
I have a Postfix mail server configured for outbound email, on a dual stack (IPv4 + IPv6) server.

The IPv4 address is private as it's shared with other services on the same connection (SNATed to public IPv4) and the IPv6 address is public and unique (global scope, internet routable).

In this situation, it is common for the public IPv4 and IPv6 addresses to have different reverse DNS (PTR records), so I'd like Postfix to use a HELO in its SMTP client that matches the reverse DNS. It is good practice to have this matching, because aggressive mail filtering triggers on having this set up asymmetrically.

My situation:

  • IPv4 10.0.3.12 - SNATed to 212.XX.XX.22 (PTR - srv1.example.com, A of srv1.example.com points to 212.XX.XX.22)

  • IPv6 of the host (not used here), 2001:XX:XX::1 (PTR - srv1.example.com, AAAA of srv1.example.com points to 2001:XX:XX::1)

  • IPv6 of the Postfix container, 2001:XX:XX::12 (PTR - srv1-postfix.example.com, AAAA of srv1-postfix.example.com points to 2001:XX:XX::12)

The HELO hostname used must depend on the address family the SMTP client uses to set up the connection. If it is sending via IPv4, the HELO must be srv1.example.com, and if the client is sending via IPv6 the HELO must be srv1-postfix.example.com in order to be compliant with SMTP best practices.

How can it be done? I'd like to avoid any form of NATing on IPv6.


I've seen this: postfix multiple IP SMTP banner. It is not very helpful here, because it explains how to set up domain-specific banner on the listening sockets (smtpd) rather than the SMTP client (smtp).

gertvdijk
  • Possible duplicate of [Postfix: Set custom SMTP Banner based on address used to access server](https://serverfault.com/questions/698256/postfix-set-custom-smtp-banner-based-on-address-used-to-access-server) – Dusan Bajic Nov 01 '17 at 09:51
  • No, it is not a duplicate, my question is not about smtpd. This question about domain-specific HELO is not very helpful either... https://serverfault.com/questions/650057/postfix-multiple-ip-smtp-banner – Kirill Shatalaev Nov 01 '17 at 09:56
  • That link you provided yourself shows exactly how to provide different settings to `smtp` and `smtpd` instances running on different addresses. You can use that to provide a different banner on IPv4 and IPv6. – Sander Steffann Nov 01 '17 at 13:34
  • Possible duplicate of [postfix multiple IP SMTP banner](https://serverfault.com/questions/650057/postfix-multiple-ip-smtp-banner) – Sander Steffann Nov 01 '17 at 13:34
  • @SanderSteffann for example, I can write: `smtp-v4 unix - - n - - smtp` and `smtp-v6 unix - - n - - smtp` in master.cf but it will not work by default, I have to add the **sender_dependent_default_transport_maps** directive and create specific obvious rules. – Kirill Shatalaev Nov 01 '17 at 13:55
  • @SanderSteffann no, I don't think this is a duplicate of that one, as the other is talking about hosting multiple email domains. Kirill only needs 1 name for HELO, and that has little to do with what email domain(s) is being hosted. – BeowulfNode42 Dec 17 '19 at 07:24

1 Answer


Your problem is essentially that for mail it is important that forward and reverse lookups of hostname and IP-address align. (Please note that for most other services that is much less important.)

Currently the hostname your mail server will appear with on IPv4 is different from the one it is seen using on IPv6.

The easiest solution is to simply align your server names so that the mail server will be known by the same hostname on both IPv4 and IPv6.

In other words: give the host a new name, and change the hostname your Postfix is using from srv1-postfix to srv1 and update the IPv6 records accordingly.

Then you get the usual situation where your Postfix host has a single hostname srv1.example.com, one IPv4 address (192.0.2.1) and one IPv6 address (2001:db8:0:0:0:0:0:1), and all forward and reverse mappings resolve to the same srv1.example.com.

The necessary DNS records for receiving and sending mail would then be

```
example.com.        IN MX 1 srv1.example.com.
srv1.example.com.   IN A    192.0.2.1
srv1.example.com.   IN AAAA 2001:db8:0:0:0:0:0:1
```

and the corresponding reverse records are

```
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR srv1.example.com.
1.2.0.192.in-addr.arpa. IN PTR srv1.example.com.
```

Then in your Postfix you could simply use `myhostname = srv1.example.com` and everywhere where a hostname is needed (such as in an EHLO banner) that hostname will be used and align correctly.

Bob
  • How is this an answer? This is the situation that `2001:db8:0:0:0:0:0:1` is the address of a router basically. I can't use it for Postfix, unless I do NAT from that address on IPv6... – gertvdijk Dec 12 '19 at 23:54
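
The alignment discussed in this thread (the PTR of the sending address, the forward lookup of that name, and the HELO name all agreeing) can be checked separately for each address family. The following is an added example, not code from the question or the answer: the records are constructed on documentation addresses, with 2001:db8::12 standing in for the container address from the question, and `reverse_name` and `check_helo` are hypothetical helper names.

```python
import ipaddress

# Constructed zone data (documentation ranges), modelling the question's layout:
# the host and the SNATed IPv4 share one name, the container IPv6 has its own.
FORWARD = {
    "srv1.example.com": {"192.0.2.1", "2001:db8::1"},
    "srv1-postfix.example.com": {"2001:db8::12"},
}
PTR = {
    "192.0.2.1": "srv1.example.com",
    "2001:db8::1": "srv1.example.com",
    "2001:db8::12": "srv1-postfix.example.com",
}


def reverse_name(addr):
    """Owner name of the PTR record for addr (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def check_helo(source_addr, helo, ptr=PTR, forward=FORWARD):
    """Return the list of alignment problems for one outbound connection."""
    ip = ipaddress.ip_address(source_addr)
    name = ptr.get(str(ip))  # str() yields the compressed form used as key
    if name is None:
        return [f"no PTR at {reverse_name(source_addr)}"]
    problems = []
    # Forward-confirm: the PTR name must resolve back to the source address.
    resolved = {ipaddress.ip_address(a) for a in forward.get(name, ())}
    if ip not in resolved:
        problems.append(f"{name} does not resolve back to {ip}")
    # The HELO name must equal the PTR name (case-insensitive, root dot ignored).
    if helo.rstrip(".").lower() != name.rstrip(".").lower():
        problems.append(f"HELO {helo} != PTR {name}")
    return problems


if __name__ == "__main__":
    # One HELO name for both families fails on the container's IPv6 address.
    for src in ("192.0.2.1", "2001:db8::12"):
        print(src, reverse_name(src), check_helo(src, "srv1.example.com"))
```

With real zones, the two dictionaries would be filled from actual PTR and A/AAAA lookups for the addresses the SMTP client sends from.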