Problem with smtp client bind address
Good Day,

I'm trying to bring up a new machine that serves several purposes and have run into a potentially Very Big Problem.

The machine has two physical interfaces, one LAN-facing and one Internet-facing. So, naturally, I have something like:

Let's say 10.1.1.0 is the Internet-facing network and 192.168.1.0 is inside.

    inet_interfaces = 10.1.1.4, 192.168.1.1

The machine has its real interface and additional virtual (or alias) interfaces on the outside:

    10.1.1.2  hostname.example.com
    10.1.1.3  ns1.example.com   # alias/virtual
    10.1.1.4  mx1.example.com   # alias/virtual

and so on.

The problem is: On outgoing connections to The World, via the 10.1.1... interface, SMTP clients, instead of binding to 10.1.1.4, are binding to 10.1.1.2, rather than 10.1.1.4.

I can't use smtp_bind_address, because the server also delivers email to an internal server on the 192.168.1.0 network.

So, do I either have to swap the addresses of hostname and mx1 (which would be kind of lame, IMO) or do away with mx1 entirely, and let hostname be the MX?

ISTM Postfix' SMTP clients should choose from the interfaces listed in inet_interfaces or smtp_bind_address should be smtp_bind_addresses, and it should choose from them.

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.LinxNet.com/contact/scform.php.
Re: Problem with smtp client bind address
James Seymour:
> Good Day,
>
> I'm trying to bring up a new machine that serves several purposes and have run into a potentially Very Big Problem.
>
> The machine has two physical interfaces, one LAN-facing and one Internet-facing. So, naturally, I have something like:
>
> Let's say 10.1.1.0 is the Internet-facing network and 192.168.1.0 is inside.
>
>     inet_interfaces = 10.1.1.4, 192.168.1.1
>
> The machine has its real interface and additional virtual (or alias) interfaces on the outside:
>
>     10.1.1.2  hostname.example.com
>     10.1.1.3  ns1.example.com   # alias/virtual
>     10.1.1.4  mx1.example.com   # alias/virtual
>
> and so on.
>
> The problem is: On outgoing connections to The World, via the 10.1.1... interface, SMTP clients, instead of binding to 10.1.1.4, are binding to 10.1.1.2, rather than 10.1.1.4.

I suggest that you use different smtp_bind_address settings in master.cf for the (default) smtp transport and for the (inbound) relay transport.

I don't think it is practical for Postfix to grope kernel routing tables in order to choose the client IP address. There is no standard API for doing such things.

Wietse
Re: Problem with smtp client bind address
On Thu, 1 Dec 2011 16:27:07 -0500 (EST) Wietse Venema wie...@porcupine.org wrote:

[snip]
> I suggest that you use different smtp_bind_address settings in master.cf for the (default) smtp transport and for the (inbound) relay transport.

This server is, amongst other things, a mail gateway. It accepts incoming on both interfaces, and sends on both.

> I don't think it is practical for Postfix to grope kernel routing tables in order to choose the client IP address. There is no standard API for doing such things.

Very well. Then either mx1 has to go away, and the machine's real hostname used, or I have to swap hostname's and mx1's addresses, or make mx1's address the real address.

I don't like any of those solutions, but it would appear I've no choice.

Thanks for the follow-up, Wietse.

Regards,
Jim
Re: Problem with smtp client bind address
James Seymour:
> On Thu, 1 Dec 2011 16:27:07 -0500 (EST) Wietse Venema wie...@porcupine.org wrote:
>
> [snip]
> > I suggest that you use different smtp_bind_address settings in master.cf for the (default) smtp transport and for the (inbound) relay transport.
>
> This server is, amongst other things, a mail gateway. It accepts incoming on both interfaces, and sends on both.

It sends outbound mail on both interfaces? It sends inbound mail on both interfaces?

I would expect that inbound and outbound use different interfaces, therefore you can use different delivery agents.

For the default smtp transport, use

    -o smtp_bind_address=external-address

Use a transport map to force inbound mail to use the relay transport, and that one will automagically use the right source IP address because there is only one to choose from.

Wietse
Re: Problem with smtp client bind address
On Thu, 1 Dec 2011 16:46:00 -0500 (EST) Wietse Venema wie...@porcupine.org wrote:

> James Seymour:
> > On Thu, 1 Dec 2011 16:27:07 -0500 (EST) Wietse Venema wie...@porcupine.org wrote:
> >
> > [snip]
> > > I suggest that you use different smtp_bind_address settings in master.cf for the (default) smtp transport and for the (inbound) relay transport.
> >
> > This server is, amongst other things, a mail gateway. It accepts incoming on both interfaces, and sends on both.
>
> It sends outbound mail on both interfaces? It sends inbound mail on both interfaces?

Bah! No. Incoming goes out the inside interface and outgoing out the outside interface :p. Sorry, I was in serious burnout mode after having been hacking on the new box since about 07:30.

> I would expect that inbound and outbound use different interfaces, therefore you can use different delivery agents.

And right you'd be.

> For the default smtp transport, use
>
>     -o smtp_bind_address=external-address
>
> Use a transport map to force inbound mail to use the relay transport, and that one will automagically use the right source IP address because there is only one to choose from.

Done! Worked like a charm, Wietse. Thanks *very* much for your help.

I'd already had all the transport entries. (Holdover from when our mail routing was significantly more complicated.) I simply had to replace the smtp:s with relay:s, in addition to the master.cf change, and it was done.

Great :)

Regards,
Jim
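
The arrangement this thread arrives at, written out as an added configuration sketch; it is not taken from either poster's files. The addresses are the ones used in the thread, while the internal domain internal.example.com, the next hop 192.168.1.10 and the path /etc/postfix/transport are assumptions made for illustration.

```conf
# ---- /etc/postfix/main.cf (excerpt) ----
# Listening addresses, as given in the original post.
inet_interfaces = 10.1.1.4, 192.168.1.1
# Lookup table that selects a delivery transport per destination.
# The file path is an assumption.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/master.cf (excerpt) ----
# Default "smtp" transport: mail leaving for the Internet.
# Pin the client source address to the mx1 alias, so the kernel does
# not fall back to the interface's primary address (10.1.1.2).
smtp      unix  -       -       n       -       -       smtp
  -o smtp_bind_address=10.1.1.4

# "relay" transport: same smtp(8) client program, but no bind override.
# The kernel picks the source address from the route to 192.168.1.0,
# and on that side there is only one address to choose from.
relay     unix  -       -       n       -       -       smtp

# ---- /etc/postfix/transport ----
# Send inbound mail for the internal domain through "relay" rather than
# "smtp". Domain and next-hop address are constructed placeholders;
# the brackets suppress the MX lookup for the next hop.
internal.example.com    relay:[192.168.1.10]

# ---- after editing ----
#   postmap /etc/postfix/transport
#   postfix reload
```

Because the bind override sits only on the smtp service in master.cf, not in main.cf, it cannot leak into the relay transport and break delivery to the inside network.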