Postfix configuration question

#1 Mon, 02/23/2009 - 13:15
tbirnseth

I recently was attacked by a hole in the roundcube mail reader. Unfortunately, I'm still trying to unwind the message delivery issues as a result. Yahoo, att.net, etc. all reject or defer email coming from my system even though I've removed the IP from the CBL.

Is there a way to configure postfix to use the domain associated with the IP that was connected to as the domain/IP sent to the receiving SMTP site? I.e.

hostname = abc.example.com
virtual host on system = xyz.com

Mail client connects via SMTP to send mail by connecting to xyz.com and authenticating with correct user/password.

Currently, all mail coming from this system uses the IP and hostname of abc.example.com regardless of what IP the SMTP connection was made on.

What I would like is for Postfix to "act on behalf of" the IP/domain that was connected to and to only use the local hostname/IP when connected via localhost, otherwise it should send email from the virtual host domain/IP.

Can anyone point me to any info on how this is done? As it stands right now, anyone using the server for email regardless of what domain they connect to gets penalized for problems associated with any other domain. A real pain to try and explain to clients.

Any help is appreciated.

Mon, 02/23/2009 - 13:33
andreychek

First, it's possible to get off those lists, but you'll often have to contact the sites directly, they include contact info in the reject message in your email logs.

However, you can change the IP it goes out as by either changing your primary IP address to be something else, or by using Postfix's smtp_bind_address option:

http://www.postfix.org/postconf.5.html#smtp_bind_address

Mon, 02/23/2009 - 13:52 (Reply to #2)
tbirnseth

So this isn't something that can be handled by virtualmin when a new server is created? I have to go in and update this with the IP each time a server is added/deleted? I'm guessing too that if I did it this manual way, that I'd have a separate instance of Postfix running on each IP address on the server... Sounds a little heavy!

Mon, 02/23/2009 - 13:57 (Reply to #3)
andreychek

It's a system-wide setting -- you specify one IP that emails go out on for your entire server.

I'm not aware of a way to set it up with a different IP per domain, though that doesn't mean it's not possible :-)

You might be able to do it with an outgoing policy server, but I'm not entirely certain how that'd work.
-Eric

Mon, 02/23/2009 - 14:04 (Reply to #4)
tbirnseth

Hmm... Well, this is killing me at the moment and I'd sure like to find a solution that would have Postfix represent the virtual server(s) rather than "the system".

Mon, 02/23/2009 - 20:35 (Reply to #5)
sfatula

It's a system wide setting, but why not change it for the whole system to one of your other IP addresses until you are SURE you are removed from all lists AND each mail provider can send mail to you again. A lot of them download the lists, so, it could be a while before their copy is updated.

Mon, 02/23/2009 - 20:46 (Reply to #6)
tbirnseth

Well, that's exactly what I did! I added a -o smtp_bind_address=w.x.y.z to the smtp configuration in master.cf.

But it sure seems more natural (even though not currently possible) to have an SMTP connection respond with the IP/domain that it was connected via. Especially for a virtual machine.

Oh well, at least the mail is not all deferred or rejected now.

Yahoo actually cleared up pretty quick (att.net never cleared), but as you say, some of my client's suppliers must download the list. It took almost a day for some of them to clear.

Mon, 02/23/2009 - 23:47 (Reply to #7)
sfatula

Great news. You can actually do that with qmail (set outbound IP based on domain), but, unless you have used it before, you don't want to go that route! (I have and do though).

Make sure your current IP address you send mail from has a reverse DNS record with the provider as some mail will bounce otherwise due to aggressive spam checkers.

You can always switch it back next week.

Sometimes, they end up blocking an entire subnet. Which is why any machine I ever get always uses at least 2 subnets!

Tue, 02/24/2009 - 08:31 (Reply to #8)
tbirnseth

Well, now it appears that it is NOT working!!
I added the -o smtp_bind_address=a.b.c.d to the options in master.cf for the inet line for smtp. But it is still sending the remote SMTP servers the base system address (eth0). Hence, all Yahoo mail is getting deferred for hours and then delivered to the clients' junk mail folders.

UGH!
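The last post puts the `-o smtp_bind_address` override on the inet line for smtp in master.cf. In a stock Postfix master.cf that line starts the `smtpd` listener, while `smtp_bind_address` is read by the `smtp` delivery client on the `unix`-type lines, so an override on the listener does not change the outbound source address. The script below is an added example, not code from the thread: it checks which service each override is attached to, using a constructed `SAMPLE` master.cf and the documentation address 192.0.2.10 as assumptions.

```python
# Added example: report where smtp_bind_address overrides sit in a master.cf.
# SAMPLE is constructed for illustration; 192.0.2.10 is a documentation address.
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o smtp_bind_address=192.0.2.10
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o smtp_bind_address=192.0.2.10
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    entry = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entry is not None:
            entry += " " + raw.strip()
        else:
            if entry is not None:
                yield entry
            entry = raw.strip()
    if entry is not None:
        yield entry

def bind_overrides(text):
    """Return (service, type, command, address, effective) for each override."""
    found = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        service, stype, command, args = fields[0], fields[1], fields[7], fields[8:]
        for flag, setting in zip(args, args[1:]):
            name, _, value = setting.partition("=")
            if flag == "-o" and name == "smtp_bind_address":
                # Only the smtp(8) delivery client reads this parameter.
                found.append((service, stype, command, value, command == "smtp"))
    return found

if __name__ == "__main__":
    for svc, stype, cmd, addr, ok in bind_overrides(SAMPLE):
        state = "used for outbound delivery" if ok else "ignored for outbound delivery"
        print(f"{svc}/{stype} ({cmd}): {addr} -> {state}")
```

Run against a real file with `bind_overrides(open("/etc/postfix/master.cf").read())`; the path is the usual default and may differ on a given system.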
