[pfx] Re: inet_interfaces documentation
Viktor Dukhovni via Postfix-users:
> > So I would assume from that setting inet_interfaces to empty has the
> > same effect as setting it to all (it will listen on all interfaces)?
>
> No, it does not. Rather, it leaves zero listener addresses enabled,
> which only works if all "inet" services are disabled or all use explicit
> IP endpoints:
>
>     May 05 03:43:45 amnesiac postfix/postfix-script[2812173]: starting the Postfix mail system
>     May 05 03:43:45 amnesiac postfix/master[2812175]: fatal: /etc/postfix/master.cf: line 12: no valid IP address found: smtp
>     May 05 03:43:47 amnesiac postfix/postfix-script[2812176]: fatal: mail system startup failed
>
> This is rarely what you want. I'd be inclined to require that the
> "inet_interfaces" parameter be non-empty (though it could still be
> effectively empty as a list by setting it to be a mixture of spaces and
> at least one comma).

There is code in Postfix that allows an empty inet_interfaces value.
That supports a valid use case, for example, an MTA that sends email
only.

Rather than tinkering with inet_interfaces semantics, I have improved
the error message a bit:

    postfix/master[10639]: fatal: /etc/postfix/master.cf: line 79: service definition requires valid host name or address, or non-empty inet_interfaces setting

With master.cf line 79 containing

    smtp inet n - n - 1 postscreen

The improved error message should be actionable enough.

	Wietse

--- /var/tmp/postfix-3.9-20230504/src/master/master_ent.c 2021-01-08 20:19:30.0 -0500 +++ src/master/master_ent.c 2023-05-05 13:45:44.747539001 -0400 
@@ -367,10 +367,17 @@ inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv)); serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used; } else { - MASTER_INET_ADDRLIST(serv) = - strcasecmp(saved_interfaces, INET_INTERFACES_ALL) ? - own_inet_addr_list() : /* virtual */ - wildcard_inet_addr_list(); /* wild-card */ + if (strcasecmp(saved_interfaces, INET_INTERFACES_ALL) == 0) { + MASTER_INET_ADDRLIST(serv) = wildcard_inet_addr_list(); + /* Errors, and no interface found, are fatal. */ + } else { + MASTER_INET_ADDRLIST(serv) = own_inet_addr_list(); + /* Errors are fatal, but inet_interfaces can be empty. */ + if (MASTER_INET_ADDRLIST(serv)->used == 0) + fatal_with_context("service definition requires valid" + " host name or address, or non-empty" + " %s setting", VAR_INET_INTERFACES); + } inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv)); serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used; } ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
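Review bot: In the new else branch the fatal error fires on MASTER_INET_ADDRLIST(serv)->used == 0, that is, on the resolved address list, while the message text asks for a "non-empty %s setting"; these are not the same condition. As noted earlier in this thread, a value made of spaces and at least one comma is non-empty as text but empty as a list, so an administrator could see a non-blank inet_interfaces in main.cf and still get this message. Consider wording along the lines of "... or %s setting that specifies at least one address". Separately, the wildcard branch has only the comment "Errors, and no interface found, are fatal" and no check of its own; if that guarantee comes from wildcard_inet_addr_list() itself, saying so in the comment would explain why only the else branch tests ->used.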
[pfx] Re: inet_interfaces documentation
On Fri, May 05, 2023 at 02:34:53PM +1000, Sean Gallagher via Postfix-users wrote:

> That makes sense, and is exactly what I would expect, but it still needs
> to be documented.
>
> But it does raise another question in my mind. Many places in the
> documentation state that the "Local" domain class consists of $mydomain,
> $inet_interfaces and $proxy_interfaces.

Correct, when the recipient is an address literal user@[ip].

> Presumably any listen address specified in master.cf would also be in
> the "Local" domain.

Actually, no, that's not the case, sorting of recipients into address
classes should not (and does not) depend on the message entry point.

This classification is performed by trivial-rewrite(8), which is not
aware of or sensitive to the list endpoints of various master.cf
services, its decisions are based on inet_interfaces and
proxy_interfaces alone (one could have custom overrides of these for the
trivial-rewrite service in master.cf, if feeling sufficiently
masochistic, but really, don't).

Complex configurations with multiple views of what's local and what's
not are best handled via multiple-instances, where each instance listens
on and considers local exactly the address in inet_interfaces, and there
are no explicit host/address-specific entries in master.cf.

--
    Viktor.
[pfx] Re: inet_interfaces documentation
> That's a non-issue. With that, Postfix will only listen on IPv4 as
> specified, when the "inet" endpoint only specifies the port.

That makes sense, and is exactly what I would expect, but it still needs
to be documented.

But it does raise another question in my mind. Many places in the
documentation state that the "Local" domain class consists of $mydomain,
$inet_interfaces and $proxy_interfaces. Presumably any listen address
specified in master.cf would also be in the "Local" domain - but I have
never heard or even considered this until today. Something else that
needs to be documented somewhere..
[pfx] Re: inet_interfaces documentation
On Fri, May 05, 2023 at 01:57:19PM +1000, Sean Gallagher via Postfix-users wrote:

> > This is rarely what you want. I'd be inclined to require that the
> > "inet_interfaces" parameter be non-empty (though it could still be
> > effectively empty as a list by setting it to be a mixture of spaces and
> > at least one comma).
>
> You need to be careful what "empty" means. If inet_interfaces has only
> IPv4 addresses and inet_protocols includes "ipv6", then it is
> effectively "empty" from the ipv6 point of view, but it is clearly not
> "empty"

That's a non-issue. With that, Postfix will only listen on IPv4 as
specified, when the "inet" endpoint only specifies the port.

In other words:

    - The *primary* purpose of "inet_interfaces" is to specify the
      listen IP address for services with no explicit hostname or ip
      address specified.

    - A secondary, convenience function, is that the same addresses,
      when exactly one non-loopback, per address family, are also used
      as the default bind address for the associated family.

An empty setting is fine for outbound connections (no fixed address),
but not so good for inbound services unless you really mean to always
use explicit hostname/ip prefixes for all "inet" services and want
"postfix start" to fail if any are lax.

--
    Viktor.
[pfx] Re: inet_interfaces documentation
> This is rarely what you want. I'd be inclined to require that the
> "inet_interfaces" parameter be non-empty (though it could still be
> effectively empty as a list by setting it to be a mixture of spaces and
> at least one comma).

You need to be careful what "empty" means. If inet_interfaces has only
IPv4 addresses and inet_protocols includes "ipv6", then it is
effectively "empty" from the ipv6 point of view, but it is clearly not
"empty"
[pfx] Re: inet_interfaces documentation
On Fri, May 05, 2023 at 02:08:29PM +1200, Peter via Postfix-users wrote:

> On 5/05/23 11:33, Wietse Venema via Postfix-users wrote:
> > An empty inet_interfaces means that there is no constraint for the
> > SMTP client source IP address. I am adding some text for that.
>
> I think the question is, what effect does it have on the server
> listening address. This is from inet_listen.c:
>
> /* .IP addr
> /*	The communication endpoint to listen on. The syntax is "host:port".
> /*	Host and port may be specified in symbolic form or numerically.
> /*	A null host field means listen on all network interfaces.
>
> So I would assume from that setting inet_interfaces to empty has the
> same effect as setting it to all (it will listen on all interfaces)?

No, it does not. Rather, it leaves zero listener addresses enabled,
which only works if all "inet" services are disabled or all use explicit
IP endpoints:

    May 05 03:43:45 amnesiac postfix/postfix-script[2812173]: starting the Postfix mail system
    May 05 03:43:45 amnesiac postfix/master[2812175]: fatal: /etc/postfix/master.cf: line 12: no valid IP address found: smtp
    May 05 03:43:47 amnesiac postfix/postfix-script[2812176]: fatal: mail system startup failed

This is rarely what you want. I'd be inclined to require that the
"inet_interfaces" parameter be non-empty (though it could still be
effectively empty as a list by setting it to be a mixture of spaces and
at least one comma).

This is roughly what I expected, but had not yet checked.

--
    Viktor.
[pfx] Re: inet_interfaces documentation
On 5/05/23 11:33, Wietse Venema via Postfix-users wrote:
> An empty inet_interfaces means that there is no constraint for the
> SMTP client source IP address. I am adding some text for that.

I think the question is, what effect does it have on the server
listening address. This is from inet_listen.c:

/* .IP addr
/*	The communication endpoint to listen on. The syntax is "host:port".
/*	Host and port may be specified in symbolic form or numerically.
/*	A null host field means listen on all network interfaces.

So I would assume from that setting inet_interfaces to empty has the
same effect as setting it to all (it will listen on all interfaces)?


Peter
[pfx] Re: inet_interfaces documentation
Sean Gallagher via Postfix-users:
> It was more a rhetorical question in the context of documentation
> improvement. Specifically, the documentation doesn't actually say what
> [blank] means. I think something like the following would be an
> improvement..
>
> Specify "all" to receive mail on all network interfaces (default),
> "loopback-only" to receive mail on loopback network interfaces only
> (Postfix version 2.2 and later) or leave blank to disable the reception
> of email (i.e. outgoing service only).
>
> By contrast, leaving smtp_bind_address blank does NOT disable outgoing
> emails. The meaning of blank is NOT obvious to the uninitiated.

An empty inet_interfaces means that there is no constraint for the
SMTP client source IP address. I am adding some text for that.

	Wietse
[pfx] Re: inet_interfaces documentation
On Fri, May 05, 2023 at 07:01:03AM +1000, Sean Gallagher via Postfix-users wrote:

> Specify "all" to receive mail on all network interfaces (default),
> "loopback-only" to receive mail on loopback network interfaces only
> (Postfix version 2.2 and later) or leave blank to disable the reception
> of email (i.e. outgoing service only).

Actually, mail can still be received when the master.cf entry specifies
an explicit address:port. There is just no implicit wildcard listen
address (or is a configuration error reported?). I don't know what
actually happens when "inet_interfaces" is explicitly blank.

To actually disable inet services, use the "master_service_disable"
parameter.

--
    Viktor.
[pfx] Re: inet_interfaces documentation
It was more a rhetorical question in the context of documentation
improvement. Specifically, the documentation doesn't actually say what
[blank] means. I think something like the following would be an
improvement..

Specify "all" to receive mail on all network interfaces (default),
"loopback-only" to receive mail on loopback network interfaces only
(Postfix version 2.2 and later) or leave blank to disable the reception
of email (i.e. outgoing service only).

By contrast, leaving smtp_bind_address blank does NOT disable outgoing
emails. The meaning of blank is NOT obvious to the uninitiated.

On 4/05/2023 11:10 pm, Wietse Venema via Postfix-users wrote:
> Sean Gallagher via Postfix-users:
> > how is "inet_interfaces = all" different to "inet_interfaces = " (i.e.
> > blank)?
>
> One says that Postfix will provide network service on all IP
> addresses, the other does not, and all this is subject to overrides
> in master.cf. Neither constrains the SMTP client source IP address.
>
> 	Wietse
[pfx] Re: inet_interfaces documentation
Sean Gallagher via Postfix-users:
> how is "inet_interfaces = all" different to "inet_interfaces = " (i.e.
> blank)?

One says that Postfix will provide network service on all IP
addresses, the other does not, and all this is subject to overrides
in master.cf. Neither constrains the SMTP client source IP address.

	Wietse
[pfx] Re: inet_interfaces documentation
I'm wondering if there should be "all-ipv4" and "all-ipv6" values to
complement the "all" value and allow independent configuration of IPv4
and IPv6 without having to specify literal IP addresses. This would make
"all" equivalent to "all-ipv4, all-ipv6".

Just a thought bubble...

On 4/05/2023 6:58 am, Sean Gallagher via Postfix-users wrote:
> How is "inet_interfaces = all" different to "inet_interfaces = " (i.e.
> blank)?
>
> By supplying an IPv4 address and not an IPv6 address, you are
> effectively leaving the IPv6 setting blank. What happens with a blank
> field needs to be specified.
>
> How is "inet_interfaces = all" different to "inet_interfaces = 0.0.0.0 ::"
>
> The docs mention setting smtp_bind_address to 0.0.0.0 but don't say what
> will happen if inet_interfaces is set to 0.0.0.0 [::].
>
> By having the "all" option, it seems to imply that receiving mail can be
> disabled on either stack by not supplying an address. Is that what will
> actually happen, or will Pf default to something?
>
> Sean
[pfx] Re: inet_interfaces documentation
On 5/3/23 15:23, Viktor Dukhovni via Postfix-users wrote:
> Though perhaps this level of attention to phrasing is only applicable in
> Talmud scholarship...

Hey, six thousand years of Talmudic scholarship can't all be wrong! :D

--
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile: +1.603.998.6958
[pfx] Re: inet_interfaces documentation
On 4/05/23 08:31, Wietse Venema via Postfix-users wrote:
> Peter via Postfix-users:
> > Is this behavior of inet_interfaces overridden by smtp_bind_address?
> > From the way it's worded it looks to me like the inet_interfaces
> > setting overrides smtp_bind_address but this isn't clear to me. Can
> > that be clarified (one way or the other)?
>
> In the mean time I the text further. It should address that question.
>
> 	Wietse
>
> When smtp_bind_address and/or smtp_bind_address6 are not specified, the
> inet_interfaces setting may constrain the source IP address for an
> outbound SMTP or LMTP connection.

Actually I brain-farted and didn't see that you already specified that.
Sorry for the noise.


Peter
[pfx] Re: inet_interfaces documentation
On 4/05/23 08:31, Wietse Venema via Postfix-users wrote:
> Peter via Postfix-users:
> > Is this behavior of inet_interfaces overridden by smtp_bind_address?
> > From the way it's worded it looks to me like the inet_interfaces
> > setting overrides smtp_bind_address but this isn't clear to me. Can
> > that be clarified (one way or the other)?
>
> In the mean time I the text further. It should address that question.
>
> 	Wietse
>
> When smtp_bind_address and/or smtp_bind_address6 are not specified, the
> inet_interfaces setting may constrain the source IP address for an
> outbound SMTP or LMTP connection.

Thanks, that looks perfect.


Peter
[pfx] Re: inet_interfaces documentation
How is "inet_interfaces = all" different to "inet_interfaces = " (i.e.
blank)?

By supplying an IPv4 address and not an IPv6 address, you are
effectively leaving the IPv6 setting blank. What happens with a blank
field needs to be specified.

How is "inet_interfaces = all" different to "inet_interfaces = 0.0.0.0 ::"

The docs mention setting smtp_bind_address to 0.0.0.0 but don't say what
will happen if inet_interfaces is set to 0.0.0.0 [::].

By having the "all" option, it seems to imply that receiving mail can be
disabled on either stack by not supplying an address. Is that what will
actually happen, or will Pf default to something?

Sean

On 4/05/2023 6:31 am, Wietse Venema via Postfix-users wrote:
> Peter via Postfix-users:
> > Is this behavior of inet_interfaces overridden by smtp_bind_address?
> > From the way it's worded it looks to me like the inet_interfaces
> > setting overrides smtp_bind_address but this isn't clear to me. Can
> > that be clarified (one way or the other)?
>
> In the mean time I the text further. It should address that question.
>
> 	Wietse
>
> When smtp_bind_address and/or smtp_bind_address6 are not specified, the
> inet_interfaces setting may constrain the source IP address for an
> outbound SMTP or LMTP connection.
>
>   * When inet_interfaces specifies one IPv4 address, and that is not a
>     loopback address, the Postfix SMTP client uses that as the source
>     address for outbound IPv4 connections.
>
>   * Otherwise, the Postfix SMTP client does not constrain the source
>     IPv4 address, and connects using a system-chosen source IPv4
>     address. This includes the cases where inet_interfaces specifies
>     all, or no IPv4 address, or one IPv4 address that is a loopback
>     address, or multiple IPv4 addresses.
>
>   * The same reasoning as above applies to the IPv6 protocol and to the
>     Postfix LMTP client.
>
> To disable IPv4 or IPv6 support in the Postfix SMTP and LMTP client,
> use inet_protocols.
>
> A Postfix SMTP client may fail to reach some remote SMTP servers when
> the client source IP address is constrained explicitly with
> smtp_bind_address or smtp_bind_address6, or implicitly with
> inet_interfaces. This can happen when Postfix runs on a multi-homed
> system such as a firewall, the Postfix SMTP source client IP address is
> constrained to one specific network interface, and the remote SMTP
> server must be reached through a different interface. Setting
> smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, and
> setting smtp_bind_address6 to :: solves the problem for IPv6.
[pfx] Re: inet_interfaces documentation
Peter via Postfix-users:
> Is this behavior of inet_interfaces overridden by smtp_bind_address?
> From the way it's worded it looks to me like the inet_interfaces
> setting overrides smtp_bind_address but this isn't clear to me. Can
> that be clarified (one way or the other)?

In the mean time I the text further. It should address that question.

	Wietse

When smtp_bind_address and/or smtp_bind_address6 are not specified, the
inet_interfaces setting may constrain the source IP address for an
outbound SMTP or LMTP connection.

  * When inet_interfaces specifies one IPv4 address, and that is not a
    loopback address, the Postfix SMTP client uses that as the source
    address for outbound IPv4 connections.

  * Otherwise, the Postfix SMTP client does not constrain the source
    IPv4 address, and connects using a system-chosen source IPv4
    address. This includes the cases where inet_interfaces specifies
    all, or no IPv4 address, or one IPv4 address that is a loopback
    address, or multiple IPv4 addresses.

  * The same reasoning as above applies to the IPv6 protocol and to the
    Postfix LMTP client.

To disable IPv4 or IPv6 support in the Postfix SMTP and LMTP client,
use inet_protocols.

A Postfix SMTP client may fail to reach some remote SMTP servers when
the client source IP address is constrained explicitly with
smtp_bind_address or smtp_bind_address6, or implicitly with
inet_interfaces. This can happen when Postfix runs on a multi-homed
system such as a firewall, the Postfix SMTP source client IP address is
constrained to one specific network interface, and the remote SMTP
server must be reached through a different interface. Setting
smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, and
setting smtp_bind_address6 to :: solves the problem for IPv6.
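An added example, not part of the original post and not Postfix code: a small Python checker that applies the source-address rules in the documentation text above, together with the listener rule discussed elsewhere in this thread (a port-only "inet" service in master.cf needs a non-empty inet_interfaces). It assumes literal IP addresses only (no host name lookups) and treats "all" and "loopback-only" as stand-alone keywords; the function names and the sample master.cf are constructed for illustration.

```python
import ipaddress
import re

KEYWORDS = {"all", "loopback-only"}

# Constructed sample master.cf, not taken from a real system.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       n       -       1       postscreen
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o syslog_name=postfix/reinject
pickup    unix  n       -       n       60      1       pickup
"""

def parse_inet_interfaces(value):
    """Split an inet_interfaces value on commas and whitespace.

    Returns (keywords, addresses). A value such as " , " is non-empty as
    text but yields an empty list. Host names raise ValueError here
    (assumption of this sketch: literal addresses only).
    """
    keywords, addrs = set(), []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        if item.lower() in KEYWORDS:
            keywords.add(item.lower())
        else:
            addrs.append(ipaddress.ip_address(item.strip("[]")))
    return keywords, addrs

def implicit_source(value, version):
    """Source address implied for outbound SMTP/LMTP when smtp_bind_address
    (version 4) or smtp_bind_address6 (version 6) is not set.

    Returns the address string, or None for a system-chosen source.
    """
    keywords, addrs = parse_inet_interfaces(value)
    if keywords:
        return None                     # "all" or loopback-only: no constraint
    family = [a for a in addrs if a.version == version]
    if len(family) == 1 and not family[0].is_loopback:
        return str(family[0])           # exactly one, and not loopback
    return None                         # none, loopback, or multiple

def hostless_inet_services(master_cf):
    """Return (line number, service field) for inet services given as a port only."""
    found = []
    for no, line in enumerate(master_cf.splitlines(), 1):
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue                    # blank, continuation, or comment line
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet":
            host, _, _ = fields[0].rpartition(":")
            if not host:                # "smtp", not "127.0.0.1:smtp" or "[::1]:25"
                found.append((no, fields[0]))
    return found

def startup_failures(inet_interfaces, master_cf):
    """Port-only inet services that cannot start because inet_interfaces
    yields zero addresses (the fatal error shown in this thread)."""
    keywords, addrs = parse_inet_interfaces(inet_interfaces)
    if keywords or addrs:
        return []
    return hostless_inet_services(master_cf)

if __name__ == "__main__":
    setting = "192.0.2.10, [2001:db8::1], [2001:db8::2]"   # documentation addresses
    print("IPv4 source:", implicit_source(setting, 4))
    print("IPv6 source:", implicit_source(setting, 6))
    print("fails with ' , ':", startup_failures(" , ", SAMPLE_MASTER_CF))
```

With the sample input, only the port-only "smtp" service on line 2 is reported for an effectively empty inet_interfaces; the service bound to 127.0.0.1:10025 is unaffected.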
[pfx] Re: inet_interfaces documentation
Is this behavior of inet_interfaces overridden by smtp_bind_address?
From the way it's worded it looks to me like the inet_interfaces
setting overrides smtp_bind_address but this isn't clear to me. Can
that be clarified (one way or the other)?


Peter


On 4/05/23 04:48, Wietse Venema via Postfix-users wrote:
> I updated the inet_interfaces documentation and clarified its
> relationship with smtp_bind*_address and system-chosen source IP
> addresses.
>
> 	Wietse
>
>    When smtp_bind_address and/or smtp_bind_address6 are not specified, the
>    inet_interfaces setting may constrain the source IP address for
>    outbound connections over IPv4 and/or IPv6. Support for IPv6 is available
>    in Postfix version 2.2 and later.
>
>    o When inet_interfaces specifies one IPv4 address, and that is not
>      a loopback address, the Postfix SMTP client uses that as the
>      source address for outbound IPv4 connections.
>
>    o Otherwise, the Postfix SMTP client does not constrain the source
>      IPv4 address, and connects using a system-chosen source IPv4
>      address. This includes the cases where inet_interfaces specifies
>      all, or no IPv4 address, or one IPv4 address that is a loopback
>      address, or multiple IPv4 addresses.
>
>    o The same reasoning as above applies to IPv6.
[pfx] Re: inet_interfaces documentation
On Wed, May 03, 2023 at 12:48:28PM -0400, Wietse Venema via Postfix-users wrote:

> I updated the inet_interfaces documentation and clarified its
> relationship with smtp_bind*_address and system-chosen source IP
> addresses.
>
> 	Wietse
>
>    When smtp_bind_address and/or smtp_bind_address6 are not specified, the
>    inet_interfaces setting may constrain the source IP address for
>    outbound connections over IPv4 and/or IPv6. Support for IPv6 is available
>    in Postfix version 2.2 and later.
>
>    o When inet_interfaces specifies one IPv4 address, and that is not
>      a loopback address, the Postfix SMTP client uses that as the
>      source address for outbound IPv4 connections.

I would perhaps change "one IPv4 address" to "only one IPv4 address
(along with zero or more IPv6 addresses)", to make it crystal clear that
the IPv4 behaviour is independent of the presence or absence of any IPv6
addresses on the list.

The parenthetical clause is perhaps redundant if a careful reader would
infer from "only one IPv4" that this does not restrict the count of IPv6
addresses, while "specifies one IPv4 address" could be read to mean also
no IPv6 addresses.

Though perhaps this level of attention to phrasing is only applicable in
Talmud scholarship...

--
    Viktor.