On 6/30/20 6:40 PM, Wietse Venema wrote:
Istvan Prosinger:

On 6/30/20 10:34 PM, Wietse Venema wrote:
Istvan Prosinger:
On 6/30/20 9:49 PM, Wietse Venema wrote:
Istvan Prosinger:
Hi, I hope this letter finds you well,

I have Postfix behind NAT, and added one failover IP to the main router.

I wanted to "get by cheaply" by just doing something like

iptables -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to <backup ip>

on the firewall machine.

So, all well, the only problem is that Postfix in this case has a wrong HELO compared to the rDNS that I have defined for the <backup IP>.
It does throw a warning that the <backup IP> doesn't resolve to its hostname, but I'm not sure if I can define some kind of helo_host_maps ;) to resolve this.
At this point, I wouldn't mind if someone points me in the right direction.
Postfix does not compare the HELO command argument with forward or
reverse DNS information.
Antispam engines on the recipient side do.
Thanks for clearing up that 'It does throw a warning' is not
talking about Postfix.

Every MTA behind a NAT should send HELO to external hosts using
the name of the outside NAT IP address. Use smtp_helo_name.
This is clear. But my problem is that I do the (pre)nating on the
firewall, I don't change any config for Postfix.  To simplify the
question, it's - is it possible to have it use the correct HELO
depending on the outbound IP set on the firewall? I do not change
any relay maps, I just default it to another outbound IP on the
firewall.
Firewalls on a moving IP address? What has the world come to.

Assuming that Postfix runs on the firewall, otherwise you will need
to add telepathic vision to Postfix and also set smtp_proxy_address
to avoid "mail loops back to myself" errors.

     host1_mynetworks =
        output from "postconf mynetworks" with external address 1
     bind1_address = 1.2.3.4
     bind2_address = 1.2.3.5

     smtp_helo_name = ${
        {$mynetworks} == {$host1_mynetworks} ?
            {$bind1_address} : {$bind2_address}
        }

It's really better to execute a command that sets both the
external address AND Postfix settings.

        Wietse
Wietse's solution is better. What he said.

--Curtis
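
Wietse's closing advice, one command that sets both the external address and the Postfix setting, sketched as an added example (not code from the thread). It assumes Postfix runs on the firewall host, that the port-25 rule is rule 1 in the nat POSTROUTING chain and uses the SNAT target (the one that rewrites the source address there), and that mail1.example.com and mail2.example.com are placeholder names whose PTR records belong to 1.2.3.4 and 1.2.3.5.

```shell
#!/bin/sh
# Added example: switch the outbound SMTP address and smtp_helo_name together,
# so the HELO name always matches the rDNS of the address mail leaves from.
# Hostnames are placeholders (assumed); addresses are the ones used in the thread.
PRIMARY_IP=1.2.3.4; PRIMARY_HELO=mail1.example.com
BACKUP_IP=1.2.3.5;  BACKUP_HELO=mail2.example.com

# plan_switch primary|backup
# Prints the commands for the chosen uplink, one per line, without running them.
plan_switch() {
    case "$1" in
        primary) ip=$PRIMARY_IP; helo=$PRIMARY_HELO ;;
        backup)  ip=$BACKUP_IP;  helo=$BACKUP_HELO ;;
        *) echo "usage: plan_switch primary|backup" >&2; return 2 ;;
    esac
    # Assumption: the port-25 SNAT rule is rule 1 in nat/POSTROUTING; replace it in place.
    echo "iptables -t nat -R POSTROUTING 1 -p tcp --dport 25 -j SNAT --to-source $ip"
    # Persist the matching HELO name in main.cf, then let the smtp clients pick it up.
    echo "postconf -e smtp_helo_name=$helo"
    echo "postfix reload"
}

# apply_switch primary|backup
# Dry run by default: shows the plan. With DRY_RUN=0 the plan is executed,
# stopping at the first command that fails so the address and HELO do not diverge silently.
apply_switch() {
    plan=$(plan_switch "$1") || return
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$plan"
        return 0
    fi
    printf '%s\n' "$plan" | sh -e
}

# Run as: DRY_RUN=0 ./switch-uplink.sh backup   (script name is hypothetical)
if [ $# -gt 0 ]; then
    apply_switch "$1"
fi
```

After a real switch, `postconf smtp_helo_name` and `iptables -t nat -S POSTROUTING` show whether both halves changed.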
