Re: Specify VPN for postfix

2017-08-02 Thread Abi Askushi
Say you have postfix sending outbound email on eth0 interface and TCP port
25, then you would have:

iptables -t nat -A OUTPUT -p tcp -m tcp --dport 25 -j REDIRECT --to-ports
 

You need to change the above to fit your specific network.


On Wed, Aug 2, 2017 at 3:10 PM, Yubin Ruan  wrote:

> 2017-08-02 2:39 GMT+08:00 Abi Askushi :
> > Since this is socks proxy and not vpn you could redirect postfix traffic
> > with iptables to the port your socks proxy listens. Plenty examples on
> > google.
>
> Please offer a simple iptable examples, if you may. Probably I was
> stuck by some asymmetric routing problems after setting up an incorrect
> iptable rule.
>
> Yubin
>
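
The redirect discussed in this message, narrowed to Postfix's own outbound SMTP, as an added example that is not part of any poster's message. It assumes the listener on the target port is a transparent redirector (for shadowsocks, `ss-redir` rather than the SOCKS listener), since REDIRECT delivers the raw TCP stream, not a SOCKS handshake. The user `ssproxy`, port `12345` and chain name `POSTFIX_PROXY` are placeholders.

```shell
#!/bin/sh
# Added example: prints (does not apply) nat rules that redirect only the
# Postfix SMTP client's outbound port-25 connections to a local listener.
# The user names, port and chain name used below are assumptions.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules MAIL_USER PROXY_USER REDIR_PORT
build_rules() {
    mail_user=$1; proxy_user=$2; redir_port=$3
    valid_port "$redir_port" || {
        echo "invalid port: $redir_port" >&2; return 1; }
    # If the proxy ran as the mail user, any port-25 connection it makes
    # itself would match the owner rule and be redirected back into it.
    [ "$mail_user" != "$proxy_user" ] || {
        echo "proxy must not run as $mail_user" >&2; return 1; }
    chain=POSTFIX_PROXY
    cat <<EOF
iptables -t nat -N $chain
iptables -t nat -A $chain -d 127.0.0.0/8 -j RETURN
iptables -t nat -A $chain -p tcp -j REDIRECT --to-ports $redir_port
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner $mail_user -j $chain
EOF
}

# Constructed sample values: review the output, then run it as root.
build_rules postfix ssproxy 12345
```

The owner match keeps every other local program on its normal route, and the loopback exemption leaves local deliveries to 127.0.0.0/8 untouched.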


Re: Specify VPN for postfix

2017-08-02 Thread Yubin Ruan
2017-08-02 15:28 GMT+08:00 Tobi :
> On 01.08.2017 at 20:39, Abi Askushi wrote:
>> Since this is socks proxy and not vpn you could redirect postfix traffic
>> with iptables to the port your socks proxy listens. Plenty examples on
>> google.
>
> if you redirect the full postfix traffic you might end up in asymmetric
> routing.
>
> Most important question: does this postfix accept connections/mails from
> the outside world? If it does: which path these connections come to
> postfix? Via VPN/Socks or directly?

I only use postfix for delivering mail, not receiving anything from
the outside world. So all the connection to postfix come from local
programs (on my own laptop).

> If **ALL** connections to this postfix come via VPN/Socks simple
> iptables rules as suggested by Abi will work.
>
> Otherwise it gets more complex and the OP needs a routing based on the
> source of the packets. The goal is to bring answers from postfix to the
> exact same path as the query from outside came in (means correct
> interface and gateway). And that can only be achieved by policy based
> routing.

A workable example will be really appreciated.

Yubin


Re: Specify VPN for postfix

2017-08-02 Thread Yubin Ruan
2017-08-02 2:39 GMT+08:00 Abi Askushi :
> Since this is socks proxy and not vpn you could redirect postfix traffic
> with iptables to the port your socks proxy listens. Plenty examples on
> google.

Please offer a simple iptable examples, if you may. Probably I was
stuck by some asymmetric routing problems after setting up an incorrect
iptable rule.

Yubin


Re: Specify VPN for postfix

2017-08-02 Thread Tobi
On 01.08.2017 at 20:39, Abi Askushi wrote:
> Since this is socks proxy and not vpn you could redirect postfix traffic
> with iptables to the port your socks proxy listens. Plenty examples on
> google.

if you redirect the full postfix traffic you might end up in asymmetric
routing.

Most important question: does this postfix accept connections/mails from
the outside world? If it does: which path these connections come to
postfix? Via VPN/Socks or directly?
If **ALL** connections to this postfix come via VPN/Socks simple
iptables rules as suggested by Abi will work.

Otherwise it gets more complex and the OP needs a routing based on the
source of the packets. The goal is to bring answers from postfix to the
exact same path as the query from outside came in (means correct
interface and gateway). And that can only be achieved by policy based
routing.


Re: Specify VPN for postfix

2017-08-01 Thread Abi Askushi
Since this is socks proxy and not vpn you could redirect postfix traffic
with iptables to the port your socks proxy listens. Plenty examples on
google.

On Aug 1, 2017 19:23, "Yubin Ruan"  wrote:

> 2017-08-01 22:54 GMT+08:00 Tom Hendrikx :
> >
> >
> > On 01-08-17 16:46, Wietse Venema wrote:
> >> Yubin Ruan:
> >>> Can anyone tell me how to point postfix to a VPN connection? I have
> >>> setup a VPN listening at background on my Ubuntu and I want to point
> >>> postfix to that listening port whenever postfix try to connect to the
> >>> internet.
> >>
> >> Wietse:
> >>> You specify
> >>> /etc/postfix/main.cf:
> >>>   relayhost = smtp:[host on other side of tunnel]
> >>
> >> Gary Sellani:
> >>> Could the host be something like 10.8.0.0/24?
> >>
> >> I wrote 'host' not 'network block'.
> >>
> >> Consider the network as a collection of layers. An example applicable
> >> to Postfix looks like: physical layer (ethernet), network layer
> >> (IP), transport layer (TCP), and application layer (SMTP). In this
> >> architecture, an SMTP destination is a domain or host, where the
> >> host may be specified as an IP address. It's not an IP address block
> >> nor is it an ethernet broadcast domain.
> >>
> >>   Wietse
> >>
> >
> > Maybe you (the OP) should clarify what you mean with 'connect to the
> > internet'. Does this mean accepting email from hosts 'on the internet',
> > does it mean sending email to random hosts 'on the internet', or does it
> > mean something else? Explain in laymen terms what you're trying to do,
> > your question is too vague.
>
> I have a shadowsocks client listening at 127.0.0.1:, and I want to
> point postfix to that specified port when it try to connect to
> internet. Put it in another words, I would like to make that address
> (i.e., 127.0.0.1:) something like default gateway so that all my
> network traffic go through it.
>
> Thanks,
> Yubin
>


Re: Specify VPN for postfix

2017-08-01 Thread Gary Sellani

You don't know local IP except that it will be in that block (cidr). In 
practice, my first VPN instance will use 10.8.0.6. I don't recall what is used 
when I run two VPNs. 

But I get your point.

  Original Message  
From: wie...@porcupine.org
Sent: August 1, 2017 7:46 AM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Specify VPN for postfix

Yubin Ruan:
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

Wietse:
> You specify 
> /etc/postfix/main.cf:
>   relayhost = smtp:[host on other side of tunnel]

Gary Sellani:
> Could the host be something like 10.8.0.0/24? 

I wrote 'host' not 'network block'.

Consider the network as a collection of layers. An example applicable
to Postfix looks like: physical layer (ethernet), network layer
(IP), transport layer (TCP), and application layer (SMTP). In this
architecture, an SMTP destination is a domain or host, where the
host may be specified as an IP address. It's not an IP address block
nor is it an ethernet broadcast domain.

Wietse


Re: Specify VPN for postfix

2017-08-01 Thread Yubin Ruan
2017-08-02 0:21 GMT+08:00 Yubin Ruan :
> 2017-08-01 22:54 GMT+08:00 Tom Hendrikx :
>>
>>
>> On 01-08-17 16:46, Wietse Venema wrote:
>>> Yubin Ruan:
>>>> Can anyone tell me how to point postfix to a VPN connection? I have
>>>> setup a VPN listening at background on my Ubuntu and I want to point
>>>> postfix to that listening port whenever postfix try to connect to the
>>>> internet.
>>>
>>> Wietse:
>>>> You specify
>>>> /etc/postfix/main.cf:
>>>>   relayhost = smtp:[host on other side of tunnel]
>>>
>>> Gary Sellani:
>>>> Could the host be something like 10.8.0.0/24?
>>>
>>> I wrote 'host' not 'network block'.
>>>
>>> Consider the network as a collection of layers. An example applicable
>>> to Postfix looks like: physical layer (ethernet), network layer
>>> (IP), transport layer (TCP), and application layer (SMTP). In this
>>> architecture, an SMTP destination is a domain or host, where the
>>> host may be specified as an IP address. It's not an IP address block
>>> nor is it an ethernet broadcast domain.
>>>
>>>   Wietse
>>>
>>
>> Maybe you (the OP) should clarify what you mean with 'connect to the
>> internet'. Does this mean accepting email from hosts 'on the internet',
>> does it mean sending email to random hosts 'on the internet', or does it
>> mean something else? Explain in laymen terms what you're trying to do,
>> your question is too vague.
>
> I have a shadowsocks client listening at 127.0.0.1:, and I want to
> point postfix to that specified port when it try to connect to
> internet. Put it in another words, I would like to make that address
> (i.e., 127.0.0.1:) something like default gateway so that all my
> network traffic go through it.

Currently I can set up a proxy in the browser (i.e., pointing the
browser to that address (127.0.0.1:)) so that I got a VPN kind of
thing. And now I want to set it up for postfix, and if possible, for
every program in the system.

Thanks,
Yubin


Re: Specify VPN for postfix

2017-08-01 Thread Yubin Ruan
2017-08-01 22:54 GMT+08:00 Tom Hendrikx :
>
>
> On 01-08-17 16:46, Wietse Venema wrote:
>> Yubin Ruan:
>>> Can anyone tell me how to point postfix to a VPN connection? I have
>>> setup a VPN listening at background on my Ubuntu and I want to point
>>> postfix to that listening port whenever postfix try to connect to the
>>> internet.
>>
>> Wietse:
>>> You specify
>>> /etc/postfix/main.cf:
>>>   relayhost = smtp:[host on other side of tunnel]
>>
>> Gary Sellani:
>>> Could the host be something like 10.8.0.0/24?
>>
>> I wrote 'host' not 'network block'.
>>
>> Consider the network as a collection of layers. An example applicable
>> to Postfix looks like: physical layer (ethernet), network layer
>> (IP), transport layer (TCP), and application layer (SMTP). In this
>> architecture, an SMTP destination is a domain or host, where the
>> host may be specified as an IP address. It's not an IP address block
>> nor is it an ethernet broadcast domain.
>>
>>   Wietse
>>
>
> Maybe you (the OP) should clarify what you mean with 'connect to the
> internet'. Does this mean accepting email from hosts 'on the internet',
> does it mean sending email to random hosts 'on the internet', or does it
> mean something else? Explain in laymen terms what you're trying to do,
> your question is too vague.

I have a shadowsocks client listening at 127.0.0.1:, and I want to
point postfix to that specified port when it try to connect to
internet. Put it in another words, I would like to make that address
(i.e., 127.0.0.1:) something like default gateway so that all my
network traffic go through it.

Thanks,
Yubin


Re: Specify VPN for postfix

2017-08-01 Thread Benny Pedersen

Gary Sellani wrote on 2017-08-01 14:31:

Could the host be something like 10.8.0.0/24?


make a hostname with multiple A//MX

to do this one could simply add ip-addr to /etc/hosts with the hostname 
wanted for the lan of rfc1918 ips


then change relayhost to

relayhost = smtp::25

postfix will then use name-in-etc-hosts as a dns mx record


relayhost = smtp:[host on other side of tunnel]


with [] around hostname mx round robin is disabled

this is ok and desired for single ip hostname

# cat /etc/hosts
10.0.0.2 in.localdomain in
10.0.0.3 in.localdomain in

or simply use split dnsview on public dns

better docs here:

https://en.wikipedia.org/wiki/Split-horizon_DNS


Re: Specify VPN for postfix

2017-08-01 Thread Tom Hendrikx


On 01-08-17 16:46, Wietse Venema wrote:
> Yubin Ruan:
>> Can anyone tell me how to point postfix to a VPN connection? I have
>> setup a VPN listening at background on my Ubuntu and I want to point
>> postfix to that listening port whenever postfix try to connect to the
>> internet.
> 
> Wietse:
>> You specify 
>> /etc/postfix/main.cf:
>>   relayhost = smtp:[host on other side of tunnel]
>  
> Gary Sellani:
>> Could the host be something like 10.8.0.0/24? 
> 
> I wrote 'host' not 'network block'.
> 
> Consider the network as a collection of layers. An example applicable
> to Postfix looks like: physical layer (ethernet), network layer
> (IP), transport layer (TCP), and application layer (SMTP). In this
> architecture, an SMTP destination is a domain or host, where the
> host may be specified as an IP address. It's not an IP address block
> nor is it an ethernet broadcast domain.
> 
>   Wietse
> 

Maybe you (the OP) should clarify what you mean with 'connect to the
internet'. Does this mean accepting email from hosts 'on the internet',
does it mean sending email to random hosts 'on the internet', or does it
mean something else? Explain in laymen terms what you're trying to do,
your question is too vague.

Tom


Re: Specify VPN for postfix

2017-08-01 Thread Wietse Venema
Yubin Ruan:
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

Wietse:
> You specify 
> /etc/postfix/main.cf:
>   relayhost = smtp:[host on other side of tunnel]
 
Gary Sellani:
> Could the host be something like 10.8.0.0/24? 

I wrote 'host' not 'network block'.

Consider the network as a collection of layers. An example applicable
to Postfix looks like: physical layer (ethernet), network layer
(IP), transport layer (TCP), and application layer (SMTP). In this
architecture, an SMTP destination is a domain or host, where the
host may be specified as an IP address. It's not an IP address block
nor is it an ethernet broadcast domain.

Wietse


Re: Specify VPN for postfix

2017-08-01 Thread Gary Sellani

Could the host be something like 10.8.0.0/24? 

  Original Message  
From: wie...@porcupine.org
Sent: August 1, 2017 4:01 AM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Specify VPN for postfix

Yubin Ruan:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

You specify 

/etc/postfix/main.cf:
   relayhost = smtp:[host on other side of tunnel]

Wietse


Re: Specify VPN for postfix

2017-08-01 Thread Wietse Venema
Yubin Ruan:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

You specify 

/etc/postfix/main.cf:
   relayhost = smtp:[host on other side of tunnel]

Wietse


Re: Specify VPN for postfix

2017-08-01 Thread Tobi
Easiest case if the default route for the postfix server points to the vpn 
tunnel.

If def gw does not point to vpn then you could use nat rules on vpn server to 
replace the src address with the vpn servers vpn address. 

If NAT is not an option then you will have to setup a policy based routing aka 
source based routing on postfix server to ensure answers from postfix go back 
via the same gateway they came in.

Cheers

tobi

- Original Message -
From: Yubin Ruan 
Sent: 01.08.2017 - 06:07
To: postfix-users@postfix.org
Subject: Specify VPN for postfix

> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
> 
> Thanks,
> Yubin



Re: Specify VPN for postfix

2017-08-01 Thread wilfried.es...@essignetz.de
On 01.08.2017 at 06:07, Yubin Ruan wrote:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.


Hi,

read description of parameter "inet_interfaces"
(http://www.postfix.org/postconf.5.html#inet_interfaces). That should
help you finding the best way for you.

Willi


Re: Specify VPN for postfix

2017-07-31 Thread li...@lazygranch.com
Take a look at your header file when using the VPN to email yourself. I
think what you want happens automatically. 

Received: from [10.8.0.6] (unknown [MYIPADDRESS])

10.8.0.6 is the local IP space created by my VPN. But my IP address
also shows up, so hopefully a guru will chime in as to how this all
works.

One thing to consider is that you may run into an internet provider
(probably public wifi) that blocks the use of a VPN. Somewhat common
with IPSEC. Perhaps less with openvpn. So you wouldn't want to make the
VPN be a mandatory requirement.




On Tue, 1 Aug 2017 12:07:26 +0800
Yubin Ruan  wrote:

> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
> 
> Thanks,
> Yubin



Specify VPN for postfix

2017-07-31 Thread Yubin Ruan
Hi,
Can anyone tell me how to point postfix to a VPN connection? I have
setup a VPN listening at background on my Ubuntu and I want to point
postfix to that listening port whenever postfix try to connect to the
internet.

Thanks,
Yubin