filtering mail from outside with dynamic address


filtering mail from outside with dynamic address

Florin Andrei
Running Postfix 2.5.5 on Linux. The system is multihomed, connected to
several private networks, and to the Internet with a dynamic DNS hostname.

I'm using Amavisd-new with SpamAssassin and a bunch of other things to
filter email. Currently all email is filtered by Amavis. But I want to
only filter messages coming from the outside. I read this document...

http://www.postfix.org/FILTER_README.html#remote_only

...and it makes sense, except there's a problem: my public IP is dynamic.

Is there a way to bind the listener to an interface using the interface
name (eth5:smtp) instead of the IP (1.2.3.4:smtp)?

If that's not possible, I guess I could create a fixed-address virtual
interface on the server, bind the listener to it, and then make a
"wormhole" with iptables between the dynamic outside interface and the
fixed virtual interface.
But that's pretty convoluted. I prefer to keep things simple, hence this
inquiry.

--
Florin Andrei

http://florin.myip.org/

Re: filtering mail from outside with dynamic address

Florin Andrei
Florin Andrei wrote:
>
> Is there a way to bind the listener to an interface using the interface
> name (eth5:smtp) instead of the IP (1.2.3.4:smtp)?

Also, you know what would *really* help? The ability to say: "bind to
all interfaces except this one", by name. That would be really, really
neat. Then I could configure the listener completely with only two lines:

!eth5:smtp inet ...
        -o smtpd_client_restrictions=permit_mynetworks,reject
eth5:smtp inet ...
        -o content_filter=filter-service:filter-destination
        -o receive_override_options=no_address_mappings

--
Florin Andrei

http://florin.myip.org/

Re: filtering mail from outside with dynamic address

Wietse Venema
Florin Andrei:
> Florin Andrei wrote:
> >
> > Is there a way to bind the listener to an interface using the interface
> > name (eth5:smtp) instead of the IP (1.2.3.4:smtp)?

No. The bind(2) system call specifies an address. Not an interface,
and not the route. Connections with source address of X are not
necessarily sent out via interface X. The interface is chosen
depending on the destination of the connection.

        Wietse

Re: filtering mail from outside with dynamic address

Florin Andrei
Wietse Venema wrote:
> Florin Andrei:
>> Florin Andrei wrote:
>>> Is there a way to bind the listener to an interface using the interface
>>> name (eth5:smtp) instead of the IP (1.2.3.4:smtp)?
>
> No. The bind(2) system call specifies an address. Not an interface,
> and not the route. Connections with source address of X are not
> necessarily sent out via interface X. The interface is chosen
> depending on the destination of the connection.

I understand. It makes perfect sense from the perspective of the programmer.

But switch the perspective and look at it from the p.o.v. of the
sysadmin. In that case, it would be so nice to say "hey, bind to
interface ethX and stay there".

It's not unheard of either. Right now, on my home server, I've at least
three services running that are configured like that: samba, dhcpd and
mediatomb (a UPnP multimedia server). So it's not just doable, but quite
a widespread practice among open source projects.

This trick makes configuration so much easier on multihomed machines.
/etc/samba/smb.conf is a great example of a flexible configuration
syntax: you can mix and match addresses and interface names.

--
Florin Andrei

http://florin.myip.org/

Re: filtering mail from outside with dynamic address

Mikael Bak
In reply to this post by Florin Andrei
Hi,

Florin Andrei wrote:
> Running Postfix 2.5.5 on Linux. The system is multihomed, connected to
> several private networks, and to the Internet with a dynamic DNS hostname.
>

Is it really recommended to run a mail server that accepts email from
outside with a non-static IP address?

I would not do it.

Mikael

Re: filtering mail from outside with dynamic address

Barney Desmond
In reply to this post by Florin Andrei
2009/8/12 Florin Andrei <[hidden email]>:

>>>> Is there a way to bind the listener to an interface using the interface
>>>> name (eth5:smtp) instead of the IP (1.2.3.4:smtp)?
>>
>> No. The bind(2) system call specifies an address. Not an interface,
>> and not the route. Connections with source address of X are not
>> necessarily sent out via interface X. The interface is chosen
>> depending on the destination of the connection.
>
> I understand. It makes perfect sense from the perspective of the programmer.
>
> But switch the perspective and look at it from the p.o.v. of the sysadmin.
> In that case, it would be so nice to say "hey, bind to interface ethX and
> stay there".
>
> It's not unheard of either. Right now, on my home server, I've at least
> three services running that are configured like that: samba, dhcpd and
> mediatomb (a UPnP multimedia server). So it's not just doable, but quite a
> widespread practice among open source projects.

Right, but it'd introduce unnecessary complexity and possible
unexpected behaviour, something strongly frowned upon. As you mention,
there is software that can do this (the fact that it's open-source
isn't really relevant though), but I'd argue it's just something
postfix doesn't need. "It's not that kind of service", or something.

There's also the matter of having multiple IP addresses on an
interface. My own experience is limited; I can't remember if you can
add another address to an interface without using aliases. My
experience is linux-only; I use colons in the aliased interface names,
and that'd cause problems with IPv6. If I use tagged VLANs (802.1q) then
I'll have dots in the name, which might look like an IPv4 address. *BSD
might do things differently again; it could be very messy.

But if you insist, you could script this behaviour yourself. Maybe
there's a sane way to get this out of the kernel; this is just the
quickest thing I could come up with in my sleep-deprived state. grep
out the lines you want, cut it up to grab the addresses, and feed it
to postconf -e, whatever makes you happy. This is strictly a "works
for me" example.


#!/bin/sh
# this is crap, won't handle ipv6, isn't tested, no error-checking, etc...
# Prints one "IFNAME: addr1, addr2" line per interface found in `ip addr`.
ip addr | while read LINE
do
        case $LINE in
                [0-9]*:*)
                        # Start processing an interface (the index may have more than one digit)
                        IFNAME=`echo $LINE | cut -d':' -f2 | awk '{ print $1 }'`
                        echo -n "$IFNAME: "
                        IP=''
                        # The inner loop shares stdin with the outer one and stops at the
                        # first inet6 line, so an interface without an inet6 line runs on
                        # into the next interface's lines.
                        while read IFLINE
                        do
                                # Build the list of addresses
                                case $IFLINE in
                                        inet6*)
                                                break
                                        ;;
                                        inet*)
                                                IP="$IP`echo $IFLINE | awk '{ print $2 }' | cut -d'/' -f1`, "
                                        ;;
                                esac
                        done
                        echo "$IP" | sed 's/, $//'
                ;;
        esac
done



postconf -e inet_interfaces="`./addr.sh | grep eth0 | cut -d' ' -f2-`"; postfix reload
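An added example that is not Barney's script, not Florin's master.cf sketch from earlier in the thread, and not Postfix's own code: a POSIX sh script that pulls one interface's IPv4 address out of `ip addr` output and prints the two smtpd entries of the FILTER_README "remote only" layout with that address filled in. Interface eth5, the sample addresses and the filter-service:filter-destination placeholder are assumptions, and the `ip addr` text is constructed so the script runs offline. It goes a bit beyond the one-liner above: the awk matcher keys on the "N: name:" interface header instead of stopping at the first inet6 line, copes with multi-digit indices and the eth0.10@eth0 VLAN form, and the script refuses to print a configuration when the interface has no IPv4 address.

```shell
#!/bin/sh
# Added example, not Barney's script and not Postfix's own code: find the IPv4
# address of a named interface in `ip addr` output and print the two smtpd
# entries of FILTER_README's "remote only" layout with that address filled in.
# Interface name eth5, address 203.0.113.5, the other addresses and the
# filter-service:filter-destination placeholder are assumptions; the `ip addr`
# text below is constructed so the script runs offline.

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::1/64 scope link
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 10.0.10.1/24 brd 10.0.10.255 scope global eth0.10
10: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth5
    inet6 2001:db8::5/64 scope global'

# iface_ipv4 IFNAME [IP_ADDR_OUTPUT]
# Prints the first IPv4 address of IFNAME and returns 0; returns 1 and prints
# nothing when the interface has no IPv4 address. With an empty second
# argument the live `ip addr` output is used. Interface headers are matched
# by their "N: name:" prefix (any number of digits; VLAN names such as
# eth0.10@eth0 are reduced to eth0.10), so inet6 lines are simply skipped
# instead of serving as an end-of-interface marker.
iface_ipv4() {
    _want="$1"
    _text="${2:-$(ip addr 2>/dev/null)}"
    printf '%s\n' "$_text" | awk -v want="$_want" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur); next }
        cur == want && $1 == "inet" { split($2, a, "/"); print a[1]; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# remote_only_master_cf PUBLIC_IP
# Prints the master.cf entries: the wildcard smtpd accepts clients from
# mynetworks only, the listener on the public address hands everything to
# the content filter. The column values are an assumed stock smtpd entry.
remote_only_master_cf() {
    cat <<EOF
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_client_restrictions=permit_mynetworks,reject
$1:smtp inet  n       -       n       -       -       smtpd
    -o content_filter=filter-service:filter-destination
    -o receive_override_options=no_address_mappings
EOF
}

# Refuse to emit a configuration when the lookup fails: an empty address
# would produce a ":smtp" entry that does not bind the public address as
# intended, so exit non-zero and leave master.cf alone instead.
main() {
    _addr="$(iface_ipv4 eth5 "$SAMPLE_IP_ADDR")" || {
        echo "eth5 has no IPv4 address; master.cf left untouched" >&2
        return 1
    }
    remote_only_master_cf "$_addr"
}

main
```

Run it from whatever fires when the address changes and write the output into master.cf (or feed the address to postconf -e as in the one-liner above, then postfix reload). Either way this is rebinding to a fresh address, not binding to an interface, which is exactly the distinction Wietse draws. The failure mode is worth knowing: if the address changes before the script has run, the dedicated listener stays bound to the old address and connections to the new one land on the wildcard smtpd, where permit_mynetworks,reject turns them away. Stale configuration therefore costs you outside mail for a while; it does not open an unfiltered path.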

Re: filtering mail from outside with dynamic address

Wietse Venema
In reply to this post by Florin Andrei
Florin Andrei:

> Wietse Venema wrote:
> > Florin Andrei:
> >> Florin Andrei wrote:
> >>> Is there a way to bind the listener to an interface using the interface
> >>> name (eth5:smtp) instead of the IP (1.2.3.4:smtp)?
> >
> > No. The bind(2) system call specifies an address. Not an interface,
> > and not the route. Connections with source address of X are not
> > necessarily sent out via interface X. The interface is chosen
> > depending on the destination of the connection.
>
> I understand. It makes perfect sense from the perspective of the programmer.

Especially considering that there is not a standardized API to do
these things. Not all the world is Linux, and the demand for doing
this is near zero.

        Wietse

Re: filtering mail from outside with dynamic address

Florin Andrei
In reply to this post by Mikael Bak
Mikael Bak wrote:
>
> Is it really recommended to run a mail server that accepts email from
> outside with non static IP address?
>
> I would not do it.

As long as the dynamic DNS service works well, and the IP address only
changes very rarely, why not?

I've been doing this for close to a decade now, while staying subscribed
to dozens of mailing lists like this one (email traffic probably in the
100s / day). The dynamic DNS provider gives me a very low TTL (10 sec),
responds in an instant to IP changes signaled from my side, and
otherwise works without a hitch.

My IP address is technically dynamic, but in reality it almost never
changes, which helps, I guess.

I've even switched Internet providers several times and had no problems.
The mail queues up upstream while I'm briefly offline, then starts
pouring in after the switch.

The only tricky part is to set up the dhcp client to run the DNS update
script triggered by any IP change. You have to test it carefully, maybe
tweak some delays in it, stuff like that. Delicate, but not rocket science.

Postfix itself is rock solid as ever. I'm grateful for having one less
service to worry about, security- and other-wise.

--
Florin Andrei

http://florin.myip.org/

Re: filtering mail from outside with dynamic address

Mikael Bak
Florin Andrei wrote:

> Mikael Bak wrote:
>>
>> Is it really recommended to run a mail server that accepts email from
>> outside with non static IP address?
>>
>> I would not do it.
>
> As long as the dynamic DNS service works well, and the IP address only
> changes very rarely, why not?
>

Hi,
Your choice. I still wouldn't do it.

Even for only a theoretical chance that my MX record will point to
someone else's server - and in the best case reject with Relay access denied
or not respond on port 25 at all - or in the worst case accept the email,
scares me.

This is only why I wouldn't do it. I don't want to tell you to do otherwise.

Regards,
Mikael