
Re: setting up postscreen on a system with multiple external interfaces

  • Reindl Harald
    Message 1 of 25, Feb 21, 2013
      Am 21.02.2013 16:35, schrieb Erik Slagter:

      > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
      > -o myhostname=eriks.xs4all.nl
      > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
      > -o smtpd_tls_security_level=may
      > -o postscreen_tls_security_level=may
      > -o tlsproxy_tls_security_level=may
      > -o smtpd_proxy_filter=nemesis.ipv4:10025
      > -o soft_bounce=no
      > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

      and how should this be supposed to use postscreen
      with "smtpd" instead of "postscreen" as command?
    • Erik Slagter
      Message 2 of 25, Feb 21, 2013
        If I set up postscreen as closely as possible to the postscreen README
        document, I get this (diff to previous message) (I'm sorry lots of it
        has been folded). The log says "address already in use for 10.1.1.1",
        this is interesting because none of the changes involved 10.1.1.1.

        --- a 2013-02-21 16:37:18.348109048 +0100
        +++ b 2013-02-21 17:25:24.337265305 +0100
        @@ -8,7 +8,7 @@

        * Postfix logging

        -None relevant (really! the logging is exactly the same for postscreen
        and non-postscreen operation, up to the problem the problem occurs).
        +Feb 21 16:46:03 nemesis-vlan1 postfix/master[28268]: fatal: bind
        10.1.1.1 port 25: Address already in use

        * Postconf -n

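        Review bot: the bind that fails is 10.1.1.1:25, an address this diff never touches; the master.cf hunk further down swaps the per-address `smtpd` listener for a bare `smtp inet ... postscreen` entry, which binds port 25 on every address, so an existing port-25 listener on 10.1.1.1 collides with it. Keep postscreen bound to the same host:port names the old smtpd listeners used (`mx1.ipv4.slagter.name:smtp inet ... postscreen`) rather than the wildcard `smtp` service.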
        @@ -93,7 +93,7 @@

        * Postfinger

        -Postfinger - postfix configuration on do feb 21 16:32:28 CET 2013
        +postfinger - postfix configuration on do feb 21 17:24:49 CET 2013
        version: 1.30

        Warning: postfinger output may show private configuration information,
        @@ -178,7 +178,10 @@
        virtual_alias_maps = hash:/etc/postfix/virtual

        --master.cf--
        -mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
        +smtp inet n - n - 1 postscreen
        +dnsblog unix - - n - 0 dnsblog
        +tlsproxy unix - - n - 0 tlsproxy
        +mx1.ipv4.slagter.name:smtp pass n - n - 2 smtpd
        -o myhostname=eriks.xs4all.nl
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
        -o smtpd_tls_security_level=may
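        Review bot: `+mx1.ipv4.slagter.name:smtp pass n - n - 2 smtpd` is never reached. The new `+smtp inet n - n - 1 postscreen` entry sets no `smtpd_service_name`, so postscreen hands connections to the default pass service named `smtpd`, which does not exist in this master.cf, and nothing refers to the host:port-style name given to the pass entry. Name the pass entry with a plain identifier and point the postscreen entry at it with `-o smtpd_service_name=<that name>`, one postscreen/pass pair per listening address.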
        @@ -187,7 +190,7 @@
        -o smtpd_proxy_filter=nemesis.ipv4:10025
        -o soft_bounce=no
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
        -mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
        +mx1.ipv6.slagter.name:smtp pass n - n - 2 smtpd
        -o myhostname=mx1.ipv6.slagter.name
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
        -o smtpd_tls_security_level=may
        @@ -288,3 +291,6 @@
        -- end of postfinger output --
      • Erik Slagter
        Message 3 of 25, Feb 21, 2013
          Another variation I tried ("pass" and "postscreen" the other way
          around). This works, but gives the original problem, the smtpd options
          are not honoured (especially banner and starttls="may"), even though I
          set both:

          -o smtpd_tls_security_level=may
          -o postscreen_tls_security_level=may

          Output of postfinger, diff to first non-postscreen config:

          --- a 2013-02-21 17:35:41.568369098 +0100
          +++ c 2013-02-21 17:38:58.274633686 +0100
          @@ -1,4 +1,4 @@
          -Postfinger - postfix configuration on do feb 21 16:32:28 CET 2013
          +postfinger - postfix configuration on do feb 21 17:38:58 CET 2013
          version: 1.30

          Warning: postfinger output may show private configuration information,
          @@ -83,7 +83,10 @@
          virtual_alias_maps = hash:/etc/postfix/virtual

          --master.cf--
          -mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
          +smtpd pass - - n - - smtpd
          +dnsblog unix - - n - 0 dnsblog
          +tlsproxy unix - - n - 0 tlsproxy
          +mx1.ipv4.slagter.name:smtp inet n - n - 2 postscreen
          -o myhostname=eriks.xs4all.nl
          -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
          -o smtpd_tls_security_level=may
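          Review bot: the `-o myhostname`, `-o smtpd_banner` and `-o smtpd_tls_security_level` lines now hang off `+mx1.ipv4.slagter.name:smtp inet n - n - 2 postscreen`, so they configure the postscreen process and never reach the `smtpd pass - - n - - smtpd` service it hands connections to; move the smtpd parameters under the pass entry. With a single pass entry carrying the default name `smtpd`, every postscreen listener shares one smtpd personality, so each listener needs its own pass entry selected with `-o smtpd_service_name=`.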
          @@ -92,7 +95,7 @@
          -o smtpd_proxy_filter=nemesis.ipv4:10025
          -o soft_bounce=no
          -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
          -mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
          +mx1.ipv6.slagter.name:smtp pass n - n - 2 postscreen
          -o myhostname=mx1.ipv6.slagter.name
          -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
          -o smtpd_tls_security_level=may
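          Review bot: `+mx1.ipv6.slagter.name:smtp pass n - n - 2 postscreen` cannot receive anything. postscreen is the front-end listener and must be an `inet` service; a `pass` service only gets connections handed to it by another service, so after this change nothing listens on the IPv6 address at all. Make it `mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen` with its own `-o smtpd_service_name=` target.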

          * Log output

          Feb 21 17:42:40 nemesis-vlan1 postfix/master[4547]: daemon started -- version 2.9.4, configuration /etc/postfix
          Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: CONNECT from [10.1.1.5]:49309 to [83.163.214.71]:25
          Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: WHITELISTED [10.1.1.5]:49309
          Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: cache btree:/var/lib/postfix/postscreen_cache-ipv4 full cleanup: retained=5 dropped=0 entries
          Feb 21 17:42:42 nemesis-vlan1 postfix/smtpd[4554]: connect from eos.ipv4.slagter.name[10.1.1.5]
          Feb 21 17:42:50 nemesis-vlan1 postfix/smtpd[4554]: disconnect from eos.ipv4.slagter.name[10.1.1.5]
        • Reindl Harald
          Message 4 of 25, Feb 21, 2013
            Am 21.02.2013 17:46, schrieb Erik Slagter:
            > Another variation I tried ("pass" and "postscreen" the other way around). This works, but gives the original
            > problem, the smtpd options are not honoured (especially banner and starttls="may"), even though I set both:

            postscreen != smtpd so why should it do so?
            http://www.postfix.org/postscreen.8.html

            The Postfix postscreen(8) server provides additional protection
            against mail server overload. One postscreen(8) process handles
            multiple inbound SMTP connections, and decides which clients may
            talk to a Postfix SMTP server process.
          • Erik Slagter
            Message 5 of 25, Feb 21, 2013
              On 21-02-13 16:45, Reindl Harald wrote:
              > Am 21.02.2013 16:35, schrieb Erik Slagter:
              >
              >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
              >> [ ... ]

              > and how should this be supposed to use postscreen
              > with "smtpd" instead of "postscreen" as command?

              Interesting how anybody is keen on telling me I am doing it wrong, which
              I sort of already had figured because it doesn't work... On the other
              hand nobody has given a hint on how to do it "right" then.

              Likewise people pointing me to the postscreen HOWTO, which I've been
              reading numerous times now and really does _not_ give an answer to this
              problem.

              >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
              >> [ ... ]

              > and how should this be supposed to use postscreen
              > with "smtpd" instead of "postscreen" as command?

              Well don't ask me, I don't know, I am just trying "everything" because
              the documentation doesn't tell me how to do it?
            • DTNX Postmaster
              Message 6 of 25, Feb 21, 2013
                On Feb 21, 2013, at 18:28, Erik Slagter <erik@...> wrote:

                > On 21-02-13 16:45, Reindl Harald wrote:
                >> Am 21.02.2013 16:35, schrieb Erik Slagter:
                >>
                >>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                > >> [ ... ]
                >
                >> and how should this be supposed to use postscreen
                >> with "smtpd" instead of "postscreen" as command?
                >
                > Interesting how anybody is keen on telling me I am doing it wrong, which I sort of already had figured because it doesn't work... On the other hand nobody has given a hint on how to do it "right" then.
                >
                > Likewise people pointing me to the postscreen HOWTO, which I've been reading numerous times now and really does _not_ give an answer to this problem.
                >
                > >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                > >> [ ... ]
                >
                > > and how should this be supposed to use postscreen
                > > with "smtpd" instead of "postscreen" as command?
                >
                > Well don't ask me, I don't know, I am just trying "everything" because the documentation doesn't tell me how to do it?

                You keep blaming the documentation and the software, when the problem
                is most likely in your understanding of it.

                Simplify your configuration. Don't assume that what goes for 'smtpd'
                goes for 'postscreen' as well. Pick sensible defaults for 'main.cf',
                and override only the options that are absolutely necessary.

                If you have a legitimate reason (as in, contractual obligations or
                whatnot) to require separate hostnames, greetings, TLS settings and
                such, use the multi-instance features and separate them. Otherwise the
                KISS principle applies.

                Cya,
                Jona
              • Noel Jones
                Message 7 of 25, Feb 21, 2013
                  On 2/21/2013 10:46 AM, Erik Slagter wrote:
                  > Another variation I tried ("pass" and "postscreen" the other way
                  > around).


                  You've shared too much. By now no one has any idea what you're doing.

                  Overview:

                  Postscreen is a front-end listener for smtpd. It's not a proxy.
                  Incoming connections are handled by postscreen until postscreen
                  either decides it's clean and passes the connection endpoint to
                  smtpd, or rejected. This is covered in more detail in the
                  POSTSCREEN_README.

                  When postscreen decides to pass the connection to smtpd, postscreen
                  is no longer involved, and smtpd has no knowledge of what transpired
                  between postscreen and a client.


                  Solution:

                  [this is not a complete how-to, but will show you how to use
                  multiple interfaces]

                  At some point you reported:


                  > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                  > -o myhostname=eriks.xs4all.nl
                  > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                  > -o smtpd_tls_security_level=may

                  Ok.

                  > -o postscreen_tls_security_level=may
                  > -o tlsproxy_tls_security_level=may

                  both these belong in main.cf, or better, set main.cf:
                  "smtpd_security_level = may" and leave these at their defaults.

                  > -o smtpd_proxy_filter=nemesis.ipv4:10025
                  > -o soft_bounce=no
                  > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

                  The cache map parameter belongs in main.cf. Probably a mistake to
                  create separate caches.

                  Same comments as above for the smtpd listener below.

                  >
                  > mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
                  > -o myhostname=mx1.ipv6.slagter.name
                  > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                  > -o smtpd_tls_security_level=may
                  > -o postscreen_tls_security_level=may
                  > -o tlsproxy_tls_security_level=may
                  > -o smtpd_proxy_filter=nemesis.ipv4:10025
                  > -o soft_bounce=no
                  > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6



                  For the TLS part, it will be much easier to turn TLS on in main.cf,
                  then turn it off on the interfaces where you don't want to offer it
                  with "-o smtpd_tls_security_level=none".

                  # main.cf
                  smtpd_tls_security_level = may

                  For the greeting banners, set them as macros in main.cf and then
                  refer to them by $name in master.cf

                  # main.cf
                  postscreen_greet_v4 = postscreen.v4.mx1 ESMTP greets you
                  postscreen_greet_v6 = postscreen.v6.mx1 ESMTP greets you


                  Now tell postscreen which ports to listen on and to enable the banner:

                  # master.cf

                  mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
                      -o postscreen_greet_banner=$postscreen_greet_v4

                  mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
                      -o postscreen_greet_banner=$postscreen_greet_v6



                  Next we tell smtpd to get its connections from postscreen.
                  On your existing "smtp ... smtpd" entries where you want postscreen,
                  change the "smtp inet n" part to "smtp pass -"
                  This is described in detail in
                  http://www.postfix.org/POSTSCREEN_README.html#config

                  so your existing entry:
                  > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd

                  would become:
                  mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd




                  Good luck.



                  -- Noel Jones
                • Erik Slagter
                    Message 8 of 25, Feb 21, 2013
                    On 21-02-13 19:17, DTNX Postmaster wrote:

                    > You keep blaming the documentation and the software, when the problem
                    > is most likely in your understanding of it.

                    Yes I blame the documentation, but not the software. I've been using
                    postfix for, well, something like ten years or more, I think it's the
                    best thing since sliced bread, especially compared to sendmail, qmail
                    and exchange.

                    The way I've configured it now, really suits the demands. I cannot
                    remember any phrases in the documentation recommending not to do it this
                    way (i.e. start multiple smtp listeners on different addresses with
                    different options, in one master process). If it actually appears to be
                    disrecommended, then that's clear to me, no problem.

                    > Simplify your configuration. Don't assume that what goes for 'smtpd'
                    > goes for 'postscreen' as well.

                    I'd like to, but where do I find what I CAN assume? The factual
                    documentation of postscreen is so sparse, it's mostly HOWTO,
                    monkey-see-monkey-do.

                    > Pick sensible defaults for 'main.cf',
                    > and override only the options that are absolutely necessary.

                    That's already done.

                    > If you have a legitimate reason (as in, contractual obligations or
                    > whatnot) to require separate hostnames, greetings, TLS settings and
                    > such, use the multi-instance features and separate them. Otherwise the
                    > KISS principle applies.

                    Actually this way is much more KISS to me than running multiple
                    instances of "master".

                    I'm starting to think that the reason this operation is not documented,
                    is because it's not possible. It looks like the postscreen layer
                    literally sits between the remote client and the smtp process, and the
                    information where the connection took place (interface/address) is not
                    available at the point where the smtpd is invoked.

                    If that's the case, postscreen is not the way to go for me. I assumed
                    postscreen was implemented a bit like proxy-filter, where you can run
                    any number of filters on any number of addresses.
                  • Erik Slagter
                      Message 9 of 25, Feb 21, 2013
                      On 21-02-13 19:30, Noel Jones wrote:

                      > You've shared too much. By now no one has any idea what you're doing.

                      I'm just following the "REPORT A PROBLEM" procedure I was kindly pointed
                      at...

                      > When postscreen decides to pass the connection to smtpd, postscreen
                      > is no longer involved, and smtpd has no knowledge of what transpired
                      > between postscreen and a client.

                      Yes at this point the smtpd/master has no knowledge of the
                      interface/address, that's exactly the thing I fear.

                      > At some point you reported:
                      > [ .. ]
                      >> -o postscreen_tls_security_level=may
                      >> -o tlsproxy_tls_security_level=may
                      >
                      > both these belong in main.cf, or better, set main.cf:
                      > "smtpd_security_level = may" and leave these at their defaults.

                      Tried both, doesn't matter. The thing is that whichever way you set the
                      smtpd options (in main.cf) you cannot override them with postscreen. So
                      if you set the default value suitable for address a and b, they must be
                      overridden for address c and d and vv. Yes, I have some internal addresses
                      that need to have tls_security=none and yes, that works like a charm
                      without postscreen enabled.

                      >> -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                      >
                      > The cache map parameter belongs in main.cf. Probably a mistake to
                      > create separate caches.

                      Nope, the cache map cannot be shared between two smtpd processes (see
                      documentation ;-)). It's not a problem though, because one db holds ipv4
                      addresses and the other is ipv6 addresses.

                      > For the TLS part, it will be much easier to turn TLS on in main.cf,
                      > then turn it off on the interfaces where you don't want to offer it
                      > with "-o smtpd_tls_security_level=none".

                      All relevant options for tls are actually set in main.cf. It's only that
                      it's not enabled there, it's enabled on a per-address base. Which works.

                      > For the greeting banners, set them as macros in main.cf and then
                      > refer to them by $name in master.cf

                      That's a possibility, but it's not necessary and doesn't solve the problem.

                      > Now tell postscreen which ports to listen on and to enable the banner:
                      >
                      > # master.cf
                      >
                      > mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
                      > -o postscreen_greet_banner=$postscreen_greet_v4
                      >
                      > mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
                      > -o postscreen_greet_banner=$postscreen_greet_v6
                      >
                      > Next we tell smtpd to get it's connections from postscreen.
                      > On your existing "smtp ... smtpd" entries where you want postscreen,
                      > change the "smtp inet n" part to "smtp pass -"
                      > This is described in detail in
                      > http://www.postfix.org/POSTSCREEN_README.html#config
                      >
                      > so your existing entry:
                      >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                      >
                      > would become:
                      > mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

                      I get your drift, but IIRC I already tried this (multiple times, with
                      slight variations) and also reported about the outcome of that:
                      "fatal: address already in use".

                      Did I already mention I have followed all the steps from the README as
                      closely as possible?
                    • Viktor Dukhovni
                       Message 10 of 25, Feb 21, 2013
                        On Thu, Feb 21, 2013 at 05:46:26PM +0100, Erik Slagter wrote:

                        > Another variation I tried ("pass" and "postscreen" the other way
                        > around). This works, but gives the original problem, the smtpd
                        > options are not honoured (especially banner and starttls="may"),
                        > even though I set both:

                        Take a DEEP breath, relax and don't *try* implementing new
                        configurations you don't yet understand. The shots in the dark will
                        just get you more confused.

                        It is time to try to *understand*.

                        1. A running Postfix instance is a collection of separate background
                        services (daemons) launched by an inetd-like service supervisor known
                        as "master". These services run independently in separate processes
                        and communicate with each other using unix-domain sockets.

                        They are configured either via main.cf (best practice) or via
                        master.cf "-o parameter=$value" overrides (when you must).

                        The MOST important thing you need to understand about this is:

                        Adding "-o FOO=BAR" to the master.cf entry for SERVICEA has
                        NO EFFECT on the value of FOO in SERVICEB!

                        Even when the MESSAGE is passed from SERVICEA to SERVICEB the
                        parameter settings ARE NOT.

                        Thus when you convert an existing "smtpd" entry to a "postscreen"
                        entry, it is a grave mistake to leave the "smtpd" (-o options)
                        that tune the functionality of smtpd attached to the "postscreen"
                        service. It (postscreen) won't care and the destination "smtpd"
                        to which the message is handed off will no longer know the parameters.

                        2. To provide multiple smtpd personalities, you need to implement multiple
                        "smtpd" services each with their own settings. (As you do when smtpd
                        listens directly on an "inet" socket).

                        3. To implement 2. with postscreen, each "inet" listening postscreen
                        (with settings relevant for postscreen) must hand the message off
                        to an "smtpd" appropriate for its listening IP address.

                        4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
                        to hand the connection to. The postscreen(8) manual page refers you to

                        http://www.postfix.org/postconf.5.html#smtpd_service_name

                        which must specify the service name of a "pass" entry in master.cf,
                        you need one of these for each distinct postscreen instance.

                        192.0.2.1:25 inet ... postscreen
                            -o smtpd_service_name=25@192.0.2.1
                            -o <postscreen-related-settings> ...
                        25@192.0.2.1 pass ... smtpd
                            -o <smtpd-related-settings> ...

                        Lather, rinse, repeat:

                        192.0.2.1:587 inet ... postscreen
                            -o smtpd_service_name=587@192.0.2.1
                            -o <postscreen-related-settings> ...
                        587@192.0.2.1 pass ... smtpd
                            -o <smtpd-related-settings> ...

                        Lather, rinse, repeat:

                        192.0.2.2:25 inet ... postscreen
                            -o smtpd_service_name=25@192.0.2.2
                            -o <postscreen-related-settings> ...
                        25@192.0.2.2 pass ... smtpd
                            -o <smtpd-related-settings> ...

                        Lather, rinse, repeat:

                        192.0.2.3:25 inet ... postscreen
                            -o smtpd_service_name=25@192.0.2.3
                            -o <postscreen-related-settings> ...
                        25@192.0.2.3 pass ... smtpd
                            -o <smtpd-related-settings> ...

                        ... but do stop eventually ... :-)

                        --
                        Viktor.
                      • Erik Slagter
                         Message 11 of 25, Feb 22, 2013
                          On 21-02-13 20:07, Viktor Dukhovni wrote:

                          > [ ... ] (lot of patronising text removed)

                          > 4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
                          > to hand the connection to. The postscreen(8) manual page refers you to
                          >
                          > http://www.postfix.org/postconf.5.html#smtpd_service_name
                          >
                          > which must specify the service name of a "pass" entry in master.cf,
                          > you need one of these for each distinct postscreen instance.

                          And THAT is exactly the clue I was looking for! It works!

                          The only thing that would have to be in the README file is the need to
                          use "smtpd service names" in case of multiple smtp listeners, point to
                          http://www.postfix.org/postconf.5.html#smtpd_service_name and then add a
                          bit of really helpful text to the current one:

                          "The internal service that postscreen(8) hands off allowed connections
                          to. In a future version there may be different classes of SMTP service."

                          If you google for this command, you'll get references to either this
                          text or this thread :-(

                          So for other people seeking to do the same, this does the trick, it's
                          also simple once you know, the "service" parameter of a "pass" service
                          is not an address:portno combo but an identifier:

                          #
                          # outside -> inside
                          # postfix(25) -> amavis(10025)
                          #

                          mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
                              -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                              -o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv4-25
                              -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv4-25
                              -o postscreen_tls_security_level=none
                              -o smtpd_service_name=mx1_ipv4

                          mx1_ipv4 pass - - n - - smtpd
                              -o myhostname=mx1.slagter.name
                              -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                              -o smtpd_tls_security_level=may
                              -o smtpd_proxy_filter=nemesis.ipv4:10025 # amavis

                          mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
                              -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
                              -o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv6-25
                              -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv6-25
                              -o postscreen_tls_security_level=none
                              -o smtpd_service_name=mx1_ipv6

                          mx1_ipv6 pass - - n - - smtpd
                              -o myhostname=mx1.slagter.name
                              -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                              -o smtpd_tls_security_level=may
                              -o smtpd_proxy_filter=nemesis.ipv4:10025 # amavis
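The rule Viktor spells out in message 10 and Erik's working configuration in message 11 both come down to a wiring check: every `inet` postscreen listener must name, via `smtpd_service_name`, a `pass` service running `smtpd`, and smtpd parameters must sit on that pass entry rather than on the postscreen entry. The following checker is an added example, not code from the thread or from Postfix. It parses master.cf entries (first column starts a service, indented `-o name=value` lines continue it) and reports the mistakes the earlier attempts made. The two master.cf texts are constructed samples adapted from the entries posted above; the set of smtpd-only parameters is a representative assumption, and the wildcard-versus-address bind conflict is the Linux behaviour that produced the "Address already in use" log line in message 2.

```python
"""Static checker for the postscreen -> smtpd hand-off wiring in a Postfix master.cf.

Added example, not part of Postfix. The sample master.cf texts are constructed,
adapted from the entries posted in the thread.
"""
import re

# Parameters read only by the smtpd process (assumption: a representative set).
# A "-o" override never propagates between services, so putting these on a
# postscreen entry changes nothing in the smtpd that receives the connection.
SMTPD_ONLY = {"smtpd_proxy_filter", "smtpd_tls_security_level",
              "smtpd_recipient_restrictions", "smtpd_sasl_auth_enable"}

OPTION_RE = re.compile(r"\s*-o\s+([A-Za-z0-9_]+)=(\S*)")

# Constructed: the shape of the thread's failed attempts (wildcard postscreen
# listener, smtpd options attached to postscreen, postscreen as a "pass" service).
BROKEN_MASTER_CF = """\
smtp          inet  n  -  n  -  1  postscreen
10.1.1.1:smtp inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=none
smtpd         pass  -  -  n  -  -  smtpd
dnsblog       unix  -  -  n  -  0  dnsblog
tlsproxy      unix  -  -  n  -  0  tlsproxy
mx1.ipv4.slagter.name:smtp inet n - n - 2 postscreen
  -o smtpd_tls_security_level=may
  -o smtpd_proxy_filter=nemesis.ipv4:10025
mx1.ipv6.slagter.name:smtp pass n - n - 2 postscreen
  -o smtpd_tls_security_level=may
"""

# Constructed: the working shape from message 11, one postscreen listener per
# address, each naming its own "pass" smtpd through smtpd_service_name.
FIXED_MASTER_CF = """\
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
  -o smtpd_service_name=mx1_ipv4
mx1_ipv4      pass  -  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_proxy_filter=nemesis.ipv4:10025
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
  -o smtpd_service_name=mx1_ipv6
mx1_ipv6      pass  -  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
dnsblog       unix  -  -  n  -  0  dnsblog
tlsproxy      unix  -  -  n  -  0  tlsproxy
"""


def parse_master_cf(text):
    """Return entries as dicts with name, type, command and their -o overrides."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                        # blank or comment line
        if line[0].isspace():               # continuation line: "-o name=value"
            m = OPTION_RE.match(line)
            if m and entries:
                entries[-1]["options"][m.group(1)] = m.group(2)
            continue
        fields = line.split()               # name type private unpriv chroot wakeup maxproc command
        if len(fields) < 8:
            raise ValueError("malformed master.cf entry: %r" % line)
        entries.append({"name": fields[0], "type": fields[1],
                        "command": fields[7], "options": {}})
    return entries


def check_postscreen_wiring(text):
    """Return a list of problems; an empty list means the hand-off wiring is consistent."""
    entries = parse_master_cf(text)
    by_name = {e["name"]: e for e in entries}
    problems, referenced = [], set()
    for e in entries:
        if e["command"] != "postscreen":
            continue
        if e["type"] != "inet":             # postscreen is the front-end listener
            problems.append("%s: postscreen must listen on an inet socket, not type %s"
                            % (e["name"], e["type"]))
        target = e["options"].get("smtpd_service_name", "smtpd")   # Postfix default
        referenced.add(target)
        t = by_name.get(target)
        if t is None or t["type"] != "pass" or t["command"] != "smtpd":
            problems.append("%s: smtpd_service_name=%s does not name a 'pass ... smtpd' entry"
                            % (e["name"], target))
        for opt in sorted(SMTPD_ONLY & set(e["options"])):
            problems.append("%s: -o %s has no effect on the smtpd receiving the hand-off; set it on %s"
                            % (e["name"], opt, target))
    for e in entries:                       # pass smtpd services nothing hands connections to
        if e["type"] == "pass" and e["command"] == "smtpd" and e["name"] not in referenced:
            problems.append("%s: pass service is referenced by no postscreen smtpd_service_name"
                            % e["name"])
    # inet names are "host:port" or a bare "port" (all interfaces); on Linux a
    # wildcard listener and a per-address listener on the same port cannot both bind.
    hosts_by_port = {}
    for e in entries:
        if e["type"] == "inet":
            host, _, port = e["name"].rpartition(":")
            hosts_by_port.setdefault(port, []).append(host)
    for port, hosts in hosts_by_port.items():
        if "" in hosts and any(hosts):
            problems.append("port %s: wildcard listener conflicts with per-address listener(s) %s"
                            % (port, ", ".join(h for h in hosts if h)))
    return problems


if __name__ == "__main__":
    for label, cf in (("broken", BROKEN_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(label, "->", check_postscreen_wiring(cf) or "ok")
```

Run it against a real master.cf with `check_postscreen_wiring(open("/etc/postfix/master.cf").read())`; the broken sample yields five findings (two smtpd-only options on the IPv4 postscreen entry, a pass-type postscreen plus its stray TLS option, and the wildcard port-25 conflict), the fixed sample none.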
                        • Viktor Dukhovni
                          Message 12 of 25, Feb 22, 2013
                            On Fri, Feb 22, 2013 at 11:04:34AM +0100, Erik Slagter wrote:

                            First, a quick comment, all of the sturm and drang in this thread
                            is the result of a peculiar reluctance of most users to heed the
                            advice in MULTI_INSTANCE_README and simplify their configurations
                            by handling each distinct message flow in a separate Postfix
                            instance, each of which can be configured with few if any master.cf
                            tweaks, and understood and maintained much more easily.

                            A combination of MULTI_INSTANCE_README and POSTSCREEN_README would
                            get you there much more quickly, and even allow simpler configuration
                            of cases where identical policies apply to multiple protocol:address
                            endpoints, since you can just set inet_interfaces in main.cf to list
                            one or more network addresses for a given instance.

                            I strongly recommend that you take the time to refactor your
                            configuration to separate each flow into its own queue. The initial
                            investment of time pays off quickly in easier to manage configurations
                            and operational support (e.g. separate queues make it easier to
                            see which flow is having problems).

                            > On 21-02-13 20:07, Viktor Dukhovni wrote:
                            >
                            > > [ ... ] (lot of patronising text removed)

                            Text that is required background knowledge to understand what
                            follows, misconstrued to be patronizing rather than emphatic. Chill
                            man, the blustery tone of this thread is mostly the result of your
                            reticence to (AFAIK you never did) post the actual master.cf
                            configuration that failed to meet your expectations. You should
                            probably also not have included the text below in the initial post:

                            The options (-o) that I specify on the various per-interface
                            smtpd instances are NOT honoured anymore. ...

                            Is this intentional? A know[n] bug? ...

                            I must say the "howto" isn't very clear on this matter, it assumes you
                            only have only one external interface.

                            This is rude to the developers who take great pains to make Postfix
                            unusually robust and well documented. The "patronising" text is
                            sufficient to logically deduce that (and why) you need multiple
                            smtpd "pass" services, at which point one looks for a parameter to
                            specify the pass service, and finds it (in this case clustered
                            sub-optimally with unrelated settings, we'll fix that) in the postscreen(8)
                            manpage.

                            If Wietse is still reading this, we should move "smtpd_service_name"
                            to its own section nearer the top of the postscreen(8) manpage.

                            Fortunately, the parameter name is just what you'd expect if you've
                            ever seen "cleanup_service_name" which plays the same role one
                            handoff downstream.

                            > >4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
                            > > to hand the connection to. The postscreen(8) manual page refers you to
                            > >
                            > > http://www.postfix.org/postconf.5.html#smtpd_service_name
                            > >
                            > > which must specify the service name of a "pass" entry in master.cf,
                            > > you need one of these for each distinct postscreen instance.
                            >
                            > And THAT is exactly the clue I was looking for! It works!

                            Naturally, since it is simply a logical consequence of understanding
                            the patronising text. :-) Perhaps some people even spotted the
                            transposition error in the last "Lather, rinse, repeat" example.
                            (It has been observed that students pay more attention to technical
                            books that contain minor errors that require them to pause and
                            think, and that they learn more from these than from polished
                            material that requires less attention).

                            [
                            Plus the fact that "unix" and "pass" service names are just file
                            names in /var/spool/postfix/private/ which I started to describe
                            in my first post, but decided to keep it more concise in the hope
                            that this will be apparent from context.

                            The master.cf services live in one of three namespaces:

                            - inet/public (inet can't be private).

                            - unix/public

                            - unix/private

                            Each of the "unix" cases subsumes "unix", "fifo" and "pass" since these
                            all are accessed via paths in /var/spool/postfix/{public,private}.

                            All delivery agents are "private" while "pickup", "qmgr", "flush"
                            and "showq" are "public" to support postdrop(1) and postqueue(1)
                            and their sendmail(1) interfaces. Almost everything else is private,
                            except for cleanup(8) which AFAIK is public only for historical
                            reasons.
                            ]

                            --
                            Viktor.
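As an added example (not code from this thread or from Postfix itself), a small Python linter for the master.cf layout Viktor describes above: every inet postscreen listener must hand off to its own smtpd "pass" service via smtpd_service_name, and in this thread's layout each listener also carries its own postscreen_cache_map. The master.cf excerpt is constructed, and the comment handling and "-o" parsing are simplifications of master(5).

```python
# Constructed master.cf excerpt in the thread's layout (not the poster's file):
# one postscreen listener per interface, each with its own smtpd "pass" service.
MASTER_CF = """\
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
  -o smtpd_service_name=mx1_ipv4
mx1_ipv4 pass - - n - - smtpd
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
  -o smtpd_service_name=mx1_ipv6
mx1_ipv6 pass - - n - - smtpd
"""

def parse_master_cf(text):
    """Return (name, type, command, {option: value}) per entry; indented lines continue."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (simplification)
        if not line.strip():
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()   # master(5): continuation line
        else:
            entries.append(line.strip())
    services = []
    for f in (e.split() for e in entries):
        # fields: name type private unpriv chroot wakeup maxproc command [-o k=v ...]
        opts = {f[i + 1].partition("=")[0]: f[i + 1].partition("=")[2]
                for i in range(8, len(f) - 1) if f[i] == "-o"}
        services.append((f[0], f[1], f[7], opts))
    return services

def lint_postscreen(services):
    """Flag postscreen listeners without a distinct smtpd 'pass' target or cache map."""
    by_name = {s[0]: s for s in services}
    owner_of_pass, owner_of_cache, problems = {}, {}, []
    for name, stype, cmd, opts in services:
        if stype != "inet" or cmd != "postscreen":
            continue
        target = opts.get("smtpd_service_name", "smtpd")  # postconf(5) default
        t = by_name.get(target)
        if t is None or t[1] != "pass" or t[2] != "smtpd":
            problems.append(f"{name}: smtpd_service_name={target} is not an smtpd 'pass' service")
        elif target in owner_of_pass:
            problems.append(f"{name}: pass service {target} already used by {owner_of_pass[target]}")
        owner_of_pass.setdefault(target, name)
        cache = opts.get("postscreen_cache_map", "(default)")
        if cache in owner_of_cache:  # thread's layout: one cache map per listener
            problems.append(f"{name}: cache map shared with {owner_of_cache[cache]}")
        owner_of_cache.setdefault(cache, name)
    return problems
```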
                          • Wietse Venema
                            Message 13 of 25 , Feb 22, 2013
                              Viktor Dukhovni:
                              > All delivery agents are "private" while "pickup", "qmgr", "flush"
                              > and "showq" are "public" to support postdrop(1) and postqueue(1)
                              > and their sendmail(1) interfaces. Almost everything else is private,
                              > except for cleanup(8) which AFAIK is public only for historical
                              > reasons.

                              This was changed from "private" into "public", so that postdrop
                              could directly submit mail into cleanup, using the maildrop directory
                              only as a fall-back mechanism in case the cleanup transaction failed.
                              Recovering from all possible failure modes is complicated and I did
                              not get around to writing that code (and there are few people who I
                              would trust to write it).

                              Wietse