From 5050001909c27c6107a65dd4f4f8ba93c46dd631 Mon Sep 17 00:00:00 2001 From: majorlinux Date: Mon, 15 Jun 2026 19:26:49 -0400 Subject: [PATCH] Replace real majormail IP with documentation IP in logwatch example The postfix MX-lookup example hard-coded majormail's real public IP (stale DO address). Swap in an RFC 5737 documentation IP (203.0.113.10) so the published wiki doesn't expose a real fleet IP. --- 02-selfhosting/monitoring/logwatch-fleet-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/02-selfhosting/monitoring/logwatch-fleet-setup.md b/02-selfhosting/monitoring/logwatch-fleet-setup.md index 15696f1..75703f1 100644 --- a/02-selfhosting/monitoring/logwatch-fleet-setup.md +++ b/02-selfhosting/monitoring/logwatch-fleet-setup.md @@ -240,7 +240,7 @@ systemctl reload postfix ### 2. Empty `relayhost` quietly forces public-MX delivery -If `postconf relayhost` returns an empty value, postfix doesn't fail — it just does an MX lookup for the destination domain and tries to deliver directly. For mail to your own mail server, that means going via the **public MX** (the domain's external MX record, e.g., `mail.majorshouse.com → 165.227.187.191:25`) instead of the **internal/Tailscale relay path** the rest of the fleet uses. +If `postconf relayhost` returns an empty value, postfix doesn't fail — it just does an MX lookup for the destination domain and tries to deliver directly. For mail to your own mail server, that means going via the **public MX** (the domain's external MX record, e.g., `mail.majorshouse.com → 203.0.113.10:25`) instead of the **internal/Tailscale relay path** the rest of the fleet uses. The public-MX path is subject to whatever spam filtering, content checks, and trust rules the receiving MX has configured for external traffic. Internal Tailscale-IP traffic typically gets a faster trust shortcut (e.g., bypass spamchk pipe). So this single configuration drift causes one host's mail to land in a different code path than its siblings — and then silently get filtered.