
Re: setting up postscreen on a system with multiple external interfaces

  • Viktor Dukhovni
    Feb 21, 2013
      On Thu, Feb 21, 2013 at 05:46:26PM +0100, Erik Slagter wrote:

      > Another variation I tried ("pass" and "postscreen" the other way
      > around). This works, but gives the original problem, the smtpd
      > options are not honoured (especially banner and starttls="may"),
      > even though I set both:

      Take a DEEP breath, relax and don't *try* implementing new
      configurations you don't yet understand. The shots in the dark will
      just get you more confused.

      It is time to try to *understand*.

      1. A running Postfix instance is a collection of separate background
      services (daemons) launched by an inetd-like service supervisor known
      as "master". These services run independently in separate processes
      and communicate with each other using unix-domain sockets.

      They are configured either via main.cf (best practice) or via
      master.cf "-o parameter=$value" overrides (when you must).

      The MOST important thing you need to understand about this is:

      Adding "-o FOO=BAR" to the master.cf entry for SERVICEA has
      NO EFFECT on the value of FOO in SERVICEB!

      Even when the MESSAGE is passed from SERVICEA to SERVICEB the
      parameter settings ARE NOT.

      Thus when you convert an existing "smtpd" entry to a "postscreen"
      entry, it is a grave mistake to leave the "smtpd" (-o options)
      that tune the functionality of smtpd attached to the "postscreen"
      service. It (postscreen) won't care and the destination "smtpd"
      to which the message is handed off will no longer know the parameters.

      2. To provide multiple smtpd personalities, you need to implement multiple
      "smtpd" services each with their own settings. (As you do when smtpd
      listens directly on an "inet" socket).

      3. To implement 2. with postscreen, each "inet" listening postscreen
      (with settings relevant for postscreen) must hand the message off
      to an "smtpd" appropriate for its listening IP address.

      4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
      to hand the connection to. The postscreen(8) manual page refers you to

      http://www.postfix.org/postconf.5.html#smtpd_service_name

      which must specify the service name of a "pass" entry in master.cf;
      you need one of these for each distinct postscreen instance.

      192.0.2.1:25 inet ... postscreen
      -o smtpd_service_name=25@192.0.2.1
      -o <postscreen-related-settings> ...
      25@192.0.2.1 pass ... smtpd
      -o <smtpd-related-settings> ...

      Lather, rinse, repeat:

      192.0.2.1:587 inet ... postscreen
      -o smtpd_service_name=587@192.0.2.1
      -o <postscreen-related-settings> ...
      587@192.0.2.1 pass ... smtpd
      -o <smtpd-related-settings> ...

      Lather, rinse, repeat:

      192.0.2.2:25 inet ... postscreen
      -o smtpd_service_name=25@192.0.2.2
      -o <postscreen-related-settings> ...
      25@192.0.2.2 pass ... smtpd
      -o <smtpd-related-settings> ...

      Lather, rinse, repeat:

      192.0.2.3:25 inet ... postscreen
      -o smtpd_service_name=25@192.0.2.3
      -o <postscreen-related-settings> ...
      25@192.0.2.3 pass ... smtpd
      -o <smtpd-related-settings> ...

      ... but do stop eventually ... :-)

      --
      Viktor.
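The wiring Viktor describes can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it parses master.cf entries, resolves each "inet ... postscreen" listener's "-o smtpd_service_name=" to a "pass ... smtpd" entry, and flags smtpd_* overrides left on a postscreen entry, which the receiving smtpd never sees. The sample master.cf is constructed for the demonstration; the name "25@192.0.2.3" is its deliberate mismatch.

```python
import re

# Constructed sample master.cf: the second listener names a pass service that
# does not exist and keeps an smtpd TLS option on the postscreen line.
SAMPLE_MASTER_CF = """\
192.0.2.1:25   inet n - n - 1 postscreen
  -o smtpd_service_name=25@192.0.2.1
25@192.0.2.1   pass - - n - - smtpd
  -o smtpd_tls_security_level=may
192.0.2.2:25   inet n - n - 1 postscreen
  -o smtpd_service_name=25@192.0.2.2
  -o smtpd_tls_security_level=may
25@192.0.2.3   pass - - n - - smtpd
"""

def parse_master_cf(text):
    """Return {(name, type): {"command": str, "options": {key: value}}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():  # continuation line carrying a -o override
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if current is not None and m:
                services[current]["options"][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) < 8:  # not a complete service entry, skip it
            continue
        current = (fields[0], fields[1])
        services[current] = {"command": fields[7], "options": {}}
    return services

def check_postscreen_handoff(text):
    """List problems in the postscreen -> pass/smtpd wiring of master.cf."""
    services, problems = parse_master_cf(text), []
    for (name, stype), svc in services.items():
        if stype != "inet" or svc["command"] != "postscreen":
            continue
        target = svc["options"].get("smtpd_service_name", "smtpd")
        dest = services.get((target, "pass"))
        if dest is None or dest["command"] != "smtpd":
            problems.append(f"{name}: smtpd_service_name={target} has no "
                            f"matching 'pass ... smtpd' entry")
        for opt in svc["options"]:
            if opt.startswith("smtpd_") and opt != "smtpd_service_name":
                problems.append(f"{name}: -o {opt} on the postscreen entry "
                                f"will not reach the smtpd behind it")
    return problems
```

Run it against a real master.cf with `check_postscreen_handoff(open("/etc/postfix/master.cf").read())`; an empty list means every postscreen listener has its own pass/smtpd target and carries no stray smtpd_* overrides.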