Re: setting up postscreen on a system with multiple external interfaces

Fri, 22 Feb 2013 02:05:10 -0800 

On 21-02-13 20:07, Viktor Dukhovni wrote:

> [ ... ] (lot of patronising text removed)


4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
    to hand the connection to. The postscreen(8) manual page refers you to

        http://www.postfix.org/postconf.5.html#smtpd_service_name

    which must specify the service name of a "pass" entry in master.cf,
    you need one of these for each distinct postscreen instance.


And THAT is exactly the clue I was looking for! It works!
The only thing that would have to be in the README file is the need to use "smtpd service names" in case of multiple smtp listeners, point to http://www.postfix.org/postconf.5.html#smtpd_service_name and then add a bit of really helpful text to the current one:
"The internal service that postscreen(8) hands off allowed connections to. In a future version there may be different classes of SMTP service."
If you google for this command, you'll get references to either this text or this thread :-(
So for other people seeking to do the same, this does the trick, it's also simple once you know, the "service" parameter of a "pass" service is not an address:portno combo but an identifier: 

#
# outside -> inside
# postfix(25) -> amavis(10025)
#

mx1.ipv4.slagter.name:smtp  inet    n   -   n   -   1   postscreen
    -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
-o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv4-25 
    -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv4-25
    -o postscreen_tls_security_level=none
    -o smtpd_service_name=mx1_ipv4

mx1_ipv4            pass    -   -   n   -   -   smtpd
    -o myhostname=mx1.slagter.name
    -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
    -o smtpd_tls_security_level=may
    -o smtpd_proxy_filter=nemesis.ipv4:10025 # amavis

mx1.ipv6.slagter.name:smtp  inet    n   -   n   -   1   postscreen
    -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
-o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv6-25 
    -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv6-25
    -o postscreen_tls_security_level=none
    -o smtpd_service_name=mx1_ipv6

mx1_ipv6            pass    -   -   n   -   -   smtpd
    -o myhostname=mx1.slagter.name
    -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
    -o smtpd_tls_security_level=may
    -o smtpd_proxy_filter=nemesis.ipv4:10025 # amavis

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to