Re: setting up postscreen on a system with multiple external interfaces
Feb 21, 2013

On 21-02-13 19:30, Noel Jones wrote:
> You've shared too much. By now no one has any idea what you're doing.

I'm just following the "REPORT A PROBLEM" procedure I was kindly pointed

> When postscreen decides to pass the connection to smtpd, postscreen
> is no longer involved, and smtpd has no knowledge of what transpired
> between postscreen and a client.

Yes, at this point the smtpd/master has no knowledge of the
interface/address, that's exactly the thing I fear.

> At some point you reported:
> [ .. ]
>> -o postscreen_tls_security_level=may
>> -o tlsproxy_tls_security_level=may
> both these belong in main.cf, or better, set main.cf:
> "smtpd_security_level = may" and leave these at their defaults.

Tried both, doesn't matter. The thing is that whichever way you set the
smtpd options (in main.cf), you cannot override them with postscreen. So
if you set the default value suitable for address a and b, they must be
overridden for address c and d, and vice versa. Yes, I have some internal
addresses that need to have tls_security=none and yes, that works like a
charm without postscreen enabled.

>> -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
> The cache map parameter belongs in main.cf. Probably a mistake to
> create separate caches.

Nope, the cache map cannot be shared between two smtpd processes (see
documentation ;-)). It's not a problem though, because one db holds ipv4
addresses and the other is ipv6 addresses.

> For the TLS part, it will be much easier to turn TLS on in main.cf,
> then turn it off on the interfaces where you don't want to offer it
> with "-o smtpd_tls_security_level=none".

All relevant options for TLS are actually set in main.cf. It's only that
it's not enabled there, it's enabled on a per-address basis. Which works.

> For the greeting banners, set them as macros in main.cf and then
> refer to them by $name in master.cf

That's a possibility, but it's not necessary and doesn't solve the problem.

> Now tell postscreen which ports to listen on and to enable the banner:
> # master.cf
> mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
>   -o postscreen_greet_banner=$postscreen_greet_v4
> mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
>   -o postscreen_greet_banner=$postscreen_greet_v6
> Next we tell smtpd to get its connections from postscreen.
> On your existing "smtp ... smtpd" entries where you want postscreen,
> change the "smtp inet n" part to "smtp pass -"
> This is described in detail in
> so your existing entry:
>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
> would become:
> mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

I get your drift, but IIRC I already tried this (multiple times, with
slight variations) and also reported the outcome of that:
"fatal: address already in use".

Did I already mention I have followed all the steps from the README as
closely as possible?
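Editor's added example (not the poster's or Noel's configuration, and not something the Postfix README spells out for this case): one way to keep per-address smtpd settings after introducing postscreen is to give each postscreen listener its own "pass" smtpd service via postscreen's smtpd_service_name parameter, so the per-address "-o" overrides move from the old inet smtpd entries to the pass entries. The host names are taken from the thread; which address gets TLS, the macro names, the pass-service names and the separate per-listener caches (the poster reports a btree cache cannot be shared between two postscreen processes) are assumptions for illustration. The old "<addr>:smtp inet ... smtpd" lines must be deleted, not left beside the postscreen lines: master(8) binds one socket per inet entry, and a second entry on the same address:port is what produces "address already in use".

```text
# main.cf (assumed macro values; "-o" values in master.cf cannot contain spaces)
postscreen_greet_v4 = $myhostname ESMTP (IPv4)
postscreen_greet_v6 = $myhostname ESMTP (IPv6)
smtpd_tls_security_level = none

# master.cf
# One postscreen listener per address; each forwards accepted connections
# to its own pass service (smtpd_service_name), where the smtpd overrides live.
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v4
  -o postscreen_tls_security_level=may
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
  -o smtpd_service_name=smtpd-ipv4
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v6
  -o postscreen_tls_security_level=none
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
  -o smtpd_service_name=smtpd-ipv6
# The former "<addr>:smtp inet n - n - 2 smtpd" entries, now "pass" services
# (assumed names) that carry the per-address TLS setting.
smtpd-ipv4 pass - - n - 2 smtpd
  -o smtpd_tls_security_level=may
smtpd-ipv6 pass - - n - 2 smtpd
  -o smtpd_tls_security_level=none
# Helpers postscreen needs for DNSBL lookups and for STARTTLS during its own tests.
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
```

After editing, "postfix reload" and check the log for postscreen and master(8) errors; a remaining "address already in use" means two inet entries still share an address:port.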
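Editor's added check, not from the thread and not a Postfix tool: a small lint that parses master.cf and reports two "inet" services bound to the same address:port, the condition behind "fatal: address already in use" when the old smtpd listener is left next to the new postscreen listener. The parser handles only what the check needs (8-field entries plus indented "-o" continuation lines), and the sample master.cf below is constructed to mirror the thread's situation: the IPv4 listener handed to postscreen with its smtpd twin still present, the IPv6 one correctly converted to "pass".

```python
"""Lint a Postfix master.cf for inet services that bind the same
address:port.  Added example, not code from the thread or from Postfix.
master(8) opens one listening socket per "inet" entry, so a postscreen
listener left beside the old smtpd listener on the same address fails
with "address already in use".  The sample master.cf below is constructed."""


def parse_master_cf(text):
    """Return [(name, type, command, [continuation lines])] in file order.

    A master.cf entry is one line of at least 8 whitespace-separated fields
    (service type private unpriv chroot wakeup maxproc command ...);
    lines starting with whitespace continue the previous entry."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                 # continuation, e.g. "-o name=value"
            if services:
                services[-1][3].append(line.strip())
            continue
        fields = line.split()
        if len(fields) < 8:
            continue                         # not a valid entry; master(8) rejects it
        services.append((fields[0], fields[1], fields[7], []))
    return services


def split_endpoint(name):
    """'host:port' -> (host, port); bare 'port' -> ('', port), meaning every
    address in inet_interfaces.  rpartition keeps IPv6 literals like '[::1]:smtp'."""
    host, sep, port = name.rpartition(":")
    return (host, port) if sep else ("", name)


def find_bind_conflicts(text):
    """Return (exact, overlaps).

    exact:    (name, first command, second command) for two inet entries on
              the same host:port; the second bind always fails.
    overlaps: (host:port, wildcard command, specific command) for a specific
              host next to a wildcard entry on the same port; this collides
              whenever inet_interfaces covers that host."""
    first_seen = {}
    exact, overlaps = [], []
    for name, stype, command, _ in parse_master_cf(text):
        if stype != "inet":
            continue
        host, port = split_endpoint(name)
        if (host, port) in first_seen:
            exact.append((name, first_seen[(host, port)], command))
        else:
            first_seen[(host, port)] = command
    for (host, port), command in first_seen.items():
        if host and ("", port) in first_seen:
            overlaps.append((f"{host}:{port}", first_seen[("", port)], command))
    return exact, overlaps


# Constructed sample: IPv4 listener given to postscreen but the original
# "inet ... smtpd" entry left in place; IPv6 converted to "pass" per the README.
BROKEN = """\
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v4
mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
  -o smtpd_tls_security_level=may
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_greet_banner=$postscreen_greet_v6
mx1.ipv6.slagter.name:smtp pass - - n - 2 smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
"""

# Same file with the IPv4 smtpd entry converted to a pass service.
FIXED = BROKEN.replace("mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd",
                       "mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd")

if __name__ == "__main__":
    for label, cf in (("broken", BROKEN), ("fixed", FIXED)):
        exact, overlaps = find_bind_conflicts(cf)
        print(f"{label}: {len(exact)} duplicate listener(s), {len(overlaps)} wildcard overlap(s)")
        for name, first, second in exact:
            print(f"  {name}: '{first}' and '{second}' both bind it")
```

Run it against a copy of the real file with `find_bind_conflicts(open('/etc/postfix/master.cf').read())`; an empty result does not prove the configuration is right, only that master(8) will not trip over a duplicate listener.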