Robin Wilson

asked on

Getting postfix to send out a specific interface

I had this question after viewing Getting postfix to send out a specific interface.

I'm running Debian Linux with postfix installed, the server is also an apache web server .. there are a total of 19 interfaces not including the loopback ..

The issue is that our hostname www.example.com resolves to a specific IP address and postfix sends from a different address.. this causes some servers to reject our mail since the forward doesn't match the reverse.

In my main.cf the two relevant lines are:

inet_interfaces = all
#smtp_bind_address=64.XX.XX.130

The issue is that when I set smtp_bind_address, outbound mail no longer works .. I get the following error:

postfix/smtp[16332]: 9C82836712: to=<xxxx@gmail.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.13, delays=0.12/0/0/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting)

The moment I disable that line and restart postfix, mail starts flowing again ..  the interesting thing to note is that postfix appears to be binding to the last interface, I could swap those but I'm hesitant to do that..

What is the solution? I've searched but can't find the answer
kenfcamp

I can see how you see it that way, but it appears that the original poster selected his comment as the solution to the question.

Because of this, it's displayed as a resolved issue
noci

For the latter part, because there is an accepted solution by the asker it mentions a verified solution. (the original asker DID accept a solution.... albeit not a helpful one)....
you may ask this one to the EE helpdesk.

Now on subject.
IP has no way to select an interface.... you cannot say I want the traffic to go across this interface.
You can open a raw device on an interface and then run an IP stack on that yourself if you need to, you will have to write/borrow/copy all code to implement it though.
(Clearly something Postfix will not do).  You will need the libpcap library to help sending & receiving packets.

Sometimes the source address can be bound to a specific IP address (which is required to be on your system).
so that specific source address will be used. (Still no guarantee that it will leave on the interface with the same address, though the return packets will come there).   (use bind() on a source address).

I am not aware that postfix (or another mailer I am more familiar with, exim) allows you to specify the source address to be used when sending mails. Why would it be needed? The IP stack will replace the 0.0.0.0 address that you have by default, when the connect is done, with the one actually used based on the routing information.

So why would it be required to specify a source address? It should be deterministic by selecting the route anyway, as return packets need to come back on the interface they left on from a routing perspective.
Can you state why you think it is needed to specify that specific source address?
Robin,

I've asked for a moderator to look into this. Perhaps they can do something for you...

I'm not saying they can, only maybe ;)

Ken
Robin Wilson

ASKER

Hello Both

Thanks, I now understand why this showed as a solution but hopefully you can understand my frustration after hours of trying to solve this myself.

Just to explain, my reason for wanting to direct mail traffic through a certain IP is that I use a floating IP address on DigitalOcean for the server so all web traffic could quickly be redirected by switching the floating IP if there were ever problems rather than having to change the IP in DNS and wait for propagation.
However the fact that Postfix sends out mail through the server's main IP means reverse lookups fail and the mail is flagged as spam.
I can neither amend the network interface to route all traffic through the IP nor bind Postfix to send via the secondary IP although I have been able to issue a wget command using the secondary internal IP and get that to show the correct origin proving traffic can be sent out via that secondary connection.
For now to get mail flow working again I went through my 30 or so domains and updated the IP so whilst this has got things working again it defeats the purpose of having a floating IP as to switch to the secondary server I would again need to manually update all the DNS records.

Like the person in the original question I use Postfix, Dovecot and Amavis (for spam and virus filtering). Binding Postfix to the secondary IP means it cannot communicate with Amavis as this is only listening on 127.0.0.1 and everything else I tried from that thread either resulted in errors or the mail still being sent via the other connection (evidenced by looking at the source of the received message on the destination server).

Thanks
Robin
Is it possible you create a DIFFERENT smtp server on a different smtp_bind address and a different port?
[ amavis can handle a multitude of ports ..., I used to use 10025 [exim side] / 10026 [amavis side] for this ]
If postfix allows you to have an SMTP handler on a different port, then it can also use a different address.
It might also keep configurations simpler when filtering. The port :10025 received mail can be distinguished from :25 received mail.

Oh btw. i moved on to rspamd  from amavis because greylisting and other checks became a headache with amavis as they needed to be added elsewhere.
rspamd has a complete one stop shopping solutions (from a mailers pov).
Hello noci

Thanks for the reply but what I want to do is make my existing SMTP server send mail from the secondary IP on the server. I don't understand how setting up a second Postfix instance would help unless this would be to send mail initially through Postfix 1 on IP 1 with spam protection and then forward the mail onto Postfix 2 running on the secondary IP where spam protection would not be running and send out through that one? I don't think it is possible to install 2 instances of Postfix on the same server. I would rather avoid running 2 instances if possible as it's complicated enough keeping 1 running.
Please can you elaborate on the proposed setup and I will see if it is possible.
I will have a look at Rspamd if this would allow spam protection from the secondary IP without running 2 mail servers.
Thanks
Robin
You can only select ONE address source.....  using smtp_bind....
and you need to use your secondary address for one  connection and Another address (127.0.0.1)  for another...

So you need to be able to use TWO smtp_bind addresses ===> you need two SMTP handlers, one for the secondary address, one for localhost.
(You don't need 2 postfix.. you need ONE postfix with one handler on port 25 (regular mail) and one handler on another port (say 10025) to receive amavis on.)

Otherwise you need to bind amavis also to the secondary interface  and setup a few firewall rules to only allow certain traffic.
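
The per-handler split discussed above, written out as an added example that is not part of the original thread: one Postfix instance in which only the Internet-facing smtp client is bound to the secondary address, while the client that talks to the loopback content filter stays on 127.0.0.1. The address 192.0.2.10 is a placeholder and the transport name smtp-amavis is an assumption; use the address on your host and the name your content_filter setting refers to.

```conf
# /etc/postfix/master.cf  (constructed example; 192.0.2.10 is a placeholder
# for the secondary address, "smtp-amavis" is an assumed transport name)

# Client used for Internet delivery: source address forced to the
# secondary IP, so forward and reverse DNS can match for outbound mail.
smtp         unix  -       -       -       -       -       smtp
  -o smtp_bind_address=192.0.2.10

# Client that hands mail to the content filter listening on 127.0.0.1:
# keep it on loopback so the override above does not apply to it.
smtp-amavis  unix  -       -       -       -       2       smtp
  -o smtp_bind_address=127.0.0.1

# /etc/postfix/main.cf
# Leave the global setting unset. A global value applies to every smtp
# client service that has no -o override of its own, including the one
# that delivers to the content filter.
#smtp_bind_address =
```

`postconf -P` lists the per-service overrides Postfix has parsed from master.cf, and the Received header of a test message at the destination shows which source address was actually used.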
Do I really need to run two instances as I only want to be able to send out mail using one single IP address?
So far from testing different configs I can do the following (assuming IP1 is the main IP when I want to use IP2):
Setting the bind in main.cf results in Postfix running on IP2 unable to contact Amavis running on IP1
Setting the bind against the SMTP lines in master.cf results in mail successfully being forwarded to Amavis but is still sent from IP1
Trying to bind Amavis to anything else results in Amavis failing to work
Disabling all spam and virus protection then email is sent from IP2

As outgoing mail is routed via Amavis as long as Amavis will only bind to 127.0.0.1 does that not mean mail will always go out from IP1?
Are you proposing: Postfix1 on IP1 > Amavis on IP1 > Postfix on IP2 > Destination? But then would the same instance of Amavis be able to communicate on both networks?

If you can confirm what values to change and where then I can give it a go but I already tried all the solutions suggested in the other thread and spent about 5 hours on it but have not tried the multiple handler option.

The other option is to amend the network settings so all outbound traffic goes via IP2 but I couldn't even get this to take effect as whatever I set in network/interfaces seemed to be ignored.
Thanks
Robin
Amavis can bind to other addresses as well. It is just a listening entry. I ran amavis on one system and an exim  mail server on another system, so it needed to listen to another address.

use
$inet_socket_bind = "192.168.1.1";


or
$inet_socket_bind = ["192.168.1.1", "[2001:db8:85a3::8a2e:370:7334]"];


to include IPv6 you can mention multiple addresses if you like.

In amavisd.conf to make it listen for 192.168.1.1  and/or  2001:db8:85a3::8a2e:370:7334
The brackets in the IPv6 address are to allow for : in the address to be distinguished from the separator for a port.
(The DEFAULT is to bind them to 127.0.0.1 (and ::1 if IPv6 is available).)
Hello Noci

Thanks but I have already tried this and have again spent hours on various configurations and nothing seems to work.
I have given feedback to DigitalOcean and it seems they may consider allowing the secondary IP to act more like the normal one where you could toggle the default network in the control panel.

Getting this to work would have been a nice to have but it would appear, in their current implementation, floating IPs are not really useable and I will just stick to using the primary IP for now.

Thanks for trying to help though.
Robin