Transport Map for selective IPv4/IPv6 per site

Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
Following a recipe for selective transports on this list I have added a transport map to a server with IPv4 *and* IPv6 interfaces.

# postconf mail_version
mail_version = 2.11.3

# postconf -n | grep inet
inet_interfaces = 188.138.4.217, 2001:470:1f0b:bd0::3
inet_protocols = ipv4, ipv6

# postconf -n transport_maps
transport_maps = lmdb:$config_directory/transport

# cat /etc/postfix/transport
gmail.com       smtp-ipv6:
googlemail.com  smtp-ipv6:


$ postconf -Mf smtp-ipv6
smtp-ipv6  unix  -       -       -       -       -       smtp
    -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
    -o inet_protocols=ipv6

Unlike the original recipe http://postfix.1071664.n5.nabble.com/smtp-IPv4-IPv6-map-td61342.html, the transport  fails with _only_ 'inet_protocols=ipv6' (or ipv4 for the same reason) passed:

Jan  6 10:05:54 nihlus postfix/smtp[47968]: fatal: config variable inet_interfaces: host not found: [2001:470:1f0b:bd0::3]
Jan  6 10:05:55 nihlus postfix/master[47938]: warning: process /usr/lib/postfix/smtp pid 47968 exit status 1
Jan  6 10:05:55 nihlus postfix/master[47938]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling

I had to explicitly add the IP as an option for it to succeed:

    -o inet_interfaces=2001:470:1f0b:bd0::3

Jan  6 10:33:45 nihlus postfix/smtp[49669]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1a]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Am I missing something in this scenario?

Regards
Thomas

Re: Transport Map for selective IPv4/IPv6 per site

Koko Wijatmoko
On Tue, 6 Jan 2015 10:53:42 +0100
Thomas Leuxner <[hidden email]> wrote:

> # postconf -n | grep inet
> inet_interfaces = 188.138.4.217, 2001:470:1f0b:bd0::3
> inet_protocols = ipv4, ipv6
>
set above to "= all" (default), and try to set:

smtp_bind_address = 188.138.4.217
smtp_bind_address6 = 2001:470:1f0b:bd0::3

test it by sending to gmail again.

Re: Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
* Koko Wijatmoko <[hidden email]> 2015.01.06 11:22:

> set above to "= all" (default), and try to set:
>
> smtp_bind_address = 188.138.4.217
> smtp_bind_address6 = 2001:470:1f0b:bd0::3
>
> test it by sending to gmail again.

Unfortunately this yields the same problem.

Re: Transport Map for selective IPv4/IPv6 per site

Wietse Venema
In reply to this post by Thomas Leuxner
Thomas Leuxner:
> # postconf -n | grep inet
> inet_interfaces = 188.138.4.217, 2001:470:1f0b:bd0::3
> inet_protocols = ipv4, ipv6
...
> Unlike the original recipe
> http://postfix.1071664.n5.nabble.com/smtp-IPv4-IPv6-map-td61342.html, the
> transport  fails with _only_ 'inet_protocols=ipv6' (or ipv4 for
> the same reason) passed:

Why are you surprised? You disable a IPv6 in inet_protocols,
but you require IPv6 in inet_interfaces.

        Wietse

Re: Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
* Wietse Venema <[hidden email]> 2015.01.06 12:36:

> Why are you surprised? You disable a IPv6 in inet_protocols,
> but you require IPv6 in inet_interfaces.

Hi Wietse,

because the option was not part of the original stanza which I deemed comprehensive. Maybe my impression was postfix internally knows which format is IPv4 and which is IPv6 and picks them from the interfaces list.

Is the way I implemented it the way it is supposed to be done/work (or a silly kludge)?

Regards
Thomas

Re: Transport Map for selective IPv4/IPv6 per site

Wietse Venema
Thomas Leuxner:
> > Why are you surprised? You disable a IPv6 in inet_protocols,
> > but you require IPv6 in inet_interfaces.
>
> Hi Wietse,
>
> because the option was not part of the original stanza which I
> deemed comprehensive. Maybe my impression was postfix internally
> knows which format is IPv4 and which is IPv6 and picks them from
> the interfaces list.

Postfix supports the protocol addresses that you specify
with inet_protocols.

        Wietse

Re: Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
* Wietse Venema <[hidden email]> 2015.01.06 12:52:

> Postfix supports the protocol addresses that you specify
> with inet_protocols.

Agree. But unless I give it the address to use, in addition to

    -o inet_protocols=ipv6

...it does not use the IPv6 addr. I have to add it as -o inet_interfaces in master.cf as it will not pick it from main.cf.

Regards
Thomas

Re: Transport Map for selective IPv4/IPv6 per site

Wietse Venema
Thomas Leuxner:

> * Wietse Venema <[hidden email]> 2015.01.06 12:52:
>
> > Postfix supports the protocol addresses that you specify
> > with inet_protocols.
>
> Agree. But unless I give it the address to use, in addition to
>
>     -o inet_protocols=ipv6
>
> ...it does not use the IPv6 addr. I have to add it as -o inet_interfaces
> in master.cf as it will not pick it from main.cf.

IF you want to use IPv6 address syntax in inet_interfaces or elsewhere,

THEN you must enable IPv6 protocol support in main.cf or master.cf
with inet_protocols=all, inet_protocols=ipv4,ipv6, or inet_protocols=ipv6.

I hope this clarifies that there is no contradiction or inconsistency
in the manner that Postfix IPv6 protocol support works.

        Wietse

Re: Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
* Wietse Venema <[hidden email]> 2015.01.06 14:35:

> IF you want to use IPv6 address syntax in inet_interfaces or elsewhere,
>
> THEN you must enable IPv6 protocol support in main.cf or master.cf
> with inet_protocols=all, inet_protocols=ipv4,ipv6, or inet_protocols=ipv6.
>
> I hope this clarifies that there is no contradiction or inconsistency
> in the manner that Postfix IPv6 protocol support works.
>
> Wietse

main.cf:

# postconf -n inet_protocols
inet_protocols = ipv4, ipv6

# postconf -n inet_interfaces
inet_interfaces = 188.138.4.217, 2001:470:1f0b:bd0::3

That's what I had set up from the start. I'm baffled because I can't override it in master.cf (referring to the original recipe). By protocol is not enough, I *have* to set the interface IPv6 address too:

# postconf -Mf smtp-ipv6
smtp-ipv6  unix  -       -       -       -       -       smtp
    -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
    -o inet_protocols=ipv6
    -o inet_interfaces=2001:470:1f0b:bd0::3

If I omit the last line, it fails...

Re: Transport Map for selective IPv4/IPv6 per site

Wietse Venema
Thomas Leuxner:

> * Wietse Venema <[hidden email]> 2015.01.06 14:35:
>
> > IF you want to use IPv6 address syntax in inet_interfaces or elsewhere,
> >
> > THEN you must enable IPv6 protocol support in main.cf or master.cf
> > with inet_protocols=all, inet_protocols=ipv4,ipv6, or inet_protocols=ipv6.
> >
> > I hope this clarifies that there is no contradiction or inconsistency
> > in the manner that Postfix IPv6 protocol support works.
> >
> > Wietse
>
> main.cf:
>
> # postconf -n inet_protocols
> inet_protocols = ipv4, ipv6
>
> # postconf -n inet_interfaces
> inet_interfaces = 188.138.4.217, 2001:470:1f0b:bd0::3
>
> That's what I had set up from the start. I'm baffled because I can't override it in master.cf (referring to the original recipe). By protocol is not enough, I *have* to set the interface IPv6 address too:
>
> # postconf -Mf smtp-ipv6
> smtp-ipv6  unix  -       -       -       -       -       smtp
>     -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
>     -o inet_protocols=ipv6
>     -o inet_interfaces=2001:470:1f0b:bd0::3
>
> If I omit the last line, it fails...

Of course it fails. If you omit "-o inet_interfaces=2001:470:1f0b:bd0::3"
from master.cf, it will use "inet_interfaces = 188.138.4.217,
2001:470:1f0b:bd0::3" from main.cf.

IF you specify an IPv4 address in inet_interfaces.
THEN you must enable IPv4 support with inet_protocols.

IF you don't want to enable IPv4 support
THEN don't specify an IPv4 address in inet_interfaces.

        Wietse

Re: Transport Map for selective IPv4/IPv6 per site

Viktor Dukhovni
In reply to this post by Thomas Leuxner
On Tue, Jan 06, 2015 at 10:53:42AM +0100, Thomas Leuxner wrote:

> # postconf -n | grep inet
> inet_interfaces = 188.138.4.217, 2001:470:1f0b:bd0::3
> inet_protocols = ipv4, ipv6

Do this instead:

    main.cf:
        ipv4_interfaces = 188.138.4.217
        ipv6_interfaces = 2001:470:1f0b:bd0::3
        inet_interfaces = $ipv4_interfaces, $ipv6_interfaces
        inet_protocols = ipv4, ipv6

    master.cf:
        smtp-ipv6  unix  -       -       -       -       -       smtp
            -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
            -o inet_protocols=ipv6
            -o inet_interfaces=$ipv6_interfaces
        smtp-ipv4  unix  -       -       -       -       -       smtp
            -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
            -o inet_protocols=ipv4
            -o inet_interfaces=$ipv4_interfaces

--
        Viktor.
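
The consistency rule from Wietse's replies and the per-family variables from Viktor's configuration, as an added example that is not part of the original thread or of Postfix itself: a Python check that layers each master.cf "-o" override over main.cf, expands $name references, and reports literal inet_interfaces addresses whose family inet_protocols does not enable. The parameter values are taken from the thread; the service name smtp-ipv6-broken and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: main.cf values as in the thread.
MAIN_CF = {
    "ipv4_interfaces": "188.138.4.217",
    "ipv6_interfaces": "2001:470:1f0b:bd0::3",
    "inet_interfaces": "$ipv4_interfaces, $ipv6_interfaces",
    "inet_protocols": "ipv4, ipv6",
}
# Constructed sample: per-service "-o" overrides (smtp-ipv6-broken is hypothetical).
SERVICES = {
    "smtp-ipv6-broken": {"inet_protocols": "ipv6"},
    "smtp-ipv6": {"inet_protocols": "ipv6", "inet_interfaces": "$ipv6_interfaces"},
    "smtp-ipv4": {"inet_protocols": "ipv4", "inet_interfaces": "$ipv4_interfaces"},
}

def expand(value, params, depth=0):
    """Recursively expand $name / ${name}; unknown names expand to empty."""
    if depth > 10:
        raise ValueError("parameter expansion loop")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)

def enabled_families(inet_protocols):
    """Map an inet_protocols value to the set of enabled IP versions."""
    protos = {p.lower() for p in re.split(r"[,\s]+", inet_protocols.strip()) if p}
    if "all" in protos:
        return {4, 6}
    return {int(p[-1]) for p in protos if p in ("ipv4", "ipv6")}

def check_service(overrides, main_cf=MAIN_CF):
    """Return one message per address whose family is not enabled."""
    params = {**main_cf, **overrides}      # an override replaces the main.cf value
    families = enabled_families(expand(params["inet_protocols"], params))
    problems = []
    for item in re.split(r"[,\s]+", expand(params["inet_interfaces"], params)):
        if not item or item in ("all", "loopback-only"):
            continue
        try:
            addr = ipaddress.ip_address(item.strip("[]"))
        except ValueError:
            continue                       # hostname: not checked here
        if addr.version not in families:
            problems.append(f"{item}: IPv{addr.version} address, family not enabled")
    return problems

if __name__ == "__main__":
    for name, overrides in SERVICES.items():
        print(name, check_service(overrides) or "ok")
```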

Re: Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
In reply to this post by Wietse Venema
* Wietse Venema <[hidden email]> 2015.01.06 17:16:

> > # postconf -Mf smtp-ipv6
> > smtp-ipv6  unix  -       -       -       -       -       smtp
> >     -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
> >     -o inet_protocols=ipv6
> >     -o inet_interfaces=2001:470:1f0b:bd0::3
> >
> > If I omit the last line, it fails...
>
> Of course it fails. If you omit "-o inet_interfaces=2001:470:1f0b:bd0::3"
> from master.cf, it will use "inet_interfaces = 188.138.4.217,
> 2001:470:1f0b:bd0::3" from main.cf.
>
> IF you specify an IPv4 address in inet_interfaces.
> THEN you must enable IPv4 support with inet_protocols.
>
> IF you don't want to enable IPv4 support
> THEN don't specify an IPv4 address in inet_interfaces.

Got it. Thanks Wietse.

Re: Transport Map for selective IPv4/IPv6 per site

Thomas Leuxner
In reply to this post by Viktor Dukhovni
* Viktor Dukhovni <[hidden email]> 2015.01.06 17:25:

> Do this instead:
>
>     main.cf:
> ipv4_interfaces = 188.138.4.217
> ipv6_interfaces = 2001:470:1f0b:bd0::3
> inet_interfaces = $ipv4_interfaces, $ipv6_interfaces
> inet_protocols = ipv4, ipv6
>
>     master.cf:
> smtp-ipv6  unix  -       -       -       -       -       smtp
>    -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
>    -o inet_protocols=ipv6
>    -o inet_interfaces=$ipv6_interfaces
> smtp-ipv4  unix  -       -       -       -       -       smtp
>    -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
>    -o inet_protocols=ipv4
>    -o inet_interfaces=$ipv4_interfaces
>
Neat! Thanks for the suggestion Viktor. Eventually implemented like this:

smtp      unix  -       -       -       -       -       smtp
  -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
smtp-ipv4 unix  -       -       -       -       -       smtp
  -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
  -o inet_protocols=ipv4
  -o inet_interfaces=$ipv4_interfaces
smtp-ipv6 unix  -       -       -       -       -       smtp
  -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
  -o inet_protocols=ipv6

Re: Transport Map for selective IPv4/IPv6 per site

Benny Pedersen-2
In reply to this post by Thomas Leuxner
On 6. jan. 2015 15.08.00 Thomas Leuxner <[hidden email]> wrote:

> # postconf -Mf smtp-ipv6
> smtp-ipv6  unix  -       -       -       -       -       smtp

chroot

>     -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
>     -o inet_protocols=ipv6
>     -o inet_interfaces=2001:470:1f0b:bd0::3
>
> If I omit the last line, it fails...

try again without chroot

Re: Transport Map for selective IPv4/IPv6 per site

Viktor Dukhovni
On Tue, Jan 06, 2015 at 11:59:44PM +0100, Benny Pedersen wrote:

> >    -o smtp_header_checks=pcre:$config_directory/header_checks_smtp_out
> >    -o inet_protocols=ipv6
> >    -o inet_interfaces=2001:470:1f0b:bd0::3
> >
> >If I omit the last line, it fails...
>
> try again without chroot

Let's avoid random advice, thanks.

--
        Viktor.