
291470 Re: setting up postscreen on a system with multiple external interfaces

  • DTNX Postmaster
    Feb 21, 2013
      On Feb 21, 2013, at 10:31, Erik Slagter <erik@...> wrote:

      > Hello all,
      >
      > Please help me with the following. I have here a postfix system that
      > listens on multiple (external) interfaces, e.g. one of them receives
      > e-mail from the internet, one of them receives more or less secure mail
      > from associated institutions.
      >
      > E-mail received on the "internet" interface receives full processing,
      > including amavis which calls spamassassin (by proxy filter) and it
      > should offer "may" level TLS (no discussion about that please ;-)).
      >
      > The e-mail received on the "secure" interface receives limited
      > processing, e.g. no amavis and it doesn't need to offer TLS.
      >
      > Besides that there are also a few "internal" interfaces postfix listens
      > on as well, with minimal processing, but with dkim signing.
      >
      > So there are actually multiple flows through the system, depending on
      > the interface the mail was received on.
      >
      > I want to start using postscreen. Of course I am not going to "test" in
      > a production environment, so I made a comparable postfix installation
      > and with that installation I ran into a problem:
      >
      > The options (-o) that I specify on the various per-interface smtpd
      > instances are NOT honoured anymore. I can check that quite easily
      > because the hello string varies per interface and also TLS is no longer
      > offered (disabled in the main.cf and enabled on a per-interface basis in
      > the master.cf file). When I revert to non-postscreen operation, it works
      > like expected.
      >
      > Is this intentional? A known bug? Or something I should do another way?
      > Anyone that has this configuration running, with postscreen?
      >
      > I must say the "howto" isn't very clear on this matter, it assumes you
      > have only one external interface.
      >
      > Thanks in advance.

      http://www.postfix.org/POSTSCREEN_README.html

      Have you followed those instructions?

      AFAIK, you can bind 'postscreen' to a specific interface by specifying
      a hostname or an IP address in front of the port name or number in
      'master.cf';

      192.0.2.1:smtp inet .... postscreen

      And then have a regular Postfix instance on a separate address;

      192.0.2.2:smtp inet .... smtpd

      If you cannot simplify your setup, you may need this;

      http://www.postfix.org/MULTI_INSTANCE_README.html

      Other than that, post proof that options are not honored anymore. The
      most likely cause is that you are trying to apply something to
      'postscreen' that is only supported for 'smtpd'?

      Cya,
      Jona
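
An added example, not part of the original message: a small Python audit that reads a master.cf and reports, for each `inet` listener, which `-o` overrides the smtpd serving that listener actually receives. It relies on the layout in POSTSCREEN_README, where postscreen hands accepted clients to the `smtpd pass` service; the sample file and its `-o` values are constructed for illustration.

```python
# Constructed sample master.cf; addresses are the documentation ones used in the
# post, the -o values are assumptions for illustration.
SAMPLE = """\
192.0.2.1:smtp inet n - n - 1 postscreen
smtpd          pass - - n - - smtpd
  -o smtpd_tls_security_level=may
192.0.2.2:smtp inet n - n - - smtpd
  -o smtpd_tls_security_level=none
  -o myhostname=secure.example.com
pickup         unix n - n 60 1 pickup
"""

def parse_services(text):
    """Return one dict per master.cf service, with its -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # continuation of the previous entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        f = line.split()                      # assumes no "{ }" quoted values
        if len(f) < 8:
            continue
        args = f[8:]
        opts = dict(args[i + 1].split("=", 1)
                    for i, a in enumerate(args[:-1]) if a == "-o" and "=" in args[i + 1])
        services.append({"name": f[0], "type": f[1], "command": f[7], "opts": opts})
    return services

def effective_smtpd_options(text):
    """Map each inet listener to the -o overrides of the smtpd that serves it."""
    services = parse_services(text)
    # postscreen hands accepted clients to the "smtpd pass" service.
    handoff = next((s for s in services
                    if s["type"] == "pass" and s["command"] == "smtpd"), None)
    result = {}
    for s in services:
        if s["type"] != "inet":
            continue
        if s["command"] == "postscreen":
            result[s["name"]] = dict(handoff["opts"]) if handoff else None
        else:
            result[s["name"]] = dict(s["opts"])
    return result

if __name__ == "__main__":
    for listener, opts in effective_smtpd_options(SAMPLE).items():
        print(listener, opts)
```

A listener that maps to `None` is fronted by postscreen but has no `smtpd pass` entry to hand clients to; an empty dict means smtpd runs with main.cf settings only.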