smtp_bind_address not working through proxy

  • sedandgrep
    Message 1 of 20, Apr 16, 2014
      Hello,

      I have an imap/smtp proxy in a remote location that handles everything for
      the postfix backend. However, when sending to external domains such as
      gmail, those headers show my SPF as failing since the email seems to be
      coming from the actual client and not from the proxy. I already made
      modifications to master.cf as such and even included an SNAT rule in
      iptables but I am new to SNAT'ing so that may be wrong:

      master.cf

      smtp      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=43.38.30.84
      relay     unix  -       -       -       -       -       smtp
        -o smtp_bind_address=43.38.30.84

      $IPT -t nat -A POSTROUTING -p tcp -o eth1 -d 75.346.73.32 -j SNAT --to 43.38.30.84

      Many thanks for any help



      --
      View this message in context: http://postfix.1071664.n5.nabble.com/smtp-bind-address-not-working-through-proxy-tp67034.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
    • Wietse Venema
      Message 2 of 20, Apr 16, 2014
        sedandgrep:
        > Hello,
        >
        > I have an imap/smtp proxy in a remote location that handles everything for
        > the postfix backend. However, when sending to external domains such as
        > gmail, those headers show my SPF as failing since the email seems to be
        > coming from the actual client and not from the proxy.

        In other words the actual client does not send mail through Postfix.

        Wietse
      • sedandgrep
        Message 3 of 20, Apr 16, 2014
          Upon inspection of the headers to an external domain (an email address I have
          at gmail), they show the SPF failing claiming that the ip of the client is
          not designated to send emails for our domain (the domain of our postfix of
          course)
        • lists@rhsoft.net
          Message 4 of 20, Apr 16, 2014
            Am 16.04.2014 19:07, schrieb sedandgrep:
            > Upon inspection of the headers to an external domain (an email address I have
            > at gmail), they show the SPF failing claiming that the ip of the client is
            > not designated to send emails for our domain (the domain of our postfix of
            > course)

            you need to adjust your SPF record to the IP the destination
            MX is facing as connecting one, whatever proxy, NAT or not
            you have on your side doesn't matter at all

            SPF works on the physical connecting IP
          • sedandgrep
            Message 5 of 20, Apr 16, 2014
              The SPF record is defined only for the proxy machine and defining the actual
              backend postfix would reveal the backend IP. Are you saying that in this
              case SPF will not work unless I add a record for my backend postfix IP?
            • sedandgrep
              Message 6 of 20, Apr 16, 2014
                Ok. I actually am mistaken. I am at a different location. I was testing the
                emails outbound from my actual postfix backend connected to my LAN (a
                machine within the LAN) so the public ip will always appear as the one
                mentioned. But the truth is, it isn't showing SPF failing based on the
                client, but actually the real physical backend postfix. Basically, my emails
                are being sent FROM the postfix backend rather than the proxy. How can I
                make sure all emails are actually being sent from the proxy server?
              • lists@rhsoft.net
                Message 7 of 20, Apr 16, 2014
                  Am 16.04.2014 19:52, schrieb sedandgrep:
                  > The SPF record is defined only for the proxy machine and defining the actual
                  > backend postfix would reveal the backend IP. Are you saying that in this
                  > case SPF will not work unless I add a record for my backend postfix IP?

                  you need to understand SPF, TCP and networking, that's all

                  * your machine is connecting to the destination
                  * the destination knows the IP you are connecting with
                  * the SPF record has to contain that IP

                  you reveal nothing - how do you come to that conclusion?

                  the destination already knows the connecting IP address, you can't hide
                  that based on how TCP works basically - your job is that in the DNS record
                  that IP address is listed - there is no but/if or rocket science
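The point made above, that SPF is checked against the address the receiving MX sees on the TCP connection, so an SNAT rule or smtp_bind_address on the sending side changes nothing unless the connection really leaves from the listed address, as an added example. This is not code from the thread or from Postfix: it evaluates a simplified SPF record (only the DNS-free ip4, ip6 and all mechanisms; include/a/mx/exists/redirect are reported as permerror) against a connecting address. The record and the two addresses are constructed from documentation ranges.

```python
"""Evaluate a simplified SPF record against the IP a receiving MX actually
sees. Added example, not from the thread: only the DNS-free mechanisms
ip4, ip6 and all are modelled; include/a/mx/exists/redirect need DNS
lookups and are reported as permerror here."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, connecting_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for
    connecting_ip under record, walking mechanisms left to right as
    RFC 7208 does and stopping at the first match."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qual = "+"                         # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]        # 'all' always matches
        if mech in ("ip4", "ip6"):
            try:
                # a bare address means /32 (ip4) or /128 (ip6)
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "permerror"                 # DNS-based mechanism: not modelled


    return "neutral"                       # nothing matched, no 'all' term


def egress_results(record: str, candidate_ips: list[str]) -> dict[str, str]:
    """Map each possible egress IP to the SPF result a remote MX would give.
    Only the address that is actually on the wire matters."""
    return {ip: check_spf(record, ip) for ip in candidate_ips}


# Constructed values (documentation ranges), not the thread's real addresses.
PROXY_IP = "192.0.2.10"        # the address published in SPF
BACKEND_IP = "198.51.100.7"    # the MTA that is really connecting out
SPF_RECORD = "v=spf1 ip4:192.0.2.10 -all"

if __name__ == "__main__":
    for ip, result in egress_results(SPF_RECORD, [PROXY_IP, BACKEND_IP]).items():
        print(f"connection seen from {ip}: SPF {result}")
```

A remote MX runs the equivalent of check_spf with the source address of the TCP connection it accepted. That is why the SNAT rule on the backend's own router does not help: the packets still arrive at the MX from whatever public address the backend's path ends on, and only a connection that genuinely originates from the listed address (or a record that also lists the backend's address) produces a pass.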
                • sedandgrep
                  Message 8 of 20, Apr 16, 2014
                    I do understand how it works but isn't there a way to force all smtp
                    connections through the proxy and make it send from there? I wouldn't think
                    this is so difficult given the many customizations we can do with almost
                    anything related to mail servers and proxying. Would an SNAT rule in
                    iptables or smtp_bind_address help in this case?
                  • sedandgrep
                    Message 9 of 20, Apr 16, 2014
                      lists:

                      While you were posting your response, I had just posted something right
                      before. My postfix machine is the one doing the sending to external domains,
                      bypassing the proxy somehow.
                    • sedandgrep
                      Message 10 of 20, Apr 17, 2014
                        Any way to have the backend send through the proxy outbound? Would appreciate
                        some input. Thanks again
                      • Wietse Venema
                        Message 11 of 20, Apr 17, 2014
                          sedandgrep:
                          > Any way to have the backend send through the proxy outbound? Would appreciate
                          > some input. Thanks again

                          Which of these runs Postfix?

                          Wietse
                        • sedandgrep
                          Message 12 of 20, Apr 17, 2014
                            Just the backend. The nginx is an smtp/imap proxy and both work fine. The
                            only issue is that postfix seems to send directly to external domains, which
                            I find strange.
                          • Viktor Dukhovni
                            Message 13 of 20, Apr 17, 2014
                              On Thu, Apr 17, 2014 at 09:51:04AM -0700, sedandgrep wrote:

                              > Just the backend. The nginx is an smtp/imap proxy and both work fine. The
                              > only issue is that postfix seems to send directly to external domains, which
                              > I find strange.

                              This is a new use of the word "strange" I've never seen before.

                              It is far from strange that Postfix sends email to its nexthop
                              destination, that's what MTAs do.

                              What would be strange is Postfix magically delivering email to the
                              various MX hosts of various domains with the appropriate TLS and/or
                              SASL settings via some kind of SMTP proxy.

                              --
                              Viktor.
                            • sedandgrep
                              Message 14 of 20, Apr 17, 2014
                                Yes you are correct. MTAs do send direct to other domains. But if there isn't
                                a way to get postfix to send via the proxy, it defeats the purpose for my
                                use. A workaround is simply to place the postfix/dovecot server on a
                                completely separate box and run no smtp/imap proxy at all. I would have
                                better performance but I would rather have the proxy deployed in front of
                                it. The idea is to protect the postfix server by not revealing its true IP.
                              • Wietse Venema
                                Message 15 of 20, Apr 17, 2014
                                  sedandgrep:
                                  > Just the backend. The nginx is an smtp/imap proxy and both work fine. The
                                  > only issue is that postfix seems to send directly to external domains, which
                                  > I find strange.

                                  In that case smtp_bind_address is not the solution. Instead
                                  use relayhost or transport_maps.

                                  Wietse
                                • Viktor Dukhovni
                                  Message 16 of 20, Apr 17, 2014
                                    On Thu, Apr 17, 2014 at 10:04:26AM -0700, sedandgrep wrote:

                                    > Yes you are correct. MTAs do send direct to other domains. But if there isn't
                                    > a way to get postfix to send via the proxy, it defeats the purpose for my
                                    > use. A workaround is simply to place the postfix/dovecot server on a
                                    > completely separate box and run no smtp/imap proxy at all. I would have
                                    > better performance but I would rather have the proxy deployed in front of
                                    > it. The idea is to protect the postfix server by not revealing its true IP.

                                    You would not be protecting anything by hiding the IP address of
                                    the MTA. If you managed to hide the MTA behind a proxy, you'd be
                                    potentially allowing unauthorized agents other than the MTA to send
                                    mail via the proxy as though they were the MTA. That could lead
                                    to your proxy IP being blacklisted.

                                    To protect your MTA block unwanted traffic, but hiding its IP
                                    address is futile.

                                    --
                                    Viktor.
                                  • lists@rhsoft.net
                                    Message 17 of 20, Apr 17, 2014
                                      Am 17.04.2014 19:04, schrieb sedandgrep:
                                      > Yes you are correct. MTAs do send direct to other domains. But if there isn't
                                      > a way to get postfix to send via the proxy, it defeats the purpose for my
                                      > use. A workaround is simply to place the postfix/dovecot server on a
                                      > completely separate box and run no smtp/imap proxy at all. I would have
                                      > better performance but I would rather have the proxy deployed in front of
                                      > it. The idea is to protect the postfix server by not revealing its true IP

                                      and what is the problem with its true IP?
                                      if you don't trust your setup solve that problem

                                      tell us *one* valid reason to not have the MTA directly on the WAN
                                      and even if you find one then setup another postfix as "proxy"
                                      configure it to strip the received headers from the backend and
                                      enter that MTA in your config as relayhost

                                      and if you are at it mask also the users local addresses
                                      which are in the received headers and no proxy will strip
                                      them away, there are even good chances that you reveal
                                      your IP somewhere in the headers even behind the proxy

                                      honestly I have been doing my job for some years now but I never
                                      faced a setup with an MTA behind a proxy to mask its IP
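The relayhost / transport_maps routing Wietse names in message 15 and the Received-header stripping suggested in the message above, as an added example of the Postfix configuration involved. It is not configuration from the thread or from any of the posters; relay.example.com, backend.example.internal, port 587 and the credentials are placeholders.

```conf
# --- Backend main.cf (added example; hostnames, port and credentials are placeholders)

# Option 1: hand every non-local destination to the front MTA.
# Square brackets turn off MX lookup for the relay name. relayhost is used
# only for destinations that transport_maps does not match.
relayhost = [relay.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

# Option 2: per-destination routing via a lookup table, instead of or in
# addition to relayhost.
transport_maps = hash:/etc/postfix/transport

# --- /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing)
# transport_maps is not in parent_domain_matches_subdomains by default, so
# subdomains need the leading-dot entry.
example.net       smtp:[relay.example.com]:587
.example.net      smtp:[relay.example.com]:587

# --- /etc/postfix/sasl_passwd (mode 0600, then "postmap /etc/postfix/sasl_passwd")
[relay.example.com]:587    backend-user:PLACEHOLDER_PASSWORD

# --- Front MTA main.cf: drop every Received: line that names the backend
# (the one this MTA adds for the connection "from backend...", and the ones
# the backend added itself "by backend...") before relaying on. A narrow
# pattern keeps the Received: trail of all other mail intact, which is what
# you need when investigating the unwanted traffic Viktor mentions; scope it
# further with a dedicated cleanup service in master.cf if the front MTA also
# receives inbound mail.
header_checks = regexp:/etc/postfix/header_checks

# --- /etc/postfix/header_checks
/^Received:.*backend\.example\.internal/   IGNORE
```

With this in place the backend never opens a connection to a remote MX itself, so the address the remote side sees (and checks SPF against) is the front MTA's. `postconf -n` shows the effective settings and `postmap -q example.net hash:/etc/postfix/transport` confirms what the transport table returns for a destination.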
                                    • sedandgrep
                                      Message 18 of 20, Apr 17, 2014
                                        I'm glad you posted this. I have been seeing these various agents sending
                                        email to me from addresses of my own domain that I don't even have. I have
                                        been looking at the logs and these "agents" are being sent all day. It was
                                        also a mess getting the smtp proxy to work both with imap proxy with nginx
                                        to begin with (took me 6 days straight) but I felt like I had accomplished
                                        something by doing so. This unwanted traffic is a bit new to me and I guess
                                        I should forget about smtp/imap proxy. Why do people use it? Or do they
                                        mainly use the imap proxy and not the smtp proxy?
                                      • sedandgrep
                                        Message 19 of 20, Apr 17, 2014
                                          You guys have been very helpful. Even if I needed a proxy, I should go with
                                          another postfix as proxy and not something else like nginx. The best
                                          solution is just a WAN facing postfix/dovecot but still use nginx for my
                                          actual web. I fear a web exploit would gain access to everything including
                                          the database if all on the same box, that's all.
                                        • sedandgrep
                                          Message 20 of 20, Apr 17, 2014
                                            I knew something was wrong with this setup. The unauthorized agents sending
                                            mail and the fact that I felt the MTA sending outbound directly was strange.
                                            What was strange was what I thought!