On 2022-05-21 09:09, Jeremy Hansen wrote:
> I realize I need to provide better context and information. I’ll
> do my best.
That's a good start.
> The mail configuration is like this, and again, this is just something
> that’s already in place and unfortunately it’s not within my
> control to make a ton of changes.
Proof of fail documented now.
> I don’t think what I’m asking
> for is impossible and I understand that it looks irregular.
> ...
> Two MTAs, one is running Ciphermail. The ciphermail host relays mail
> to the “permanent home” MTA where mail gets delivered to users and
> dovecot runs for retrieval of mail.
Basically you have a backup MX, with all the problems that gives :/
> The hosts are internal only
> hosts.
> ...
> SSH port forwarding is being used to basically export port 25
> from the Ciphermail host to an externally accessible AWS node.
When you say ssh here, is ssh bound to port 22 or 25?
An MTA host should not really need ssh of any kind, not even for an iptables
DNAT rule to work.
> I
> guess the idea is if the instance gets compromised, they’re not
> actually on the real MTA.
I can assure you that if you have ssh open on port 22 you will see bots are
ready to password brute force it; don't use port 22 for email at
all.
> This, again, is where I’m saying
> “don’t do that” isn’t really in my control and I’d like to
> just make this work without trying to alter the overall design.
In that case you can't solve it; don't do email if others control
any part of the game.
> What I experience when the port forward is enabled is suddenly
> “things” out there are attempting to just email random addresses
> at the AWS instance hostname.
Do you have logs?
> Logs from Ciphermail (using links because majordomo doesn’t like the
> number of characters I’m pasting):
> http://skidrowstudios.com/mta/cmx01-logs.txt
> Logs from “dovecot server”:
> http://skidrowstudios.com/mta/mx1-logs.txt
> At this point you can see the mail looping and it continues as such
> until I stop the port forward.
It loops imho since the destination MTA tries to deliver it to the MX, so the final
MTA must not forward via MX lookup when it is the final MX. In
postfix one needs to define which WAN IPs are the MX IPs so that at that
point it does not forward again to the WAN IPs.
Hope you at least understood that.
proxy_interfaces=1.2.3.4
Replace 1.2.3.4 with the MX WAN IP.
> Here are my confs for each MTA. The goal is to basically stop the
> loop or just flat out reject mail being sent to the aws domain
> pattern.
> Ciphermail host:
> http://skidrowstudios.com/mta/cmx01.txt
That is postconf -d, not postconf -n; we need postconf -n to help you.
> Dovecot host:
> http://skidrowstudios.com/mta/mx1.txt
Not postconf -n either.
Try if postconf -nf works; if it does, post that to the mailing list.
postconf -Mf is not yet needed :=)
> Please let me know what other information is useful and I appreciate
> the help. Thank you!
> -jeremy
see above
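As an added illustration of the proxy_interfaces point above (example code, not from the thread or from Postfix): the final MX only recognises a destination as itself when the domain's MX address matches inet_interfaces or proxy_interfaces, otherwise it opens an SMTP connection to that address, which through the port forward lands back on the same MTAs. The host addresses and MX address below are constructed documentation-range values, and the MX addresses are passed in as a list rather than resolved live.

```python
"""Check whether a Postfix final MX would relay mail for a domain back out
to its own public (proxied / port-forwarded) address instead of delivering it.
Added example; addresses are constructed, not from the thread."""
from ipaddress import ip_address


def parse_interfaces(value, host_ips):
    """Expand a postconf inet_interfaces / proxy_interfaces value into a set
    of IP addresses. 'all' means every address the host owns, 'loopback-only'
    means the loopback addresses, anything else is a literal address."""
    result = set()
    for token in value.replace(",", " ").split():
        if token == "all":
            result.update(ip_address(ip) for ip in host_ips)
        elif token == "loopback-only":
            result.update({ip_address("127.0.0.1"), ip_address("::1")})
        else:
            result.add(ip_address(token))
    return result


def unrecognised_mx(mx_ips, host_ips, inet_interfaces="all", proxy_interfaces=""):
    """Return the MX addresses Postfix would NOT treat as its own.

    Every address returned is one the SMTP client will connect to. If that
    address is really a forward back to this MTA, the message is accepted,
    relayed again, and loops until the hop count limit stops it."""
    own = parse_interfaces(inet_interfaces, host_ips)
    own |= parse_interfaces(proxy_interfaces, host_ips)
    return [ip for ip in mx_ips if ip_address(ip) not in own]


# Constructed values: private addresses on the final MX, and the public
# address that the AWS hostname's MX record resolves to.
HOST_IPS = ["10.0.0.5", "127.0.0.1"]
AWS_MX = ["203.0.113.10"]

if __name__ == "__main__":
    # Without proxy_interfaces the public MX address is "someone else" -> loop.
    print("loop risk:", unrecognised_mx(AWS_MX, HOST_IPS))
    # Declaring the WAN address as our own makes Postfix stop relaying to it.
    print("with proxy_interfaces:",
          unrecognised_mx(AWS_MX, HOST_IPS, proxy_interfaces="203.0.113.10"))
```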