Re: postmulti behind NAT
- On Sat, Jul 20, 2013 at 03:45:35PM -0500, /dev/rob0 wrote:
> They don't have "hairpin NAT" set up, whereby if I try to connect toMay I ask what badness you expect from that? My first thought was to
> this NATed IP address it would go to the router and come back to me.
> I'm fine with that, actually; while that would solve the instant
> problem, it could be bad in other ways.
suggest setting up the NAT rules yourself (using iptables or whatever your
OS offers). If they're restricted to match only TCP to <externalIP>:25, I
don't see much potential for problems (but of course, I may be missing
- On Tue, Jul 23, 2013 at 07:54:38AM +0200, Ulrich Zehl wrote:
> On Sat, Jul 20, 2013 at 03:45:35PM -0500, /dev/rob0 wrote:You're right, probably none. People who do "hairpin NAT" wrong (not
> > They don't have "hairpin NAT" set up, whereby if I try to
> > connect to this NATed IP address it would go to the router
> > and come back to me. I'm fine with that, actually; while
> > that would solve the instant problem, it could be bad in
> > other ways.
> May I ask what badness you expect from that?
restricting by interface) can create open relays when the router IP
address is in $mynetworks. Even if not an open relay, it destroys
your strongest antispam tools by obscuring the client IP address.
In this case the NAT should only be done for packets from the MSA
instance to the MX instance, so the usual problem of the wrong IP
address being logged would not matter: the router IP *is* the MSA.
> My first thought was to suggest setting up the NAT rules yourselfMy ultimate solution was as per the discussion with Wietse: an
> (using iptables or whatever your OS offers). If they're restricted
> to match only TCP to <externalIP>:25, I don't see much potential
> for problems (but of course, I may be missing something).
alternate DNS view of the MX instance hostname. I accomplished it
using dnsmasq and an entry in /etc/hosts, quick and easy. Any
additional names which might be used for this address must be added
to hosts as well.
I should close up this thread by saying that in this case all my
puzzling was pointless. :) This site uses an external filtering
service as relayhost. MSA sends everything to relayhost, the
Still, it's not entirely useless, because I learned something, and
these folks might not always want to be at the mercy of their
filtering service provider. If/when they decide to switch to send
direct-to-MX, it already works.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: