/dev/rob0:
> The doubt in my mind about this is for mail truly destined to our 
> hosted domains. It resolves to an Internet (not an internal) IP 
> address which is in the MX instance's proxy_interfaces setting. We're 
> in a DC and behind NAT, with that Internet IP address being NATed to 
> this host.
> 
> They don't have "hairpin NAT" set up, whereby if I try to connect to 
> this NATed IP address it would go to the router and come back to me. 
> I'm fine with that, actually; while that would solve the instant 
> problem, it could be bad in other ways.

An MTA should never connect to its own MTA address and port.
That is what proxy_interfaces and inet_interfaces are for.
When Postfix is properly configured it will understand that
[my.ip.address] is the MTA itself.

Postfix requires that a NAT performs the following translations:

- With inbound traffic, translate the public MTA destination IP
  address into the private MTA destination IP address.

- With outbound traffic, translate the private MTA source IP address
  into the public MTA source IP address.

No other translations. In particular, no translations of the remote
MTA IP address or port.

In addition, proxy_interfaces needs to specify the external MTA IP
address.

        Wietse
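
Added example, not part of the message above and not Postfix code: a small Python check that parses a main.cf and reports any public MX address that appears in neither inet_interfaces nor proxy_interfaces as a literal IP, which is the setting the reply says must name the external MTA address. The sample configuration and the addresses 192.0.2.25 and 10.0.0.25 are constructed; symbolic values such as `all` and hostnames are not resolved.

```python
import ipaddress

# Constructed main.cf for an MX host behind NAT. 192.0.2.25 (public) and
# 10.0.0.25 (private) are example addresses, not taken from the thread.
SAMPLE_MAIN_CF = """\
# listener binds the private address only
inet_interfaces = 10.0.0.25,
    127.0.0.1
proxy_interfaces = 192.0.2.25
"""

def parse_main_cf(text):
    """Return {name: value}; handles comments, continuation lines, overrides."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                             # blank or comment line
        if raw[0].isspace() and current:         # continuation of previous line
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (s.strip() for s in raw.split("=", 1))
            params[current] = value              # a later definition wins
    return params

def own_addresses(params):
    """Literal IPs listed in inet_interfaces and proxy_interfaces."""
    own = set()
    for name in ("inet_interfaces", "proxy_interfaces"):
        for tok in params.get(name, "").replace(",", " ").split():
            try:
                own.add(ipaddress.ip_address(tok.strip("[]")))
            except ValueError:
                pass  # "all", "loopback-only", hostnames: not resolved here
    return own

def audit(main_cf_text, public_mx_ips):
    """Return the public MX addresses the config does not list as its own."""
    own = own_addresses(parse_main_cf(main_cf_text))
    return [ip for ip in public_mx_ips if ipaddress.ip_address(ip) not in own]

if __name__ == "__main__":
    missing = audit(SAMPLE_MAIN_CF, ["192.0.2.25"])
    print("missing from proxy_interfaces:", missing or "none")
```
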
