
I would appreciate it and be thankful if anybody could advise me on the following issue, which I have been dealing with for the last 7 days.

Current Condition:

1 working mail server (colocation) that hosts 5 domain names (no, we are not a hosting company; they are subsidiary company domain names), which has 3 IP addresses.

  • OS: Centos 7
  • MTA: A single instance of Postfix version 2.10.1 with Virtual Mailbox / User

The current mail server runs well with Virtual Users / Mailboxes for the 5 domains mentioned previously, with Postfix rate limiting that works very well and has kept us from getting marked as spam by G Suite accounts, Yahoo business emails or Microsoft 365 users.

But there are these new exciting requirements :)

The New Requirement from Management:

  • 4 domains need to send from the current main IP address, e.g. 1.2.3.4.5.11
  • 1 domain needs to use another additional IP address, e.g. 1.2.3.4.5.22, when sending messages.
  • Rate limiting must be applied as well, for example:

gmail.com    polite:
yahoo.com    polite:
hotmail.com  turtle:
live.fr      turtle:
orange.fr    turtle:

What I have done successfully until now:

  • Applied rate limiting using transport_maps in the main.cf file
  • Switched the IP address for that 1 intended domain to send using a different IP address (1.2.3.4.5.22) by enabling sender_dependent_default_transport_maps in the main.cf file. This probe had a positive and expected result: the IP changed to the additional IP as intended when sending with that 1 domain, and the default IP was used as usual for the other domains. All have valid SPF and DKIM validation (tested by sending email to a free Gmail account of my own).

The issue I am trying to figure out by asking for your suggestions:

I cannot do both at the same time, because when I use sender_dependent_default_transport_maps along with transport_maps, it appears that Postfix ignores transport_maps, and therefore the rate limiting does not work.

My Questions are:

  • Is it possible to get sender_dependent_default_transport_maps to work together with transport_maps in main.cf?

  • If it is possible, then how do I get it working?

Please do not misjudge me as not having done or searched anything previously. The fact is that I have been searching and trying this and that on the net but still haven't succeeded in making the two work together, and so I am seeking help here (hopefully!).

Thank you very much!

My main.cf basically has no relayhost and no relay_domains; what I am trying to ask about is this line here:

transport_maps = hash:/etc/postfix/transport

and

sender_dependent_default_transport_maps = hash:/etc/postfix/sender_dependent_transport_maps

I cannot get them both working together, but I can get each one of them to work separately when the other is commented out. I am not aware of and unsure whether this is Postfix behavior, because usually with Postfix anything is possible :)... there is always a way (I have good faith in Postfix).

busythomas
  • To get better help, can you please post your current configuration? You can hide your sensitive data like IP addresses / domain names, etc. – Khaled Oct 25 '18 at 12:32
  • Hi @Khaled, rather than posting my whole main.cf, which is long and uncomfortable to read, could you please tell me which part of main.cf or master.cf you would need to look at if you were me? Thank you! – busythomas Oct 25 '18 at 12:55
  • @PeterZhabin, in my /etc/postfix-secondary/main.cf, should I set master_service_disable to inet or leave it empty? I found that when I left master_service_disable= empty, I got an error that port 25 has been used... – busythomas Oct 27 '18 at 11:37
  • I thank you for your clues. I have now resolved the issues. Please read my UPDATES. – busythomas Oct 28 '18 at 06:52
  • @busythomas You should move the explanation of what you did to fix the problem into an answer, and clean up the question so that it's just a question. As it is now, it's very difficult to follow your long "question" that includes troubleshooting and solutions. – Ward - Reinstate Monica Oct 29 '18 at 05:56
  • Dear @Ward, thank you, but I wondered why the Answer Your Question button only just showed up, as I received a notification from Server Fault a few minutes ago :P... I will then :). – busythomas Oct 29 '18 at 06:45

1 Answer

Following a suggestion from a nice person named @Ward, here is how I resolved the issue in the question above.

A short answer to my previous question is:

Unfortunately, we cannot limit outgoing messages (smtp) using transport_maps while sender_dependent_default_transport_maps is enabled (boooo..., yeah I know). Only one of the two can be active; even if you run postfix check and find no errors, it doesn't work like that.

Also, if you don't mind spending more time reading this long answer and want to know more about how I came up with it, then read the following... I know, it's kinda long, but it's worth it. I took notes mostly during my trial and error, and when I found a way I posted it here to motivate myself to keep going and not give up on this Postfix setup thing :P.

[UPDATE OCT 27th, 2018] STILL SEEKING HELP FOR THIS ISSUE, BUT WITH PROGRESS OF COURSE:

So, I have been following @PeterZhabin's suggestion to set up another Postfix instance, and I did successfully get a second instance of Postfix running.

And before continuing, I would like to let you know that I have decided not to use sender_dependent_default_transport_maps. I thought it would not make any sense to use it in an environment where multiple instances of Postfix are running, where each of the Postfix instances can have its own main.cf and master.cf. Therefore, I dropped the option of using sender_dependent_default_transport_maps and use transport_maps for both Postfix instances.

Yes, the installation is a success, with only a few more glitches I hope... the glitches were because I am using Amavisd too, so I still need advice from you guys here on how to get this running.

Thank you for continuing to read this and to help me; I would like you to know that I really do appreciate it.

So, let's continue the process ...

MULTIPLE INSTANCE OF POSTFIX

Below are the configs I changed related to this topic only:

Here is my main.cf in /etc/postfix/main.cf (1st postfix instance):

inet_interfaces = 1.2.3.4.5.11
myhostname = mail.thecompany.com
multi_instance_wrapper = ${command_directory}/postmulti -p --
multi_instance_enable = yes
multi_instance_directories = /etc/postfix-second

And here is my main.cf in /etc/postfix-second/main.cf (2nd postfix instance):

inet_interfaces = localhost, 1.2.3.4.5.22
myhostname = mail2.thecompany.com
syslog_name = postfix-second
#master_service_disable = inet
#authorized_submit_users =
multi_instance_group = postfix
multi_instance_name = postfix-second
multi_instance_enable = yes
smtp_bind_address = 1.2.3.4.5.22

And in /etc/postfix-second/master.cf:

I changed the line so it won't conflict with the 1st Postfix instance, on the line:

127.0.0.1:10025 inet n - - - - smtpd

into

1.2.3.4.5.22:10025 inet n - - - - smtpd

so now this whole section in /etc/postfix-second/master.cf looks like the following:

#127.0.0.1:10025 inet n - - - - smtpd
1.2.3.4.5.22:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8,1.2.3.4.5.22
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

Then I added my second IP to my /etc/amavisd/amavisd.conf, so I won't get a Blocked-MTA error:

@inet_acl = qw( 127.0.0.1 [::1] 1.2.3.4.5.22);

UPDATING DNS AND CREATING A REVERSE DNS RECORD MATCHING mail2.thecompany.com

Next, I restarted Amavisd and Postfix, went to my DNS Panel, and created a new A Record on thecompany.com DNS:

mail2.thecompany.com A 1.2.3.4.5.22

Then, I created a reverse DNS record matching the IP to mail2.thecompany.com.

ADDING A NEW MX RECORD TO DOMAIN5.COM AS INTENDED

Then, I went to the DOMAIN5.COM DNS panel and also added another MX record:

MX      10       mail.thecompany.com
MX      15       mail2.thecompany.com

Once the DNS resolved, I tested it by starting Postfix, and no errors were shown in the maillog.

Then in my email client (Thunderbird), I set up the mailbox busythomas@domain5.com using the following SMTP & IMAP settings:

IMAP

host: mail2.thecompany.com
username: busythomas@domain5.com
pass: mypass

SMTP

host: mail2.thecompany.com
username: busythomas@domain5.com
pass: mypass

Finally, I sent a test email to my Gmail account and saw in the log that it came out from postfix-second/smtp, so I thought it was OK, until I saw the next lines come in saying it was sent from postfix/smtp to Gmail :(... I went to my Gmail, looked at the email header, and noticed that the email was sent using the default IP, which is 1.2.3.4.5.11 and not 1.2.3.4.5.22.

Oh, the good news is that the other 4 domains, which were set to mail.thecompany.com in their IMAP and SMTP settings, are working normally; all mail is coming in and going out :).

My question now is: how do I set domain5.com to send using IP 1.2.3.4.5.22 and not IP 1.2.3.4.5.11?

[UPDATE OCT 28th, 2018] FINALLY, IT'S WORKING!

I would like to confirm that the configuration above from Oct 27th, 2018 worked after I disabled the content filtering in the 2nd instance of Postfix, as follows:

in /etc/postfix-second/main.cf I commented the line:

#content_filter = smtp-amavis[1.2.3.4.5.22]:10024

and also commented out the content_filter in /etc/postfix-second/master.cf:

smtp      inet  n       -       n       -       -       smtpd
#       -o content_filter=smtp-amavis:1.2.3.4.5.22:10024

In order to really test whether the second instance is working or not, I stopped all the Postfix instances, then started only the 2nd Postfix instance using the following command:

postmulti -i postfix-second -p start

And yes, the mail was sent and could also be received :).

Now, to answer my own question: how do I set domain5.com to send using IP 1.2.3.4.5.22 and not IP 1.2.3.4.5.11?

I simply set the SMTP / outgoing server in the mail client (Thunderbird) to mail2.thecompany.com. That's it, and it starts sending with the intended IP; when I want to go back I set the SMTP server in Thunderbird to mail.thecompany.com and am still able to send email.

And the advantage of this approach is that when something happens to mail2.thecompany.com (such as getting blacklisted), even the user himself can change the SMTP settings back to mail.thecompany.com, and mail will work again.

For those who feel this is enough, you can stop here.

But for me, I still want to know how I could get the 2nd instance of Postfix working with content_filter enabled. But that will be another question.

Wish you luck.

[UPDATE OCT 29th, 2018] CONCLUSION & FINAL UPDATE:

This is my conclusion for this task. All requirements from management are fulfilled, therefore this is done. Now domain5.com can be sent from another IP on the same server when the Amavis content filter is BYPASSED for INTERNAL networks.

However, I do not feel OK with this approach, because Amavis needs to do what it should do to protect both instances of Postfix running on the same machine.

With content filtering set to ON for Amavis, Amavis forwards the mail via SMTP to the first instance of Postfix after it has finished scanning.

Although amavisd can be configured to listen on multiple TCP ports, unfortunately it only supports a single $notify_method and $forward_method, which actually forwarded all mail sent from the 2nd instance of Postfix back to the 1st instance of Postfix. Therefore, the IP changed back to 1.2.3.4.11 (the first IP) when the email was sent from the second instance.

The only way to keep Postfix 1 sending from IP 1 and Postfix 2 sending from IP 2 is to BYPASS Amavis content filtering for INTERNAL networks. However, that would also mean that when malware infects our server we would have no security to at least stop it from sending out emails to other servers, and this is unlikely (at least for me).

Finally, I took the server virtualization approach, instead of creating another Postfix instance.

Hope this helps someone who has the same issue as mine.

Cheerio!

busythomas
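An added check, not part of the original answer: the re-injection loop described in the Oct 27th and Oct 29th updates (the second instance hands mail to amavisd, which re-queues it into the first instance, so the final delivery leaves from the first IP) is visible in the maillog. The script below follows each message across the "queued as" handoff and flags messages that entered one instance but were delivered externally by another; the log lines are constructed samples modelled on the syslog_name and ports on this page, not a real log.

```python
import re

# Constructed sample maillog excerpt (not a real log) modelled on this page's setup:
# ABC123 enters via the second instance (syslog_name postfix-second), is handed to
# amavisd on port 10024, which re-injects it as DEF456 through port 10025 on the
# first instance, so the Gmail delivery is logged by postfix/smtp (the first IP).
# CAFE01 leaves directly through postfix-second, which is the intended path.
SAMPLE_LOG = """\
Oct 28 10:01:02 mail postfix-second/smtpd[1234]: ABC123: client=pc.example[192.0.2.10]
Oct 28 10:01:03 mail postfix-second/smtp[1235]: ABC123: to=<someone@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, delays=0.1/0/0.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as DEF456)
Oct 28 10:01:04 mail postfix/smtp[1241]: DEF456: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.20]:25, delay=1.2, delays=0.2/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct 28 10:05:00 mail postfix-second/smtp[1300]: CAFE01: to=<other@yahoo.com>, relay=mta5.am0.yahoodns.net[192.0.2.30]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 ok)
"""

# One smtp(8) delivery record: instance (syslog_name), queue id, recipient, relay, reply.
SMTP_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<inst>[\w-]+)/smtp\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)"
    r"(?: \((?P<reply>.*)\))?$"
)
# A content filter that re-injects mail answers the handoff with the new queue id.
REQUEUED_RE = re.compile(r"queued as ([0-9A-F]+)")


def find_wrong_egress(log_text):
    """Return (rcpt, entry_qid, final_qid, final_instance, relay) for each message
    that entered one Postfix instance but was finally delivered by a different one."""
    root_of = {}     # re-queued id -> queue id the message entered with
    entry_inst = {}  # entry queue id -> instance that first handled it
    findings = []
    for line in log_text.splitlines():
        m = SMTP_RE.match(line)
        if not m:
            continue
        inst, qid = m["inst"], m["qid"]
        root = root_of.get(qid, qid)
        entry_inst.setdefault(root, inst)
        requeued = REQUEUED_RE.search(m["reply"] or "")
        if requeued:
            # Handoff to the filter, not a final delivery: follow the new queue id.
            root_of[requeued.group(1)] = root
        elif m["status"] == "sent" and inst != entry_inst[root]:
            findings.append((m["rcpt"], root, qid, inst, m["relay"]))
    return findings


if __name__ == "__main__":
    for rcpt, entry, final, inst, relay in find_wrong_egress(SAMPLE_LOG):
        print(f"{entry} entered elsewhere but {final} left via {inst} to {relay} ({rcpt})")
```

Run it against a real maillog by passing the file contents to find_wrong_egress; an empty result means every message left through the instance it entered.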