Jason Williams wrote:

The problem is when postfix tries to relay mail to my internal mail server. When the rules are up, mail cannot find a route. When the rules are down, it works perfectly.

Someone please correct me if I'm wrong, but the "no route" error is what pf returns when a packet sourced from the local machine (i.e., your OpenBSD host) is blocked by pf.


Here is the snip from the maillog:

Oct 1 10:11:26 blowfish postfix/smtp[26912]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Oct 1 10:11:26 blowfish postfix/smtp[26912]: 2AE731B0949: to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)

[ snip ]


And here is a snippet from my pflog:

Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: 10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901711457 0> (DF)

Quick note: 10.0.1.80 is the OpenBSD mail gateway.
192.168.1.165 is the internal mail server.

To get to the mail server from the mail gateway, packets go out which interface? It would seem packets are going out fxp0, which is your external interface; however, you've set up this rule:


table <NoRouteIPs> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.0.0/24 }
block out log quick on $ext_if from any to <NoRouteIPs>


As that pflog snippet above shows, this rule is blocking connections to the mail server. Now, you've included !192.168.0.0/24 in the table, I assume to allow packets to the mail server through, but from the mail log snippet you posted, the mail server is in 192.168.1.0/24.

I tried removing 10.0.0.0/8 from the table, but it did not work?

Packets are being denied because they are going _to_ an address in <NoRouteIPs> so no, removing 10/8 wouldn't help in this case.




.joel
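As an added illustration (not part of the thread), here is a small Python model of pf table lookup applied to the quoted table, following the pf.conf(5) rule that the most specific matching entry decides and a matching negated entry excludes the address; it shows why 192.168.1.165 still falls under 192.168.0.0/16 and why the source address never matters for a "to <NoRouteIPs>" rule. The !192.168.1.0/24 table is a constructed comparison case for the mail server's actual subnet, not a fix the thread states.

```python
import ipaddress

# Constructed copy of the table quoted in the thread.
NOROUTE_AS_POSTED = ["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
                     "192.168.0.0/16", "!192.168.0.0/24"]
# Hypothetical variant: the exception covers the subnet the mail server
# actually lives in (192.168.1.0/24). An assumption for comparison only.
NOROUTE_EXEMPT_MAILNET = ["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
                          "192.168.0.0/16", "!192.168.1.0/24"]


def parse_table(entries):
    """Turn pf.conf-style entries ('!192.168.0.0/24') into (network, negated) pairs."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        # strict=False so a host-style entry like 127.0.0.1/8 is stored as
        # the network 127.0.0.0/8, which is what the lookup works on.
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        parsed.append((net, negated))
    return parsed


def winning_entry(table, addr):
    """Most specific (longest prefix) entry containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best


def in_table(table, addr):
    """pf table membership: the longest-prefix entry decides, and if that
    entry is negated the address is excluded from the table."""
    best = winning_entry(table, addr)
    return best is not None and not best[1]


def rule_blocks(table, src, dst):
    """Model 'block out log quick on $ext_if from any to <NoRouteIPs>':
    only the destination is consulted, so the source address is irrelevant."""
    return in_table(table, dst)


if __name__ == "__main__":
    for entries in (NOROUTE_AS_POSTED, NOROUTE_EXEMPT_MAILNET):
        table = parse_table(entries)
        print(entries[-1], "-> blocked:", rule_blocks(table, "10.0.1.80", "192.168.1.165"))
```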


