291491 Re: setting up postscreen on a system with multiple external interfaces

  • Erik Slagter
    Feb 21, 2013
      On 21-02-13 19:30, Noel Jones wrote:

      > You've shared too much. By now no one has any idea what you're doing.

      I'm just following the "REPORT A PROBLEM" procedure I was kindly pointed

      > When postscreen decides to pass the connection to smtpd, postscreen
      > is no longer involved, and smtpd has no knowledge of what transpired
      > between postscreen and a client.

      Yes, at this point the smtpd/master has no knowledge of the
      interface/address, that's exactly the thing I fear.

      > At some point you reported:
      > [ .. ]
      >> -o postscreen_tls_security_level=may
      >> -o tlsproxy_tls_security_level=may
      > both these belong in main.cf, or better, set main.cf:
      > "smtpd_security_level = may" and leave these at their defaults.

      Tried both, doesn't matter. The thing is that whichever way you set the
      smtpd options (in main.cf), you cannot override them with postscreen. So
      if you set the default value suitable for addresses a and b, they must be
      overridden for addresses c and d and vv. Yes, I have some internal
      addresses that need to have tls_security=none and yes, that works like a
      charm without postscreen enabled.

      >> -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
      > The cache map parameter belongs in main.cf. Probably a mistake to
      > create separate caches.

      Nope, the cache map cannot be shared between two smtpd processes (see
      documentation ;-)). It's not a problem though, because one db holds ipv4
      addresses and the other is ipv6 addresses.

      > For the TLS part, it will be much easier to turn TLS on in main.cf,
      > then turn it off on the interfaces where you don't want to offer it
      > with "-o smtpd_tls_security_level=none".

      All relevant options for tls are actually set in main.cf. It's only that
      it's not enabled there, it's enabled on a per-address basis. Which works.

      > For the greeting banners, set them as macros in main.cf and then
      > refer to them by $name in master.cf

      That's a possibility, but it's not necessary and doesn't solve the problem.

      > Now tell postscreen which ports to listen on and to enable the banner:
      > # master.cf
      > mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
      >   -o postscreen_greet_banner=$postscreen_greet_v4
      > mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
      >   -o postscreen_greet_banner=$postscreen_greet_v6
      > Next we tell smtpd to get its connections from postscreen.
      > On your existing "smtp ... smtpd" entries where you want postscreen,
      > change the "smtp inet n" part to "smtp pass -"
      > This is described in detail in
      > http://www.postfix.org/POSTSCREEN_README.html#config
      > so your existing entry:
      >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
      > would become:
      > mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

      I get your drift, but IIRC I already tried this (multiple times, with
      slight variations) and also reported about the outcome of that:
      "fatal: address already in use".

      Did I already mention I have followed all the steps from the README as
      closely as possible?
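
An added example, not part of the original message and not Postfix code: a small Python check that parses master.cf text and reports any address:port endpoint claimed by more than one `inet` service, one situation in which the second bind fails with "address already in use". The sample fragment is constructed from the entries quoted in the message above, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed master.cf fragment built from the entries quoted in the thread:
# the IPv4 address still has its old "inet ... smtpd" line next to postscreen.
SAMPLE_MASTER_CF = """\
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v4
mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
# the IPv6 pair follows the "inet n" to "pass -" change
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v6
mx1.ipv6.slagter.name:smtp pass - - n - 2 smtpd
"""


def parse_master_cf(text):
    """Parse master.cf text into service entries, joining continuation lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments
        if raw[0].isspace():  # leading whitespace continues the previous entry
            if entries:
                entries[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # not a complete service line
        # service type private unpriv chroot wakeup maxproc command [args]
        entries.append({"service": fields[0].lower(), "type": fields[1],
                        "command": fields[7], "args": fields[8:]})
    return entries


def find_bind_conflicts(entries):
    """Return {endpoint: [commands]} where more than one inet service binds it."""
    listeners = defaultdict(list)
    for e in entries:
        if e["type"] == "inet":
            listeners[e["service"]].append(e["command"])
    return {ep: cmds for ep, cmds in listeners.items() if len(cmds) > 1}


def postscreen_without_pass(entries):
    """True if postscreen is configured but no smtpd of type pass exists."""
    has_ps = any(e["command"] == "postscreen" for e in entries)
    has_pass = any(e["type"] == "pass" and e["command"] == "smtpd" for e in entries)
    return has_ps and not has_pass
```

The check only compares service names literally; it does not resolve hostnames or account for a wildcard `smtp inet` entry overlapping a specific address.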