Home / server / Questions / 861389
In Process
aSteve
Asked: 2017-07-11 14:08:44 +0800 CST

Prevent Postfix dispatching email over wrong network interface

  • 772

I have a Postfix mail server, running on a host with multiple network adapters, one of which is a virtual tun0 device. I need this mail server to accept connections on any adapter - and send email only on the virtual tun device.

I have a configuration, in line with the answer to this question, which defines smtp_bind_address=10.20.30.40 - where 10.20.30.40 is the address associated with the tun0 device. This server server doesn't support IPV6.

For years, this appeared to work perfectly - until, one day, the tun0 device died - and Postfix sent email over the default network device, eth0 (10.0.0,1) not tun0.

Is this expected behaviour? Are there settings I can change to ensure that Postfix only ever dispatches email over tun0 (10.20.30.40) - leaving messages in the queue if tun0 is not available?

In case it is relevant, this is on Ubuntu 16.04.2 LTS with Postfix version 3.1.0-3. tun0 is implemented using OpenVPN version 2.3.10-1ubuntu2.1

-- Edit to add extra details --

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.20.30.40     0.0.0.0         255.255.255.255 UH    0      0        0 tun0

This server runs several services - of which Postfix is only one. Only email needs to be routed over 10.20.30.40 - all the other services need to be routed over the default gateway.

email

3 Answers

  1. What happens is that postfix will use the configured smtp_bind_address first. In your case it's a static ip bound to tun0. It will pass out via tun0 when it's up. If tun0 is down then the client bind will fail causing postfix to fall back to the default behavior of not binding the client tcp endpoint and it will therefore will use the default route which is connected to eth0.

    It would seem that postfix does not provide a suitable override for smtp_bind_address failure.

    So the answer is to simply block outbound email on port 25 on interface eth0 using an IP tables rule. This will cause all email to queue up for a time before failing or until tun0 comes back.

    Something like the following should work:

    iptables -A OUTPUT -i eth0 -p tcp --dport 25 -j DROP

    That will prevent all email being sent out port 25 via eth0 and originating directly from your server (not routed). It will not block email traffic being sent via tun0.

    • 1

  2. From what I could gather and test in a lab, this appears to be working as intended. smtp_bind_address will failover to another inet_interface if not available.

    Maybe you could setup another Postfix instance that only has a single inet_interface of 10.20.30.40, and postmap/relay outgoing to that? Perhaps then you could receive via your multiple adapters, and force sending out over a single IP.

    • 0

  3. It's been a while since I had to mess around with postfix. But I think you should be using a smart host relay.

    A smart host is a type of email message transfer agent that allows a Simple Mail Transfer Protocol (SMTP) server to route email to an intermediate mailserver rather than directly to the recipient's server.

    The relay would be the mail server that corresponds to a sender SPF record in your mail domain. Your ISP should be able to act as a smarthost email relay for you.

    From memory it could be as simple as setting a setting in /etc/postfix/main.cf

    e.g. relayhost = mx1.mydomain.com:587

    Then you wouldn't need to care which interface mail is sent from.

    • 0