Discussion:
multiple IPs and postscreen
Eric Abrahamsen
2015-10-19 13:15:31 UTC
Hi,

I've gotten postfix working with multiple IPs/domains/ssl certs, and so
far so good. I used the accepted answer at this link as a template:

http://serverfault.com/questions/650057/postfix-multiple-ip-smtp-banner

It works fine, until I try to add postscreen into the mix.

So the setup is, in master.cf, first a clause for the local server:

127.0.0.1:smtp inet n - n - - smtpd
  -o syslog_name=postfix-localhost
  -o smtp_helo_name=localhost
  -o smtp_bind_address=127.0.0.1
  -o myhostname=localhost

(I'm not actually sure if that's necessary.)

Then, for each of my two IP addresses, a block of services like so:

# for the domain blue.com

50.56.xxx.xxx:submission inet n - n - - smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem

50.56.xxx.xxx:smtpd pass - - n - - smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem

50.56.xxx.xxx:smtp inet n - n - - smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/blue.key
  -o smtpd_tls_cert_file=/etc/ssl/private/blue.pem
  -o syslog_name=blue.com
  -o smtp_helo_name=mail.blue.com
  -o smtp_bind_address=50.56.xxx.xxx
  -o myhostname=mail.blue.com

blue-out unix - - n - - smtp
  -o smtp_bind_address=50.56.xxx.xxx
  -o smtp_helo_name=mail.blue.com
  -o syslog_name=blue.com

There's another like that for red.com.

Then in sender_dependent_default_transport_maps =
hash:/etc/postfix/sender_transports

sender_transports:
@blue.com blue-out:
@red.com red-out:

This works great until I turn on postscreen:

50.56.xxx.xxx:smtp inet n - n - 1 postscreen

Now, I send myself an email, and in the logs see:

blue.com/postscreen[6578]: warning: cannot connect to service
private/smtpd: Connection refused

I really don't know where to go from here. I guess I suspect something
to do with chroot'ing, which I don't really understand, but I don't know
how to fix it.

Any pointers much appreciated!

Thanks,
Eric
Noel Jones
2015-10-19 14:08:59 UTC
Post by Eric Abrahamsen
Hi,
I've gotten postfix working with multiple IPs/domains/ssl certs, and so
http://serverfault.com/questions/650057/postfix-multiple-ip-smtp-banner
It works fine, until I try to add postscreen into the mix.
Save yourself headaches and use multiple postfix instances instead.
http://www.postfix.org/MULTI_INSTANCE_README.html

While it may be possible to get postscreen to support multiple
domains inside a single postfix instance, it's very ugly, with
complex master.cf gyrations. If you want to give it a shot anyway,
start with looking at the master.cf and postscreen documentation,
and the smtpd_service_name parameter.


-- Noel Jones
Benny Pedersen
2015-10-19 15:05:56 UTC
Post by Eric Abrahamsen
127.0.0.1:smtp inet n - n - - smtpd
-o syslog_name=postfix-localhost
-o smtp_helo_name=localhost
-o smtp_bind_address=127.0.0.1
-o myhostname=localhost
smtp_* is not used for smtpd_* binds :=)

remove smtp_helo_name and smtp_bind_address
Post by Eric Abrahamsen
50.56.xxx.xxx:submission inet n - n - - smtpd
-o smtpd_tls_key_file=/etc/ssl/private/blue.key
-o smtpd_tls_cert_file=/etc/ssl/private/blue.pem
suggest myhostname and syslog_name here as well

copy that to multiple IPs and it's IMHO done
A. Schulze
2015-10-19 18:12:31 UTC
Post by Eric Abrahamsen
It works fine, until I try to add postscreen into the mix.
You did not post a complete config, but you may check your master.cf:

master.cf without postscreen:
smtp inet n - n - - smtpd

master.cf with postscreen:
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd

Andreas
Wietse Venema
2015-10-19 18:52:24 UTC
Post by A. Schulze
Post by Eric Abrahamsen
It works fine, until I try to add postscreen into the mix.
smtp inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
And with different services on different IP addresses:

master.cf with postscreen:
1.2.3.5:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd

Ditto for the service on 1.2.3.4.

Wietse
Eric Abrahamsen
2015-10-20 03:49:02 UTC
Post by Wietse Venema
Post by A. Schulze
Post by Eric Abrahamsen
It works fine, until I try to add postscreen into the mix.
smtp inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
1.2.3.5:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
Ditto for the service on 1.2.3.4.
Wietse
Awesome! That worked like a charm. Noel had me worried for a second
there, but it looks like most of the necessary gyrations I'd already
gone through -- that last step with smtpd_service_name was very simple.

Thanks to Benny also for the cleanups and pointers, I was fishing a bit
for help like that.

Thanks again to all,
Eric
Wietse Venema
2015-10-20 10:16:37 UTC
Post by Eric Abrahamsen
Post by Wietse Venema
1.2.3.5:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
Ditto for the service on 1.2.3.4.
Wietse
Awesome! That worked like a charm. Noel had me worried for a second
there, but it looks like most of the necessary gyrations I'd already
gone through -- that last step with smtpd_service_name was very simple.
One more thing: to make the logging understandable you also need
to specify the syslog_name.

1.2.3.5:smtp inet n - n - 1 postscreen
  -o smtpd_service_name=smtpd_1.2.3.5
  -o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
  -o syslog_name=postfix/1.2.3.5

Ditto for the service on 1.2.3.4.

Wietse
Eric Abrahamsen
2015-10-20 13:47:39 UTC
Post by Wietse Venema
Post by Eric Abrahamsen
Post by Wietse Venema
1.2.3.5:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd_1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
Ditto for the service on 1.2.3.4.
Wietse
Awesome! That worked like a charm. Noel had me worried for a second
there, but it looks like most of the necessary gyrations I'd already
gone through -- that last step with smtpd_service_name was very simple.
One more thing: to make the logging understandable you also need
to specify the syslog_name.
1.2.3.5:smtp inet n - n - 1 postscreen
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
Done, thanks again. I also had to add the SSL cert/key lines, of course.

While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?

Eric
Benny Pedersen
2015-10-20 14:26:13 UTC
Post by Eric Abrahamsen
While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?
allow localhost to send email locally or forward aliases; to see what
happens if postfix is missing it, comment it out for testing. You need it
to support multiple WAN IPs when not running multi-instances.

See it as the simpler multi-instance setup with a single queue spool in
postfix.
Wietse Venema
2015-10-20 15:09:22 UTC
Post by Eric Abrahamsen
Post by Wietse Venema
One more thing: to make the logging understandable you also need
to specify the syslog_name.
1.2.3.5:smtp inet n - n - 1 postscreen
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
Done, thanks again. I also had to add the SSL cert/key lines, of course.
While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?
The 127.0.0.1:smtp entry exists for compatibility with software
that submits mail via the loopback interface, such as a webmail
system or a local mail client.

Wietse
Eric Abrahamsen
2015-10-20 19:39:19 UTC
Post by Wietse Venema
Post by Eric Abrahamsen
Post by Wietse Venema
One more thing: to make the logging understandable you also need
to specify the syslog_name.
1.2.3.5:smtp inet n - n - 1 postscreen
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
Done, thanks again. I also had to add the SSL cert/key lines, of course.
While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?
The 127.0.0.1:smtp entry exists for compatibility with software
that submits mail via the loopback interface, such as a webmail
system or a local mail client.
Got it, thanks to you both!
Wietse Venema
2015-10-20 19:54:52 UTC
Post by Eric Abrahamsen
Post by Wietse Venema
Post by Eric Abrahamsen
Post by Wietse Venema
One more thing: to make the logging understandable you also need
to specify the syslog_name.
1.2.3.5:smtp inet n - n - 1 postscreen
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
Done, thanks again. I also had to add the SSL cert/key lines, of course.
While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?
The 127.0.0.1:smtp entry exists for compatibility with software
that submits mail via the loopback interface, such as a webmail
system or a local mail client.
Got it, thanks to you both!
TLS? In that case you also need two tlsproxy services, each with
their own certificate stuff.

1.2.3.5:smtp inet n - n - 1 postscreen
  -o tlsproxy_service_name=tlsproxy_1.2.3.5
  -o smtpd_service_name=smtpd_1.2.3.5
  -o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
  -o syslog_name=postfix/1.2.3.5
tlsproxy_1.2.3.5 ...other master settings...
  -o syslog_name=postfix/1.2.3.5
  ...certificate stuff...

Wietse
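A small validator for the situation in this thread, written as an added example (not Postfix code and not from anyone in the thread): it parses a master.cf fragment and reports each postscreen entry whose smtpd_service_name or tlsproxy_service_name does not resolve to a defined service of the right daemon, which is exactly the mismatch behind the original "cannot connect to service private/smtpd" warning. The embedded master.cf is constructed from Wietse's per-IP layout, with the 1.2.3.4 chain deliberately repeating the original post's naming mistake.

```python
"""Flag postscreen entries whose smtpd/tlsproxy helper service is undefined."""
import re
# Constructed master.cf modelled on the per-IP layout from this thread. The
# 1.2.3.4 chain repeats the original post's mistake: its smtpd service is
# named "1.2.3.4:smtpd", so postscreen's default smtpd_service_name=smtpd
# has nothing to connect to ("cannot connect to service private/smtpd").
MASTER_CF = """\
1.2.3.5:smtp inet n - n - 1 postscreen
  -o smtpd_service_name=smtpd_1.2.3.5
  -o tlsproxy_service_name=tlsproxy_1.2.3.5
  -o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
  -o syslog_name=postfix/1.2.3.5
tlsproxy_1.2.3.5 unix - - n - 0 tlsproxy
  -o syslog_name=postfix/1.2.3.5
1.2.3.4:smtp inet n - n - 1 postscreen
  -o syslog_name=postfix/1.2.3.4
1.2.3.4:smtpd pass - - n - - smtpd
"""

def parse_master_cf(text):
    """Return [(service_name, command, {option: value})], one per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line: "-o name=value"
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and entries:
                entries[-1][2][m.group(1)] = m.group(2)
            continue
        fields = line.split()  # name type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8:
            entries.append((fields[0], fields[7], {}))
    return entries

def check_postscreen(text):
    entries = parse_master_cf(text)
    command_of = {name: cmd for name, cmd, _ in entries}
    problems = []
    for name, cmd, opts in entries:
        if cmd != "postscreen":
            continue
        # postscreen's defaults are the daemon names; tlsproxy matters once TLS is offered
        for opt, daemon in (("smtpd_service_name", "smtpd"),
                            ("tlsproxy_service_name", "tlsproxy")):
            target = opts.get(opt, daemon)
            if command_of.get(target) != daemon:
                problems.append(f"{name}: {opt}={target} has no {daemon} service")
    return problems
```

Run it against your real /etc/postfix/master.cf before reloading; an empty result means every postscreen listener has a matching pass-through smtpd and, if you offer STARTTLS, its own tlsproxy.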
Eric Abrahamsen
2015-10-20 20:18:12 UTC
Post by Wietse Venema
Post by Eric Abrahamsen
Post by Wietse Venema
Post by Eric Abrahamsen
Post by Wietse Venema
One more thing: to make the logging understandable you also need
to specify the syslog_name.
1.2.3.5:smtp inet n - n - 1 postscreen
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
Done, thanks again. I also had to add the SSL cert/key lines, of course.
While we're still here, can I ask for my own information -- is the
127.0.0.1:smtp clause at the top still necessary, and if so, what does
it actually do?
The 127.0.0.1:smtp entry exists for compatibility with software
that submits mail via the loopback interface, such as a webmail
system or a local mail client.
Got it, thanks to you both!
TLS? In that case you also need two tlsproxy services, each with
their own certificate stuff.
1.2.3.5:smtp inet n - n - 1 postscreen
-o tlsproxy_service_name=tlsproxy_1.2.3.5
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
tlsproxy_1.2.3.5 ...other master settings...
-o syslog_name=postfix/1.2.3.5
...certificate stuff...
Yes, that was the whole point of this! Thanks for the extra notes. I've
had things running for the past day or so without the separate tlsproxy
services, and haven't noticed any immediately obvious errors in the
logs. On the other hand, I *have* noticed an increase in spam, so
probably it hasn't been working after all! I'll tweak further tonight.

Is this particular setup detailed in the docs anywhere? It seems like
something a fair number of people will be interested in. I can do some
sort of blog post, but I don't know how many people it would reach.

E
Wietse Venema
2015-10-20 21:27:02 UTC
Post by Eric Abrahamsen
Post by Wietse Venema
TLS? In that case you also need two tlsproxy services, each with
their own certificate stuff.
1.2.3.5:smtp inet n - n - 1 postscreen
-o tlsproxy_service_name=tlsproxy_1.2.3.5
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
tlsproxy_1.2.3.5 ...other master settings...
-o syslog_name=postfix/1.2.3.5
...certificate stuff...
Yes, that was the whole point of this! Thanks for the extra notes. I've
had things running for the past day or so without the separate tlsproxy
services, and haven't noticed any immediately obvious errors in the
logs. On the other hand, I *have* noticed an increase in spam, so
probably it hasn't been working after all! I'll tweak further tonight.
Is this particular setup detailed in the docs anywhere? It seems like
something a fair number of people will be interested in. I can do some
sort of blog post, but I don't know how many people it would reach.
The "-o <service>_name" feature works, but it quickly becomes
unwieldy with more complex configurations. For complex setups,
separate Postfix instances are a more manageable solution than a
web of -o options. Unfortunately some distros don't handle multiple
Postfix instance support well.

Wietse
Eric Abrahamsen
2015-10-21 17:13:36 UTC
Post by Wietse Venema
Post by Eric Abrahamsen
Post by Wietse Venema
TLS? In that case you also need two tlsproxy services, each with
their own certificate stuff.
1.2.3.5:smtp inet n - n - 1 postscreen
-o tlsproxy_service_name=tlsproxy_1.2.3.5
-o smtpd_service_name=smtpd_1.2.3.5
-o syslog_name=postfix/1.2.3.5
smtpd_1.2.3.5 pass - - n - - smtpd
-o syslog_name=postfix/1.2.3.5
tlsproxy_1.2.3.5 ...other master settings...
-o syslog_name=postfix/1.2.3.5
...certificate stuff...
Yes, that was the whole point of this! Thanks for the extra notes. I've
had things running for the past day or so without the separate tlsproxy
services, and haven't noticed any immediately obvious errors in the
logs. On the other hand, I *have* noticed an increase in spam, so
probably it hasn't been working after all! I'll tweak further tonight.
Is this particular setup detailed in the docs anywhere? It seems like
something a fair number of people will be interested in. I can do some
sort of blog post, but I don't know how many people it would reach.
The "-o <service>_name" feature works, but it quickly becomes
unwieldy with more complex configurations. For complex setups,
separate Postfix instances are a more manageable solution than a
web of -o options. Unfortunately some distros don't handle multiple
Postfix instance support well.
Okay, got it. My setup is fairly simple, so I'll stick with this for
now.

Thanks again,
Eric