The FreeBSD Diary

FreeBSD Support
 Re: Is your ISP blocking port 25? Here's a Postfix solution.
Author: Max P. 
Date:   26-03-07 10:03

Hi Dan,

This is a fantastic article: very well-written and easy to understand. It provides a very clever solution, utilizing those features of Postfix that one normally does not think about. I just have a few questions that I hope you can help me clarify, and perhaps consider updating your article on the web. The answers may be obvious to more experienced Postfix users, but I'm not one of those :)


1) In your article you described a set-up consisting of a public mail server, and a home mail server, in which the ISP blocks inbound port 25 to the home mail server. The public mail server essentially proxies the home mail server by forwarding all mails to the home mail server on an alternate (unblocked) port.

The fully-qualified domain name for this email system is myserver.example.org. Let's suppose that the public mail server is located at IP address xx.xx.xx.xx and the home mail server can be reached at IP address yy.yy.yy.yy. In your article, does the example IP address 10.34.0.1 correspond to the public server IP address (xx.xx.xx.xx) or the home mail server IP address (yy.yy.yy.yy)?

Your article states:

------------------------------------------------------------------------------------
I started by adding the following line to /usr/local/etc/postfix/master.cf on my Postfix mail server at home:

10.34.0.1:587 inet n - n - - smtpd

where 10.34.0.1 is the public IP address of my mail server [no, that's not really my IP address]. This instructs Postfix to listen on that IP address on port 587. This is known as the submission port:
------------------------------------------------------------------------------------


It seems to me that 10.34.0.1 should be the home mail server IP address (yy.yy.yy.yy) rather than public mail server IP address (xx.xx.xx.xx). The wording "where 10.34.0.1 is the public IP address of my mail server" leaves this a little unclear to me. In most Postfix configurations I see, the relevant configuration line in master.cf is usually:

smtp inet n - n - - smtpd

meaning that Postfix listens on the local host at port 25 for incoming mail. Thus I would guess that 10.34.0.1 should be the IP address of the machine that the mail server can be reached at---namely, the home mail server IP address (yy.yy.yy.yy).

Most people I know who run mail servers at home usually have a router such as a Linksys or Netgear that performs NATing and port forwarding. If the router can be configured so that the submission port 587 is forwarded to port 25 on the machine where the home mail server is running,

yy.yy.yy.yy:587 -------> 192.168.1.2:25

then doesn't that mean that no changes need be made to the master.cf file on the home mail server? I.e., when the public mail server forwards the email to yy.yy.yy.yy:587 the router, in turn, forwards it to 192.168.1.2:25 so that the Postfix server need only listen to port 25 on localhost, as it usually does?


2) I also have a question about testing. You wrote:

-------------------------------------------------------------------------
Then I sent a test message from the public mail server

$ echo 'test' | mail me@myserver.example.org

I confirmed that it was coming in on port 587 with this command on my mail server at home:

tcpdump -i fxp0 port 587

Where fxp0 is the outside NIC on my firewall (the one with IP 10.34.0.1) as shown above.

Then, on the public mail server, I requeued all the messages, so they'd use the right transport:

postsuper -r ALL

It's magic!

All the messages were delivered to the right spot.
-------------------------------------------------------------------------

I really appreciate tips on testing a configuration, so I wanted to understand how this works. Unfortunately, I don't quite get it. Why is it necessary to execute:

postsuper -r ALL

at all? If the public mail server is configured properly then shouldn't any email message sent to me@myserver.example.org get forwarded to the private mail server automatically? Why was it necessary to re-queue the messages?



3) Finally, in the command,

tcpdump -i fxp0 port 587

the network device fxp0 should correspond to the home mail server IP address (yy.yy.yy.yy), right? But what if, once again, the actual machine the home mail server is running on resides on a LAN behind a router performing NAT and port forwarding? Should the network device then correspond to the NATed address 192.168.1.2 such as en0 (or perhaps the localhost 127.0.0.1 device lo1)? I.e., would the following work?


tcpdump -i en0 port 25

tcpdump -i lo0 port 25



Thanks for writing such a great article. I learned a great deal from it.

Appreciatively,

Max



 Re: Is your ISP blocking port 25? Here's a Postfix solution.
Author: Dan 
Date:   26-03-07 15:33

Max P. wrote:

> Your article states:
>
> ------------------------------------------------------------------------------------
> I started by adding the following line to
> /usr/local/etc/postfix/master.cf on my Postfix mail server at
> home:

At home.. this is my home server.

>
> 10.34.0.1:587 inet n - n - - smtpd
>
> where 10.34.0.1 is the public IP address of my mail server [no,
> that's not really my IP address]. This instructs Postfix to
> listen on that IP address on port 587. This is known as the
> submission port:

That is the public IP address of my gateway.... that is, the one facing the ISP, not the one facing my internal LAN.

> ------------------------------------------------------------------------------------
>
>
> It seems to me that 10.34.0.1 should be the home mail server IP
> address (yy.yy.yy.yy) rather than public mail server IP address
> (xx.xx.xx.xx). The wording "where 10.34.0.1 is the public IP
> address of my mail server" leaves this a little unclear to me.
> In most Postfix configurations I see, the relevant
> configuration line in master.cf is usually:
>
> smtp inet n - n - - smtpd
>
> meaning that Postfix listens on the local host at port 25
> for incoming mail. Thus I would guess that 10.34.0.1 should be
> the IP address of the machine that the mail server can be reached
> at---namely, the home mail server IP address (yy.yy.yy.yy).

I see the confusion. But read above carefully, with my comments. Got it now.

> Most people I know who run mail servers at home usually have a
> router such as a Linksys or Netgear that performs NATing and
> port forwarding. If the router can be configured so that the
> submission port 587 is forwarded to port 25 on the machine
> where the home mail server is running,
>
> yy.yy.yy.yy:587 -------> 192.168.1.2:25
>
> then doesn't that mean that no changes need be made to the
> master.cf file on the home mail server? I.e., when the public
> mail server forwards the email to yy.yy.yy.yy:587 the router,
> in turn, forwards it to 192.168.1.2:25 so that the Postfix
> server need only listen to port 25 on localhost, as it usually
> does?

I am not redirecting incoming SMTP to an internal mail server. The MTA is on the firewall.

> 2) I also have a question about testing. You wrote:
>
> -------------------------------------------------------------------------
> Then I sent a test message from the public mail server
>
> $ echo 'test' | mail me@myserver.example.org
>
> I confirmed that it was coming in on port 587 with this command
> on my mail server at home:
>
> tcpdump -i fxp0 port 587
>
> Where fxp0 is the outside NIC on my firewall (the one with IP
> 10.34.0.1) as shown above.
>
> Then, on the public mail server, I requeued all the messages,
> so they'd use the right transport:
>
> postsuper -r ALL
>
> It's magic!
>
> All the messages were delivered to the right spot.
> -------------------------------------------------------------------------
>
> I really appreciate tips on testing a configuration, so I
> wanted to understand how this works. Unfortunately, I don't
> quite get it. Why is it necessary to execute:
>
> postsuper -r ALL
>
> at all? If the public mail server is configured properly then
> shouldn't any email message sent to me@myserver.example.org get
> forwarded to the private mail server automatically? Why was it
> necessary to re-queue the messages?

The messages were already queued for delivery via port 25. The requeue made Postfix notice they were to be sent to port 587.

> 3) Finally, in the command,
>
> tcpdump -i fxp0 port 587
>
> the network device fxp0 should correspond to the home mail
> server IP address (yy.yy.yy.yy), right? But what if, once
> again, the actual machine the home mail server is running on
> resides on a LAN behind a router performing NAT and port
> forwarding? Should the network device then correspond to the
> NATed address 192.168.1.2 such as en0 (or perhaps the localhost
> 127.0.0.1 device lo1)? I.e., would the following work?
>
>
> tcpdump -i en0 port 25
>
> tcpdump -i lo0 port 25

Sounds right, given a redirect. But I am not redirecting.

--
Webmaster
