pf + postfix + dspam puzzle

Hi all,

I could use an extra pair of eyes to solve something in my mailserver configuration.

I've set up mail/postfix and mail/dspam in a way which is probably familiar to you. Postfix passes incoming emails to dspam, which scans them, and returns them to postfix on port 10026, whereupon they are delivered.

For outgoing mails on the server, such as from a webmail client or a CMS, I use "localhost 10026", thereby bypassing dspam. No need to scan outgoing mails, right?

One final piece: I'd also like to use port 10026 to send mail from my permanent IP number, but for some reason I can't configure postfix to accept incoming mail from a remote IP. I've added my IP number to the mynetworks parameter in master.cf:

But no luck. Full entry:
Code:
localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,###.###.###.153/32

I've opened port 10026 in /etc/pf.conf
Code:
pass in on vtnet0 inet proto tcp from any to any port = 10026

Nmap indicates it is open:
Code:
PORT      STATE SERVICE
10026/tcp open  unknown
But if I try telnetting to 10026, I don't get the postfix prompt:
Code:
$ telnet ####.### 10026
Trying ##.##.##.##...
Connected to #####.###.
Escape character is '^]'.

This is what I expect:
Code:
Escape character is '^]'.
220 myhostname ESMTP Postfix
I expect the problem is here:
Code:
-o mynetworks=127.0.0.0/8,##.###.###.153/32

Any ideas?
 
cbrace said:
I've opened port 10026 in /etc/pf.conf
Code:
pass in on vtnet0 inet proto tcp from any to any port = 10026
Hi @cbrace,

Since you are explicitly creating a "pass in" statement for port 10026, depending on how you have your "block" statement constructed you may need to also provide a "pass out".

Code:
pass in on vtnet0 inet proto tcp from any to any port = 10026
pass out on vtnet0 inet proto tcp from any to any port = 10026
 
Thanks for the reply. Shouldn't this cover it?
Code:
pass out quick on $ext_if inet keep state
 
It's not covered by either and there's no need to have a matching out rule because of stateful tracking. The pass in rule creates a state that then allows the return traffic to leave the same interface the connection came in.
 
Back to the original problem: if I read this right, the smtpd(8) is listening only on localhost port 10026. Is this intended? You would need a port forward from the external address to localhost if you want to keep it that way and reach the port from the outside.

Code:
rdr on $ext_if from any to $ext_if port 10026 -> localhost
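To check this kind of master.cf entry without guessing, here is a small parser (an added example, not code from the thread or from Postfix) that reads a service line plus its `-o` continuation lines and reports why a remote client cannot reach the port and what still guards it. The sample master.cf is constructed, with the documentation address 203.0.113.153 standing in for the redacted IP.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the entry in the thread (not the poster's real file).
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,203.0.113.153/32
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_master_cf(text: str) -> List[Dict]:
    """Return one dict per service: bind host, port, type, command and -o overrides."""
    services: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            # Indented "-o key=value" lines belong to the preceding service entry.
            m = re.match(r"\s*-o\s+([^=]+)=(.*)", line)
            if m and services:
                services[-1]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        host, _, port = fields[0].rpartition(":")  # "localhost:10026" -> host, port
        services.append({"host": host or "*", "port": port, "type": fields[1],
                         "command": fields[7], "options": {}})
    return services


def diagnose(service: Dict) -> List[str]:
    """Explain reachability and which restrictions apply to this listener."""
    notes = []
    if service["type"] == "inet" and service["host"] in LOOPBACK:
        notes.append("bound to loopback only: remote clients need a pf rdr or a wildcard bind")
    opts = service["options"]
    if opts.get("content_filter") == "":
        notes.append("content_filter is empty: mail on this port bypasses dspam")
    if "permit_mynetworks" in opts.get("smtpd_recipient_restrictions", ""):
        notes.append(f"relaying limited to mynetworks={opts.get('mynetworks', '(main.cf default)')}")
    return notes


def find_service(text: str, port: str) -> Optional[Dict]:
    return next((s for s in parse_master_cf(text) if s["port"] == port), None)
```

Running `diagnose(find_service(MASTER_CF, "10026"))` reports the loopback-only bind that the rdr rule works around, plus the fact that this listener relies on mynetworks alone once it is reachable from outside.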
 
Thank you very much. This works the way I wanted:
Code:
rdr pass on $ext_if proto tcp from any to $ext_if port 10026 -> localhost
I will have to study this a little longer to figure out why it works and my line above didn't.
 
Yeah, sorry, proto tcp makes more sense; there's no UDP traffic involved.

The master.cf is what tells mail/postfix what services to start and the listening addresses/ports.
 