no delay.

I've tested this with an incorrect email address and the bounce is correctly sent to the reply-to address instead of to my webserver admin.

Actually I'm surprised I couldn't find more discussion of this issue, but maybe most servers have a single website so the webserver admin is the same or similar to the email sender on the website. In our case we have about 100 different email senders so it's important they get their own bounces.

Here's the Yii2 Swiftmailer config we are now using:

'mailer' => [
        'class' => 'yii\swiftmailer\Mailer',
        // send all mails to a file by default. You have to set
        // 'useFileTransport' to false and configure a transport
        // for the mailer to send real emails.
        'useFileTransport' => false,
        'transport' => [
            'class' => 'Swift_SmtpTransport',
            'host' => '127.0.0.1',
            'port' => '10026'
        ]
    ],

It should be obvious, but I will state that port 10026 isn't open on the firewall, so only localhost can use the port.

Related

XAMPP how to secure forward proxy for port 443
APC Smart-UPS 3000 turning off but passing own test
Policy Routing with Openvpn?
How do I target a different mail server depending on domain with exim?
GoDaddy virtual dedicated servers
IPtables: Forward port to another host is not working
How to make my in-the-office server available online?
Need Suggestions / Opinions about Load Balancing + some technical questions!
Error installing SQL Server 2008 r2 on Windows Server 2008 R2 Sp1
Behaviour of _destination_rate_delay in postfix
IIS 7.5 web site directory permisions
Missing RAID 6 array + LVM volume after hard reboot