Postfix problems after moving box behind firewall
Posted on 2004-10-18
Postfix version 2.1.0
I set up a postfix machine as an SMTP-AUTH mail relay server. It does not handle any local delivery nor accept mail locally. It's only purpose is to spit out emails sent locally and to give smtp relay access for one domain and a few individual users (like road warriors and clients I have who do not have an outgoing smtp server on their network for whatever reason).
Everything worked fine when the box was visible to the world with it's own ip. I recently replaced the SDSL line the domain used to run on with a T1. When I made the switch, I decided it would be a good time to tidy up the domain and move all the servers behind firewalls. My DMZ now is the "green" side of a red-green IPCop box and all of the port forwarding seems to be working and configured correctly.
At first, no mail was working on the outgoing or the incoming mail servers. After changing some DNS records, IP addresses in configuration files and /etc/postfix/main.cf to contain the proxy_interfaces= line to the world-visible ip on the firewall, I can send fine locally. My relay users are still broken however and I don't know where to look as according to the logs, the relay users connect through the firewall just fine, establish a TLS session and authenticate fine, and seem to have their messages get sent. postqueue -p shows and empty queue after the message seems to get sent.
That's as far as it goes. None of my roadwarrior test messages ever went through. I sent several to an incoming mail server I have access to, and there were never any connections from the postfix machine in questions. No firewall hits, no errors, no bounces, nothing in logs that indicate an error or problem...it's as if the machine in question sends the mail to /dev/null and never tried to send it to the proper destination.
If I compose a mail from the command line via an ssh session, it sends fine. Nothing different appears in the logs comparing the successful local test sends and the unsuccessful road warrior test sends. They all show a log entry similar to: (nothing has been censored, firstname.lastname@example.org is one of mine and on a domain I can access all logs on, and mail5.fixnix.net is the machine I'm having trouble with)
Oct 18 13:53:47 mail5 postfix/pipe: 96651D8121: to=<email@example.com>, relay=spamfilter, delay=1, status=sent (mail5.fixnix.net)
Oct 18 13:53:47 mail5 postfix/qmgr: 96651D8121: removed
I'm using cyrus-sasl2 for the road warrior authentication, and since this is a small, low-traffic domain with only about 10 or so road warrior users, I am not using a MySQL or similar database for users. The road warrior users are maintained in /etc/passwd as normal users are, except with a shell of /bin/false. Authentication is working fine.
My next step will be running tcpdump to see if any outbound connection is attempted to hit the destination mail server, but I suspect it is not or I should have gotten some bounces back.
I'm hoping I just had a small oversight or incorrect interpretation of a config file entry. Any ideas?