Re: Postfix behind NAT -> failover IP -> wrong HELO

Tue, 30 Jun 2020 15:41:26 -0700 

Istvan Prosinger:
> 
> 
> On 6/30/20 10:34 PM, Wietse Venema wrote:
> > Istvan Prosinger:
> >>
> >> On 6/30/20 9:49 PM, Wietse Venema wrote:
> >>> Istvan Prosinger:
> >>>> Hi, I hope this letter finds you well,
> >>>>
> >>>> I have Postfix behind NAT, and added one failover IP to the main router.
> >>>>
> >>>> I wanted to "get by cheaply" by just doing something like
> >>>>
> >>>> iptbales -t nat -I POSTROUTING -p tcp --dport 25 -j DNAT --to <backup ip>
> >>>>
> >>>> on the firewall machine.
> >>>>
> >>>> So, all well, the only problem is that Postfix in this case has a wrong 
> >>>> HELO compared to the rDNS that I have defined
> >>>> for the <backup IP>
> >>>> It does throw a warning that the <backup IP> doesn't resolve to it's 
> >>>> hostname, but I'm not sure if I can define some
> >>>> kind of helo_host_maps ;) to resolve this.
> >>>> At this point, I wouldn't mind if someone pinpoints me to the right 
> >>>> direction.
> >>>
> >>> Postfix does not compare the HELO command argument with forward or
> >>> reverse DNS information.
> >>
> >> Antispam engines on the recipient side do
> > 
> > Thanks for clearing uo that 'It does throw a warning' is not
> > talking about Postfix.
> > 
> > Every MTA behind a NAT should send HELO to external hists using
> > the name of the outside NAT IP address. Use smtp_helo_name.
> 
> This is clear. But my problem is that I do the (pre)nating on the
> firewall, I don't change any config for Postfix.  To simplify the
> question, it's - is it possible to have it use the correct HELO
> depending on the outbound IP set on the firewall? I do not change
> any relay maps, I just default it to anouther outbound IP on the
> firewall.

Firewalls on a moving IP address? What has the world come to.

Assuming that Postfix runs on the firewall, otherwise you will need
to add telepathic vision to Postfix and also set smtp_proxy_address
to avoid "mail loops back to myself" errors.

    host1_mynetworks = 
        output from "postconf mynetworks" with external address 1
    bind1_address = 1.2.3.4
    bind2_address = 1.2.3.5

    smtp_helo_name = ${
        {$mynetworks} == {$host1_mynetworks} ? 
            {$bind1_address} : {$bind2_address} 
        }

It's really better to execute a command that sets both the
external address AND Postfix settings.

        Wietse

Reply via email to