On Wed, Jul 11, 2018 at 09:12:40PM -0400, Wietse Venema wrote:

> Steve Atkins:
> > I suspect the answer to this is going to be "Well, don't do
> > that then." but I may as well ask...
> >
> > I have a VM that's running two services. One of them is a vanilla
> > postfix smarthost - it accepts mail on port 587 and relays it out
> > to the world.
> >
> > The other is an unrelated smtp server that listens for inbound
> > email on port 25. They use unrelated domains and hostnames, but are
> > both on the same IP address.
>
> You can't do that with Postfix. Specifically, the inet_interfaces
> settings must be non-overlapping.

Yes, but that can actually be accomplished in this case. To make this work:

1. Configure a different value for "myhostname" in the submission
   instance, for example:

    submission:
        myhostname = smtp.example.com

    inbound-mx:
        myhostname = mx01.example.com

2. Assign the system's non-loopback interfaces to the port 25 MX host:

        # All the non-loopback IPv4/IPv6 addresses on which the instance is listening
        inet_interfaces = 192.0.2.1
        # Plus any NAT addresses externally mapped to the above
        proxy_interfaces =

   consequently this instance will have a non-wildcard TCP binding,
   and will not serve the loopback address. That should be fine.

3. Assign just the loopback address to the submission service

        inet_interfaces = loopback-only

   which means that all "inet" services in master.cf will *default*
   to listen only on the loopback address, but you can "steal" some
   ports from the public IPs, provided they're not used by the
   inbound MX service.

    master.cf:
        192.0.2.1:587 inet n - n - - smtpd
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_tls_security_level=encrypt
          -o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem
          -o smtpd_client_restrictions=
          -o smtpd_helo_restrictions=
          -o smtpd_sender_restrictions=
          -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
          -o smtpd_recipient_restrictions=
          -o smtpd_data_restrictions=
          -o smtpd_end_of_data_restrictions=

4. Optional safety net. Configure the inbound MX to also listen on
   an additional loopback port:

    master.cf:
        127.0.0.1:26 inet n - n - - smtpd

   then configure the *MSA* to relay email to known local domains
   to this service, avoiding loop detection by using a non-default
   port:

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        transport_maps = ${indexed}transport

    transport:
        # Route my own domains to the inbound MX for delivery
        example.com     relay:[127.0.0.1]:26

--
Viktor.
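
A checker for the non-overlap rule discussed in this thread, added here as an example; it is not part of the original message and not Postfix code. The function names and the sample master.cf fragments are constructed, and it assumes "loopback-only" covers both 127.0.0.1 and ::1 and that a wildcard bind collides with any specific address on the same port.

```python
import re

# Well-known service names that master.cf may use instead of a port number.
PORTS = {"smtp": 25, "smtps": 465, "submission": 587}

def interface_addrs(inet_interfaces):
    """Expand an inet_interfaces value; '*' stands for a wildcard bind."""
    value = inet_interfaces.strip()
    if value == "all":
        return {"*"}
    if value == "loopback-only":  # assumes IPv4 and IPv6 are both enabled
        return {"127.0.0.1", "::1"}
    return set(re.split(r"[,\s]+", value))

def listeners(inet_interfaces, master_cf):
    """Return the (address, port) pairs one instance binds."""
    bound = set()
    for line in master_cf.splitlines():
        fields = line.split()
        # Skip blanks, comments, indented "-o" lines and non-inet services.
        if len(fields) < 2 or line[0] in "# \t" or fields[1] != "inet":
            continue
        host, _, port = fields[0].rpartition(":")
        port = PORTS.get(port) or int(port)
        # A bare service name inherits the addresses from inet_interfaces.
        addrs = {host.strip("[]")} if host else interface_addrs(inet_interfaces)
        bound |= {(addr, port) for addr in addrs}
    return bound

def conflicts(a, b):
    """Listener pairs that cannot both bind: same port, same or wildcard address."""
    return sorted((x, y) for x in a for y in b
                  if x[1] == y[1] and (x[0] == y[0] or "*" in (x[0], y[0])))

# Constructed sample master.cf fragments modelled on the layout in the message.
MX_MASTER = """\
smtp          inet  n  -  n  -  -  smtpd
127.0.0.1:26  inet  n  -  n  -  -  smtpd
"""
MSA_MASTER = """\
smtp           inet  n  -  n  -  -  smtpd
192.0.2.1:587  inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
"""

if __name__ == "__main__":
    msa = listeners("loopback-only", MSA_MASTER)
    print(conflicts(listeners("192.0.2.1", MX_MASTER), msa))  # explicit address
    print(conflicts(listeners("all", MX_MASTER), msa))        # wildcard MX
```

With the MX instance left at inet_interfaces = all, its port 25 wildcard bind collides with the submission instance's loopback port 25, which is why step 2 pins the MX to an explicit address.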