Backup mx on cable


Backup mx on cable

Fred Zinsli
Hello all

Not clued up on postfix at all so thought I would ask here.

I have primary and secondary MX servers, but my secondary server is on
cable. My primary server is on the backbone.

How can I configure my primary server to accept connections/mail from the
secondary server but still refuse connections/mail from all other cable
connections.

My secondary (backup) server is nothing more than that. It hosts nothing
else.

Postfix 2.7.1

Regards

Fred


Re: Backup mx on cable

Wietse Venema
Fred Zinsli:

> Hello all
>
> Not clued up on postfix at all so thought I would ask here.
>
> I have primary and secondary MX servers, but my secondary server is on
> cable. My primary server is on the backbone.
>
> How can I configure my primary server to accept connections/mail from the
> secondary server but still refuse connections/mail from all other cable
> connections.

Secondary MX servers are often a problem because they accept SPAM
that your primary wants to reject. The problem is that the secondary
then returns the rejected SPAM to innocent people who didn't send it.

Assuming the following primary configuration to reject mail from
residential clients:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        # The following service is free for small sites.
        reject_rbl_client zen.spamhaus.org

This is how the primary would make an exception for the secondary:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        # Whitelist the secondary.
        check_client_access hash:/etc/postfix/client_access
        # The following service is free for small sites.
        reject_rbl_client zen.spamhaus.org

/etc/postfix/client_access:
    # Secondary IP address here.
    1.2.3.4 OK

Don't forget to execute "postmap /etc/postfix/client_access" whenever
the file is updated.

For background see http://www.postfix.org/SMTPD_ACCESS_README.html
and links from that page.

        Wietse

Re: Backup mx on cable

Stan Hoeppner
In reply to this post by Fred Zinsli
On 7/7/2013 4:29 PM, Fred Zinsli wrote:

> I have primary and secondary MX servers, but my secondary server is on
> cable. My primary server is on the backbone.
>
> How can I configure my primary server to accept connections/mail from the
> secondary server but still refuse connections/mail from all other cable
> connections.

You've said "cable" twice now, plus once in the subject.  Postfix
doesn't know what "cable" is.  "We" don't know what "cable" is.  Do you
actually mean to say "dynamic IP address" here?  Likewise, when you say
"backbone" do you simply mean "static IP address"?

This is a technical mailing list.  We can't help you if you don't
provide technically accurate information.  If the backup MX indeed has a
dynamic IP address then Wietse's suggestion obviously won't work for you
and a different solution is needed.

--
Stan


Re: Backup mx on cable

Fred Zinsli
Thank you for clarifying my technical ineptitude. But I thought it would
have been obvious that I had limited technical knowledge by the content of
my message. And rather than flame me, you may have been a little more
constructive.

As far as I can make out, postfix can tell the nature of a connection via
the PTR (rDNS) record information, although this can be modified on
request. It is that information I was alluding to, as postfix does use that
information within the relaying_stoplist to prevent just that.

So given my secondary (backup) MX server is on one of those types of
connection, how do I allow it to connect to my primary server when it
returns to service given I have not modified the relaying_stoplist file?

Now whilst I may have used some incorrect terms, think about my puny
little brain, and how technically inept you were when you were getting
into IT.

Regards

Fred



> On 7/7/2013 4:29 PM, Fred Zinsli wrote:
>
>> I have primary and secondary MX servers, but my secondary server is on
>> cable. My primary server is on the backbone.
>>
>> How can I configure my primary server to accept connections/mail from
>> the
>> secondary server but still refuse connections/mail from all other cable
>> connections.
>
> You've said "cable" twice now, plus once in the subject.  Postfix
> doesn't know what "cable" is.  "We" don't know what "cable" is.  Do you
> actually mean to say "dynamic IP address" here?  Likewise, when you say
> "backbone" do you simply mean "static IP address"?
>
> This is a technical mailing list.  We can't help you if you don't
> provide technically accurate information.  If the backup MX indeed has a
> dynamic IP address then Wietse's suggestion obviously won't work for you
> and a different solution is needed.
>
> --
> Stan
>
>



Re: Backup mx on cable

Viktor Dukhovni
On Wed, Jul 10, 2013 at 01:24:10AM +0400, Fred Zinsli wrote:

> Thank you for clarifying my technical ineptitude. But I thought it would
> have been obvious that I had limited technical knowledge by the content of
> my message. And rather than flame me, you may have been a little more
> constructive.
>
> As far as I can make out, postfix can tell the nature of a connection via
> the PTR (rDNS) record information, although this can be modified on
> request. It is that information I was alluding to, as postfix does use that
> information within the relaying_stoplist to prevent just that.
>
> So given my secondary (backup) MX server is on one of those types of
> connection, how do I allow it to connect to my primary server when it
> returns to service given I have not modified the relaying_stoplist file?
>
> Now whilst I may have used some incorrect terms, think about my puny
> little brain, and how technically inept you were when you were getting
> into IT.

On the primary MX host, there is no need to adjust relay controls
to permit access from secondary MX hosts, after all the mail queued
by the secondary is *inbound* mail.

All you need to do is not subject the secondary to anti-spam
controls, since all the anti-spam controls must be done by the host
that processes the original third-party mail transaction.

Therefore, all you need is:

  main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_client_access cidr:${config_directory}/2mx.cidr,
        ... anti-spam controls if any ...

  2mx.cidr:
        # Actual IP, then OK, then comment text so you know why later
        192.0.2.1 OK secondary MX smtp.example.net

Replace 192.0.2.1 and smtp.example.net with the correct data.

With Postfix 2.10 your anti-relay controls may be separate:

      smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

and if that's the case then the recipient restrictions are for anti-spam
only, but still need to allow white-listed clients (mynetworks and SASL)
and thus become:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access cidr:${config_directory}/2mx.cidr,
        ... anti-spam controls if any ...

--
        Viktor.
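Added example, not code from the thread: a small Python model of how smtpd walks the restriction lists in Wietse's and Viktor's configurations above. It parses a cidr-style access table like 2mx.cidr and shows that check_client_access placed after reject_unauth_destination lets the secondary skip the RBL check while still being unable to relay, both for the single pre-2.10 list and for Viktor's split 2.10 lists. MYNETWORKS, RELAY_DOMAINS and RBL_LISTED are constructed stand-ins (no DNS lookups are made, and permit_sasl_authenticated is not modelled).

```python
import ipaddress

# Constructed access table in Postfix cidr: format, shaped like the 2mx.cidr above.
CLIENT_ACCESS_CIDR = """
# pattern, then action, then free comment text
192.0.2.1 OK secondary MX smtp.example.net
"""
MYNETWORKS = ["127.0.0.0/8", "198.51.100.0/24"]  # constructed: the primary's own networks
RELAY_DOMAINS = {"example.com"}  # constructed: domains the primary accepts inbound mail for
RBL_LISTED = {"203.0.113.7", "192.0.2.1"}  # constructed stand-in for a DNSBL hit; the
                                            # secondary's residential address is listed too

# Wietse's single list (pre-2.10) and Viktor's split relay/recipient lists (2.10).
WIETSE = ["permit_mynetworks", "reject_unauth_destination",
          "check_client_access", "reject_rbl_client"]
RELAY_2_10 = ["permit_mynetworks", "reject_unauth_destination"]
SPAM_2_10 = ["permit_mynetworks", "check_client_access", "reject_rbl_client"]

def parse_cidr_table(text):
    """Parse 'pattern action [comment]' lines; the first matching pattern wins on lookup."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split()[:2]
            table.append((ipaddress.ip_network(pattern, strict=False), action.upper()))
    return table

def evaluate(chain, client_ip, rcpt_domain, table):
    """Walk one restriction list: the first OK/REJECT ends it, DUNNO falls through."""
    client = ipaddress.ip_address(client_ip)
    for r in chain:
        if r == "permit_mynetworks":
            result = "OK" if any(client in ipaddress.ip_network(n) for n in MYNETWORKS) else "DUNNO"
        elif r == "reject_unauth_destination":
            result = "DUNNO" if rcpt_domain in RELAY_DOMAINS else "REJECT"
        elif r == "check_client_access":
            result = next((a for net, a in table if client in net), "DUNNO")
        elif r == "reject_rbl_client":
            result = "REJECT" if client_ip in RBL_LISTED else "DUNNO"
        else:
            raise ValueError("unmodelled restriction: " + r)
        if result != "DUNNO":
            return result
    return "OK"  # reaching the end of a list permits

def verdict(client_ip, rcpt_domain, chains=(WIETSE,), table=None):
    """Every list must pass: Postfix 2.10 runs the relay list and then the recipient list."""
    table = parse_cidr_table(CLIENT_ACCESS_CIDR) if table is None else table
    for chain in chains:
        if evaluate(chain, client_ip, rcpt_domain, table) == "REJECT":
            return "REJECT"
    return "OK"
```

With the secondary's address listed in the stand-in RBL, verdict("192.0.2.1", "example.com") is OK only because the whitelist sits before reject_rbl_client, while verdict("192.0.2.1", "other.example") is REJECT because reject_unauth_destination runs first.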

Re: Backup mx on cable

Jan P. Kessler-2
In reply to this post by Fred Zinsli

> How can I configure my primary server to accept connections/mail from the
> secondary server but still refuse connections/mail from all other cable
> connections.

I use TLS client certificates for these purposes*

http://www.postfix.org/TLS_README.html

* Not for backup to primary mx, but whenever I 'own' both sides of the
connection and one is behind a dynamic ip (soho server sends outgoing
mail via company relay, ...).


Re: Backup mx on cable

Jan P. Kessler-2
On 09.07.2013 23:56, Jan P. Kessler wrote:

> > How can I configure my primary server to accept connections/mail from the
> > secondary server but still refuse connections/mail from all other cable
> > connections.
>
> I use TLS client certificates for these purposes*
>
> http://www.postfix.org/TLS_README.html
>
> * Not for backup to primary mx, but whenever I 'own' both sides of the
> connection and one is behind a dynamic ip (soho server sends outgoing
> mail via company relay, ...).

Please note that having a public MX behind a dynamic ip address may lead
to situations where someone else gets your mail!

I'm just thinking about setting up a honeypot postfix on my cable line
at home ;).


Re: Backup mx on cable

Fred Zinsli
> On 09.07.2013 23:56, Jan P. Kessler wrote:
>> > How can I configure my primary server to accept connections/mail from
>> the
>> > secondary server but still refuse connections/mail from all other
>> cable
>> > connections.
>>
>> I use TLS client certificates for these purposes*
>>
>> http://www.postfix.org/TLS_README.html
>>
>> * Not for backup to primary mx, but whenever I 'own' both sides of the
>> connection and one is behind a dynamic ip (soho server sends outgoing
>> mail via company relay, ...).
>
> Please note that having a public MX behind a dynamic ip address may lead
> to situations where someone else gets your mail!
>
> I'm just thinking about setting up a honeypot postfix on my cable line
> at home ;).
>
>

This is something I hadn't considered at all.
In order for me to better understand the consequences of my actions are
you able to explain to me why that is the case, and what situation would
need to arise for that to happen. Or simply point me to the appropriate
articles so I can read and investigate this.

It is looking more and more like I should be leasing another VPS server to
host my backup DNS and MX.

Regards

Fred



Re: Backup mx on cable

btb-2

On Jul 9, 2013, at 21.56, Fred Zinsli <[hidden email]> wrote:

> This is something I hadn't considered at all.
> In order for me to better understand the consequences of my actions are
> you able to explain to me why that is the case, and what situation would
> need to arise for that to happen. Or simply point me to the appropriate
> articles so I can read and investigate this.
>
> It is looking more and more like I should be leasing another VPS server to
> host my backup DNS and MX.

honestly, i simply wouldn't bother with a backup mx.  what is the actual problem you're trying to solve by running a backup mx?  the contemporary internet is remarkably well connected - the days in which the truly practical application of a backup mx were back when hosts/sites often spent the majority of their time disconnected from the internet.

-ben