Can one specify an A record instead of an IP in the main.cf, mynetworks option?
Vasileios Vlachos
2016-07-23 17:12:01 UTC
Hello,

My mail server is running postfix 2.11.3-1 on Debian 8.5.

In order for my home server to be able to send mail to my mail server to my
domain, I have installed postfix on it (same version of postfix as my
server and same OS as the server as well) and configured it as a smarthost.

So given my mail server is responsible for mydomain.com, I have done the
following to my home server:

/etc/mailname : mydomain.com
/etc/postfix/main.cf : relayhost = box.mydomain.com # MX record for mydomain.com

Now, on the mail server, every "*_restrictions" option, allows "mynetworks"
("permit_mynetworks" appears first in the list). The "mynetworks" option
includes the IP of my home server which makes the entire thing work.
However, I cannot guarantee that this IP won't change. I use HE's free DDNS
service for this reason and I have a DNS A record which points to my home
firewall.

The question is, can I use this A record in the "mynetworks" option of my
mail server, or does it only take IPs/IP ranges? If not, is there a way to
achieve what I want? I had a look at the documentation first and I have a
feeling the answer is no, but I am not 100% sure and I thought I'd ask here.

Many thanks for any help,
Vasilis
Noel Jones
2016-07-23 17:40:23 UTC
Post by Vasileios Vlachos
Hello,
My mail server is running postfix 2.11.3-1 on Debian 8.5.
In order for my home server to be able to send mail to my mail
server to my domain, I have installed postfix on it (same version of
postfix as my server and same OS as the server as well) and
configured it as a smarthost.
So given my mail server is responsible for mydomain.com
/etc/mailname : mydomain.com
/etc/postfix/main.cf : relayhost = box.mydomain.com # MX record for mydomain.com
Now, on the mail server, every "*_restrictions" option, allows
"mynetworks" ("permit_mynetworks" appears first in the list). The
"mynetworks" option includes the IP of my home server which makes
the entire thing work. However, I cannot guarantee that this IP
won't change. I use HE's free DDNS service for this reason and I
have a DNS A record which points to my home firewall.
The question is, can I use this A record in the "mynetworks" option
of my mail server, or does it only take IPs/IP ranges? If not, is there a
way to achieve what I want? I had a look at the documentation first
and I have a feeling the answer is no, but I am not 100% sure and I
thought I'd ask here.
While you can use an IP in mynetworks, it is only resolved on
startup, so it won't automatically change when your home server
changes. This might still kinda work since smtpd restarts fairly
often, after $max_use or $max_idle, and you can use
smtp_delivery_status_filter to convert any relay denied messages
into temporary failures. This will mostly work, but may not be 100%
reliable, so an OK low-volume solution if you don't mind messing
with it once in a while.
http://www.postfix.org/postconf.5.html#smtp_delivery_status_filter

The proper solution is to use some sort of authentication. For two
postfix servers, using self-signed TLS certificates for mutual auth
is pretty easy. Alternately, you can use SASL authentication, which
may be a little more to set up. Either way will work fine once
configured.

http://www.postfix.org/TLS_README.html
http://www.postfix.org/SASL_README.html

-- Noel Jones
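As an added illustration (not part of the thread, and not taken from Postfix's own documentation), the two approaches Noel describes written out as main.cf fragments: the hostname-in-mynetworks workaround with a delivery status filter on the home server, and mutual TLS with a self-signed client certificate. The hostnames, file paths and fingerprint are placeholders; each section belongs on the host named in its comment.

```ini
# ===== Workaround A: hostname in mynetworks =====
# Mail server (box.mydomain.com). The hostname is resolved when smtpd
# starts, so after a DDNS change the old address stays trusted until
# smtpd is recycled ($max_use / $max_idle) or Postfix is reloaded.
mynetworks = 127.0.0.0/8 [::1]/128 home.dyndns.placeholder.example

# Home server. Turn the mail server's permanent "Relay access denied"
# reject into a temporary failure so the message stays in the queue and
# is retried instead of bouncing (check postconf(5) for availability
# of smtp_delivery_status_filter in your Postfix version).
relayhost = box.mydomain.com
smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
# /etc/postfix/smtp_dsn_filter -- the filter input is
# "<enhanced status code> <descriptive text>":
#   /^5\.7\.1 (.*Relay access denied.*)$/ 4.7.1 $1

# ===== Proper solution: mutual TLS with self-signed certificates =====
# Mail server: ask the client for a certificate and relay for clients
# whose certificate fingerprint is listed in relay_clientcerts.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/box.pem
smtpd_tls_key_file = /etc/postfix/box.key
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
    reject_unauth_destination
# /etc/postfix/relay_clientcerts (run postmap on it afterwards); the
# fingerprint comes from:
#   openssl x509 -noout -fingerprint -sha256 -in home.pem
#   AA:BB:CC:...:ZZ   home-server

# Home server: present the self-signed certificate to the relayhost
# and insist on an encrypted session.
relayhost = box.mydomain.com
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/home.pem
smtp_tls_key_file = /etc/postfix/home.key
```

With the TLS variant the home server's IP can be dropped from mynetworks entirely, so a DDNS change no longer matters; only the certificate fingerprint has to stay in sync.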
Vasileios Vlachos
2016-07-23 18:08:57 UTC
Hello Noel,
Post by Noel Jones
While you can use an IP in mynetworks, it is only resolved on
startup, ...
I am using an IP at the moment; did you mean I can use an A record as well
(since you talk about resolution next)?

I didn't know about $max_use and $max_idle. I also didn't know that a
possible A record will only be resolved on startup. A configuration that
would serve as a workaround due to this behaviour makes me think it might
not be worth it.

I will have a go on the TLS solution you suggested though.

Thank you very much for your help!
Vasilis
Noel Jones
2016-07-24 00:51:18 UTC
Post by Vasileios Vlachos
Hello Noel,
Post by Noel Jones
While you can use an IP in mynetworks, it is only resolved on
startup, ...
I am using an IP at the moment; did you mean I can use an A record
as well (since you talk about resolution next)?
Misspoke... I meant a hostname. Funny how you can think one thing
and type something totally opposite.
Post by Vasileios Vlachos
I didn't know about $max_use and $max_idle. I also didn't know that
a possible A record will only be resolved on startup. A
configuration that would serve as a workaround due to this behaviour
makes me think it might not be worth it.
For a low-volume low-effort application, using a hostname that
"usually" works might be adequate. Using a one-line delivery filter
makes it reliable -- meaning no lost mail -- but with delivery
delays when the IP changes.
Post by Vasileios Vlachos
I will have a go on the TLS solution you suggested though.
Yes, using TLS certs is a proper and robust solution.

The other possible solution is a VPN back to the main server. A VPN
is a good solution if you control the boxes on both ends and want to
share services in addition to email. There are lots of VPNs to choose
from; I like OpenVPN since it's secure, reliable, and pretty easy to
set up.


-- Noel Jones