Multiple instances of Postfix

#1 Thu, 06/12/2008 - 12:55
velvetpixel

Anybody here running multiple instances of Postfix on the same server with each instance set up for different IPs?

If so have you run into any problems?

I am interested in having different virtual hosts with dedicated IPs each with their own instance.

If I do this would I be able to give each instance its own unique hostname rather than having the machine hostname in the Received from?

Example: Say my machine hostname is server1.example.net. Say that machine has some virtual hosts.

Currently any domain that sends adds a header: Received: from server1.example.net

With multiple instances of postfix each tied to the dedicated IP for each domain could I set a hostname for each instance unique to that domain to achieve something more like the following.

Email account associated with virtual host foo.com sends an email. Would the header look like this: Received: from mail.foo.com

Does doing something like this interfere in any way with future postfix upgrade path through virtualmin/webmin?

Thu, 06/12/2008 - 13:32
Joe

I'm having a hard time imagining why you'd want to do this? I mean, I see that you want to alter the received from field--and this would be the only way to do it--but why do you care what's in the received field? It doesn't even show up when people read mail--they have to delve into the headers, which nobody ever does (if you've ever worked tech support for any email related service, you'll know that you have to beg and plead with people to get them to include headers in any support request--and you have to explain in vivid detail how to get the headers before they'll even know how to get at them). I just don't see the point of going to all that trouble to change one invisible field in your sent messages. ;-)

And, to answer your question: No way is this going to be easy, and no way are we going to try to implement something like this in Virtualmin. It'll be a huge maintenance burden. Though, with virtualization and VM2, you could have *completely* separate virtual hosts for your users...if total isolation and total independence of all services is your goal, that's the best way to go about it. Virtualization is resource-intensive, but so is running a bunch of extra services (though to a lesser degree than virtualization).

Post edited by: Joe, at: 2008/06/12 13:33

--

Check out the forum guidelines!

Thu, 06/12/2008 - 14:29 (Reply to #2)
velvetpixel

Most humans don't read (or even know about) mail headers but receiving mail servers such as hotmail do.

Thu, 06/12/2008 - 14:35 (Reply to #3)
Joe

> Most humans don't read (or even know about) mail headers but receiving mail servers such as hotmail do.

Now you've got me really curious! What does that mean? I mean, why do you care if Hotmail knows your customers' email comes from your server?


Thu, 06/12/2008 - 14:52 (Reply to #4)
velvetpixel

Hotmail loves to put newsletter messages in junk mail or not deliver at all. Even if the newsletter is opt-in, even if SPF for sending domain is correctly set, even if the sending mail server does not allow relay, even if all your ducks are in a row ......

I am trying to eliminate all variables so that from the receiving mail server's perspective there is only one domain associated with this mail server. I want From, Received and Return-path to all have matching domains.

My main business is tee shirts (http://www.strangemonster.com/home.php) and of the thousands of teenage girls that sign up for my phplist based newsletter over 70% use hotmail.

Thu, 06/12/2008 - 15:46 (Reply to #5)
Joe

Ah, OK, so you just need *one* extra SMTP server? And possibly only temporarily. That's a lot easier and a lot less scary to think about! ;-)

But, I actually suspect there's something else at play here...though Scott was saying in another thread that Hotmail wants to see all names matching up, we have had no trouble sending to Hotmail addresses from our server (and our PTR address doesn't match our received from, for example, and I never care about Received headers and such). The thing is that 70-80% of email on the Internet comes from servers that don't have matching received headers and From: header. It's just the way email is used--so it seems really unlikely that it could be a factor at all in considering something "spammy". That's actually what SPF is for, to tell the world that your host is permitted to send mail on behalf of your domain. If people only ever sent from the exactly matching host and reverse DNS always matched, SPF would be mostly useless (because although IPs can be spoofed in some circumstances, several other aspects of the transaction cannot).

I don't know anyone at Hotmail, but I've talked on several occasions with the creator of Gmail (my girlfriend is also on the Gmail team at Google, though she never tells me anything because of her NDA). Anyway, I know how they're filtering their email, and I suspect Hotmail is similar.

So, the first step would be making sure you have the following bits right (because I suspect you're chasing a red herring in worrying about having the received headers match):

1. RFC compliance. Have you done anything odd in your Postfix configuration? Are you sure your newsletter isn't being sent out by some oddball PHP SMTP library that isn't compliant rather than Postfix? Make sure you're using your real SMTP server for the actual delivery rather than any amateur-developed library.

2. Politeness. Are you sending 1000 messages per minute to hotmail addresses? This is an *extremely* spammy looking characteristic. You will be filtered if you're hitting them hard in bursts. Spread it out--sort your list such that it doesn't send to all the hotmail users at once, and then sleep between each message. Spammers send thousands of messages per hour and try to spew them as fast as possible. You don't want to look like that...take your time, even if it means your newsletter jobs take all day to send. Historically, there were efficiency mechanisms for pushing large volumes of mail to users on the same server, but those were abused so badly by spammers that it can no longer be trusted. So, everyone with real spam problems prevents it.

3. Are you sure your users aren't clicking "Report as spam?" when they get your messages? At Gmail, reputation is about 80% of their spam filtering system--I imagine it also plays a big role at Hotmail--if your recipients are clicking "this is spam" rather than clicking the unsubscribe link in your messages, you will get filtered. It doesn't take many such reports to kill your ability to send to those addresses completely. Make sure your users know how to unsubscribe on every single mailing, and make sure you're unsubscribing them immediately when they ask.

4. Check your IP in all of the major DNSBLs. I doubt MS or any other major email provider is using external BLs (because it could be a DoS vector, causing them to reject mail that is legitimate but pisses off the person or organization running the DNSBL). But, if your IP has a past reputation for spam, it'll be reflected in the DNSBLs, and that's something you'd want to know about.

So, if none of those are problems, then maybe you do want to continue down the more complex path:

First step is to set Postfix to listen on one of your addresses--whatever one is currently used in all of your virtual hosts. This will remain in service as your receiving MTA, and as the send server for all hosts that aren't having problems sending to Hotmail.

Set up a second "send only" server for use by your newsletter software (and maybe other messages from this domain). You'll need to make a new /etc/postfix2 directory--copy the existing /etc/postfix, and go through and change the various addresses and names and such to be what you want--make sure the address it lives on resolves to the name you want to claim to be coming from (mail.strangemonster.com or whatever). You'll need to change the paths for the pid and such, as well, and make a copy of /etc/init.d/postfix to include the new postfix2 configuration.

Also note that in Webmin you can clone the Postfix module, and do all of your configuration via Webmin--you just need to create a Postfix2 module and modify the Module Configuration to point to the new /etc/postfix2 directory. You may need to make sure all commands in Webmin include the -c configuration option to be sure to use the right config directory. This is probably not the default for postconf and the queue commands, but is all configurable.


Thu, 06/12/2008 - 19:59 (Reply to #6)
velvetpixel

Joe thanks a ton for the time and detailed response!
It is very appreciated :)

Yeah I have always followed good netiquette for my newsletters.

I use phplist and added phpmailer to handle metered sending and smtp functionality.

All my newsletters are subscribe with opt-in only. Nobody automatically gets signed up for anything by clicking (or not clicking) some little checkbox somewhere. I have a separate signup page so people know what they are requesting.

Also each newsletter has a unique ID unsubscribe link and my customers know that. They also know not to mark the newsletters as spam.

My issue before was I was on a shared server that would occasionally get blacklisted. Not for my actions but for some other reseller on the server letting someone on that sent garbage. I always had a unique IP from my domains but the mail server was shared.

My new IPs are squeaky clean.

Now that I am more in control I want to use that control to give the domains I want their own mail server and be done with it! :)

I am a little different than most Virtualmin customers I guess in that I am not a host and am only managing my own 10 domains on my install and I only want custom mail sending for 3 of those. There is no way I would want to try to set up a system to manage that for hundreds of customers' virtual hosts!

I already knew the basic how to of creating a separate instance of Postfix and creating a separate spool directory and pointing the new instance to its own spool. I didn't know that there was a way to manage this in webmin so THAT ROCKS!!! :)

Looks like I have something to do this evening.

Thu, 06/12/2008 - 23:47 (Reply to #7)
sgrayban

Best and the most complete RBL check is http://www.blacklistalert.org/

It's very simple to use.

And I hate hotmail. They have caused many of my emails to my parents to just not show up or get trashed in the junk folder. I quit sending emails to any hotmail/live/msn user because of this.

And hotmail DOES check the HELO to the reverse IP that is connecting.

Thu, 06/12/2008 - 23:49 (Reply to #8)
sgrayban

Oh ya hotmail will blacklist ANY server IP that does not have a reverse set, e.g. NX Domain reply or the HELO gives a wrong/incorrect reply.

Fri, 06/13/2008 - 11:04
velvetpixel

OK I'm almost there but I need a little more help.

I was able to duplicate
etc/postfix
var/spool/postfix

Change ownership of directories in duplicate spool to postfix (had to find a post from Wietse on that one)

set new PID in the new PID

In webmin create a clone of postfix module and it correctly connects to my copied directories and reads the correct main.cf and is pointed to the copied spool.

Allocated a new IP to the test domain.

Now how do I direct the second instance of postfix to use that IP?

Fri, 06/13/2008 - 12:45 (Reply to #10)
velvetpixel

> Now how do I direct the second instance of postfix to use that IP?

OK I must have been up too late and my mind has turned to mush :)

This is handled by the DNS entry isn't it?

Fri, 06/13/2008 - 13:37 (Reply to #11)
velvetpixel

OK That's not it.

When I add a new mail user to the virtual host on the new IP it gets added to the virtual file in the original etc/postfix/virtual file rather than etc/postfix2/virtual so the domain is still connected to the original instance of postfix.

How do I point the virtual host to the new instance?

Fri, 06/13/2008 - 14:13 (Reply to #12)
Joe

> How do I point the virtual host to the new instance?

You don't. If you're following my advice from earlier, you're not going to be receiving mail via the second instance--only sending, since sending is where you're having problems.

To bind to a specific IP, you edit the master.cf file. Where it says:

smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes

Change it to:

192.168.1.1:smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes

This will need to be done for all of the services that you're keeping and for both Postfix instances--since a network bind command is either "all addresses" or "this address". This also probably introduces a lot of pain with regard to localhost mail clients that expect to connect on 127.0.0.1, which won't be bound unless you create a second directive for the services you need on localhost. This is actually getting really ugly!

Also, nothing but the system route determines the outgoing IP, and won't be different no matter which Postfix instance is sending. I'm not sure you can change that. Though your goal was to make the Postfix instance claim to be a specific hostname, and that doesn't require a different IP.

I'm thinking maybe the pains of trying this experiment are more than the results they'll provide (which I expect very strongly will be "nothing good").

Have you asked Hotmail what's triggering your messages being trashed? I know that Gmail and Yahoo are both pretty helpful about such things (actual spammers probably don't get treated nicely, of course, but legitimate mail users do usually get answers). If your problem were with Gmail, I could get you in touch with someone who could help, but I don't know anybody on the Hotmail team. ;-)

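The thread's second-instance setup (copied config directory, separate spool, own hostname, own bind address) can be checked for collisions before the instance is started; the script below is an added example, not part of any post, that audits two main.cf files for settings that must differ. The 192.0.2.x addresses and the /var/spool/postfix2 and /var/lib/postfix2 paths are constructed samples, and `inet_interfaces` and `smtp_bind_address` are Postfix main.cf parameters not mentioned in the thread: the first is the main.cf counterpart of binding an address in master.cf, the second sets the source address of the instance's outgoing SMTP connections.

```python
# Added example: audit two Postfix main.cf files for per-instance collisions.
DEFAULTS = {  # typical built-in defaults (assumption; confirm with `postconf -d`)
    "queue_directory": "/var/spool/postfix",
    "data_directory": "/var/lib/postfix",
    "inet_interfaces": "all",
}

PRIMARY = """\
# constructed sample: /etc/postfix/main.cf
myhostname = server1.example.net
inet_interfaces = 192.0.2.10, 127.0.0.1
"""

SECOND = """\
# constructed sample: /etc/postfix2/main.cf (send-only instance)
myhostname = mail.foo.com
queue_directory = /var/spool/postfix2
data_directory = /var/lib/postfix2
inet_interfaces = 192.0.2.25
smtp_bind_address = 192.0.2.25
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; leading whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                       # blank and comment lines are ignored
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(primary_text, second_text):
    a, b = parse_main_cf(primary_text), parse_main_cf(second_text)
    get = lambda p, k: p.get(k, DEFAULTS.get(k))
    # An unset myhostname falls back to the machine name in both instances.
    problems = [f"{k} is shared by both instances"
                for k in ("queue_directory", "data_directory", "myhostname")
                if get(a, k) == get(b, k)]
    la, lb = (set(get(p, "inet_interfaces").replace(",", " ").split()) for p in (a, b))
    if "all" in la | lb or la & lb:
        problems.append("inet_interfaces overlap")
    if "smtp_bind_address" not in b:
        problems.append("smtp_bind_address not set on second instance")
    return problems
```

Running `audit` on a straight copy of /etc/postfix reports every setting that still has to be changed; `postfix -c /etc/postfix2 check` is the built-in sanity check to run afterwards.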