
291495 Re: setting up postscreen on a system with multiple external interfaces

  • Erik Slagter
    Feb 22, 2013
      On 21-02-13 20:07, Viktor Dukhovni wrote:

      > [ ... ] (lot of patronising text removed)

      > 4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
      > to hand the connection to. The postscreen(8) manual page refers you to
      >
      > http://www.postfix.org/postconf.5.html#smtpd_service_name
      >
      > which must specify the service name of a "pass" entry in master.cf,
      > you need one of these for each distinct postscreen instance.

      And THAT is exactly the clue I was looking for! It works!

      The only thing that would have to be in the README file is the need to
      use "smtpd service names" in case of multiple smtp listeners, point to
      http://www.postfix.org/postconf.5.html#smtpd_service_name and then add a
      bit of really helpful text to the current one:

      "The internal service that postscreen(8) hands off allowed connections
      to. In a future version there may be different classes of SMTP service."

      If you google for this command, you'll get references to either this
      text or this thread :-(

      So for other people seeking to do the same, this does the trick. It's
      also simple once you know: the "service" parameter of a "pass" service
      is not an address:portno combo but an identifier:

      #
      # outside -> inside
      # postfix(25) -> amavis(10025)
      #

      mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
        -o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv4-25
        -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv4-25
        -o postscreen_tls_security_level=none
        -o smtpd_service_name=mx1_ipv4

      mx1_ipv4 pass - - n - - smtpd
        -o myhostname=mx1.slagter.name
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
        -o smtpd_tls_security_level=may
        # amavis
        -o smtpd_proxy_filter=nemesis.ipv4:10025

      mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
        -o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv6-25
        -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv6-25
        -o postscreen_tls_security_level=none
        -o smtpd_service_name=mx1_ipv6

      mx1_ipv6 pass - - n - - smtpd
        -o myhostname=mx1.slagter.name
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
        -o smtpd_tls_security_level=may
        # amavis
        -o smtpd_proxy_filter=nemesis.ipv4:10025
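
A consistency check for the wiring described in the message above, as an added example that is not part of the original post or of Postfix: it parses a master.cf and reports postscreen listeners whose smtpd_service_name (default "smtpd") has no matching "pass" smtpd entry, or that reuse another listener's btree cache file. The sample configuration, its documentation-range addresses and the function names are constructed for illustration, and only the plain `-o name=value` option form is handled.

```python
import re

# Constructed master.cf sample (not from the post): the second postscreen
# listener has no smtpd_service_name and reuses the first listener's cache.
SAMPLE = """\
192.0.2.1:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-a
  -o smtpd_service_name=mx_a
mx_a pass - - n - - smtpd
  # comment lines inside a continued entry are skipped
  -o smtpd_tls_security_level=may
198.51.100.1:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-a
"""
DEFAULT_CACHE = "btree:$data_directory/postscreen_cache"  # Postfix default

def parse_master_cf(text):
    """Join continuation lines; return one dict per service entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        f = line.split()
        if len(f) < 8:
            continue  # not a complete service entry
        opts = dict(o.split("=", 1) for o in re.findall(r"-o\s+(\S+=\S*)", line))
        services.append({"name": f[0], "type": f[1], "cmd": f[7], "opts": opts})
    return services

def check_postscreen(services):
    """Return problems in the postscreen -> smtpd hand-off wiring."""
    passes = {s["name"] for s in services if s["type"] == "pass" and s["cmd"] == "smtpd"}
    problems, caches = [], {}
    for s in (s for s in services if s["cmd"] == "postscreen"):
        target = s["opts"].get("smtpd_service_name", "smtpd")  # Postfix default
        cache = s["opts"].get("postscreen_cache_map", DEFAULT_CACHE)
        if target not in passes:
            problems.append(f"{s['name']}: no 'pass' smtpd service named {target}")
        # A plain btree: cache file is not meant to be opened by two instances.
        if cache.startswith("btree:") and cache in caches:
            problems.append(f"{s['name']}: shares cache with {caches[cache]}")
        caches.setdefault(cache, s["name"])
    return problems
```

Calling `check_postscreen(parse_master_cf(open("/etc/postfix/master.cf").read()))` on a live file returns an empty list when every postscreen listener resolves to its own hand-off service and cache; the path shown is the usual location and may differ on your system.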