From: Mike Morris on 31 Jul 2010 22:11

Hi,

I'm working on a mail server deployment that will only have one server for MX and SASL submission purposes. Generally I like to have separate Postfix instances to handle a specific task. In this case I'm running in to problems when the submission instance uses the same IP address as the MX instance. (Due to a limited IP address pool there is currently only one routable IP address assigned to this server.)

Using the submission instance to send a message to a recipient address for which the server is also the MX host triggers Postfix' loop detection. Mail for foreign addresses is relayed correctly. I realize this can be done easily enough without using multiple instances. Is there a way to work around this so that an MX instance and submission instance can share single IP address? I've gotten used to the queue, logging, and configuration separation provided by multiple instances and would rather like to use that approach here if I can.

Configuration and debugging information follow. In this example, the server is the MX host for both domains 'example.com' and 'example.org'.

mike(a)mail[~]$ nc 127.0.0.1 587
220 smtp.example.com ESMTP Postfix
EHLO test
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN blahblahblah
235 2.7.0 Authentication successful
MAIL FROM:<mike(a)example.com>
250 2.1.0 Ok
RCPT TO:<mike(a)example.org>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test
..
250 2.0.0 Ok: queued as 098981BF0969
quit
221 2.0.0 Bye

Corresponding log entries for above transaction:

Jul 31 18:27:48 mail postfix-submission/smtpd[13440]: connect from localhost.localdomain[127.0.0.1]
Jul 31 18:27:56 mail postfix-submission/smtpd[13440]: 098981BF0969: client=localhost.localdomain[127.0.0.1], sasl_method=PLAIN, sasl_username=mike(a)example.com
Jul 31 18:27:59 mail postfix-submission/cleanup[13442]: 098981BF0969: message-id=<20100801012756.098981BF0969(a)smtp.example.com>
Jul 31 18:27:59 mail postfix-submission/qmgr[13433]: 098981BF0969: from=<mike(a)example.com>, size=348, nrcpt=1 (queue active)
Jul 31 18:27:59 mail postfix-submission/smtp[13443]: 098981BF0969: to=<mike(a)example.org>, relay=none, delay=4.7, delays=4.6/0.09/0/0, dsn=5.4.6, status=bounced (mail for example.org loops back to myself)
Jul 31 18:27:59 mail postfix-submission/cleanup[13442]: AB7021BF096B: message-id=<20100801012759.AB7021BF096B(a)smtp.example.com>
Jul 31 18:27:59 mail postfix-submission/qmgr[13433]: AB7021BF096B: from=<>, size=2151, nrcpt=1 (queue active)
Jul 31 18:27:59 mail postfix-submission/bounce[13445]: 098981BF0969: sender non-delivery notification: AB7021BF096B
Jul 31 18:27:59 mail postfix-submission/qmgr[13433]: 098981BF0969: removed
Jul 31 18:27:59 mail postfix-submission/smtp[13443]: AB7021BF096B: to=<mike(a)example.com>, relay=none, delay=0.15, delays=0.15/0/0/0, dsn=5.4.6, status=bounced (mail for example.com loops back to myself)
Jul 31 18:27:59 mail postfix-submission/qmgr[13433]: AB7021BF096B: removed
Jul 31 18:28:02 mail postfix-submission/smtpd[13440]: disconnect from localhost.localdomain[127.0.0.1]

postconf -c /etc/postfix-submission -n:

alias_database =
alias_maps =
config_directory = /etc/postfix-submission
data_directory = /var/lib/postfix-submission
default_database_type = cdb
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
multi_instance_enable = yes
multi_instance_name = postfix-submission
mydestination =
mydomain = example.com
myhostname = smtp.example.com
myorigin = $mydomain
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix-submission
smtpd_client_restrictions = permit_sasl_authenticated reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554

mail_version = 2.8-20100707

In master.cf for the postfix-submission instance, the "smtp inet ... smtpd" entry is commented out, and "submission inet ... smtpd" is enabled.

Thanks,
Mike

From: Jeroen Geilman on 1 Aug 2010 05:37

On 08/01/2010 04:11 AM, Mike Morris wrote:
> Hi,
>
> I'm working on a mail server deployment that will only have one server
> for MX and SASL submission purposes. Generally I like to have separate
> Postfix instances to handle a specific task.

Why ?
It's totally useless in this case.
SMTP runs on port 25, and rejects anything not_invented_here.
Submission runs on port 587, and requires SASL.
Simple.

> In this case I'm running
> in to problems when the submission instance uses the same IP address as
> the MX instance. (Due to a limited IP address pool there is currently
> only one routable IP address assigned to this server.)
>
> Using the submission instance to send a message to a recipient address
> for which the server is also the MX host triggers Postfix' loop
> detection. Mail for foreign addresses is relayed correctly. I realize
> this can be done easily enough without using multiple instances.

Indeed.

> Is
> there a way to work around this so that an MX instance and submission
> instance can share single IP address?

You're going to have to do a lot better than "I want to do this".
Use a single instance, and save yourself some time.

> I've gotten used to the queue,
> logging, and configuration separation provided by multiple instances and
> would rather like to use that approach here if I can.
>

Since submission is a separate transport, it does log separately.

> mail_version = 2.8-20100707
>

UNSTABLE.
sheesh.

From: Wietse Venema on 1 Aug 2010 12:29

Mike Morris:
> Hi,
>
> I'm working on a mail server deployment that will only have one server
> for MX and SASL submission purposes. Generally I like to have separate
> Postfix instances to handle a specific task. In this case I'm running
> in to problems when the submission instance uses the same IP address as
> the MX instance. (Due to a limited IP address pool there is currently
> only one routable IP address assigned to this server.)
>
> Using the submission instance to send a message to a recipient address
> for which the server is also the MX host triggers Postfix' loop
> detection. Mail for foreign addresses is relayed correctly. I realize
> this can be done easily enough without using multiple instances. Is
> there a way to work around this so that an MX instance and submission
> instance can share single IP address? I've gotten used to the queue,

If you use different MTAs, then use different myhostname AND
different inet_interfaces settings. Otherwise it is just too easy
to screw up and have a high-speed mail system meltdown/explosion/etc.

Postfix is not just about "secure" for some vague definition of
secure, it is about making a safe to use, so that it does not rip
off your arms and legs when you make a trivial mistake.

Wietse

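A configuration check for the advice in the message above, as an added example that is not part of the thread: it compares `postconf -n` output from several instances and flags pairs that share myhostname or whose inet_interfaces overlap. The instance name postfix-mx, the hostname mx.example.com and the 192.0.2.x addresses are constructed, and an unset inet_interfaces is treated as the Postfix default "all".

```python
import itertools

# Postfix listens on every interface when main.cf does not set inet_interfaces.
DEFAULT_INET_INTERFACES = "all"

def parse_postconf(text):
    """Parse `postconf -n` style output into a dict of parameter -> value."""
    params = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

def listen_addrs(params):
    """Return the instance's inet_interfaces as a set of lowercase tokens."""
    raw = params.get("inet_interfaces", DEFAULT_INET_INTERFACES)
    return {tok.strip("[]").lower() for tok in raw.replace(",", " ").split()}

def audit(instances):
    """Return (instance_a, instance_b, problem) for every conflicting pair."""
    findings = []
    pairs = itertools.combinations(sorted(instances.items()), 2)
    for (a, pa), (b, pb) in pairs:
        # Two instances that both leave myhostname unset also share a name.
        if pa.get("myhostname", "").lower() == pb.get("myhostname", "").lower():
            findings.append((a, b, "same myhostname"))
        la, lb = listen_addrs(pa), listen_addrs(pb)
        # "all" overlaps with anything; otherwise compare address tokens.
        if "all" in la or "all" in lb or la & lb:
            findings.append((a, b, "overlapping inet_interfaces"))
    return findings

# Constructed sample: two instances on one address, inet_interfaces unset.
SHARED = {
    "postfix-mx": parse_postconf("myhostname = mx.example.com\nmydestination =\n"),
    "postfix-submission": parse_postconf("myhostname = smtp.example.com\n"),
}
# Constructed sample: each instance bound to its own address.
SPLIT = {
    "postfix-mx": parse_postconf(
        "myhostname = mx.example.com\ninet_interfaces = 192.0.2.10\n"),
    "postfix-submission": parse_postconf(
        "myhostname = smtp.example.com\ninet_interfaces = 192.0.2.11\n"),
}

if __name__ == "__main__":
    for name, sample in (("shared", SHARED), ("split", SPLIT)):
        print(name, audit(sample))
```
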
From: Mike Morris on 1 Aug 2010 14:42

On 08/01/2010 02:37 AM, Jeroen Geilman wrote:
> On 08/01/2010 04:11 AM, Mike Morris wrote:
>> Hi,
>>
>> I'm working on a mail server deployment that will only have one server
>> for MX and SASL submission purposes. Generally I like to have separate
>> Postfix instances to handle a specific task.
>
> Why ?
> It's totally useless in this case.
> SMTP runs on port 25, and rejects anything not_invented_here.
> Submission runs on port 587, and requires SASL.
> Simple.

I don't believe it is "totally useless" to use separate instances for distinct services. Configurations can get complex. Outgoing mail may be handled differently than incoming mail. Using multiple instances can simplify the task. While it may not *work* in this case, using multiple instances for MX and submission services is far from *useless*.

>
>> mail_version = 2.8-20100707
>>
>
> UNSTABLE.
> sheesh.
>

Plenty of people would argue that Postfix experimental releases are quite stable. In this case I would like to test and make use of postscreen.

From: Mike Morris on 1 Aug 2010 14:47

On 08/01/2010 09:29 AM, Wietse Venema wrote:
> Mike Morris:
>> Hi,
>>
>> I'm working on a mail server deployment that will only have one server
>> for MX and SASL submission purposes. Generally I like to have separate
>> Postfix instances to handle a specific task. In this case I'm running
>> in to problems when the submission instance uses the same IP address as
>> the MX instance. (Due to a limited IP address pool there is currently
>> only one routable IP address assigned to this server.)
>>
>> Using the submission instance to send a message to a recipient address
>> for which the server is also the MX host triggers Postfix' loop
>> detection. Mail for foreign addresses is relayed correctly. I realize
>> this can be done easily enough without using multiple instances. Is
>> there a way to work around this so that an MX instance and submission
>> instance can share single IP address? I've gotten used to the queue,
>
> If you use different MTAs, then use different myhostname AND
> different inet_interfaces settings. Otherwise it is just too easy
> to screw up and have a high-speed mail system meltdown/explosion/etc.
>
> Postfix is not just about "secure" for some vague definition of
> secure, it is about making a safe to use, so that it does not rip
> off your arms and legs when you make a trivial mistake.
>
> Wietse

Fair enough. I'll see what can be done about a second IP address.

-Mike