The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
FreeBSD Support
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Previous Message  |  Next Message 
 Re: Is your ISP blocking port 25? Here's a Postfix solution.
Author: Max P. 
Date:   26-03-07 10:03

Hi Dan,

This is a fantastic article: very well-written and easy to understand. It provides a very clever solution, utilizing those features of Postfix that one normally does not think about. I just have a few questions that I hope you can help me clarify, and perhaps consider updating your article on the web. The answers may be obvious to more experienced Postfix users, but I'll not one of those :)

1) In your article you described a set-up consisting of a public mail server, and a home mail server, in which the ISP blocks inbound port 25 to the home mail server. The public mail server essentially proxies the home mail server by forwarding all mails to the home mail server on an alternate (unblocked) port.

The fully-qualified domain name for this email system is Let's suppose that the public mail server is located at IP address xx.xx.xx.xx and the home mail server can be reached at IP address yy.yy.yy.yy, In your article does the example IP address correspond to the public server IP address (xx.xx.xx.xx) or the home mail server IP address (yy.yy.yy.yy)?

Your article states:

I started by adding the following line to /usr/local/etc/postfix/ on my Postfix mail server at home: inet n - n - - smtpd

where is the public IP address of my mail server [no, that's not really my IP address]. This instructs Postfix to listen on that IP address on port 587. This is known as the submission port:

It seems to be that should be the home mail server IP address (yy.yy.yy.yy) rather than public mail server IP address (xx.xx.xx.xx). The wording "where is the public IP address of my mail server" leaves this a little unclear to me. In most Postfix configurations I see, the relevant configuration line in is usually:

smtp inet n - n - - smptd

meaning that the Postfix listens on the local host at port 25 for incoming mail. Thus I would guess that should be IP address of the machine that mail server can be reached at---namely, the home mail server IP address (yy.yy.yy.yy).

Most people I know who run mail servers at home usually have a router such as a Linksys or Netgear that performs NATing and port forwarding. If the router can be configured so that the submission port 587 is forwarded to port 25 on the machine where the home mail server is running,

yy.yy.yy.yy:587 ------->

then doesn't that mean that no changes need be made to the file on the home mail server? Ie, when the public mail server forwards the email to yy.yy.yy.yy:587 the router, in turn, forwards it to so that the Postfix server need only listen to port 25 on localhost, as it usually does?

2) I also have a question about testing. You wrote:

Then I sent a test message from the public mail server

$ echo 'test' | mail

I confirmed that it was coming in on port 587 with this command on my mail server at home:

tcpdump -i fxp0 port 587

Where fxp0 is the outside NIC on my firewall (the one with IP as shown above.

Then, on the public mail server, I requeued all the messages, so they'd use the right transport:

postsuper -r ALL

It's magic!

All the messages were delivered to the right spot.

I really appreciate tips on testing a configuration, so I wanted to understand how this works. Unfortunately, I don't quite get it. Why is it necessary to execute:

postsuper -r ALL

at all? If the public mail server is configured properly then shouldn't any email message sent to get forwarded to the private mail server automatically. Why was it necessary to re-queue the messages?

3) Finally, in the command,

tcpdump -i fxp0 port 587

the network device fxp0 should correspond to the home mail server IP address (yy.yy.yy.yy) right? But what if, once again, the actual machine the home mail server is running on resides on a LAN behind a router performing NAT and port forwarding? Should the network device then correspond to the NATed address such as en0 (or perhaps the localhost device lo1)? Ie, would the following work?

tcpdump -i en0 port 25

tcpdump -i lo0 port 25

Thanks for writing such a great article. I learned a great deal from it.



 Reply To This Message  |  Forum List  |  Flat View   Newer Topic  |  Older Topic 

 Topics Author  Date
 Re: Is your ISP blocking port 25? Here's a Postfix solution.   new
Max P. 26-03-07 10:03 
 Re: Is your ISP blocking port 25? Here's a Postfix solution.   new
Dan 26-03-07 15:33 

 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Remember my login:
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum