On 2/21/2013 10:46 AM, Erik Slagter wrote:
> Another variation I tried ("pass" and "postscreen" the other way
> around).

You've shared too much. By now no one has any idea what you're doing.

Overview:

Postscreen is a front-end listener for smtpd. It's not a proxy. Incoming connections are handled by postscreen until postscreen either decides it's clean and passes the connection endpoint to smtpd, or rejects it. This is covered in more detail in the POSTSCREEN_README.

When postscreen decides to pass the connection to smtpd, postscreen is no longer involved, and smtpd has no knowledge of what transpired between postscreen and a client.

Solution:
[this is not a complete how-to, but will show you how to use multiple interfaces]

At some point you reported:

> mx1.ipv4.slagter.name:smtp inet n - n - 2
>     smtpd
>     -o myhostname=eriks.xs4all.nl
>     -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
>     -o smtpd_tls_security_level=may

Ok.

>     -o postscreen_tls_security_level=may
>     -o tlsproxy_tls_security_level=may

Both these belong in main.cf, or better, set main.cf: "smtpd_security_level = may" and leave these at their defaults.

>     -o smtpd_proxy_filter=nemesis.ipv4:10025
>     -o soft_bounce=no
>     -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

The cache map parameter belongs in main.cf. Probably a mistake to create separate caches.

Same comments as above for the smtpd listener below.

>
> mx1.ipv6.slagter.name:smtp inet n - n - 2
>     smtpd
>     -o myhostname=mx1.ipv6.slagter.name
>     -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
>     -o smtpd_tls_security_level=may
>     -o postscreen_tls_security_level=may
>     -o tlsproxy_tls_security_level=may
>     -o smtpd_proxy_filter=nemesis.ipv4:10025
>     -o soft_bounce=no
>     -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6

For the TLS part, it will be much easier to turn TLS on in main.cf, then turn it off on the interfaces where you don't want to offer it with "-o smtpd_tls_security_level=none".

# main.cf
smtpd_tls_security_level = may

For the greeting banners, set them as macros in main.cf and then refer to them by $name in master.cf.

# main.cf
postscreen_greet_v4 = postscreen.v4.mx1 ESMTP greets you
postscreen_greet_v6 = postscreen.v6.mx1 ESMTP greets you

Now tell postscreen which ports to listen on and to enable the banner:

# master.cf
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
    -o postscreen_greet_banner=$postscreen_greet_v4
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
    -o postscreen_greet_banner=$postscreen_greet_v6

Next we tell smtpd to get its connections from postscreen. On your existing "smtp ... smtpd" entries where you want postscreen, change the "smtp inet n" part to "smtp pass -".

This is described in detail in http://www.postfix.org/POSTSCREEN_README.html#config

so your existing entry:

> mx1.ipv4.slagter.name:smtp inet n - n - 2
>     smtpd

would become:

mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

Good luck.

--
Noel Jones
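
The two master.cf problems raised in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Postfix: a small linter that flags an smtpd entry bound as "inet" on an endpoint postscreen already listens on, and postscreen_*/tlsproxy_* overrides placed on an smtpd entry. The sample fragment is constructed from the entries quoted in the thread, and the function names are hypothetical.

```python
# Added example: lint a master.cf fragment for the issues discussed in the reply.
SAMPLE = """\
# constructed master.cf fragment, modelled on the entries quoted in the thread
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v4
mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
  -o smtpd_tls_security_level=may
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v6
mx1.ipv6.slagter.name:smtp pass - - n - 2 smtpd
"""

def parse_master(text):
    """Return service entries; lines starting with whitespace continue an entry."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and services:
            services[-1]["args"] += raw.split()
            continue
        # fields: service type private unpriv chroot wakeup maxproc command [args]
        f = raw.split()
        services.append({"name": f[0], "type": f[1], "cmd": f[7], "args": f[8:]})
    return services

def lint(text):
    """Return (service, message) findings for smtpd entries."""
    services = parse_master(text)
    screened = {s["name"] for s in services
                if s["cmd"] == "postscreen" and s["type"] == "inet"}
    findings = []
    for s in services:
        if s["cmd"] != "smtpd":
            continue
        # Two inet listeners on one endpoint conflict; the reply changes smtpd to "pass".
        if s["name"] in screened and s["type"] == "inet":
            findings.append((s["name"], "also bound as inet by postscreen; change type to pass"))
        # smtpd does not use these parameters; the reply says they belong in main.cf.
        for opt in s["args"]:
            if opt.startswith(("postscreen_", "tlsproxy_")):
                findings.append((s["name"], "move to main.cf: " + opt.split("=")[0]))
    return findings

if __name__ == "__main__":
    for name, msg in lint(SAMPLE):
        print(name + ": " + msg)
```
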