On 21-02-13 19:30, Noel Jones wrote:

> You've shared too much.  By now no one has any idea what you're doing.

I'm just following the "REPORT A PROBLEM" procedure I was kindly pointed at...

> When postscreen decides to pass the connection to smtpd, postscreen
> is no longer involved, and smtpd has no knowledge of what transpired
> between postscreen and a client.

Yes, at this point the smtpd/master has no knowledge of the interface/address; that's exactly the thing I fear.

> At some point you reported:
> > [ .. ]
> >         -o postscreen_tls_security_level=may
> >         -o tlsproxy_tls_security_level=may
>
> both these belong in main.cf, or better, set main.cf:
> "smtpd_security_level = may" and leave these at their defaults.

Tried both, doesn't matter. The thing is that whichever way you set the smtpd options (in main.cf), you cannot override them with postscreen. So if you set the default value suitable for addresses a and b, they must be overridden for addresses c and d, and vice versa. Yes, I have some internal addresses that need to have tls_security=none and yes, that works like a charm without postscreen enabled.

> >         -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
>
> The cache map parameter belongs in main.cf.  Probably a mistake to
> create separate caches.

Nope, the cache map cannot be shared between two smtpd processes (see documentation ;-)). It's not a problem though, because one db holds IPv4 addresses and the other IPv6 addresses.

> For the TLS part, it will be much easier to turn TLS on in main.cf,
> then turn it off on the interfaces where you don't want to offer it
> with "-o smtpd_tls_security_level=none".

All relevant options for TLS are actually set in main.cf. It's only that it's not enabled there; it's enabled on a per-address basis. Which works.

> For the greeting banners, set them as macros in main.cf and then
> refer to them by $name in master.cf

That's a possibility, but it's not necessary and doesn't solve the problem.

> Now tell postscreen which ports to listen on and to enable the banner:
>
> # master.cf
>
> mx1.ipv4.slagter.name:smtp inet  n - n  -  1  postscreen
>    -o postscreen_greet_banner=$postscreen_greet_v4
>
> mx1.ipv6.slagter.name:smtp inet  n - n  -  1  postscreen
>    -o postscreen_greet_banner=$postscreen_greet_v6
>
> Next we tell smtpd to get its connections from postscreen.
> On your existing "smtp ... smtpd" entries where you want postscreen,
> change the "smtp inet n" part to "smtp pass -"
> This is described in detail in
> http://www.postfix.org/POSTSCREEN_README.html#config
>
> so your existing entry:
> mx1.ipv4.slagter.name:smtp      inet    n       -       n       -       2       smtpd
>
> would become:
> mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

I get your drift, but IIRC I already tried this (multiple times, with slight variations) and also reported on the outcome of that: "fatal: address already in use".

Did I already mention I have followed all the steps from the README as closely as possible?
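As an added example, not from this thread and not a Postfix tool: a small Python checker that parses a master.cf and reports the two setup mistakes the discussion above circles around. First, an inet endpoint (address:port) claimed by more than one service, which is what master(8) hits when an old "inet ... smtpd" line is left next to the new postscreen line on the same address, and which bind(2) reports as "Address already in use". Second, a postscreen listener whose hand-off target does not exist: postscreen hands accepted connections to the "pass" service named by smtpd_service_name (default smtpd, per postconf(5)). The sample master.cf is constructed for illustration; the pass service name smtpd-v4 and the per-entry smtpd_service_name override are assumptions, not something the thread recommends.

```python
from collections import defaultdict

# Constructed sample master.cf, modelled on the per-address entries in the
# thread. The IPv6 endpoint deliberately keeps its old "inet ... smtpd" line
# next to the new postscreen line, and its postscreen entry has no pass
# service under the default hand-off name "smtpd".
SAMPLE_MASTER_CF = """\
mx1.ipv4.slagter.name:smtp inet  n  -  n  -  1  postscreen
   -o postscreen_greet_banner=$postscreen_greet_v4
   -o smtpd_service_name=smtpd-v4
smtpd-v4                   pass -  -  n  -  2  smtpd
   -o smtpd_tls_security_level=none
mx1.ipv6.slagter.name:smtp inet  n  -  n  -  1  postscreen
   -o postscreen_greet_banner=$postscreen_greet_v6
mx1.ipv6.slagter.name:smtp inet  n  -  n  -  2  smtpd
tlsproxy                   unix -  -  n  -  0  tlsproxy
dnsblog                    unix -  -  n  -  0  dnsblog
"""


def parse_master_cf(text):
    """Parse master.cf text into a list of entry dicts.

    A line that starts with whitespace continues the previous entry and
    carries its "-o name=value" overrides, as described in master(5).
    """
    entries = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if entries and stripped.startswith("-o"):
                name, _, value = stripped[2:].strip().partition("=")
                entries[-1]["options"][name] = value
            continue
        # service type private unpriv chroot wakeup maxproc command [args]
        fields = stripped.split(None, 7)
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        entries.append({
            "service": fields[0],
            "type": fields[1],
            "command": fields[7].split()[0],
            "options": {},
        })
    return entries


def find_listener_conflicts(entries):
    """Return {endpoint: [commands]} for each inet endpoint claimed more
    than once. master(8) binds each inet endpoint exactly once, so a second
    claim is the 'Address already in use' failure at startup."""
    claims = defaultdict(list)
    for e in entries:
        if e["type"] == "inet":
            claims[e["service"]].append(e["command"])
    return {ep: cmds for ep, cmds in claims.items() if len(cmds) > 1}


def find_missing_handoff(entries):
    """Return (listener, target) for postscreen listeners whose hand-off
    target, the pass service named by smtpd_service_name (default "smtpd"),
    is not defined in master.cf."""
    pass_services = {e["service"] for e in entries if e["type"] == "pass"}
    missing = []
    for e in entries:
        if e["type"] == "inet" and e["command"] == "postscreen":
            target = e["options"].get("smtpd_service_name", "smtpd")
            if target not in pass_services:
                missing.append((e["service"], target))
    return missing


def check(text):
    """Run both checks over a master.cf and return their findings."""
    entries = parse_master_cf(text)
    return find_listener_conflicts(entries), find_missing_handoff(entries)


if __name__ == "__main__":
    conflicts, missing = check(SAMPLE_MASTER_CF)
    for endpoint, cmds in conflicts.items():
        print("conflict: %s is claimed by %s" % (endpoint, ", ".join(cmds)))
    for listener, target in missing:
        print("no pass service %r for postscreen on %s" % (target, listener))
```

On the constructed sample the checker reports the IPv6 endpoint as claimed by both postscreen and smtpd, and the IPv6 postscreen as pointing at a pass service "smtpd" that does not exist; the IPv4 pair passes both checks. To run it against a live system, replace SAMPLE_MASTER_CF with the contents of your own master.cf.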
