
291479 Re: setting up postscreen on a system with multiple external interfaces

  • Erik Slagter
    Feb 21, 2013
      On 21-02-13 15:50, Wietse Venema wrote:
      > Erik Slagter:
      >> I tried another variant:
      >>
      >> 192.168.0.1:smtp inet ... postscreen
      >> -o options...
      >>
      >> 192.168.0.1:pass inet ... smtpd
      >> -o options...
      >
      > If you don't show the exact options and the exact logging
      > then no-one can say what mistake YOU are making.

      Okay, I didn't post the complete master.cf because I thought it wouldn't
      be necessary, so here it is. This is the "plain" version that works,
      without postscreen enabled. If somebody can explain to me how to
      transform this into something working with postscreen enabled AND TLS
      working on the outside interface (ppp0, ipv4 and ipv6), I'd be very
      grateful, but really I've tried various approaches without luck.
      Postscreen by itself is working fine, btw.

      # ==========================================================================
      # service type private unpriv chroot wakeup maxproc command + args
      # (yes) (yes) (yes) (never) (100)
      # ==========================================================================

      # Stock entries, all disabled here. NOTE(review): the "smtpd pass",
      # "dnsblog" and "tlsproxy" services are the helpers a postscreen listener
      # hands sessions to; with them commented out, enabling postscreen on the
      # outside listeners below presumably leaves it nothing to delegate to
      # (tlsproxy in particular is what would terminate TLS for postscreen).
      #smtp inet n - n - 1 smtpd
      #smtp inet n - n - 1 postscreen
      #smtpd pass - - n - - smtpd
      #dnsblog unix - - n - 0 dnsblog
      #tlsproxy unix - - n - 0 tlsproxy

      #
      # outside -> inside
      # postfix(25) -> amavis(10025)
      #

      # Public-facing listeners (one per address family). Every session is
      # handed before-queue to the content filter on nemesis.ipv4:10025 via
      # smtpd_proxy_filter; soft_bounce=no keeps 5xx rejects final.
      # NOTE(review): postscreen_tls_security_level, tlsproxy_tls_security_level
      # and postscreen_cache_map are postscreen(8)/tlsproxy(8) parameters; as
      # -o overrides on a service whose command is smtpd they look like
      # leftovers from the postscreen attempt and are not expected to have any
      # effect here -- confirm rather than rely on them.
      mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
      -o myhostname=eriks.xs4all.nl
      -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
      -o smtpd_tls_security_level=may
      -o postscreen_tls_security_level=may
      -o tlsproxy_tls_security_level=may
      -o smtpd_proxy_filter=nemesis.ipv4:10025
      -o soft_bounce=no
      -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

      # Same as above for the IPv6 side; note myhostname differs from the
      # IPv4 listener (eriks.xs4all.nl vs mx1.ipv6.slagter.name).
      mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
      -o myhostname=mx1.ipv6.slagter.name
      -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
      -o smtpd_tls_security_level=may
      -o postscreen_tls_security_level=may
      -o tlsproxy_tls_security_level=may
      -o smtpd_proxy_filter=nemesis.ipv4:10025
      -o soft_bounce=no
      -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6

      #
      # amavis(10025) -> postfix(10026)
      #

      # Re-injection port for mail coming back from the content filter.
      # smtpd_client_restrictions is cleared and recipient checks are reduced
      # to permit_mynetworks,reject, so the main.cf value of mynetworks (not
      # overridden on this service, unlike the "locally generated" listeners
      # further down) is the only thing limiting who may submit on this port.
      # XFORWARD attributes are accepted from 10.1.1.1 only -- presumably the
      # filter host; verify that is the address the filter connects from.
      nemesis.ipv4:10026 inet n - n - 2 smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o
      receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-10026
      -o smtpd_client_restrictions=
      -o smtpd_authorized_xforward_hosts=10.1.1.1

      #
      # postfix(25) -> dkimproxy(11025)
      #

      # Outbound signing path: only loopback sources are permitted
      # (mynetworks=127.0.0.0/8) and each session is proxied to dkimproxy.
      # NOTE(review): nemesis.ipv4:smtp inet is defined a second time under
      # "locally generated" below, with different options (mynetworks
      # 10.0.2.0/24, no proxy filter). Postfix identifies a master.cf service
      # by its name and type, so one of the two entries is either rejected or
      # shadowed -- check the startup log (or postconf -M) for which is live.
      nemesis.ipv4:smtp inet n - n - 2 smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv4-25
      -o mynetworks=127.0.0.0/8
      -o smtpd_proxy_filter=nemesis.ipv4:11025

      # IPv6 counterpart of the signing path; no mynetworks override here, so
      # the main.cf value applies to permit_mynetworks on this listener.
      nemesis.ipv6:smtp inet n - n - 2 smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv6-25
      -o smtpd_proxy_filter=nemesis.ipv4:11025

      #
      # dkimproxy(11025) -> postfix(11026)
      #

      # Re-injection port after signing; same trust model as port 10026
      # (client restrictions cleared, permit_mynetworks,reject, XFORWARD only
      # from 10.1.1.1), so the same main.cf mynetworks caveat applies.
      nemesis.ipv4:11026 inet n - n - 2 smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o
      receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-11026
      -o smtpd_client_restrictions=
      -o smtpd_authorized_xforward_hosts=10.1.1.1

      #
      # locally generated
      #

      # Submission from the box itself: loopback only via mynetworks override.
      # The commented postscreen variant was an earlier experiment.
      #localhost.ipv4:smtp inet n - n - - postscreen
      localhost.ipv4:smtp inet n - n - - smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-25
      -o mynetworks=127.0.0.0/8

      # Submission from the 10.0.2.0/24 network. This is the second definition
      # of nemesis.ipv4:smtp inet in this file (see the dkimproxy section
      # above); only one of them can be in effect.
      #nemesis.ipv4:smtp inet n - n - - postscreen
      nemesis.ipv4:smtp inet n - n - - smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-vlan2-alt-ipv4-25
      -o mynetworks=10.0.2.0/24

      # IPv6 loopback submission; no mynetworks override, so main.cf governs
      # permit_mynetworks here.
      ::1:smtp inet n - n - - smtpd
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o body_checks=
      -o header_checks=
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv6-25

      # Standard Postfix daemons; "relay" is the stock smtp client with
      # shortened HELO/connect timeouts.
      pickup fifo n - n 60 1 pickup
      cleanup unix n - n - 0 cleanup
      qmgr fifo n - n 300 1 qmgr
      tlsmgr unix - - n 1000? 1 tlsmgr
      rewrite unix - - n - - trivial-rewrite
      bounce unix - - n - 0 bounce
      defer unix - - n - 0 bounce
      trace unix - - n - 0 bounce
      verify unix - - n - 1 verify
      flush unix n - n 1000? 0 flush
      proxymap unix - - n - - proxymap
      smtp unix - - n - - smtp
      relay unix - - n - - smtp -o
      smtp_helo_timeout=5 -o smtp_connect_timeout=5
      showq unix n - n - - showq
      error unix - - n - - error
      local unix - n n - - local
      virtual unix - n n - - virtual
      lmtp unix - - n - - lmtp
      anvil unix - - n - 1 anvil

      # Outbound transports pinned to specific IPv6 source addresses.
      # smtp-inside sets no smtp_tls_security_level, so it inherits whatever
      # main.cf says; smtp-default explicitly negotiates TLS opportunistically.
      smtp-inside unix - - n - - smtp
      -o myhostname=nemesis.slagter.name
      -o smtp_helo_name=nemesis.slagter.name
      -o smtp_bind_address6=2001:980:5fef:1::1

      smtp-default unix - - n - - smtp
      -o myhostname=eriks.xs4all.nl
      -o smtp_helo_name=eriks.xs4all.nl
      -o smtp_bind_address6=2001:980:5fef::1
      -o smtp_tls_security_level=may