On 21-02-13 15:50, Wietse Venema wrote:
> Erik Slagter:
>> I tried another variant:
>>
>> 192.168.0.1:smtp inet ... postscreen
>>     -o options...
>>
>> 192.168.0.1:pass inet ... smtpd
>>     -o options...
> 
> If you don't show the exact options and the exact logging
> then no-one can say what mistake YOU are making.

Okay, I didn't post the complete master.cf because I thought it wouldn't
be necessary, so here it comes. This is the "plain" version that works,
without postscreen enabled. If somebody can explain to me how to
transform this into something working with postscreen enabled AND TLS
working on the outside interface (ppp0, ipv4 and ipv6), I'd be very
grateful, but really I've tried various approaches without luck.
Postscreen by itself is working fine, btw.

# ==========================================================================
# service                       type    private unpriv  chroot  wakeup  maxproc command + args
#                                       (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

#smtp                           inet    n       -       n       -       1       smtpd
#smtp                           inet    n       -       n       -       1       postscreen
#smtpd                          pass    -       -       n       -       -       smtpd
#dnsblog                        unix    -       -       n       -       0       dnsblog
#tlsproxy                       unix    -       -       n       -       0       tlsproxy

#
# outside -> inside
# postfix(25) -> amavis(10025)
#

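# Public MX listener (IPv4), served directly by smtpd. The mail-wrapped
# "smtpd" command is rejoined onto the service line so the entry is one
# logical line again. Each "-o name=value" below overrides main.cf for this
# smtpd process only.
#
# - smtpd_tls_security_level=may: opportunistic TLS. STARTTLS is offered,
#   plaintext sessions are still accepted.
# - postscreen_tls_security_level, tlsproxy_tls_security_level and
#   postscreen_cache_map are read by postscreen(8) and tlsproxy(8). Set on an
#   smtpd entry they do not change what those daemons do; their defaults
#   follow the main.cf value of smtpd_tls_security_level, which is not shown
#   in this listing. To take effect they belong in main.cf or on the
#   postscreen/tlsproxy entries themselves.
# - smtpd_proxy_filter: mail is proxied to nemesis.ipv4:10025 before it is
#   queued (before-queue filter).
# - NOTE(review): the banner text carries $mail_name plus what appear to be
#   interface and address-family labels; every connecting client sees it.
mx1.ipv4.slagter.name:smtp      inet    n       -       n       -       2       smtpd
        -o myhostname=eriks.xs4all.nl
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
        -o smtpd_tls_security_level=may
        -o postscreen_tls_security_level=may
        -o tlsproxy_tls_security_level=may
        -o smtpd_proxy_filter=nemesis.ipv4:10025
        -o soft_bounce=no
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4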

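# Public MX listener (IPv6), served directly by smtpd. The mail-wrapped
# "smtpd" command is rejoined onto the service line. Every "-o" override
# applies to this smtpd process only.
#
# - smtpd_tls_security_level=may: opportunistic TLS; plaintext is still
#   accepted.
# - The postscreen_* and tlsproxy_* overrides are parameters of postscreen(8)
#   and tlsproxy(8); on an smtpd entry they have no effect on those daemons.
# - smtpd_proxy_filter points at the IPv4 filter endpoint nemesis.ipv4:10025,
#   the same one the IPv4 listener in this file uses.
mx1.ipv6.slagter.name:smtp      inet    n       -       n       -       2       smtpd
        -o myhostname=mx1.ipv6.slagter.name
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
        -o smtpd_tls_security_level=may
        -o postscreen_tls_security_level=may
        -o tlsproxy_tls_security_level=may
        -o smtpd_proxy_filter=nemesis.ipv4:10025
        -o soft_bounce=no
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6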

#
# amavis(10025) -> postfix(10026)
#

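# Re-injection listener for mail coming back from the content filter on
# port 10026. The mail-wrapped receive_override_options value is rejoined
# onto its "-o" so the option is parsed as intended.
#
# Mail accepted here is exempt from header/body checks and from
# unknown-recipient checks, and smtpd_client_restrictions is emptied, so
# "permit_mynetworks,reject" is the only access gate visible on this entry.
# mynetworks is not overridden here, so the main.cf value applies.
# NOTE(review): main.cf is not shown; confirm mynetworks admits only the
# filter host and that this port is not reachable from anywhere else.
#
# smtpd_authorized_xforward_hosts lets 10.1.1.1 send XFORWARD, i.e. supply the
# original client's name and address for this session; keep that list limited
# to the filter.
nemesis.ipv4:10026 inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-10026
        -o smtpd_client_restrictions=
        -o smtpd_authorized_xforward_hosts=10.1.1.1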

#
# postfix(25) -> dkimproxy(11025)
#

# Port-25 listener on nemesis.ipv4 whose mail is proxied to
# nemesis.ipv4:11025 before queueing (smtpd_proxy_filter).
# Relay policy: only clients matching mynetworks pass; everything else is
# rejected. mynetworks is overridden to 127.0.0.0/8 for this service.
# header_checks and body_checks are set empty for this service.
# NOTE(review): a later entry in this file uses the same service name and
# type (nemesis.ipv4:smtp inet) with mynetworks=10.0.2.0/24 and no proxy
# filter. Confirm which entry is actually live; master(8) is not expected to
# run two listeners for one name/type pair.
nemesis.ipv4:smtp inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv4-25
        -o mynetworks=127.0.0.0/8
        -o smtpd_proxy_filter=nemesis.ipv4:11025

# IPv6 counterpart of the internal port-25 listener; mail is proxied to the
# IPv4 endpoint nemesis.ipv4:11025 before queueing.
# Relay policy is "permit_mynetworks,reject", but mynetworks is NOT overridden
# on this entry, so the main.cf value decides who may submit here.
# NOTE(review): main.cf is not shown; confirm its mynetworks lists only the
# IPv6 ranges that should be allowed to relay.
nemesis.ipv6:smtp inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv6-25
        -o smtpd_proxy_filter=nemesis.ipv4:11025

#
# dkimproxy(11025) -> postfix(11026)
#

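# Re-injection listener for mail coming back from the proxy on port 11025.
# The mail-wrapped receive_override_options value is rejoined onto its "-o".
#
# As on the other re-injection entry in this file: header/body checks and
# unknown-recipient checks are switched off and smtpd_client_restrictions is
# emptied, leaving "permit_mynetworks,reject" as the only visible gate.
# mynetworks comes from main.cf because it is not overridden here.
# NOTE(review): confirm only the proxy host can reach this port, and that
# 10.1.1.1 (trusted for XFORWARD) is that proxy and nothing broader.
nemesis.ipv4:11026 inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-11026
        -o smtpd_client_restrictions=
        -o smtpd_authorized_xforward_hosts=10.1.1.1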

#
# locally generated
#

#localhost.ipv4:smtp inet n - n - - postscreen
# Loopback submission listener for locally generated mail.
# mynetworks is pinned to 127.0.0.0/8 for this service, so
# "permit_mynetworks,reject" admits loopback clients only.
# header_checks and body_checks are set empty for this service.
localhost.ipv4:smtp inet n - n - - smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-25
        -o mynetworks=127.0.0.0/8

#nemesis.ipv4:smtp inet n - n - - postscreen
# Submission listener that trusts 10.0.2.0/24 (mynetworks override); all
# other clients are rejected by "permit_mynetworks,reject".
# NOTE(review): an earlier entry in this file has the same service name and
# type (nemesis.ipv4:smtp inet) but sets mynetworks=127.0.0.0/8 and a
# smtpd_proxy_filter. The two differ in who may relay and in whether mail is
# filtered before queueing; confirm which one is live, or give them distinct
# listen addresses.
nemesis.ipv4:smtp inet n - n - - smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-vlan2-alt-ipv4-25
        -o mynetworks=10.0.2.0/24

# IPv6 loopback submission listener.
# Unlike the IPv4 loopback entry in this file, mynetworks is not overridden
# here, so "permit_mynetworks,reject" uses the main.cf value.
# NOTE(review): main.cf is not shown; confirm its mynetworks covers ::1 and
# nothing wider than intended.
::1:smtp inet n - n - - smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv6-25

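# Postfix internal daemons. Columns, as in the header at the top of the file:
# service, type, private, unpriv, chroot, wakeup, maxproc, command + args.
# The chroot column is "n" for every entry here, so none of these daemons
# runs chrooted.
# The "relay" entry was split by mail wrapping; its two "-o" overrides are
# rejoined onto the service line so they apply to the relay transport instead
# of starting a new, invalid logical line.
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil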

# Outbound SMTP client transport that identifies as nemesis.slagter.name and
# binds IPv6 connections to 2001:980:5fef:1::1.
# No smtp_tls_security_level is set on this entry, so the main.cf value (not
# shown) decides whether outbound sessions use TLS.
smtp-inside unix - - n - - smtp
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtp_bind_address6=2001:980:5fef:1::1

# Outbound SMTP client transport that identifies as eriks.xs4all.nl and binds
# IPv6 connections to 2001:980:5fef::1.
# smtp_tls_security_level=may is opportunistic TLS: STARTTLS is used when the
# remote server offers it, the server certificate is not verified, and
# delivery proceeds in plaintext otherwise. This protects against passive
# eavesdropping only, not against an active downgrade.
smtp-default unix - - n - - smtp
        -o myhostname=eriks.xs4all.nl
        -o smtp_helo_name=eriks.xs4all.nl
        -o smtp_bind_address6=2001:980:5fef::1
        -o smtp_tls_security_level=may


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
