Specify VPN for postfix

Specify VPN for postfix

Yubin Ruan
Hi,
Can anyone tell me how to point postfix to a VPN connection? I have
setup a VPN listening at background on my Ubuntu and I want to point
postfix to that listening port whenever postfix try to connect to the
internet.

Thanks,
Yubin

Re: Specify VPN for postfix

lists@lazygranch.com
Take a look at your header file when using the VPN to email yourself. I
think what you want happens automatically.

Received: from [10.8.0.6] (unknown [MYIPADDRESS])

10.8.0.6 is the local IP space created by my VPN. But my IP address
also shows up, so hopefully a guru will chime in as to how this all
works.

One thing to consider is that you may run into an internet provider
(probably public wifi) that blocks the use of a VPN. Somewhat common
with IPSEC. Perhaps less with openvpn. So you wouldn't want to make the
VPN be a mandatory requirement.




On Tue, 1 Aug 2017 12:07:26 +0800
Yubin Ruan <[hidden email]> wrote:

> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
>
> Thanks,
> Yubin


Re: Specify VPN for postfix

Wilfried.Essig@Essignetz.de
In reply to this post by Yubin Ruan
On 01.08.2017 at 06:07, Yubin Ruan wrote:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.


Hi,

read description of parameter "inet_interfaces"
(http://www.postfix.org/postconf.5.html#inet_interfaces). That should
help you finding the best way for you.

Willi

Re: Specify VPN for postfix

Tobi
In reply to this post by Yubin Ruan
Easiest case if the default route for the postfix server points to the vpn tunnel.

If def gw does not point to vpn then you could use nat rules on vpn server to replace the src address with the vpn server's vpn address.

If NAT is not an option then you will have to setup a policy based routing aka source based routing on postfix server to ensure answers from postfix go back via the same gateway they came in.

Cheers

tobi

----- Original Message -----
From: Yubin Ruan <[hidden email]>
Sent: 01.08.2017 - 06:07
To: [hidden email]
Subject: Specify VPN for postfix

> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
>
> Thanks,
> Yubin


Re: Specify VPN for postfix

Wietse Venema
In reply to this post by Yubin Ruan
Yubin Ruan:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

You specify

/etc/postfix/main.cf:
   relayhost = smtp:[host on other side of tunnel]

        Wietse

Re: Specify VPN for postfix

lists@lazygranch.com

Could the host be something like 10.8.0.0/24?

  Original Message  
From: [hidden email]
Sent: August 1, 2017 4:01 AM
To: [hidden email]
Reply-to: [hidden email]
Subject: Re: Specify VPN for postfix

Yubin Ruan:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

You specify

/etc/postfix/main.cf:
   relayhost = smtp:[host on other side of tunnel]

Wietse

Re: Specify VPN for postfix

Wietse Venema
Yubin Ruan:
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

Wietse:
> You specify
> /etc/postfix/main.cf:
>   relayhost = smtp:[host on other side of tunnel]
 
Gary Sellani:
> Could the host be something like 10.8.0.0/24?

I wrote 'host' not 'network block'.

Consider the network as a collection of layers. An example applicable
to Postfix looks like: physical layer (ethernet), network layer
(IP), transport layer (TCP), and application layer (SMTP). In this
architecture, an SMTP destination is a domain or host, where the
host may be specified as an IP address. It's not an IP address block
nor is it an ethernet broadcast domain.

        Wietse

Re: Specify VPN for postfix

Tom Hendrikx


On 01-08-17 16:46, Wietse Venema wrote:

> Yubin Ruan:
>> Can anyone tell me how to point postfix to a VPN connection? I have
>> setup a VPN listening at background on my Ubuntu and I want to point
>> postfix to that listening port whenever postfix try to connect to the
>> internet.
>
> Wietse:
>> You specify
>> /etc/postfix/main.cf:
>>   relayhost = smtp:[host on other side of tunnel]
>  
> Gary Sellani:
>> Could the host be something like 10.8.0.0/24?
>
> I wrote 'host' not 'network block'.
>
> Consider the network as a collection of layers. An example applicable
> to Postfix looks like: physical layer (ethernet), network layer
> (IP), transport layer (TCP), and application layer (SMTP). In this
> architecture, an SMTP destination is a domain or host, where the
> host may be specified as an IP address. It's not an IP address block
> nor is it an ethernet broadcast domain.
>
> Wietse
>

Maybe you (the OP) should clarify what you mean with 'connect to the
internet'. Does this mean accepting email from hosts 'on the internet',
does it mean sending email to random hosts 'on the internet', or does it
mean something else? Explain in laymen terms what you're trying to do,
your question is too vague.

Tom

Re: Specify VPN for postfix

Benny Pedersen-2
In reply to this post by lists@lazygranch.com
Gary Sellani wrote on 2017-08-01 14:31:
> Could the host be something like 10.8.0.0/24?

make a hostname with multiple A/AAAA/MX

to do this one could simply add ip-addr to /etc/hosts with the hostname
wanted for the lan of rfc1918 ips

then change relayhost to

relayhost = smtp:<name-in-etc-hosts>:25

postfix will then use name-in-etc-hosts as a dns mx record

> relayhost = smtp:[host on other side of tunnel]

with [] around hostname mx round robin is disabled

this is ok and desired for single ip hostname

# cat /etc/hosts
10.0.0.2 in.localdomain in
10.0.0.3 in.localdomain in

or simply use split dnsview on public dns

better docs here:

https://en.wikipedia.org/wiki/Split-horizon_DNS

Re: Specify VPN for postfix

Yubin Ruan
In reply to this post by Tom Hendrikx
2017-08-01 22:54 GMT+08:00 Tom Hendrikx <[hidden email]>:

>
>
> On 01-08-17 16:46, Wietse Venema wrote:
>> Yubin Ruan:
>>> Can anyone tell me how to point postfix to a VPN connection? I have
>>> setup a VPN listening at background on my Ubuntu and I want to point
>>> postfix to that listening port whenever postfix try to connect to the
>>> internet.
>>
>> Wietse:
>>> You specify
>>> /etc/postfix/main.cf:
>>>   relayhost = smtp:[host on other side of tunnel]
>>
>> Gary Sellani:
>>> Could the host be something like 10.8.0.0/24?
>>
>> I wrote 'host' not 'network block'.
>>
>> Consider the network as a collection of layers. An example applicable
>> to Postfix looks like: physical layer (ethernet), network layer
>> (IP), transport layer (TCP), and application layer (SMTP). In this
>> architecture, an SMTP destination is a domain or host, where the
>> host may be specified as an IP address. It's not an IP address block
>> nor is it an ethernet broadcast domain.
>>
>>       Wietse
>>
>
> Maybe you (the OP) should clarify what you mean with 'connect to the
> internet'. Does this mean accepting email from hosts 'on the internet',
> does it mean sending email to random hosts 'on the internet', or does it
> mean something else? Explain in laymen terms what you're trying to do,
> your question is too vague.

I have a shadowsocks client listening at 127.0.0.1:8888, and I want to
point postfix to that specified port when it try to connect to
internet. Put it in another words, I would like to make that address
(i.e., 127.0.0.1:8888) something like default gateway so that all my
network traffic go through it.

Thanks,
Yubin

Re: Specify VPN for postfix

Yubin Ruan
2017-08-02 0:21 GMT+08:00 Yubin Ruan <[hidden email]>:

> 2017-08-01 22:54 GMT+08:00 Tom Hendrikx <[hidden email]>:
>>
>>
>> On 01-08-17 16:46, Wietse Venema wrote:
>>> Yubin Ruan:
>>>> Can anyone tell me how to point postfix to a VPN connection? I have
>>>> setup a VPN listening at background on my Ubuntu and I want to point
>>>> postfix to that listening port whenever postfix try to connect to the
>>>> internet.
>>>
>>> Wietse:
>>>> You specify
>>>> /etc/postfix/main.cf:
>>>>   relayhost = smtp:[host on other side of tunnel]
>>>
>>> Gary Sellani:
>>>> Could the host be something like 10.8.0.0/24?
>>>
>>> I wrote 'host' not 'network block'.
>>>
>>> Consider the network as a collection of layers. An example applicable
>>> to Postfix looks like: physical layer (ethernet), network layer
>>> (IP), transport layer (TCP), and application layer (SMTP). In this
>>> architecture, an SMTP destination is a domain or host, where the
>>> host may be specified as an IP address. It's not an IP address block
>>> nor is it an ethernet broadcast domain.
>>>
>>>       Wietse
>>>
>>
>> Maybe you (the OP) should clarify what you mean with 'connect to the
>> internet'. Does this mean accepting email from hosts 'on the internet',
>> does it mean sending email to random hosts 'on the internet', or does it
>> mean something else? Explain in laymen terms what you're trying to do,
>> your question is too vague.
>
> I have a shadowsocks client listening at 127.0.0.1:8888, and I want to
> point postfix to that specified port when it try to connect to
> internet. Put it in another words, I would like to make that address
> (i.e., 127.0.0.1:8888) something like default gateway so that all my
> network traffic go through it.

Currently I can set up a proxy in the browser (i.e., pointing the
browser to that address (127.0.0.1:8888)) so that I got a VPN kind of
thing. And now I want to set it up for postfix, and if possible, for
every program in the system.

Thanks,
Yubin

Re: Specify VPN for postfix

lists@lazygranch.com
In reply to this post by Wietse Venema

You don't know local IP except that it will be in that block (cidr). In practice, my first VPN instance will use 10.8.0.6. I don't recall what is used when I run two VPNs.

But I get your point.

  Original Message  
From: [hidden email]
Sent: August 1, 2017 7:46 AM
To: [hidden email]
Reply-to: [hidden email]
Subject: Re: Specify VPN for postfix

Yubin Ruan:
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.

Wietse:
> You specify
> /etc/postfix/main.cf:
>   relayhost = smtp:[host on other side of tunnel]

Gary Sellani:
> Could the host be something like 10.8.0.0/24?

I wrote 'host' not 'network block'.

Consider the network as a collection of layers. An example applicable
to Postfix looks like: physical layer (ethernet), network layer
(IP), transport layer (TCP), and application layer (SMTP). In this
architecture, an SMTP destination is a domain or host, where the
host may be specified as an IP address. It's not an IP address block
nor is it an ethernet broadcast domain.

Wietse

Re: Specify VPN for postfix

Abi Askushi
In reply to this post by Yubin Ruan
Since this is socks proxy and not vpn you could redirect postfix traffic with iptables to the port your socks proxy listens. Plenty examples on google.

On Aug 1, 2017 19:23, "Yubin Ruan" <[hidden email]> wrote:
2017-08-01 22:54 GMT+08:00 Tom Hendrikx <[hidden email]>:
>
>
> On 01-08-17 16:46, Wietse Venema wrote:
>> Yubin Ruan:
>>> Can anyone tell me how to point postfix to a VPN connection? I have
>>> setup a VPN listening at background on my Ubuntu and I want to point
>>> postfix to that listening port whenever postfix try to connect to the
>>> internet.
>>
>> Wietse:
>>> You specify
>>> /etc/postfix/main.cf:
>>>   relayhost = smtp:[host on other side of tunnel]
>>
>> Gary Sellani:
>>> Could the host be something like 10.8.0.0/24?
>>
>> I wrote 'host' not 'network block'.
>>
>> Consider the network as a collection of layers. An example applicable
>> to Postfix looks like: physical layer (ethernet), network layer
>> (IP), transport layer (TCP), and application layer (SMTP). In this
>> architecture, an SMTP destination is a domain or host, where the
>> host may be specified as an IP address. It's not an IP address block
>> nor is it an ethernet broadcast domain.
>>
>>       Wietse
>>
>
> Maybe you (the OP) should clarify what you mean with 'connect to the
> internet'. Does this mean accepting email from hosts 'on the internet',
> does it mean sending email to random hosts 'on the internet', or does it
> mean something else? Explain in laymen terms what you're trying to do,
> your question is too vague.

I have a shadowsocks client listening at 127.0.0.1:8888, and I want to
point postfix to that specified port when it try to connect to
internet. Put it in another words, I would like to make that address
(i.e., 127.0.0.1:8888) something like default gateway so that all my
network traffic go through it.

Thanks,
Yubin

Re: Specify VPN for postfix

Tobi
On 01.08.2017 at 20:39, Abi Askushi wrote:
> Since this is socks proxy and not vpn you could redirect postfix traffic
> with iptables to the port your socks proxy listens. Plenty examples on
> google.

if you redirect the full postfix traffic you might end up in asymmetric
routing.

Most important question: does this postfix accept connections/mails from
the outside world? If it does: which path these connections come to
postfix? Via VPN/Socks or directly?
If **ALL** connections to this postfix come via VPN/Socks simple
iptables rules as suggested by Abi will work.

Otherwise it gets more complex and the OP needs a routing based on the
source of the packets. The goal is to bring answers from postfix to the
exact same path as the query from outside came in (means correct
interface and gateway). And that can only be achieved by policy based
routing.

Re: Specify VPN for postfix

Yubin Ruan
In reply to this post by Abi Askushi
2017-08-02 2:39 GMT+08:00 Abi Askushi <[hidden email]>:
> Since this is socks proxy and not vpn you could redirect postfix traffic
> with iptables to the port your socks proxy listens. Plenty examples on
> google.

Please offer a simple iptable example, if you may. Probably I was
stuck by some asymmetric routing problems after setting up an incorrect
iptable rule.

Yubin

Re: Specify VPN for postfix

Yubin Ruan
In reply to this post by Tobi
2017-08-02 15:28 GMT+08:00 Tobi <[hidden email]>:

> On 01.08.2017 at 20:39, Abi Askushi wrote:
>> Since this is socks proxy and not vpn you could redirect postfix traffic
>> with iptables to the port your socks proxy listens. Plenty examples on
>> google.
>
> if you redirect the full postfix traffic you might end up in asymmetric
> routing.
>
> Most important question: does this postfix accept connections/mails from
> the outside world? If it does: which path these connections come to
> postfix? Via VPN/Socks or directly?

I only use postfix for delivering mail, not receiving anything from
the outside world. So all the connection to postfix come from local
programs (on my own laptop).

> If **ALL** connections to this postfix come via VPN/Socks simple
> iptables rules as suggested by Abi will work.
>
> Otherwise it gets more complex and the OP needs a routing based on the
> source of the packets. The goal is to bring answers from postfix to the
> exact same path as the query from outside came in (means correct
> interface and gateway). And that can only be achieved by policy based
> routing.

A workable example will be really appreciated.

Yubin

Re: Specify VPN for postfix

Abi Askushi
In reply to this post by Yubin Ruan
Say you have postfix sending outbound email on eth0 interface and TCP port 25, then you would have:

iptables -t nat -A OUTPUT -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 8888

You need to change the above to fit your specific network.


On Wed, Aug 2, 2017 at 3:10 PM, Yubin Ruan <[hidden email]> wrote:
2017-08-02 2:39 GMT+08:00 Abi Askushi <[hidden email]>:
> Since this is socks proxy and not vpn you could redirect postfix traffic
> with iptables to the port your socks proxy listens. Plenty examples on
> google.

Please offer a simple iptable example, if you may. Probably I was
stuck by some asymmetric routing problems after setting up an incorrect
iptable rule.

Yubin
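
An added example, not part of any poster's message: a narrower form of the REDIRECT rule above that matches only connections made by the Postfix account and leaves loopback destinations alone, so local programs submitting to 127.0.0.1:25 still reach Postfix. It assumes the listener on port 8888 is a transparent redirector (for instance redsocks or shadowsocks-libev's ss-redir) rather than a plain SOCKS port, because Postfix's SMTP client does not speak SOCKS; the chain name `SMTP_REDIR` and the account name `postfix` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds NAT rules that send only the
# Postfix SMTP client's outbound port-25 connections to a local listener.
# Assumptions: REDIR_PORT is a transparent redirector (it recovers the
# original destination itself), MAIL_USER is the account smtp(8) runs as,
# and CHAIN is a hypothetical chain name.
REDIR_PORT="${REDIR_PORT:-8888}"
MAIL_USER="${MAIL_USER:-postfix}"
CHAIN="${CHAIN:-SMTP_REDIR}"

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules, one iptables command per line, without applying them.
# Rule 2 returns early for loopback destinations (local submission stays
# local); rule 4 hooks OUTPUT only for port 25 traffic owned by MAIL_USER.
smtp_redirect_rules() {
    valid_port "$REDIR_PORT" || { echo "bad port: $REDIR_PORT" >&2; return 1; }
    case "$MAIL_USER" in ''|*[!A-Za-z0-9_-]*)
        echo "bad user: $MAIL_USER" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat -N $CHAIN
iptables -t nat -A $CHAIN -d 127.0.0.0/8 -j RETURN
iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $REDIR_PORT
iptables -t nat -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $MAIL_USER -j $CHAIN
EOF
}

# Print the commands that undo the rules above, in reverse order.
smtp_redirect_undo() {
    cat <<EOF
iptables -t nat -D OUTPUT -p tcp --dport 25 -m owner --uid-owner $MAIL_USER -j $CHAIN
iptables -t nat -F $CHAIN
iptables -t nat -X $CHAIN
EOF
}

# Default is a dry run; APPLY=1 (as root) executes the printed commands.
if [ "${APPLY:-0}" = 1 ]; then
    smtp_redirect_rules | sh -e
else
    smtp_redirect_rules
fi
```

After applying, `iptables -t nat -L SMTP_REDIR -n -v` shows per-rule packet counters; the REDIRECT counter should rise when Postfix attempts a delivery and stay flat for other users' traffic.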
