On 1/10/14, 9:18 AM, Andy Rowe wrote:
Hello:
I have a production mail / web server for a couple of very low-volume
domains (CentOS 6.4, Apache, Postfix). I have a production Exchange
server for another small domain. I want to set the CentOS server up to
serve mail to its current clients as well as act as a gateway for
content filtering for the Exchange server. I set up a lab server to
test configurations and have everything working well. I've transferred
the setup to the production CentOS server and everything seems to work.
I have two DSL connections, each with its own router and static IP.
Each router has a pinhole configured to forward traffic on port 25 to
one of the two servers. While testing, I could change the IP address
for the pinhole configured on the Exchange server's router to the lab
server and mail traffic would flow to the lab server. It would serve
mail to its own clients as well as accept mail for the Exchange server
and relay it after filtering. Now when I try to configure the pinholes
of both routers to send port 25 to the CentOS production server, mail
from one router continues to flow but the other does not. When I try
to telnet into the server through the one router's IP, it times out.
Firewall issues and other non-Postfix-related trouble aside, is there
any reason this shouldn't work?
inet_interfaces is set to all. proxy_interfaces is set to the two static IPs.
postconf -n below:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination =
mydomain = smila.net
myhostname = mail.smila.net
mynetworks = 127.0.0.0/8, 192.168.0.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 74.169.65.249, 68.153.211.65
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost = 192.168.0.5:25
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_pipelining,
    reject_rbl_client sbl-xbl.spamhaus.org, permit
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_pipelining, permit
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    permit_auth_destination, reject_unauth_destination,
    reject_unknown_recipient_domain, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_sender,
    reject_unknown_sender_domain, permit
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
    mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
master.cf
smtp      inet  n       -       n       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_timeout=300s
  -o smtpd_proxy_options=speed_adjust
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
#
I understand that you want to keep each connection on the router it
belongs to, right?
If so, your issue is that you have asymmetric routing, and maybe your
firewall is blocking the connection because it doesn't have the
connection in the state table of the default gateway router. As a quick
solution I suggest source NATing the connections (to an IP that you
have on L2); in that case your server will answer the request to the L2
IP that initiated the connection.
Cons: you are going to see the router's internal interface on every
connection; this configuration discards any filter or rate limit that
you may use based on IP address.
By the way, this is a networking issue, not a Postfix issue.
Regards.
Alfonso.
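An alternative to source NAT on the router, fixing the asymmetric routing on the CentOS server itself, as an added example that is not part of the thread above. It uses connection-mark policy routing: the first packet of a tcp/25 connection that reaches the server from the second router's LAN MAC marks the connection, and replies for marked connections are routed through a separate table whose default gateway is that router, so each SMTP session leaves through the router it arrived on. Unlike SNAT on the router, the client's real source IP is preserved, so reject_rbl_client still sees it, and Internet connections do not show up as coming from a 192.168.0.x address inside mynetworks, where permit_mynetworks would let them skip the RBL check. Everything except the 192.168.0.0/24 LAN is an assumption: the interface name, that both routers are on that same LAN segment, router B's LAN IP and MAC (look it up with `arp -n`), and the mark and table numbers. If the second router is on its own interface instead, replace the MAC match with `-i <that interface>`.

```shell
#!/bin/sh
# Added example, not from the thread: connection-mark policy routing so that
# SMTP sessions arriving through the second DSL router are answered through
# that same router instead of the default gateway (the asymmetric-routing
# problem discussed above). The values below are ASSUMPTIONS; the thread only
# shows mynetworks = 192.168.0.0/24 and the two public addresses.
LAN_IF="${LAN_IF:-eth0}"                       # assumed LAN interface
GW_B="${GW_B:-192.168.0.2}"                    # assumed LAN IP of router B
GW_B_MAC="${GW_B_MAC:-00:11:22:33:44:55}"      # assumed LAN MAC of router B
MARK=2          # firewall mark for connections that arrived via router B
TABLE=2         # routing table whose default route points at router B
# Router A stays the default gateway in the main table and needs no change.

# Emit the commands instead of running them, so they can be reviewed first.
# Flow: a NEW tcp/25 connection whose first packet comes from router B's MAC
# gets CONNMARK $MARK in mangle PREROUTING; every packet the server sends for
# a marked connection has the mark restored in mangle OUTPUT, where the
# fwmark ip rule sends it to table $TABLE (default via router B). Unmarked
# connections (arrived via router A) keep using the main table.
pbr_commands() {
    cat <<EOF
ip route replace default via $GW_B dev $LAN_IF table $TABLE
ip rule del fwmark $MARK lookup $TABLE priority 100 2>/dev/null || true
ip rule add fwmark $MARK lookup $TABLE priority 100
iptables -t mangle -A PREROUTING -i $LAN_IF -m mac --mac-source $GW_B_MAC -p tcp --dport 25 -m state --state NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
ip route flush cache
EOF
}

# Commands for checking the result: with -e tcpdump prints link-layer
# addresses, so the SYN-ACK for a session that came in via router B must be
# seen leaving towards $GW_B_MAC rather than towards router A.
verify_commands() {
    cat <<EOF
ip rule show
ip route show table $TABLE
iptables -t mangle -L -n -v
tcpdump -eni $LAN_IF tcp port 25
EOF
}

# Number of netfilter rules the plan adds (quick sanity check for the plan).
pbr_rule_count() {
    pbr_commands | grep -c '^iptables '
}

case "${1:-}" in
    apply)  pbr_commands | sh -e -x ;;   # needs root; not persistent across reboot
    verify) verify_commands ;;
    *)      pbr_commands ;;              # default: dry run, only print the plan
esac
```

Run it without arguments to see the plan, `sh pbr.sh apply` as root to install it, then telnet to port 25 on router B's public address from outside. The iptables rules and the ip rule/table are lost at reboot: on CentOS 6, `service iptables save` keeps the mangle rules, and the `ip route`/`ip rule` commands belong in `/etc/sysconfig/network-scripts/route-eth0` and `rule-eth0` (or a local startup script). Keep rp_filter in mind if the routers ever sit on different interfaces; on one shared LAN segment, as assumed here, the reverse-path check passes because both tables point out of the same interface.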