SMTPD for different IPs with IPv4 and IPv6


SMTPD for different IPs with IPv4 and IPv6

Dirk Stöcker
Hello,

I did clean up my mail server a bit to finally get rid of my known issues
(i.e. filtering outgoing mails with SpamAssassin).

Using the approach like in

http://www.postfix.org/FILTER_README.html#remote_only

I did set up separate entries for localhost and external IP. Now with IPv4
and IPv6 that results in 4 lines of SMTP in master.cf.

Is this the way to go or can it be reduced to 2 lines? I tried to use
DNS names resolving to both addresses instead of IP addresses, but then
only the IPv4 address was used.

master.cf:
172.31.1.100:smtp              inet  n  -  n  -  -  smtpd
   -o smtpd_milters=inet:localhost:10027,inet:localhost:10028
   -o content_filter=scan:[127.0.0.1]:10025
[2a01:4f8:c17:15d5::1:40]:smtp inet  n  -  n  -  -  smtpd
   -o smtpd_milters=inet:localhost:10027,inet:localhost:10028
   -o content_filter=scan:[127.0.0.1]:10025
127.0.0.1:smtp                 inet  n  -  n  -  -  smtpd
[::1]:smtp                     inet  n  -  n  -  -  smtpd

main.cf:
inet_interfaces = localhost, mail.stoecker.eu
inet_protocols = ipv4, ipv6

In case you wonder - The local IPv4 is not equal to the external visible
one for mail.stoecker.eu.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: SMTPD for different IPs with IPv4 and IPv6

Peter Ajamian
On 22/02/17 07:19, Dirk Stöcker wrote:
> I did set up separate entries for localhost and external IP. Now with
> IPv4 and IPv6 that results in 4 lines of SMTP in master.cf.
>
> Is this the way to go or can it be reduced to 2 lines?

Yes, at least for a linux box and possibly other unix hosts.  You will
want to make sure that /etc/host.conf has the setting, "multi on", then
you can list multiple IPv4 and IPv6 addresses for the same name in
/etc/hosts and use those names in your master.cf file instead of the IP
addresses, so for example:

/etc/host.conf:
multi on

/etc/hosts:
127.0.0.1               localhost
::1                     localhost
172.31.1.100            external
2a01:4f8:c17:15d5::1:40 external

master.cf:
localhost:smtp inet ...
...
external:smtp inet ...
...

> main.cf:
> inet_interfaces = localhost, mail.stoecker.eu

Just remove the above, so it defaults to, "all".

> inet_protocols = ipv4, ipv6

Same, just remove this and let it default to, "all".

> In case you wonder - The local IPv4 is not equal to the external visible
> one for mail.stoecker.eu.

In this case postfix will see the connection on and need to bind to the
local address.


Peter

Re: SMTPD for different IPs with IPv4 and IPv6

Dirk Stöcker
On Wed, 22 Feb 2017, Peter wrote:

> Yes, at least for a linux box and possibly other unix hosts.  You will
> want to make sure that /etc/host.conf has the setting, "multi on", then
> you can list multiple IPv4 and IPv6 addresses for the same name in
> /etc/hosts and use those names in your master.cf file instead of the IP
> addresses, so for example:

I already use multiple domain names per IP in /etc/hosts and it also works
fine with Apache. Setting "multi on" did not change anything.

>> main.cf:
>> inet_interfaces = localhost, mail.stoecker.eu
>
> Just remove the above, so it defaults to, "all".

That assumes that mail.stoecker.eu is the only external IPv6 address.
The advantage of IPv6 is that each service can have its own address, so
that server has many addresses and they should not offer port 25 or 587
:-)

As above works fine for binding mail.stoecker.eu I rechecked everything.
The name localhost is only assigned to IPv4 and I tested most stuff with
localhost (easier name to type :-). Works now (still without "multi on").

It's disturbing that the localhost definition default is system-dependent.
Seems the newer systems don't assign ::1 to localhost anymore to reduce
trouble with old software. Because of the fallbacks to IPv4 I didn't
recognize this until now, as everything works fine.

>> inet_protocols = ipv4, ipv6
>
> Same, just remove this and let it default to, "all".

IPv6 wasn't default always. Removed it now.

Now I only need to switch the remaining old users submitting with SASL on
port 25 to submit port 587 and all is perfect (until I find the next issue
:-)

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
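
The failure mode described in this message (a name used as a listen address in master.cf that carries only one address family in /etc/hosts) can be checked before restarting Postfix. The following is an added example, not part of the original thread; the function names and the constructed hosts text are assumptions, with the addresses taken from the posts above.

```shell
#!/bin/sh
# Added example: report which address families a name has in hosts-file text.

hosts_families() {
    # stdin: hosts-file text; $@: names used as listen addresses in master.cf
    awk -v names="$*" '
    BEGIN { n = split(names, want, " ") }
    {
        sub(/#.*/, "")                        # drop trailing comments
        if (NF < 2) next                      # blank or address-only line
        fam = ($1 ~ /:/) ? "v6" : "v4"        # only IPv6 literals contain ":"
        for (i = 2; i <= NF; i++) seen[tolower($i), fam] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            name = tolower(want[i])
            v4 = ((name, "v4") in seen)
            v6 = ((name, "v6") in seen)
            if (v4 && v6)  state = "dual"
            else if (v4)   state = "ipv4-only"
            else if (v6)   state = "ipv6-only"
            else           state = "missing"
            print want[i] ": " state
        }
    }'
}

# Constructed sample: localhost is IPv4-only, as on the system in the thread.
sample_hosts() {
    cat <<'EOF'
127.0.0.1               localhost
::1                     ip6-localhost ip6-loopback   # no "localhost" here
172.31.1.100            mail.stoecker.eu
2a01:4f8:c17:15d5::1:40 mail.stoecker.eu
EOF
}

sample_hosts | hosts_families localhost mail.stoecker.eu
```

On a live host, feed it the real file: `hosts_families localhost mail.stoecker.eu < /etc/hosts`.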

Re: SMTPD for different IPs with IPv4 and IPv6

Peter Ajamian
On 22/02/17 09:18, Dirk Stöcker wrote:
>>> main.cf:
>>> inet_interfaces = localhost, mail.stoecker.eu
>>
>> Just remove the above, so it defaults to, "all".
>
> That assumes that mail.stoecker.eu is the only external IPv6 address.
> The advantage of IPv6 is that each service can have its own address, so
> that server has many addresses and they should not offer port 25 or 587 :-)

The issue is that you're forcing it to do a DNS lookup for
mail.stoecker.eu, a DNS lookup that could fail, btw, and cause problems.

If you're specifying the IP in master.cf anyways then postfix will only
bind to what is in master.cf even if this is set to all.  Try it and
check your binds with netstat or ss.

> Seems the newer systems don't assign ::1 to localhost anymore
> to reduce trouble with old software.

If you're worried about this you can always assign a new name such as
localhost_all or something and use that so as not to break old software
that relies on localhost only being assigned to IPv4.


Peter

Re: SMTPD for different IPs with IPv4 and IPv6

Dirk Stöcker
On Wed, 22 Feb 2017, Peter wrote:

> On 22/02/17 09:18, Dirk Stöcker wrote:
>>>> main.cf:
>>>> inet_interfaces = localhost, mail.stoecker.eu
>>>
>>> Just remove the above, so it defaults to, "all".
>>
>> That assumes that mail.stoecker.eu is the only external IPv6 address.
>> The advantage of IPv6 is that each service can have its own address, so
>> that server has many addresses and they should not offer port 25 or 587 :-)
>
> The issue is that you're forcing it to do a DNS lookup for
> mail.stoecker.eu, a DNS lookup that could fail, btw, and cause problems.

No. As said, the name mail.stoecker.eu is defined in /etc/hosts. If it
did a DNS lookup it would always fail, as the external and internal IPv4
addresses don't match :-)

> If you're specifying the IP in master.cf anyways then postfix will only
> bind to what is in master.cf even if this is set to all.  Try it and
> check your binds with netstat or ss.

Yes, for 25. But for 587 the inet_interfaces will still be used, as these
aren't separated in master.cf.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
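
The "check your binds with netstat or ss" step from the thread can be automated. The following is an added example, not part of the original thread: it reads `ss -H -ltn` output and flags any listener on port 25 or 587 that is a wildcard bind or is not on an allow-list. The function names and the sample output are constructed; the sample shows port 25 pinned in master.cf while port 587 follows `inet_interfaces = all`.

```shell
#!/bin/sh
# Added example: flag SMTP listeners bound outside an allow-list.

audit_smtp_binds() {
    # stdin: output of `ss -H -ltn`; $@: allowed local addresses as ss prints them
    awk -v allowed="$*" -v ports="25 587" '
    BEGIN {
        n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(ports, p, " ");   for (i = 1; i <= n; i++) watch[p[i]] = 1
    }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if (!(port in watch)) next
        if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
            print "WILDCARD " addr " port " port
        else if (!(addr in ok))
            print "UNEXPECTED " addr " port " port
    }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 100                172.31.1.100:25   0.0.0.0:*
LISTEN 0 100                   127.0.0.1:25   0.0.0.0:*
LISTEN 0 100   [2a01:4f8:c17:15d5::1:40]:25      [::]:*
LISTEN 0 100                       [::1]:25      [::]:*
LISTEN 0 100                     0.0.0.0:587  0.0.0.0:*
LISTEN 0 100                        [::]:587     [::]:*
LISTEN 0 128                     0.0.0.0:22   0.0.0.0:*
EOF
}

sample_ss_output | audit_smtp_binds 127.0.0.1 '[::1]' \
    172.31.1.100 '[2a01:4f8:c17:15d5::1:40]'
```

On a live host, replace `sample_ss_output` with `ss -H -ltn`; empty output means every port 25 and 587 listener is on an allowed address.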