Re: setting up postscreen on a system with multiple external interfaces

  • Noel Jones
    Feb 21, 2013
      On 2/21/2013 10:46 AM, Erik Slagter wrote:
      > Another variation I tried ("pass" and "postscreen" the other way
      > around).


      You've shared too much. By now no one has any idea what you're doing.

      Overview:

      Postscreen is a front-end listener for smtpd. It's not a proxy.
      Incoming connections are handled by postscreen until postscreen
      either decides the client is clean and passes the connection
      endpoint to smtpd, or rejects it. This is covered in more detail
      in the POSTSCREEN_README.

      When postscreen decides to pass the connection to smtpd, postscreen
      is no longer involved, and smtpd has no knowledge of what transpired
      between postscreen and a client.


      Solution:

      [this is not a complete how-to, but will show you how to use
      multiple interfaces]

      At some point you reported:


      > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
      > -o myhostname=eriks.xs4all.nl
      > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
      > -o smtpd_tls_security_level=may

      Ok.

      > -o postscreen_tls_security_level=may
      > -o tlsproxy_tls_security_level=may

      Both of these belong in main.cf, or better, set main.cf:
      "smtpd_tls_security_level = may" and leave these at their defaults.

      > -o smtpd_proxy_filter=nemesis.ipv4:10025
      > -o soft_bounce=no
      > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

      The cache map parameter belongs in main.cf. Probably a mistake to
      create separate caches.

      Same comments as above for the smtpd listener below.

      >
      > mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
      > -o myhostname=mx1.ipv6.slagter.name
      > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
      > -o smtpd_tls_security_level=may
      > -o postscreen_tls_security_level=may
      > -o tlsproxy_tls_security_level=may
      > -o smtpd_proxy_filter=nemesis.ipv4:10025
      > -o soft_bounce=no
      > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6



      For the TLS part, it will be much easier to turn TLS on in main.cf,
      then turn it off on the interfaces where you don't want to offer it
      with "-o smtpd_tls_security_level=none".

      # main.cf
      smtpd_tls_security_level = may

      For the greeting banners, set them as macros in main.cf and then
      refer to them by $name in master.cf

      # main.cf
      postscreen_greet_v4 = postscreen.v4.mx1 ESMTP greets you
      postscreen_greet_v6 = postscreen.v6.mx1 ESMTP greets you


      Now tell postscreen which ports to listen on and to enable the banner:

      # master.cf

      mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
        -o postscreen_greet_banner=$postscreen_greet_v4

      mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
        -o postscreen_greet_banner=$postscreen_greet_v6



      Next we tell smtpd to get its connections from postscreen.
      On your existing "smtp ... smtpd" entries where you want postscreen,
      change the "smtp inet n" part to "smtp pass -".
      This is described in detail in
      http://www.postfix.org/POSTSCREEN_README.html#config

      so your existing entry:
      > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd

      would become:
      mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd




      Good luck.



      -- Noel Jones
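Putting the pieces of the message above together, here is an added example (not from the original post or from the Postfix project): a two-interface main.cf/master.cf layout, plus a text-only check that catches the three mistakes the message points out (smtpd entries left as inet instead of pass, postscreen_*/tlsproxy_* overrides on smtpd entries, and banner macros referenced from master.cf but never defined in main.cf). The service names smtpd-v4/smtpd-v6 are my own choice; the hostnames and filter address are taken from the thread. The layout assumes that postscreen hands off to the service named by its smtpd_service_name parameter (default "smtpd"), so each postscreen listener names its own "pass ... smtpd" entry. Nothing here calls postconf or postfix; it only parses the fragments as text.

```shell
#!/bin/sh
# Added example, not from the original post. Service names smtpd-v4/smtpd-v6
# are illustrative; hostnames/filter address come from the thread.

# Constructed main.cf fragment: TLS on everywhere, banner macros, one shared cache.
MAIN_CF='smtpd_tls_security_level = may
postscreen_greet_v4 = postscreen.v4.mx1 ESMTP greets you
postscreen_greet_v6 = postscreen.v6.mx1 ESMTP greets you
postscreen_cache_map = btree:$data_directory/postscreen_cache'

# Constructed master.cf fragment: one postscreen listener per interface, each
# handing off (via smtpd_service_name) to a pass service carrying the
# per-interface smtpd settings.
MASTER_CF='# service                type private unpriv chroot wakeup maxproc command
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v4
  -o smtpd_service_name=smtpd-v4
smtpd-v4 pass - - n - 2 smtpd
  -o myhostname=eriks.xs4all.nl
  -o smtpd_proxy_filter=nemesis.ipv4:10025
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v6
  -o smtpd_service_name=smtpd-v6
smtpd-v6 pass - - n - 2 smtpd
  -o myhostname=mx1.ipv6.slagter.name
  -o smtpd_proxy_filter=nemesis.ipv4:10025'

# check_config MAIN_TEXT MASTER_TEXT: returns 0 when
#  - every postscreen listener hands off to an existing "pass ... smtpd" service,
#  - no smtpd entry carries postscreen_*/tlsproxy_* overrides (those go in main.cf),
#  - every $name used in a master.cf -o value is defined in main.cf.
check_config() {
  main_tmp=$(mktemp) || return 2
  master_tmp=$(mktemp) || return 2
  printf '%s\n' "$1" > "$main_tmp"
  printf '%s\n' "$2" > "$master_tmp"
  awk '
    BEGIN { defined["data_directory"] = 1; defined["mail_name"] = 1 } # built-ins seen in the thread
    FNR == NR {                                  # first file: main.cf "name = value"
      if ($0 ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) { n = $0; sub(/[ \t]*=.*/, "", n); defined[n] = 1 }
      next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[^ \t]/ {                                  # service line: name type private unpriv chroot wakeup maxproc command
      cur = $1; svc_type[cur] = $2; svc_cmd[cur] = $8; next
    }
    /^[ \t]+-o[ \t]+/ {                          # "-o key=value" continuation line
      eq = index($2, "="); key = substr($2, 1, eq - 1); val = substr($2, eq + 1)
      if (svc_cmd[cur] == "postscreen" && key == "smtpd_service_name") target[cur] = val
      if (svc_cmd[cur] == "smtpd" && key ~ /^(postscreen|tlsproxy)_/) {
        printf "%s: %s is a postscreen/tlsproxy parameter, set it in main.cf\n", cur, key; bad++
      }
      v = val                                    # every $name in the value must exist in main.cf
      while (match(v, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
        m = substr(v, RSTART + 1, RLENGTH - 1)
        if (!(m in defined)) { printf "%s: $%s is not defined in main.cf\n", cur, m; bad++ }
        v = substr(v, RSTART + RLENGTH)
      }
    }
    END {
      for (s in svc_cmd) if (svc_cmd[s] == "postscreen") {
        t = (s in target) ? target[s] : "smtpd"  # postscreen default hand-off target
        if (!(t in svc_cmd) || svc_type[t] != "pass" || svc_cmd[t] != "smtpd") {
          printf "%s: hands off to %s, but no \"%s pass ... smtpd\" entry exists\n", s, t, t; bad++
        }
      }
      exit (bad > 0)
    }' "$main_tmp" "$master_tmp"
  rc=$?
  rm -f "$main_tmp" "$master_tmp"
  return $rc
}

# Constructed negative case: the smtpd entry was left as "inet" instead of
# "pass", still carries a postscreen_* override, and references a banner
# macro that main.cf does not define.
BROKEN_MASTER_CF='mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_ipv4
  -o smtpd_service_name=smtpd-v4
smtpd-v4 inet n - n - 2 smtpd
  -o postscreen_tls_security_level=may'

check_config "$MAIN_CF" "$MASTER_CF" && echo "main.cf/master.cf layout is consistent"
```

Run the file as-is to check the good layout; call `check_config "$MAIN_CF" "$BROKEN_MASTER_CF"` to see the three findings printed one per line. The check deliberately treats main.cf as plain "name = value" lines and knows only the two built-in parameters the thread uses, so a reference to another built-in (not set in main.cf) would be reported; add it to the BEGIN block if you reuse the script.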