On Wed, Jun 17, 2015 at 06:25:10AM -0700, Jithesh AP wrote:

> >>Received: from 54.183.212.207 (ip-172-31-5-33.us-west-1.compute.internal
> >>[172.31.5.33])
> >> by ml.w8timez.com (Postfix) with SMTP id 24B0841557;
> >> Tue, 16 Jun 2015 21:22:33 -0700 (PDT)
> >>Message-ID: <hvqgivvdndkqtrnegxgkm...@163.com>
> >
> >Sure looks like your router used source NAT to mask the real origin
> >IP address, which was perhaps "54.183.212.207".
>
> My server is on Amazon AWS, and my private IP starts the same except for
> the last one (172.31.5.xxx). I don't know what the router does as that is
> controlled by Amazon. I do have an external IP, which is 54.183.xxx.yyy. So
> mostly the guy who is running it is on Amazon and with private IP of
> 172.31.5.33 with external IP of 54.183.212.207

OK, so Amazon is likely doing you the "favour" of enabling source
NAT. With Amazon many implementations use the HAPROXY protocol:

    http://www.postfix.org/postconf.5.html#smtpd_upstream_proxy_protocol

which conveys the upstream IP addresses to the SMTP server. Otherwise,
ask Amazon to disable source NAT (you'll need to have a default route
to the Internet). Without these your MTA has no idea where the mail is
coming from and you can't do IP based access control.

> > main.cf:
> >     mynetworks = 127.0.0.0/8, [::1]/128
> >     proxy_interfaces = <external IP address of router>
> >
> > Router:
> >
> >     Turn off source NAT for inbound traffic when doing port forwarding!
> >     Leave the external IP addresses as-is!
>
> What does proxy_interfaces do? (So I will be providing my external IP
> there.)

It is not surprisingly documented:

    http://www.postfix.org/postconf.5.html#proxy_interfaces

-- 
Viktor.
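
The check discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: it parses the quoted Received header, reports the client address the MTA actually saw, and tests it against a mynetworks value. The function names and the 172.31.0.0/16 entry are assumptions made for illustration; only plain CIDR entries are handled, not the table lookups or exclusions mynetworks also accepts.

```python
import ipaddress
import re

# Received header quoted in the thread, unfolded onto one line.
RECEIVED = (
    "from 54.183.212.207 (ip-172-31-5-33.us-west-1.compute.internal [172.31.5.33]) "
    "by ml.w8timez.com (Postfix) with SMTP id 24B0841557; "
    "Tue, 16 Jun 2015 21:22:33 -0700 (PDT)"
)

# Postfix writes: from <HELO name> (<reverse DNS name> [<client IP>])
_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")


def parse_mynetworks(value):
    """Parse a list of CIDR blocks such as '127.0.0.0/8, [::1]/128'."""
    items = [i for i in re.split(r"[,\s]+", value) if i]
    return [ipaddress.ip_network(i.replace("[", "").replace("]", "")) for i in items]


def assess(received, mynetworks):
    """Report what the MTA saw as the client and whether it would trust it."""
    m = _FROM.search(received)
    if m is None:
        raise ValueError("no 'from HELO (name [ip])' clause found")
    helo, rdns = m.group(1), m.group(2)
    client = ipaddress.ip_address(m.group(3))
    trusted = any(client in net for net in parse_mynetworks(mynetworks))
    return {
        "helo": helo,  # supplied by the client, not verified
        "rdns": rdns,
        "client_ip": str(client),
        # A private, non-loopback peer on an Internet-facing MTA means the
        # real origin address never reached the SMTP server.
        "origin_masked": client.is_private and not client.is_loopback,
        "trusted_by_mynetworks": trusted,
    }


if __name__ == "__main__":
    # Second value is a constructed misconfiguration: the VPC range in mynetworks.
    for nets in ("127.0.0.0/8, [::1]/128", "127.0.0.0/8, 172.31.0.0/16"):
        print(nets, "->", assess(RECEIVED, nets))
```

With the loopback-only mynetworks from the thread the NATed client is not trusted; with the private range added, every connection arriving through the NAT would be.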