delaying postfix until/unless VPN is up/connected

classic Classic list List threaded Threaded
43 messages Options
123
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Bob Proulx
Wietse Venema wrote:
> Ranjan Maitra:
> > Thanks, except that it does not send even when VPN is up. I get
> > the same message and I can get it to send only when I change my
> > relayhost back to the default.

What is your relayhost setting?

> 2) the remote relayhost must only accept mail when the VPN is up.

When the VPN is up verify that your relayhost setting is correct.  The
above sounds as if it is not.

If it were me I would use 'nc' to connect to the same address and port
as configured for relayhost and verify the SMTP header is being seen.
It's all text.  If you can't connect with 'nc' then the problem is the
address or port.  Upon connection you should get an SMTP banner.

By the discussion thread I hope you are trying to connect to an
address that is only available when the VPN is up.  Such as a VPN
private address for your mail relay that is not available when the VPN
is down but is available when the VPN is up.

For example many use 172.16.0.0/12 addresses for VPNs.  For example.
If so then if the mail relay host VPN address is 172.16.10.101 then
connecting there should work only when the VPN is up but not when it
is down.  In which case, for example, this following would work only
when the VPN is up.

  $ nc 172.16.10.101 25
  220 mail.example.com ESMTP Postfix

If you can't connect and get a banner then Postfix can't connect and
get a banner.

Bob
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Bastian Blank-3
In reply to this post by Ranjan Maitra
On Mon, Mar 23, 2020 at 01:04:44PM -0500, Ranjan Maitra wrote:
> So, I am wondering if I it is possible to have a setup whereby postfix is delayed unless/until VPN is up and running. If VPN is down, then I would like postfix to be delayed until such time as it comes up. If it is possible, how do I go about doing this? Other ideas?

I would just reject SMTP connections outgoing on your non-VPN interfaces.

| iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
| iptables -A OUTPUT -m tcp --dport 25 -j REJECT

Bastian

--
Each kiss is as the first.
                -- Miramanee, Kirk's wife, "The Paradise Syndrome",
                   stardate 4842.6
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
On Mon, 30 Mar 2020 13:11:42 +0200 Bastian Blank <bastian+postfix-users=[hidden email]> wrote:

> On Mon, Mar 23, 2020 at 01:04:44PM -0500, Ranjan Maitra wrote:
> > So, I am wondering if I it is possible to have a setup whereby postfix is delayed unless/until VPN is up and running. If VPN is down, then I would like postfix to be delayed until such time as it comes up. If it is possible, how do I go about doing this? Other ideas?
>
> I would just reject SMTP connections outgoing on your non-VPN interfaces.
>
> | iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
> | iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>

Thanks very much! This seems to a very simple solution. And would this delay postfix until VPN is up and running for messages that are sent?

Also, just to be clear, I tried

echo $vpn

with and without VPN connected. I got a blank. Is this expected? (I was expecting the VPN connection to show up when I had VPN running.)

Many thanks and best wishes,
Ranjan



Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
In reply to this post by Bastian Blank-3
On Mon, 30 Mar 2020 13:11:42 +0200 Bastian Blank <bastian+postfix-users=[hidden email]> wrote:

> On Mon, Mar 23, 2020 at 01:04:44PM -0500, Ranjan Maitra wrote:
> > So, I am wondering if I it is possible to have a setup whereby postfix is delayed unless/until VPN is up and running. If VPN is down, then I would like postfix to be delayed until such time as it comes up. If it is possible, how do I go about doing this? Other ideas?
>
> I would just reject SMTP connections outgoing on your non-VPN interfaces.
>
> | iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
> | iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>

So, I was trying this out:

$ sudo iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
Try `iptables -h' or 'iptables --help' for more information.

Should I be matching with something other than tcp?

Many thanks,
Ranjan
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Peter Ajamian
In reply to this post by Ranjan Maitra
On 31/03/20 2:19 am, Ranjan Maitra wrote:

> On Mon, 30 Mar 2020 13:11:42 +0200 Bastian Blank <bastian+postfix-users=[hidden email]> wrote:
>
>> On Mon, Mar 23, 2020 at 01:04:44PM -0500, Ranjan Maitra wrote:
>>> So, I am wondering if I it is possible to have a setup whereby postfix is delayed unless/until VPN is up and running. If VPN is down, then I would like postfix to be delayed until such time as it comes up. If it is possible, how do I go about doing this? Other ideas?
>>
>> I would just reject SMTP connections outgoing on your non-VPN interfaces.
>>
>> | iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
>> | iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>>
>
> Thanks very much! This seems to a very simple solution. And would this delay postfix until VPN is up and running for messages that are sent?
>
> Also, just to be clear, I tried
>
> echo $vpn
>
> with and without VPN connected. I got a blank. Is this expected? (I was expecting the VPN connection to show up when I had VPN running.)

Substitute the name of your VPN interface for $vpn.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Bob Proulx
In reply to this post by Ranjan Maitra
Ranjan Maitra wrote:

> Bastian Blank wrote:
> > I would just reject SMTP connections outgoing on your non-VPN interfaces.
> > | iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
> > | iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>
> So, I was trying this out:
>
> $ sudo iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
> Try `iptables -h' or 'iptables --help' for more information.
>
> Should I be matching with something other than tcp?

The "$vpn" part is a variable was simply a placeholder for the IP
address of your VPN connected relayhost.  It would be an IP address
like 93.184.216.34 but put in the IP address of your relay host that
is only accessible when the VPN is up.

  iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
  iptables -A OUTPUT -m tcp --dport 25 -j REJECT

But replace 93.184.216.34 with the IP address of your VPN relay host.
I simply used an actual address inorder to clarify the example.

What that does is it allows port 25 SMTP connections to 93.184.216.34
but then blocks all other port 25 SMTP connections to other addresses.

If you are using port 587 instead of port 25 then repeat those lines
with port 587.

BTW...  +1 for Bastian's very simple and elegant suggestion. :-)

Bob
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
On Mon, 30 Mar 2020 22:42:25 -0600 Bob Proulx <[hidden email]> wrote:

> Ranjan Maitra wrote:
> > Bastian Blank wrote:
> > > I would just reject SMTP connections outgoing on your non-VPN interfaces.
> > > | iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
> > > | iptables -A OUTPUT -m tcp --dport 25 -j REJECT
> >
> > So, I was trying this out:
> >
> > $ sudo iptables -A OUTPUT -o $vpn -m tcp --dport 25 -j ACCEPT
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> > Should I be matching with something other than tcp?
>
> The "$vpn" part is a variable was simply a placeholder for the IP
> address of your VPN connected relayhost.  It would be an IP address
> like 93.184.216.34 but put in the IP address of your relay host that
> is only accessible when the VPN is up.
>
>   iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
>   iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>
> But replace 93.184.216.34 with the IP address of your VPN relay host.
> I simply used an actual address inorder to clarify the example.
>
> What that does is it allows port 25 SMTP connections to 93.184.216.34
> but then blocks all other port 25 SMTP connections to other addresses.
>
> If you are using port 587 instead of port 25 then repeat those lines
> with port 587.

Thank you for this detailed explanation. Just to be sure, is the VPN IP address something that is static/constant or does it change from one connection to the next? I just do not know if the VPN IP address changes with DHCP?

Many thanks again and best wishes,
Ranjan
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Peter Ajamian
In reply to this post by Bob Proulx
On 31/03/20 5:42 pm, Bob Proulx wrote:

> The "$vpn" part is a variable was simply a placeholder for the IP
> address of your VPN connected relayhost.  It would be an IP address
> like 93.184.216.34 but put in the IP address of your relay host that
> is only accessible when the VPN is up.
>
>    iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
>    iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>
> But replace 93.184.216.34 with the IP address of your VPN relay host.
> I simply used an actual address inorder to clarify the example.

Actually it's an interface name (such as tun0), not an IP address:


[!] -o, --out-interface name
               Name of an interface via which a packet is going to be
sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains).
When the "!" argument is  used  before  the
               interface  name,  the  sense  is inverted.  If the
interface name ends in a "+", then any interface which begins with this
name will match.  If this option is omitted, any
               interface name will match.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Tessa Plum
sorry just OT, my VPS has only IPv6 interface, can I deploy it as mail
server?

Thank you.
Tessa

Peter wrote:
> Actually it's an interface name (such as tun0), not an IP address:
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
In reply to this post by Peter Ajamian
On Tue, 31 Mar 2020 19:41:58 +1300 Peter <[hidden email]> wrote:

> On 31/03/20 5:42 pm, Bob Proulx wrote:
> > The "$vpn" part is a variable was simply a placeholder for the IP
> > address of your VPN connected relayhost.  It would be an IP address
> > like 93.184.216.34 but put in the IP address of your relay host that
> > is only accessible when the VPN is up.
> >
> >    iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
> >    iptables -A OUTPUT -m tcp --dport 25 -j REJECT
> >
> > But replace 93.184.216.34 with the IP address of your VPN relay host.
> > I simply used an actual address inorder to clarify the example.
>
> Actually it's an interface name (such as tun0), not an IP address:
>
>
> [!] -o, --out-interface name
>                Name of an interface via which a packet is going to be
> sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains).
> When the "!" argument is  used  before  the
>                interface  name,  the  sense  is inverted.  If the
> interface name ends in a "+", then any interface which begins with this
> name will match.  If this option is omitted, any
>                interface name will match.
>

Hi,

Thanks very much! My VPN interface ic alled cscotun0 so I use:

$ sudo iptables -A OUTPUT -o cscotun0  -m tcp --dport 25 -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

I run dmesg but I am not sure what to find there.

My port is 25.

Btw,

$iptables -h
iptables v1.8.3

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain Append to chain
  --check   -C chain Check for the existence of a rule
  --delete  -D chain Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain] Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain Create a new user-defined chain
  --delete-chain
            -X [chain] Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
    --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match -m match
                                extended match (may load extension)
  --numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table -t table table to manipulate (default: `filter')
  --verbose -v verbose mode
  --wait -w [seconds] maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs] wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers print line numbers when listing
  --exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
  --modprobe=<command> try to insert modules using this command
  --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

What is wrong here?

Many thanks again and best wishes,
Ranjan
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Bob Proulx
In reply to this post by Peter Ajamian
Peter wrote:
> Bob Proulx wrote:
> >    iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
> >    iptables -A OUTPUT -m tcp --dport 25 -j REJECT
> >
> > But replace 93.184.216.34 with the IP address of your VPN relay host.
> > I simply used an actual address inorder to clarify the example.
>
> Actually it's an interface name (such as tun0), not an IP address:

Oh how embarrassing for me.  Thank you for fixing my error!

Bob
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Peter Ajamian
In reply to this post by Ranjan Maitra
On 1/04/20 1:42 am, Ranjan Maitra wrote:

> On Tue, 31 Mar 2020 19:41:58 +1300 Peter <[hidden email]> wrote:
>
>> On 31/03/20 5:42 pm, Bob Proulx wrote:
>>> The "$vpn" part is a variable was simply a placeholder for the IP
>>> address of your VPN connected relayhost.  It would be an IP address
>>> like 93.184.216.34 but put in the IP address of your relay host that
>>> is only accessible when the VPN is up.
>>>
>>>     iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
>>>     iptables -A OUTPUT -m tcp --dport 25 -j REJECT
>>>
>>> But replace 93.184.216.34 with the IP address of your VPN relay host.
>>> I simply used an actual address inorder to clarify the example.
>>
>> Actually it's an interface name (such as tun0), not an IP address:
>>
>>
>> [!] -o, --out-interface name
>>                 Name of an interface via which a packet is going to be
>> sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains).
>> When the "!" argument is  used  before  the
>>                 interface  name,  the  sense  is inverted.  If the
>> interface name ends in a "+", then any interface which begins with this
>> name will match.  If this option is omitted, any
>>                 interface name will match.
>>
>
> Hi,
>
> Thanks very much! My VPN interface ic alled cscotun0 so I use:
>
> $ sudo iptables -A OUTPUT -o cscotun0  -m tcp --dport 25 -j ACCEPT
> iptables: Invalid argument. Run `dmesg' for more information.

It should be -p tcp not -m tcp.

> I run dmesg but I am not sure what to find there.

Look for an error from ip_tables towards the end of the messages.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
On Wed, 1 Apr 2020 09:51:31 +1300 Peter <[hidden email]> wrote:

> On 1/04/20 1:42 am, Ranjan Maitra wrote:
> > On Tue, 31 Mar 2020 19:41:58 +1300 Peter <[hidden email]> wrote:
> >
> >> On 31/03/20 5:42 pm, Bob Proulx wrote:
> >>> The "$vpn" part is a variable was simply a placeholder for the IP
> >>> address of your VPN connected relayhost.  It would be an IP address
> >>> like 93.184.216.34 but put in the IP address of your relay host that
> >>> is only accessible when the VPN is up.
> >>>
> >>>     iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
> >>>     iptables -A OUTPUT -m tcp --dport 25 -j REJECT
> >>>
> >>> But replace 93.184.216.34 with the IP address of your VPN relay host.
> >>> I simply used an actual address inorder to clarify the example.
> >>
> >> Actually it's an interface name (such as tun0), not an IP address:
> >>
> >>
> >> [!] -o, --out-interface name
> >>                 Name of an interface via which a packet is going to be
> >> sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains).
> >> When the "!" argument is  used  before  the
> >>                 interface  name,  the  sense  is inverted.  If the
> >> interface name ends in a "+", then any interface which begins with this
> >> name will match.  If this option is omitted, any
> >>                 interface name will match.
> >>
> >
> > Hi,
> >
> > Thanks very much! My VPN interface ic alled cscotun0 so I use:
> >
> > $ sudo iptables -A OUTPUT -o cscotun0  -m tcp --dport 25 -j ACCEPT
> > iptables: Invalid argument. Run `dmesg' for more information.
>
> It should be -p tcp not -m tcp.
>
> > I run dmesg but I am not sure what to find there.
>
> Look for an error from ip_tables towards the end of the messages.
>

Hi,

Sorry, but I did the following:

sudo iptables -A OUTPUT -o cscotun0  -p tcp --dport 25 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT

However, what has happened is that all my mail going out has stopped?

How do I revert it back to what I used to have?

Also, what is going wrong?

Many thanks,
Ranjan





Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Peter Ajamian
On 1/04/20 10:10 am, Ranjan Maitra wrote:
> sudo iptables -A OUTPUT -o cscotun0  -p tcp --dport 25 -j ACCEPT
> sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
>
> However, what has happened is that all my mail going out has stopped?
>
> How do I revert it back to what I used to have?

Look at the iptables man page, see the -D command.  Also you should be
using iptables-save so you can easily revert when you mess up.

> Also, what is going wrong?

The first rule should allow any outbound tcp packets that are destined
for the csctun0 device on port 25.

The second rule will stop any port 25 tcp packets that are not matched
by the first rule.

Are the messages that are not going through when the VPN is up?  Are
they supposed to go through the VPN?  Can you provide info as per the
DEBUG_README?


Peter
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
In reply to this post by Wietse Venema
On Mon, 23 Mar 2020 17:19:42 -0400 (EDT) Wietse Venema <[hidden email]> wrote:

> Corrected code follows (missing do/done).
>
> Save to file, chmod +x  name-of-file, don't run this script from
> cron.
>
> It needs to be started at boot time, or before you make a VPN
> connection.
>
> #!/bin/sh
>
> while :
> do
>     ifconfig xxx | egrep 'UP|DOWN'
>     sleep 2
> done | while read status
> do
>     case "$status" in
>   *UP*) if [ "$prev" -ne up ]
>         then
>             prev=up
>             postconf -X defer_transports
>             postfix reload
>         fi;;
>      *) if [ "$prev" -ne down ]
>         then
>             prev=down
>             postconf defer_transports=smtp
>             postfix reload
>         fi;;
>     esac
> done
>
>         Wietse
>


Hi,

Sorry to bring this up after a while, but I have been trying this code, but seem to hit a syntax error:

line 10: [: : integer expression expected


Line10: is  the following line:

  *UP*) if [ "$prev" -ne up ]

Any help?

Many thanks,
Ranjan

Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Bill Cole-3
On 17 Apr 2020, at 0:57, Ranjan Maitra wrote:

> On Mon, 23 Mar 2020 17:19:42 -0400 (EDT) Wietse Venema
> <[hidden email]> wrote:
>
>> Corrected code follows (missing do/done).
>>
>> Save to file, chmod +x  name-of-file, don't run this script from
>> cron.
>>
>> It needs to be started at boot time, or before you make a VPN
>> connection.
>>
>> #!/bin/sh
>>
>> while :
>> do
>>     ifconfig xxx | egrep 'UP|DOWN'
>>     sleep 2
>> done | while read status
>> do
>>     case "$status" in
>>   *UP*) if [ "$prev" -ne up ]
>>         then
>>             prev=up
>>             postconf -X defer_transports
>>             postfix reload
>>         fi;;
>>      *) if [ "$prev" -ne down ]
>>         then
>>             prev=down
>>             postconf defer_transports=smtp
>>             postfix reload
>>         fi;;
>>     esac
>> done
>>
>>         Wietse
>>
>
>
> Hi,
>
> Sorry to bring this up after a while, but I have been trying this
> code, but seem to hit a syntax error:
>
> line 10: [: : integer expression expected
>
>
> Line10: is  the following line:
>
>   *UP*) if [ "$prev" -ne up ]
>
> Any help?

Make that line:

    *UP*) if [ "$prev" = up ]

Also replace '-ne' in line 16 with '='



--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ansgar Wiechers
On 2020-04-17 Bill Cole wrote:

> On 17 Apr 2020, at 0:57, Ranjan Maitra wrote:
> > On Mon, 23 Mar 2020 17:19:42 -0400 (EDT) Wietse Venema wrote:
> > > #!/bin/sh
> > >
> > > while :
> > > do
> > >     ifconfig xxx | egrep 'UP|DOWN'
> > >     sleep 2
> > > done | while read status
> > > do
> > >     case "$status" in
> > >      *UP*) if [ "$prev" -ne up ]
> > >         then
> > >             prev=up
> > >             postconf -X defer_transports
> > >             postfix reload
> > >         fi;;
> > >      *) if [ "$prev" -ne down ]
> > >         then
> > >             prev=down
> > >             postconf defer_transports=smtp
> > >             postfix reload
> > >         fi;;
> > >     esac
> > > done
> >
> > Sorry to bring this up after a while, but I have been trying this code,
> > but seem to hit a syntax error:
> >
> > line 10: [: : integer expression expected
> >
> >
> > Line10: is  the following line:
> >
> >   *UP*) if [ "$prev" -ne up ]
> >
> > Any help?
>
> Make that line:
>
>    *UP*) if [ "$prev" = up ]
>
> Also replace '-ne' in line 16 with '='

If I'm not mistaken, the '-ne' in both lines (10 & 16) should be '!='.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Bill Cole-3
On 17 Apr 2020, at 2:52, Ansgar Wiechers wrote:

> On 2020-04-17 Bill Cole wrote:
>> On 17 Apr 2020, at 0:57, Ranjan Maitra wrote:
>>> On Mon, 23 Mar 2020 17:19:42 -0400 (EDT) Wietse Venema wrote:
>>>> #!/bin/sh
>>>>
>>>> while :
>>>> do
>>>>     ifconfig xxx | egrep 'UP|DOWN'
>>>>     sleep 2
>>>> done | while read status
>>>> do
>>>>     case "$status" in
>>>>      *UP*) if [ "$prev" -ne up ]
>>>>         then
>>>>             prev=up
>>>>             postconf -X defer_transports
>>>>             postfix reload
>>>>         fi;;
>>>>      *) if [ "$prev" -ne down ]
>>>>         then
>>>>             prev=down
>>>>             postconf defer_transports=smtp
>>>>             postfix reload
>>>>         fi;;
>>>>     esac
>>>> done
>>>
>>> Sorry to bring this up after a while, but I have been trying this code,
>>> but seem to hit a syntax error:
>>>
>>> line 10: [: : integer expression expected
>>>
>>>
>>> Line10: is  the following line:
>>>
>>>   *UP*) if [ "$prev" -ne up ]
>>>
>>> Any help?
>>
>> Make that line:
>>
>>    *UP*) if [ "$prev" = up ]
>>
>> Also replace '-ne' in line 16 with '='
>
> If I'm not mistaken, the '-ne' in both lines (10 & 16) should be '!='.

Oops, yes: YOU ARE CORRECT.




--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Gregory Heytings
In reply to this post by Ranjan Maitra

Ranjan Maitra:

>
>> Wietse Venema:
>>
>> Corrected code follows (missing do/done).
>>
>> Save to file, chmod +x name-of-file, don't run this script from cron.
>>
>> It needs to be started at boot time, or before you make a VPN
>> connection.
>>
>> #!/bin/sh
>>
>> while :
>> do
>>     ifconfig xxx | egrep 'UP|DOWN'
>>     sleep 2
>> done | while read status
>> do
>>     case "$status" in
>>   *UP*) if [ "$prev" -ne up ]
>>         then
>>             prev=up
>>             postconf -X defer_transports
>>             postfix reload
>>         fi;;
>>      *) if [ "$prev" -ne down ]
>>         then
>>             prev=down
>>             postconf defer_transports=smtp
>>             postfix reload
>>         fi;;
>>     esac
>> done
>>
>>         Wietse
>>
>
> line 10: [: : integer expression expected
>
> Line10: is  the following line:
>
>  *UP*) if [ "$prev" -ne up ]
>

Wietse wrote earlier that this was "totally untested code".

You should replace the two "-ne" with "!=".

Also, $prev has not been assigned the first time the second loop ("while
read status do ... done") is executed.  So you should add "prev=down"
before the "while :".

Finally, note that you should also replace the "xxx" (in "ifconfig xxx")
with the actual name if your VPN interface, typically "tun0" or "tap0".

Gregory
Reply | Threaded
Open this post in threaded view
|

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra
On Fri, 17 Apr 2020 08:05:28 +0000 Gregory Heytings <[hidden email]> wrote:

>
> Ranjan Maitra:
> >
> >> Wietse Venema:
> >>
> >> Corrected code follows (missing do/done).
> >>
> >> Save to file, chmod +x name-of-file, don't run this script from cron.
> >>
> >> It needs to be started at boot time, or before you make a VPN
> >> connection.
> >>
> >> #!/bin/sh
> >>
> >> while :
> >> do
> >>     ifconfig xxx | egrep 'UP|DOWN'
> >>     sleep 2
> >> done | while read status
> >> do
> >>     case "$status" in
> >>   *UP*) if [ "$prev" -ne up ]
> >>         then
> >>             prev=up
> >>             postconf -X defer_transports
> >>             postfix reload
> >>         fi;;
> >>      *) if [ "$prev" -ne down ]
> >>         then
> >>             prev=down
> >>             postconf defer_transports=smtp
> >>             postfix reload
> >>         fi;;
> >>     esac
> >> done
> >>
> >>         Wietse
> >>
> >
> > line 10: [: : integer expression expected
> >
> > Line10: is  the following line:
> >
> >  *UP*) if [ "$prev" -ne up ]
> >
>
> Wietse wrote earlier that this was "totally untested code".
>
> You should replace the two "-ne" with "!=".
>
> Also, $prev has not been assigned the first time the second loop ("while
> read status do ... done") is executed.  So you should add "prev=down"
> before the "while :".
>
> Finally, note that you should also replace the "xxx" (in "ifconfig xxx")
> with the actual name if your VPN interface, typically "tun0" or "tap0".
>

Yes, thanks very much for this. He did say untested code, but it has been very helpful!

Btw, for me, when ifconfig is DOWN, I do not get a down.

$  ifconfig xxx | egrep 'UP|DOWN'
xxx: error fetching interface information: Device not found

while:

$  ifconfig xxx | egrep 'UP|DOWN'
xxx: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1406

when it is up, with xxx being replaced by the name of the VPN tunnel.

I think I am going to modify the script to try:

$ nmcli connection show --active | grep xxx | echo $?

which is 0 or 1 depending on up or down.

Many thanks again for all the help from everyone, and best wishes,
Ranjan



--
Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses.

123