multiple IPs and postscreen


multiple IPs and postscreen

Eric Abrahamsen
Hi,

I've gotten postfix working with multiple IPs/domains/ssl certs, and so
far so good. I used the accepted answer at this link as a template:

http://serverfault.com/questions/650057/postfix-multiple-ip-smtp-banner

It works fine, until I try to add postscreen into the mix.

So the setup is, in master.cf, first a clause for the local server:

127.0.0.1:smtp inet  n    -    n   -    -   smtpd
      -o syslog_name=postfix-localhost
      -o smtp_helo_name=localhost
      -o smtp_bind_address=127.0.0.1
      -o myhostname=localhost

(I'm not actually sure if that's necessary.)

Then, for each of my two IP addresses, a block of services like so:

# for the domain blue.com

50.56.xxx.xxx:submission inet n - n - - smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem

50.56.xxx.xxx:smtpd pass  - - n - - smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem

50.56.xxx.xxx:smtp inet  n - n - - smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem
  -o syslog_name=blue.com
  -o smtp_helo_name=mail.blue.com
  -o smtp_bind_address=50.56.xxx.xxx
  -o myhostname=mail.blue.com

blue-out  unix - - n - - smtp
   -o smtp_bind_address=50.56.xxx.xxx
   -o smtp_helo_name=mail.blue.com
   -o syslog_name=blue.com

There's another like that for red.com.

Then in sender_dependent_default_transport_maps =
hash:/etc/postfix/sender_transports

sender_transports:
@blue.com   blue-out:
@red.com    red-out:

This works great until I turn on postscreen:

50.56.xxx.xxx:smtp inet  n - n - 1 postscreen

Now, I send myself an email, and in the logs see:

blue.com/postscreen[6578]: warning: cannot connect to service
private/smtpd: Connection refused

I really don't know where to go from here. I guess I suspect something
to do with chroot'ing, which I don't really understand, but I don't know
how to fix it.

Any pointers much appreciated!

Thanks,
Eric


Re: multiple IPs and postscreen

Noel Jones-2
On 10/19/2015 8:15 AM, Eric Abrahamsen wrote:
> Hi,
>
> I've gotten postfix working with multiple IPs/domains/ssl certs, and so
> far so good. I used the accepted answer at this link as a template:
>
> http://serverfault.com/questions/650057/postfix-multiple-ip-smtp-banner
>
> It works fine, until I try to add postscreen into the mix.


Save yourself headaches and use multiple postfix instances instead.
http://www.postfix.org/MULTI_INSTANCE_README.html

While it may be possible to get postscreen to support multiple
domains inside a single postfix instance, it's very ugly, with
complex master.cf gyrations.  If you want to give it a shot anyway,
start with looking at the master.cf and postscreen documentation,
and the smtpd_service_name parameter.


  -- Noel Jones

Re: multiple IPs and postscreen

Benny Pedersen-2
In reply to this post by Eric Abrahamsen
Eric Abrahamsen skrev den 2015-10-19 15:15:

> So the setup is, in master.cf, first a clause for the local server:
>
> 127.0.0.1:smtp inet  n    -    n   -    -   smtpd
>       -o syslog_name=postfix-localhost
>       -o smtp_helo_name=localhost
>       -o smtp_bind_address=127.0.0.1
>       -o myhostname=localhost

smtp_* settings are not used by smtpd_* binds :=)

remove smtp_helo_name and smtp_bind_address

> 50.56.xxx.xxx:submission inet n - n - - smtpd
>   -o smtpd_tls_key_file=/etc/ssl/private/blue.key
>   -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem

suggest myhostname and syslog_name here as well

copy that to multiple IPs and it's imho done

Re: multiple IPs and postscreen

A. Schulze
In reply to this post by Eric Abrahamsen

Eric Abrahamsen:

> It works fine, until I try to add postscreen into the mix.
You did not post a complete config, but you may check your master.cf:

master.cf without postscreen:
     smtp  inet  n - n - - smtpd

master.cf with postscreen:
     smtp  inet  n - n - 1 postscreen
     smtpd pass  - - n - - smtpd

Andreas


Re: multiple IPs and postscreen

Wietse Venema
A. Schulze:

>
> Eric Abrahamsen:
>
> > It works fine, until I try to add postscreen into the mix.
> you did not post a complete config. but you may check your master.cf:
>
> master.cf without postscreen:
>      smtp  inet  n - n - - smtpd
>
> master.cf with postscreen:
>      smtp  inet  n - n - 1 postscreen
>      smtpd pass  - - n - - smtpd

And with different services on different IP addresses:

master.cf with postscreen:
     1.2.3.5:smtp  inet  n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
     smtpd_1.2.3.5 pass  - - n - - smtpd

Ditto for the service on 1.2.3.4.

        Wietse


Re: multiple IPs and postscreen

Eric Abrahamsen
[hidden email] (Wietse Venema) writes:

> A. Schulze:
>>
>> Eric Abrahamsen:
>>
>> > It works fine, until I try to add postscreen into the mix.
>> you did not post a complete config. but you may check your master.cf:
>>
>> master.cf without postscreen:
>>      smtp  inet  n - n - - smtpd
>>
>> master.cf with postscreen:
>>      smtp  inet  n - n - 1 postscreen
>>      smtpd pass  - - n - - smtpd
>
> And with different services on different IP addresses:
>
> master.cf with postscreen:
>      1.2.3.5:smtp  inet  n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
>      smtpd_1.2.3.5 pass  - - n - - smtpd
>
> Ditto for the service on 1.2.3.4.
>
> Wietse

Awesome! That worked like a charm. Noel had me worried for a second
there, but it looks like most of the necessary gyrations I'd already
gone through -- that last step with smtpd_service_name was very simple.

Thanks to Benny also for the cleanups and pointers, I was fishing a bit
for help like that.

Thanks again to all,
Eric


Re: multiple IPs and postscreen

Wietse Venema
Eric Abrahamsen:

> > master.cf with postscreen:
> >      1.2.3.5:smtp  inet  n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
> >      smtpd_1.2.3.5 pass  - - n - - smtpd
> >
> > Ditto for the service on 1.2.3.4.
> >
> > Wietse
>
> Awesome! That worked like a charm. Noel had me worried for a second
> there, but it looks like most of the necessary gyrations I'd already
> gone through -- that last step with smtpd_service_name was very simple.

One more thing: to make the logging understandable you also need
to specify the syslog_name.

1.2.3.5:smtp  inet  n - n - 1 postscreen
        -o smtpd_service_name=smtpd_1.2.3.5
        -o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass  - - n - - smtpd
        -o syslog_name=postfix/1.2.3.5

Ditto for the service on 1.2.3.4.

        Wietse

Re: multiple IPs and postscreen

Eric Abrahamsen
[hidden email] (Wietse Venema) writes:

> Eric Abrahamsen:
>> > master.cf with postscreen:
>> >      1.2.3.5:smtp  inet  n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
>> >      smtpd_1.2.3.5 pass  - - n - - smtpd
>> >
>> > Ditto for the service on 1.2.3.4.
>> >
>> > Wietse
>>
>> Awesome! That worked like a charm. Noel had me worried for a second
>> there, but it looks like most of the necessary gyrations I'd already
>> gone through -- that last step with smtpd_service_name was very simple.
>
> One more thing: to make the logging understandable you also need
> to specify the syslog_name.
>
> 1.2.3.5:smtp  inet  n - n - 1 postscreen
> -o smtpd_service_name=smtpd_1.2.3.5
> -o syslog_name=postfix/1.2.3.5
> smtpd_1.2.3.5 pass  - - n - - smtpd
> -o syslog_name=postfix/1.2.3.5

Done, thanks again. I also had to add the SSL cert/key lines, of course.

While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?

Eric


Re: multiple IPs and postscreen

Benny Pedersen-2
On October 20, 2015 3:48:56 PM Eric Abrahamsen <[hidden email]> wrote:

> While we're still here, can I ask for my own information -- is the
> 127.0.0.1:smtp clause at the top still necessary, and if so, what does
> it actually do?

It allows localhost to send email locally or have aliases forwarded. To see
what happens if Postfix is missing it, comment it out for testing. You need it
to support multiple WAN IPs when not running multi-instances.

See it as the simpler multi-instance setup with a single queue spool in
Postfix.

Re: multiple IPs and postscreen

Wietse Venema
In reply to this post by Eric Abrahamsen
Eric Abrahamsen:

> > One more thing: to make the logging understandable you also need
> > to specify the syslog_name.
> >
> > 1.2.3.5:smtp  inet  n - n - 1 postscreen
> > -o smtpd_service_name=smtpd_1.2.3.5
> > -o syslog_name=postfix/1.2.3.5
> > smtpd_1.2.3.5 pass  - - n - - smtpd
> > -o syslog_name=postfix/1.2.3.5
>
> Done, thanks again. I also had to add the SSL cert/key lines, of course.
>
> While we're still here, can I ask for my own information -- is the
> 127.0.0.1:smtp clause at the top still necessary, and if so, what does
> it actually do?

The 127.0.0.1:smtp entry exists for compatibility with software
that submits mail via the loopback interface, such as a webmail
system or a local mail client.

        Wietse

Re: multiple IPs and postscreen

Eric Abrahamsen
[hidden email] (Wietse Venema) writes:

> Eric Abrahamsen:
>> > One more thing: to make the logging understandable you also need
>> > to specify the syslog_name.
>> >
>> > 1.2.3.5:smtp  inet  n - n - 1 postscreen
>> > -o smtpd_service_name=smtpd_1.2.3.5
>> > -o syslog_name=postfix/1.2.3.5
>> > smtpd_1.2.3.5 pass  - - n - - smtpd
>> > -o syslog_name=postfix/1.2.3.5
>>
>> Done, thanks again. I also had to add the SSL cert/key lines, of course.
>>
>> While we're still here, can I ask for my own information -- is the
>> 127.0.0.1:smtp clause at the top still necessary, and if so, what does
>> it actually do?
>
> The 127.0.0.1:smtp entry exists for compatibility with software
> that submits mail via the loopback interface, such as a webmail
> system or a local mail client.

Got it, thanks to you both!


Re: multiple IPs and postscreen

Wietse Venema
Eric Abrahamsen:

> [hidden email] (Wietse Venema) writes:
>
> > Eric Abrahamsen:
> >> > One more thing: to make the logging understandable you also need
> >> > to specify the syslog_name.
> >> >
> >> > 1.2.3.5:smtp  inet  n - n - 1 postscreen
> >> > -o smtpd_service_name=smtpd_1.2.3.5
> >> > -o syslog_name=postfix/1.2.3.5
> >> > smtpd_1.2.3.5 pass  - - n - - smtpd
> >> > -o syslog_name=postfix/1.2.3.5
> >>
> >> Done, thanks again. I also had to add the SSL cert/key lines, of course.
> >>
> >> While we're still here, can I ask for my own information -- is the
> >> 127.0.0.1:smtp clause at the top still necessary, and if so, what does
> >> it actually do?
> >
> > The 127.0.0.1:smtp entry exists for compatibility with software
> > that submits mail via the loopback interface, such as a webmail
> > system or a local mail client.
>
> Got it, thanks to you both!

TLS? In that case you also need two tlsproxy services, each with
their own certificate stuff.

 1.2.3.5:smtp  inet  n - n - 1 postscreen
  -o tlsproxy_service_name=tlsproxy_1.2.3.5
  -o smtpd_service_name=smtpd_1.2.3.5
  -o syslog_name=postfix/1.2.3.5
 smtpd_1.2.3.5 pass  - - n - - smtpd
  -o syslog_name=postfix/1.2.3.5
 tlsproxy_1.2.3.5  ...other master settings...
  -o syslog_name=postfix/1.2.3.5
  ...certificate stuff...

        Wietse
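The three links the thread ends up wiring by hand (postscreen to its `pass`-type smtpd via `smtpd_service_name`, the shared `syslog_name`, and `tlsproxy_service_name`) are exactly the ones that fail silently with a "cannot connect to service private/smtpd" when a name is off by one, and Benny's point about `smtp_*` client options on an smtpd service is the same class of mistake. The following checker is an added example, not code from the thread or from the Postfix project: it parses master.cf in its standard eight-column layout and reports those inconsistencies. The two embedded configs are constructed, the first after the original post and the second after Wietse's per-address layout; the `tlsproxy` service line and its `tlsproxy_tls_*` certificate parameters are taken from the stock master.cf and tlsproxy(8) defaults rather than from the thread, and `1.2.3.5` and the blue.com paths are the thread's placeholders.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Service:
    """One master.cf entry: name, type (inet/unix/pass/fifo), command, -o overrides."""
    name: str
    type: str
    command: str
    opts: dict = field(default_factory=dict)


def _parse_opts(text):
    """Extract '-o name=value' pairs; a value runs to the next whitespace."""
    return dict(re.findall(r"-o\s+([A-Za-z0-9_]+)=(\S*)", text))


def parse_master_cf(text):
    """Parse master.cf text: eight whitespace-separated columns per service,
    indented lines continue the previous entry, '#' starts a comment."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not services:
                raise ValueError("continuation line before any service")
            services[-1].opts.update(_parse_opts(raw))
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        svc = Service(name=cols[0], type=cols[1], command=cols[7])
        svc.opts.update(_parse_opts(" ".join(cols[8:])))  # inline -o options
        services.append(svc)
    return services


def check_master_cf(services):
    """Return human-readable findings; an empty list means the links are consistent."""
    by_name = {s.name: s for s in services}
    findings = []
    for svc in services:
        if svc.command == "postscreen":
            # postscreen hands accepted clients to private/<smtpd_service_name>,
            # which must be a 'pass' service; the thread's "Connection refused"
            # came from a pass service named something other than the default.
            target = svc.opts.get("smtpd_service_name", "smtpd")
            smtpd = by_name.get(target)
            if smtpd is None or smtpd.type != "pass":
                findings.append(f"{svc.name}: no pass service '{target}' for "
                                f"postscreen to hand off to (private/{target})")
            elif svc.opts.get("syslog_name") != smtpd.opts.get("syslog_name"):
                findings.append(f"{svc.name}: syslog_name differs from '{target}', "
                                "the two halves of one listener will not log alike")
            tls = svc.opts.get("tlsproxy_service_name")
            if tls is not None and tls not in by_name:
                findings.append(f"{svc.name}: tlsproxy_service_name '{tls}' is undefined")
        if svc.command == "smtpd":
            # smtp_* parameters belong to the smtp(8) client; on smtpd they are inert
            client_opts = sorted(o for o in svc.opts if o.startswith("smtp_"))
            if client_opts:
                findings.append(f"{svc.name}: smtp_* client options {client_opts} "
                                "have no effect on smtpd")
    return findings


# Constructed after the original post: the pass service is not named 'smtpd',
# and client-side smtp_* options sit on the loopback smtpd.
BROKEN = """\
127.0.0.1:smtp inet  n - n - - smtpd
  -o syslog_name=postfix-localhost
  -o smtp_helo_name=localhost
  -o smtp_bind_address=127.0.0.1
1.2.3.5:smtpd pass  - - n - - smtpd
1.2.3.5:smtp  inet  n - n - 1 postscreen
  -o syslog_name=postfix/1.2.3.5
"""

# Constructed after Wietse's final layout for one address; the tlsproxy line and
# its tlsproxy_tls_* parameters follow the stock master.cf / tlsproxy(8) defaults.
FIXED = """\
127.0.0.1:smtp inet  n - n - - smtpd
  -o syslog_name=postfix-localhost
1.2.3.5:smtp  inet  n - n - 1 postscreen
  -o tlsproxy_service_name=tlsproxy_1.2.3.5
  -o smtpd_service_name=smtpd_1.2.3.5
  -o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass  - - n - - smtpd
  -o syslog_name=postfix/1.2.3.5
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
tlsproxy_1.2.3.5 unix - - n - 0 tlsproxy
  -o syslog_name=postfix/1.2.3.5
  -o tlsproxy_tls_cert_file=/etc/ssl/private/blue.pem
  -o tlsproxy_tls_key_file=/etc/ssl/private/blue.key
blue-out unix - - n - - smtp
  -o smtp_bind_address=1.2.3.5
  -o smtp_helo_name=mail.blue.com
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_master_cf(parse_master_cf(cfg)) or "OK")
```

Run against a real file by reading it into `parse_master_cf` instead of the embedded text; `postconf -M` prints the live master.cf in the same column layout, which is a convenient way to check what Postfix actually loaded rather than what is on disk. The checker only covers the service-name links discussed in the thread; it does not validate the other master.cf columns or main.cf.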

Re: multiple IPs and postscreen

Eric Abrahamsen
[hidden email] (Wietse Venema) writes:

> Eric Abrahamsen:
>> [hidden email] (Wietse Venema) writes:
>>
>> > Eric Abrahamsen:
>> >> > One more thing: to make the logging understandable you also need
>> >> > to specify the syslog_name.
>> >> >
>> >> > 1.2.3.5:smtp  inet  n - n - 1 postscreen
>> >> > -o smtpd_service_name=smtpd_1.2.3.5
>> >> > -o syslog_name=postfix/1.2.3.5
>> >> > smtpd_1.2.3.5 pass  - - n - - smtpd
>> >> > -o syslog_name=postfix/1.2.3.5
>> >>
>> >> Done, thanks again. I also had to add the SSL cert/key lines, of course.
>> >>
>> >> While we're still here, can I ask for my own information -- is the
>> >> 127.0.0.1:smtp clause at the top still necessary, and if so, what does
>> >> it actually do?
>> >
>> > The 127.0.0.1:smtp entry exists for compatibility with software
>> > that submits mail via the loopback interface, such as a webmail
>> > system or a local mail client.
>>
>> Got it, thanks to you both!
>
> TLS? In that case you also need two tlsproxy services, each with
> their own certificate stuff.
>
>  1.2.3.5:smtp  inet  n - n - 1 postscreen
>   -o tlsproxy_service_name=tlsproxy_1.2.3.5
>   -o smtpd_service_name=smtpd_1.2.3.5
>   -o syslog_name=postfix/1.2.3.5
>  smtpd_1.2.3.5 pass  - - n - - smtpd
>   -o syslog_name=postfix/1.2.3.5
>  tlsproxy_1.2.3.5  ...other master settings...
>   -o syslog_name=postfix/1.2.3.5
>   ...certificate stuff...

Yes, that was the whole point of this! Thanks for the extra notes. I've
had things running for the past day or so without the separate tlsproxy
services, and haven't noticed any immediately obvious errors in the
logs. On the other hand, I *have* noticed an increase in spam, so
probably it hasn't been working after all! I'll tweak further tonight.

Is this particular setup detailed in the docs anywhere? It seems like
something a fair number of people will be interested in. I can do some
sort of blog post, but I don't know how many people it would reach.

E


Re: multiple IPs and postscreen

Wietse Venema
Eric Abrahamsen:

> > TLS? In that case you also need two tlsproxy services, each with
> > their own certificate stuff.
> >
> >  1.2.3.5:smtp  inet  n - n - 1 postscreen
> >   -o tlsproxy_service_name=tlsproxy_1.2.3.5
> >   -o smtpd_service_name=smtpd_1.2.3.5
> >   -o syslog_name=postfix/1.2.3.5
> >  smtpd_1.2.3.5 pass  - - n - - smtpd
> >   -o syslog_name=postfix/1.2.3.5
> >  tlsproxy_1.2.3.5  ...other master settings...
> >   -o syslog_name=postfix/1.2.3.5
> >   ...certificate stuff...
>
> Yes, that was the whole point of this! Thanks for the extra notes. I've
> had things running for the past day or so without the separate tlsproxy
> services, and haven't noticed any immediately obvious errors in the
> logs. On the other hand, I *have* noticed an increase in spam, so
> probably it hasn't been working after all! I'll tweak further tonight.
>
> Is this particular setup detailed in the docs anywhere? It seems like
> something a fair number of people will be interested in. I can do some
> sort of blog post, but I don't know how many people it would reach.

The "-o <service>_name" feature works, but it quickly becomes
unwieldy with more complex configurations.  For complex setups,
separate Postfix instances are a more manageable solution than a
web of -o options. Unfortunately some distros don't handle multiple
Postfix instance support well.

        Wietse

Re: multiple IPs and postscreen

Eric Abrahamsen
[hidden email] (Wietse Venema) writes:

> Eric Abrahamsen:
>> > TLS? In that case you also need two tlsproxy services, each with
>> > their own certificate stuff.
>> >
>> >  1.2.3.5:smtp  inet  n - n - 1 postscreen
>> >   -o tlsproxy_service_name=tlsproxy_1.2.3.5
>> >   -o smtpd_service_name=smtpd_1.2.3.5
>> >   -o syslog_name=postfix/1.2.3.5
>> >  smtpd_1.2.3.5 pass  - - n - - smtpd
>> >   -o syslog_name=postfix/1.2.3.5
>> >  tlsproxy_1.2.3.5  ...other master settings...
>> >   -o syslog_name=postfix/1.2.3.5
>> >   ...certificate stuff...
>>
>> Yes, that was the whole point of this! Thanks for the extra notes. I've
>> had things running for the past day or so without the separate tlsproxy
>> services, and haven't noticed any immediately obvious errors in the
>> logs. On the other hand, I *have* noticed an increase in spam, so
>> probably it hasn't been working after all! I'll tweak further tonight.
>>
>> Is this particular setup detailed in the docs anywhere? It seems like
>> something a fair number of people will be interested in. I can do some
>> sort of blog post, but I don't know how many people it would reach.
>
> The "-o <service>_name" feature works, but it quickly becomes
> unwieldy with more comples configurations.  For complex setups,
> separate Postfix instances are a more manageable solution than a
> web of -o options. Unfortunately some distros don't handle multiple
> Postfix instance support well.

Okay, got it. My setup is fairly simple, so I'll stick with this for
now.

Thanks again,
Eric