Migrating Postfix Server to New IP Block and Reverse DNS Issues


Migrating Postfix Server to New IP Block and Reverse DNS Issues

asai

Greetings,

We're in the process of migrating our server to a new IP address block but we're running into issues where reverse DNS checks are causing some problems.  I will outline in brief here:

  • We're moving our email server to a new router with a new IP block
  • In order to do this in a gradual manner, we're moving services one at a time to the new IP block, which entails forwarding traffic from the new router and new IP block to the old router.  This is so we can test our firewall and NAT rules and ensure all services are working before making a final switchover.
  • This method works for HTTPS services, but for email it's a problem because the email service sees all traffic as coming from a single IP (static route from the new router) and breaks reverse DNS lookup for incoming mail.

Does anybody know of a method whereby we could get around this limitation?  Is reverse DNS lookup essential?  Or is there another way?

Thanks,

-- 
Asai

Re: Migrating Postfix Server to New IP Block and Reverse DNS Issues

Wietse Venema
Asai:

> Greetings,
>
> We're in the process of migrating our server to a new IP address block
> but we're running into issues where reverse DNS checks are causing some
> problems. I will outline in brief here:
>
>   * We're moving our email server to a new router with a new IP block
>   * In order to do this in a gradual manner, we're moving services one
>     at a time to the new IP block, which entails forwarding traffic from
>     the new router and new IP block to the old router. This is so we can
>     test our firewall and NAT rules and ensure all services are working
>     before making a final switchover.
>   * This method works for HTTPS services, but for email it's a problem
>     because the email service sees all traffic as coming from a single
>     IP (static route from the new router) and breaks reverse DNS lookup
>     for incoming mail.
>
> Does anybody know of a method whereby we could get around this
> limitation? Is reverse DNS lookup essential? Or is there another way?

If you can't do this without losing the remote SMTP client IP
address, your options are:

- Install HAproxy on the "router", configure HaProxy to forward
  mail to Postfix, and configure Postfix to use
  "smtpd_upstream_proxy_protocol = haproxy".

  With this, Postfix CANNOT receive direct SMTP mail. It is not
  guessing if a connection is made directly or through HAproxy.

- Install nginx on the "router", configure nginx to send XCLIENT
  commands to Postfix, and enable Postfix XCLIENT for the router's
  IP address with "smtpd_authorized_xclient_hosts = 1.2.3.4".

  With this, Postfix can still receive direct SMTP mail.

        Wietse

Re: Migrating Postfix Server to New IP Block and Reverse DNS Issues

asai
> If you can't do this without losing the remote SMTP client IP
> address, your options are:
>
> - Install HAproxy on the "router", configure HaProxy to forward
>    mail to Postfix, and configure Postfix to use
>    "smtpd_upstream_proxy_protocol = haproxy".
>
>    With this, Postfix CANNOT receive direct SMTP mail. It is not
>    guessing if a connection is made directly or through HAproxy.
>
> - Install nginx on the "router", configure nginx to send XCLIENT
>    commands to Postfix, and enable Postfix XCLIENT for the router's
>    IP address with "smtpd_authorized_xclient_hosts = 1.2.3.4".
>
>    With this, Postfix can still receive direct SMTP mail.
>
> Wietse

Thank you, Wietse, for your expertise here.

If I may ask a couple more questions about this:

With HAProxy, would it work to install a VM and point email traffic to
it for both LAN and WAN traffic?

With Nginx XClient, would it also work to install this on a VM and have
it handling incoming SMTP email traffic from the WAN while not affecting
LAN SMTP traffic?

Do either of these options affect SMTP authentication over port 587?

Thank you,
Asai


Re: Migrating Postfix Server to New IP Block and Reverse DNS Issues

Wietse Venema
Asai:

> > If you can't do this without losing the remote SMTP client IP
> > address, your options are:
> >
> > - Install HAproxy on the "router", configure HaProxy to forward
> >    mail to Postfix, and configure Postfix to use
> >    "smtpd_upstream_proxy_protocol = haproxy".
> >
> >    With this, Postfix CANNOT receive direct SMTP mail. It is not
> >    guessing if a connection is made directly or through HAproxy.
> >
> > - Install nginx on the "router", configure nginx to send XCLIENT
> >    commands to Postfix, and enable Postfix XCLIENT for the router's
> >    IP address with "smtpd_authorized_xclient_hosts = 1.2.3.4".
> >
> >    With this, Postfix can still receive direct SMTP mail.
> >
> > Wietse
>
> Thank you, Wietse, for your expertise here.
>
> If I may ask a couple more questions about this:
>
> With HAProxy, would it work to install a VM and point email traffic to
> it for both LAN and WAN traffic?

I don't understand this. What does it mean to point traffic (from
the internet? from the local network?) to a load balancer for LAN
(from the LAN? to the LAN?) or WAN (from the WAN? to the WAN?)
traffic.

Postfix supports load balancers for receiving mail. Postfix does not
support load balancers for sending mail.

> With Nginx XClient, would it also work to install this on a VM and have
> it handling incoming SMTP email traffic from the WAN while not affecting
> LAN SMTP traffic?

As I wrote, a Postfix SMTP server process can receive mail from
an SMTP client and through nginx/XCLIENT.

As I wrote, a Postfix SMTP server process cannot (receive mail from
an SMTP client) and (receive mail through HAproxy). You would need
to configure in master.cf a second smtpd process on a different
port or IP address, and use one process for SMTP clients and the
other for HaProxy.

> Do either of these options affect SMTP authentication over port 587?

HAproxy does not interfere with SMTP AUTH, it just passes bits.

You want to disable nginx SMTP AUTH support so that Postfix will
do it. nginx can do SMTP AUTH but that is only good for logging.

        Wietse
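The split-smtpd arrangement described above, written out as an added example (not taken from the thread or from the Postfix or HAProxy projects); the addresses 203.0.113.10, 10.0.0.5 and 192.0.2.20 and the port 10025 are constructed placeholders:

```conf
# /etc/haproxy/haproxy.cfg on the new router (constructed example).
# Plain TCP forwarding; "send-proxy" prepends a PROXY-protocol header
# so Postfix learns the remote SMTP client's real address and runs its
# reverse-DNS checks against that, not against the router's IP.
listen smtp_in
    bind 203.0.113.10:25          # public address in the new IP block
    mode tcp
    timeout connect 5s
    timeout client 300s
    timeout server 300s
    server postfix 10.0.0.5:10025 send-proxy

# /etc/postfix/master.cf on the mail server (constructed example).
# Direct SMTP from the LAN and existing peers stays on port 25.
smtp       inet  n  -  y  -  -  smtpd

# Second smtpd, reached only via HAProxy, that REQUIRES the PROXY
# header. It has to be a separate service: an smtpd configured with
# smtpd_upstream_proxy_protocol cannot also accept direct SMTP.
10025      inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/haproxy
    -o smtpd_upstream_proxy_protocol=haproxy

# Submission (SMTP AUTH on 587) is not proxied and is unaffected.
submission inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/submission
    -o smtpd_sasl_auth_enable=yes

# /etc/postfix/main.cf, only for the nginx/XCLIENT alternative:
# trust XCLIENT from the router so Postfix logs and checks the
# client address nginx reports rather than the router's own.
smtpd_authorized_xclient_hosts = 192.0.2.20
```

Firewall port 10025 so that only the router can reach it: that smtpd accepts whatever client address the PROXY header claims, so any other host able to connect to it could assert an arbitrary source IP. The `syslog_name` overrides make it easy to confirm in the mail log which path a given connection arrived on.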

Re: Migrating Postfix Server to New IP Block and Reverse DNS Issues

asai

> I don't understand this. What does it mean to point traffic (from
> the internet? from the local network?) to a load balancer for LAN
> (from the LAN? to the LAN?) or WAN (from the WAN? to the WAN?)
> traffic.
>
> Postfix supports load balancers for receiving mail. Postfix does not
> support load balancers for sending mail.

By "point" I meant via DNS addressing. I see what you're saying now,
though, it's only for incoming traffic.

> As I wrote a Postfix SMTP server process can receive mail from
> an SMTP client and through nginx/XCLIENT.

Thank you, I understand now.

>> Do either of these options affect SMTP authentication over port 587?
> HAproxy does not interfere with SMTP AUTH, it just passes bits.
>
> You want to disable nginx SMTP AUTH support so that Postfix will
> do it. nginx can do SMTP AUTH but that is only good for logging.

Excellent, thank you.

--
Asai