Backup MX should not setup relayhost
Today I learned a class from mailing list. A poster says his backup MX has relayhost setup, then the delivery loop will happen between backup MX and relayhost, when primary MX dies. Victor, one of Postfix developers, gives the answer below.
> 1. postfix is a backup MX for foo.com
> 2. this postfix uses other MTA as relay_host
This would be a misconfiguration. A backup MX host MUST NOT be an
effective null client that relays *all* non-local mail to a "smarthost"
relay. Rather, a backup MX host MUST be at least smart enough to
relay mail for the domain(s) in question to better (lower) preference
The best way to do this, is to configure an explicit nexthop in
default_transport, and be sure to leave relayhost empty.
# MUST be empty, to avoid backup MX domain loops.
relay_domains = foo.com
# Regularly updated list of valid foo.com (and any other relay
# domain) recipients:
relay_recipient_maps = ...
# Replace "smarthost.example" with actual default relayhost.
default_transport = smtp:smarthost.example
Relay domains will use "relay_transport" (default "relay", which is
a clone of "smtp"), so will not in error use the smarhost.
Simple to say, it should not setup a relayhost for backup MX. If you really need a smarthost for that backup MX, then setup smarthost in default_transport. Following postfix's documentation, default_transport will not include the domains for relay_domains.
default_transport (default: smtp)
The default mail delivery transport and next-hop destination for the default domain class: recipient domains that do not match $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or $relay_domains.