ODMR/ATRN ?


Re: ODMR/ATRN ?

Wietse Venema
Ronald F. Guilmette:

>
> In message <[hidden email]>,
> Wietse Venema <[hidden email]> wrote:
>
> >> and then use something like fetchmail to poll that periodically to pull
> >> down all mail for my several domains and then have fetchmail re-inject
> >> all of those mail messages into the local Postfix.  The plan would be to
> >> get all this running and then give up my local static IP here, exchanging
> >> it for a dynamic one instead.  (This will save me a tiny bit of money on
> >> my monthly local ISP bill.)
> >
> >What about setting up a tunnel between home (dynamic IP) and cloud
> >(static IP)? Could be a VPN, or SSH.
>
> In a word, yea.  That exact light just came on over my little noggin.
>
> If I can figure out how to make that work, I think that will be THE
> solution.
>
> I just need to find some tool... some something... that will *transparently*
> proxy all of the inbound port 25 traffic that  comes in to the cloud VM
> server machine to some other IP address... some other IP address that
> will in fact be dynamic and changing, over time. (And yes, I understand
> that dynamic DNS is likely to be helpful here.)
>
> So, what tool should I use to do this transparent TCP proxying?

HaProxy for inbound mail. Postfix supports their protocol.

For outbound, you need an MTA on the static IP address.

        Wietse
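As an added example (not from this thread, and not configuration shipped by the Postfix or HAProxy projects), this is what the arrangement Wietse describes looks like on disk: HAProxy on the cloud VM owns port 25 and forwards to the home Postfix over a tunnel, and Postfix at home reads the PROXY protocol header so it still sees the real client address. Everything concrete in it is assumed: that the cloud end of the tunnel is 127.0.0.1:10025, that the home machine has port 10025 free, and the timeout values.

```conf
# ---- cloud VM: /etc/haproxy/haproxy.cfg (added example, hypothetical values) ----
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    # SMTP sessions legitimately sit idle between commands; keep these generous
    timeout client  10m
    timeout server  10m

frontend smtp_in
    bind *:25
    default_backend home_mx

backend home_mx
    # 127.0.0.1:10025 is the cloud-side end of the tunnel to the home machine.
    # send-proxy prepends a PROXY protocol header carrying the original client
    # IP:port, so the home Postfix logs and client restrictions see the real
    # sender instead of 127.0.0.1.
    server home 127.0.0.1:10025 send-proxy

# ---- home machine: /etc/postfix/master.cf (added lines) ----
# A dedicated smtpd service that expects the PROXY header on every connection.
# The header is not authenticated, so anything that can reach this port could
# claim any client address: bind it to loopback (only the tunnel lands there)
# and keep the normal smtpd service on port 25 for everything else.
127.0.0.1:10025 inet n - n - - smtpd
    -o smtpd_upstream_proxy_protocol=haproxy
    -o syslog_name=postfix/proxied
```

If postscreen runs in front of smtpd on the home side, the equivalent setting goes on the postscreen service as `-o postscreen_upstream_proxy_protocol=haproxy` instead. After the change, a connection logged by the proxied service should show the same remote address that HAProxy's tcplog line shows for the same session; if it shows 127.0.0.1, the header is not being sent or not being read.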

Re: ODMR/ATRN ?

Wietse Venema
In reply to this post by Ronald F. Guilmette-2
Ronald F. Guilmette:

> Let's say that the dynamic IP that I *was* using, just before the
> power fail, was a.b.c.d.  The question is:  While I am wandering around
> with my flashlight in the dark, what if some other customer of my ISP
> happens to request a DHCP lease and also happens to get a.b.c.d ... which
> is possible, because after all, *I* am not using that specific IP address
> anymore, so it will have been returned to the DHCP free pool.
>
> In this scenario, could that other party who got a.b.c.d, dynamically,
> turn on a mail server and begin sucking down *my* emails from *my* cloud
> VM Postfix instance?

Alternatives:

- Use a tunnel (ssh port forwarding, or vpn) which is initiated
by the home machine. This sidesteps any dynamic DNS issues.

- On the cloud MTA, require certificate authentication, so that
it will not send mail to the wrong 'home' server.

        Wietse

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Tom Hendrikx

In message <[hidden email]>,
Tom Hendrikx <[hidden email]> wrote:

>You can add TLS verification to your postfix client in the cloud. The
>client will only deliver to a server when it presents a specific SSL
>certificate to the client during the handshake. See
>http://www.postfix.org/TLS_README.html#client_tls_policy

Perfect.  Thank you. Didn't know about that.  But I sure will be trying
to get it working.


Regards,
rfg
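Wietse's two suggestions (a tunnel the home machine initiates, and a cloud MTA that refuses to hand mail to the wrong "home" server) and the client TLS policy Tom points at fit together in one configuration, so here is an added example of the combination. It is my sketch, not anything from the thread or from TLS_README. Assumed values: a dedicated `tunnel` account on the cloud host cloud.example.net, home domains example.com and example.org, the relay reaching the home Postfix through 127.0.0.1:10025 on the cloud side, and a placeholder where the home server's certificate fingerprint goes.

```conf
# ---- cloud VM: ~tunnel/.ssh/authorized_keys (one line; added example) ----
# The home key may do nothing except open this one reverse forwarding.
restrict,port-forwarding,permitlisten="127.0.0.1:10025" ssh-ed25519 AAAA<home-public-key-placeholder> mx-tunnel

# ---- home machine: /etc/systemd/system/mx-tunnel.service ----
[Unit]
Description=Reverse SSH tunnel: cloud 127.0.0.1:10025 -> home Postfix port 25
After=network-online.target
Wants=network-online.target

[Service]
# Home dials out, so its changing address never matters and no dynamic DNS
# record has to be trusted. ExitOnForwardFailure turns a dead forwarding into
# a unit restart instead of leaving an idle tunnel that carries nothing.
ExecStart=/usr/bin/ssh -N \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -i /etc/mx-tunnel/id_ed25519 \
    -R 127.0.0.1:10025:127.0.0.1:25 tunnel@cloud.example.net
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

# ---- cloud VM: /etc/postfix/main.cf ----
relay_domains               = example.com, example.org
transport_maps              = hash:/etc/postfix/transport
smtp_tls_policy_maps        = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256

# ---- cloud VM: /etc/postfix/transport ----
example.com   relay:[127.0.0.1]:10025
example.org   relay:[127.0.0.1]:10025

# ---- cloud VM: /etc/postfix/tls_policy ----
# "fingerprint" pins the exact certificate the home server presents; no CA is
# involved. If anything else answers at the far end of the tunnel, the TLS
# handshake fails and the mail stays in the cloud queue instead of being
# delivered. Obtain the value from the home certificate with:
#   openssl x509 -noout -fingerprint -sha256 -in home-cert.pem
[127.0.0.1]:10025   fingerprint match=<SHA256-FINGERPRINT-OF-HOME-CERT>
```

Run `postmap` on the transport and tls_policy files after editing them. Two operational points: on the cloud sshd, set a `ClientAliveInterval` so that a home connection that dies without a FIN is noticed and the listening port is freed, otherwise the restarted tunnel fails with "remote port forwarding failed" until the stale session times out; and the home Postfix sees the relay's connections as coming from 127.0.0.1, which is in `mynetworks`, so the only thing that must be able to reach that loopback port is the tunnel.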

Re: ODMR/ATRN ?

Darren Pilgrim
In reply to this post by Ronald F. Guilmette-2
On 2019-06-09 13:42, Ronald F. Guilmette wrote:

> I'd very much like to move my (Postfix) mail server, which currently resides
> on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> and then use something like fetchmail to poll that periodically to pull
> down all mail for my several domains and then have fetchmail re-inject
> all of those mail messages into the local Postfix.  The plan would be to
> get all this running and then give up my local static IP here, exchanging
> it for a dynamic one instead.  (This will save me a tiny bit of money on
> my monthly local ISP bill.)
>
> Googling for options just now, it sure sounds like ODMR/ATRN would fit
> my needs nicely, however I can't quite make out whether any of this
> ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
> Has it been?
>
> Regardless of whether it has or not, if anyone wants to suggest or recommend
> any alternative solution(s) I'm all ears.  I am open to anything that
> will get the job done.  My only real requirements for a solution are:
>
>      1)  Must support unlimited email addresses per each recipient domain.
>
>      2)  Must preserve envelope sender information.
>

I use authenticated SMTP for this.  Each cloud VM has two postfix instances:

One is the MX:
- low-security opportunistic TLS
- spam filtering
- envelope validation using relay_domains and relay_recipient_maps

The other is the authenticated SMTP relay:
- mandatory TLSv1.3 with private EC PKI
- permit_tls_clientcerts only
- soft_bounce=yes
- long maximal_queue_lifetime
- per-destination transports for defer_transports granularity
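As an added example (my own sketch of how I read the list above, not Darren's actual configuration), this is roughly how the "authenticated SMTP relay" instance maps onto Postfix parameters. It assumes a second instance created with `postmulti -I postfix-relay -e create` whose files live under /etc/postfix-relay, a private CA at /etc/postfix-relay/private-ca.pem, the relay listening on port 2525, one home domain example.com reached through 127.0.0.1:10025, and a placeholder client-certificate fingerprint; the queue lifetime is an illustrative value.

```conf
# ---- /etc/postfix-relay/main.cf (second postmulti instance; added example) ----
# postmulti create already sets multi_instance_name, queue_directory and
# data_directory for this instance; only the relay-specific settings follow.
syslog_name = postfix/relay

# Mandatory TLS, TLS 1.3 only, private EC PKI
smtpd_tls_security_level      = encrypt
smtpd_tls_mandatory_protocols = >=TLSv1.3   # Postfix 3.6+ syntax; older releases: !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
smtpd_tls_cert_file           = /etc/postfix-relay/relay-ec.crt
smtpd_tls_key_file            = /etc/postfix-relay/relay-ec.key
smtpd_tls_CAfile              = /etc/postfix-relay/private-ca.pem
smtpd_tls_ask_ccert           = yes
smtpd_tls_req_ccert           = yes         # no client certificate, no session
smtpd_tls_fingerprint_digest  = sha256

# permit_tls_clientcerts only: the client certificate must verify against the
# private CA AND its fingerprint must be listed; everything else is rejected.
relay_clientcerts         = hash:/etc/postfix-relay/relay_clientcerts
smtpd_client_restrictions = permit_tls_clientcerts, reject
smtpd_relay_restrictions  = permit_tls_clientcerts, reject

# Hold rather than bounce: while the home end is unreachable, mail waits.
soft_bounce            = yes
maximal_queue_lifetime = 30d    # illustrative; the Postfix default is 5d
bounce_queue_lifetime  = 30d

# One transport per destination, so a single destination can be held with
# defer_transports while the others keep flowing (release with: postqueue -f).
transport_maps = hash:/etc/postfix-relay/transport
# defer_transports = home_example_com

# ---- /etc/postfix-relay/transport ----
example.com   home_example_com:[127.0.0.1]:10025

# ---- /etc/postfix-relay/relay_clientcerts ----
# sha256 fingerprint of the home server's client certificate -> any label
<SHA256-FINGERPRINT-OF-HOME-CLIENT-CERT>   home-mx

# ---- /etc/postfix-relay/master.cf (additions) ----
# relay listener, separate from the MX instance's port 25
2525 inet n - n - - smtpd
# the per-destination delivery transport named in the transport map
home_example_com unix - - n - - smtp
```

Verify the instance with `postmulti -i postfix-relay -x postconf -n` and check that a client without a certificate, or with a certificate not listed in relay_clientcerts, is rejected at RCPT TO with the restriction shown in the log; with `soft_bounce = yes` that rejection is reported as a 4xx, so an unlisted client sees a temporary failure rather than a permanent one.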