Thank you, Matthias, for your opinion.
Ironically, the proxy part in this whole story is not only the simple
part that I fully understand, but also the part that's very easily
testable with my current knowledge and understanding of networking. It's
easy to look into the IP addresses of incoming connections and
cross-check them with the senders. It's easy to see whether a PROXY
protocol with HAProxy works. I'm looking into that setup as we speak.
All that is easy. I'm actually surprised you're using that part as
argument to why I should shutdown my server.
Thanks to the wonderful people in this email list, now I understand my
mistake with that regard. I learned a lot.
If I were you, I'd focus on my lack of understanding of the email
protocol. Now that, is a part that I still cannot fully understand,
embarrassingly so. I still don't know what ehlo means, except that it's
the first message. I don't know why it matters what address we put after
it. That does make me look like an idiot, doesn't it? :-)
I fully understand your opinion and why you'd want me to shutdown my
server. But if I were you, I'd try to encourage people to learn more or
explain more to them. This whole incident reminds me of people who fall
for scams and pay scammers money. They can be ashamed of it and never
talk about it, or try to learn how to not fall for it again. Just my
humble opinion.
Cheers,
Sam
On 21/12/2022 10:21 PM, Matthias Andree wrote:
Am 21.12.22 um 09:45 schrieb Samer Afach:
Thank you for these hints, Benny. I wanna point out that I'm, in no
way, an expert in any of this, and my configuration is based on online
research and some copy/paste.
Then with all due respect, please shut down your mail server and do not
start it again until you have fully understood what your services are
doing, and need to do instead in order to be operated securely. We don't
need more public accidents.
Postfix has ways to let application-level proxies convey actual client
IP (XCLIENT). You will want those in the logs, and not your proxy's IP
address. Sooner or later you will find it necessary to at least
temporarily block offending subnets.
If your proxy can't do that, or you don't know how, or you don't know
how to do that with containers, perhaps use postscreen instead and run
your Postfix on a bridged networked container of VM instead.
I do not believe you (personally - no offense, but after your statement
above) are currently fit for setting up and operating such a complex
setup as you are using with several proxy and NAT layers and all that.
Containers may seem like a good idea, but if they dispose of crucial
information such as the client address, then revise your setup
THOROUGHLY.
Sorry to be blunt without asking, but we've all had our shares of eating
unsolicited e-mail.
Thank you.
