
Postfix on different ports instead of different ip-addresses

  • Willy Janssen
    Message 1 of 4 , Mar 1 2:36 AM
      Let me explain my current setup.

      Our current Postfix setup for outgoing e-mail uses three different
      entries for different types of e-mail from our university. This is
      accomplished by three different names, e.g. smtp1.example.com,
      smtp2.example.com and smtp3.example.com, pointing to three different
      ip-addresses. Every ip-address is load-balanced to two different
      servers. Per server there are three different ip-addresses, all listening
      on port 25. Obviously every instance has its own Postfix configuration.
      No rocket science so far; this has worked for years, and very well.

      In the new setup, our networking department wants to get rid of the
      three different ip-addresses per server. Instead they want to 'stack' all
      the traffic coming from the load-balancer on one ip-address, but on
      different ports, say 1025, 2025 and 3025. (Needless to say the three
      different ip-addresses on the front-side of the load-balancer are being
      continued.)

      Most likely this setup will work, but I'm not very happy with it. It's
      more difficult to split logging and set-up of the host-based firewall
      (if applicable) is more difficult. The configuration of Postfix will be
      different from the current setup so it takes more time to adjust.

      However, all these items seem kind of 'cosmetic'. Therefore I would like
      to know if there are more consequences of this setup. Is there a
      technical reason which would prohibit this setup?

      Awaiting your answers.

      Regards, Willy Janssen
    • Reindl Harald
      Message 2 of 4 , Mar 1 3:03 AM
        On 01.03.2012 11:36, Willy Janssen wrote:
        > In the new setup, our networking department wants to get rid of the three different ip-addresses per server. Instead
        > they want to 'stack' all the traffic coming from the load-balancer on one ip-address, but on different ports, say
        > 1025, 2025 and 3025. (Needless to say the three different ip-addresses on the front-side of the load-balancer are
        > being continued.)
        >
        > However, all these items seem kind of 'cosmetic'. Therefore I would like to know if there are more consequences of
        > this setup. Is there a technical reason which would prohibit this setup?

        if these are only load-balancers/firewalls which can be configured to port/ip no
        problem, only MX is restricted to port 25 because no way to specify in DNS

        as example we have a dedicated port with no smtpd-restrictions for incoming
        mails from the spam-firewall and so separated from "normal" mail traffic
      • Wietse Venema
        Message 3 of 4 , Mar 1 6:01 AM
          Willy Janssen:
          > Let me explain my current setup.
          >
          > Our current Postfix setup for outgoing e-mail uses three different
          > entries for different types of e-mail from our university. This is
          > accomplished by three different names, e.g. smtp1.example.com,
          > smtp2.example.com and smtp3.example.com, pointing to three different
          > ip-addresses. Every ip-address is load-balanced to two different
          > servers. Per server there are three different ip-addresses, all listening
          > on port 25. Obviously every instance has its own Postfix configuration.
          > No rocket science so far; this has worked for years, and very well.
          >
          > In the new setup, our networking department wants to get rid of the
          > three different ip-addresses per server. Instead they want to 'stack' all
          > the traffic coming from the load-balancer on one ip-address, but on
          > different ports, say 1025, 2025 and 3025. (Needless to say the three
          > different ip-addresses on the front-side of the load-balancer are being
          > continued.)
          >
          > Most likely this setup will work, but I'm not very happy with it. It's
          > more difficult to split logging and set-up of the host-based firewall
          > (if applicable) is more difficult. The configuration of Postfix will be
          > different from the current setup so it takes more time to adjust.
          >
          > However, all these items seem kind of 'cosmetic'. Therefore I would like
          > to know if there are more consequences of this setup. Is there a
          > technical reason which would prohibit this setup?

          The game breaker is that Postfix configuration assumes that MTA
          instances do not share IP addresses. For example, MX host lookup
          (MX loop elimination) and relay access control are based on IP
          addresses, not on TCP ports.

          Apart from that, you can run many Postfix instances on one box, and
          use syslog_name and syslog_facility to distinguish the logging of
          different Postfix instances.

          Wietse
        • Wietse Venema
          Message 4 of 4 , Mar 1 8:34 AM
            Wietse Venema:
            > Willy Janssen:
            > > Let me explain my current setup.
            > >
            > > Our current Postfix setup for outgoing e-mail uses three different
            > > entries for different types of e-mail from our university. This is
            > > accomplished by three different names, e.g. smtp1.example.com,
            > > smtp2.example.com and smtp3.example.com, pointing to three different
            > > ip-addresses. Every ip-address is load-balanced to two different
            > > servers. Per server there are three different ip-addresses, all listening
            > > on port 25. Obviously every instance has its own Postfix configuration.
            > > No rocket science so far; this has worked for years, and very well.
            > >
            > > In the new setup, our networking department wants to get rid of the
            > > three different ip-addresses per server. Instead they want to 'stack' all
            > > the traffic coming from the load-balancer on one ip-address, but on
            > > different ports, say 1025, 2025 and 3025. (Needless to say the three
            > > different ip-addresses on the front-side of the load-balancer are being
            > > continued.)
            > >
            > > Most likely this setup will work, but I'm not very happy with it. It's
            > > more difficult to split logging and set-up of the host-based firewall
            > > (if applicable) is more difficult. The configuration of Postfix will be
            > > different from the current setup so it takes more time to adjust.
            > >
            > > However, all these items seem kind of 'cosmetic'. Therefore I would like
            > > to know if there are more consequences of this setup. Is there a
            > > technical reason which would prohibit this setup?
            >
            > The game breaker is that Postfix configuration assumes that MTA
            > instances do not share IP addresses. For example, MX host lookup
            > (MX loop elimination) and relay access control are based on IP
            > addresses, not on TCP ports.

            To clarify, MTAs can share IP addresses provided that they never
            try to send mail to each other. This is where HTTP servers fundamentally
            differ from mail servers: mail is store-and-forward, and therefore
            requires loop elimination.

            > Apart from that, you can run many Postfix instances on one box, and
            > use syslog_name and syslog_facility to distinguish the logging of
            > different Postfix instances.
            >
            > Wietse
            >
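
An added example, not part of the original thread and not Postfix code: a simplified Python model of the two IP-keyed decisions named in the replies above (MX loop elimination and relay access control), showing what changes when two MTA instances share one address. The hostnames, the 192.0.2.0/24 addresses, the port number and all function names are constructed for illustration.

```python
import ipaddress

def eliminate_mx_loops(mx_records, own_addresses):
    """Return the MX candidates left after loop elimination, keyed on IP only.

    mx_records: (preference, hostname, ip) tuples for the destination domain.
    own_addresses: IPs this MTA instance considers its own.
    An empty result means no usable next hop remains.
    """
    own = {ipaddress.ip_address(a) for a in own_addresses}
    self_prefs = [p for p, _h, ip in mx_records if ipaddress.ip_address(ip) in own]
    if not self_prefs:
        return sorted(mx_records)
    best_self = min(self_prefs)
    # Drop ourselves and every MX with an equal or worse (higher) preference.
    return sorted(r for r in mx_records if r[0] < best_self)

def relay_permitted(client_ip, client_port, trusted_networks):
    """IP-based relay check: the TCP port is deliberately never consulted."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in trusted_networks)

# Constructed sample data: instance 1 wants to hand mail to instance 2.
MX_SEPARATE = [(10, "smtp2.example.com", "192.0.2.12")]   # instance 2 has its own IP
MX_SHARED = [(10, "smtp2.example.com", "192.0.2.10"),     # instance 2 shares the IP
             (20, "backup.example.com", "192.0.2.50")]

def demo():
    return {
        # Instance 1 on its own address: instance 2 is a valid next hop.
        "separate_ips": eliminate_mx_loops(MX_SEPARATE, ["192.0.2.11"]),
        # Shared address: instance 1 sees instance 2's MX as itself and
        # discards it plus the worse-preference backup, leaving nothing.
        "shared_ip": eliminate_mx_loops(MX_SHARED, ["192.0.2.10"]),
        # Trusting the shared address for one instance trusts every client
        # connecting from it; the instance behind it cannot be told apart.
        "sibling_relay": relay_permitted("192.0.2.10", 41234, ["192.0.2.10/32"]),
        "outside_relay": relay_permitted("198.51.100.7", 41234, ["192.0.2.10/32"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```
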