The solution will avoid the pitfalls described in other howtos I have seen in various places. Namely, it is not possible to lose mail or deliver mail to the wrong host.

The Postfix Experience

This is about getting realtime mail delivery to a dialup host with a dynamic IP address from a rootserver. I assume you have the following:

  • registered domains "example.com" and "moredomains.de", etc.
  • access to a machine with a permanent IP, for example a rootserver at your preferred hosting company, with a working postfix mailer
  • a working postfix installation at home with dialup internet access, which should receive all mail for "example.com", "moredomains.de", etc. in realtime.

My solution will use encryption between the two postfix installations and authentication via certificates. No mail destined for your domains will be delivered to the wrong host.

DNS

First, get a dyndns account for your dialup host; in this howto it will be "dialup.dyndns.org". Make sure that your hardware firewall will forward connections on port 25 to your dialup host. You can choose another port to obscure your SMTP service if you like. Later on, just replace port 25 with the chosen one.

The host with the permanent internet connection and fixed IP - referred to as rootserver - should be the MX host for your registered domains "example.com" and "moredomains.de". The host itself is called "mail.example.com". Some DNS registrars will allow you to specify the MX record of the DNS record: make sure it is pointing to "mail.example.com"!

Certificates

Create certificates for the two hosts. There are many HowTos available explaining how to do that with the CLI; I recommend using a somewhat easier GUI called tiny-ca for this. It is a great little tool and saves a lot of typing. You can install the RPMs or get it directly here: http://tinyca.sm-zone.net.
It is important to put the hostnames "mail.example.com" and "dialup.dyndns.org" into the respective certs, because both postfix instances will verify the peer's certificate against its hostname. Put the created certs in the following places:
Rootserver:
/etc/postfix/ssl/mail.example.com.cert
/etc/postfix/ssl/mail.example.com.key
/etc/postfix/ssl/CA-example.com.cert
Dialup host:
/etc/postfix/ssl/dialup.dyndns.org.cert
/etc/postfix/ssl/dialup.dyndns.org.key
/etc/postfix/ssl/CA-example.com.cert

Configuration of "mail.example.com" / Rootserver

If you have more than one registered domain for which you would like to receive mail, or your mailserver has a different domain name, create /etc/postfix/relay_domains:

example.com RELAY
moredomains.de RELAY
....

Commandline:
# postmap /etc/postfix/relay_domains

Create /etc/postfix/sasl_passwd:

dialup.dyndns.org postfix:secret

Create /etc/postfix/transport:

example.com smtp:[dialup.dyndns.org]:25
moredomains.de smtp:[dialup.dyndns.org]:25

The brackets will cause postfix to disable MX (mail exchanger) DNS lookups for the nexthop, which is important, since the MX record for these domains is pointing to mail.example.com itself.

Create /etc/postfix/tls_per_site:

dialup.dyndns.org MUST

Now on to the Postfix main.cf file: edit /etc/postfix/main.cf

....
# This makes sure that postfix accepts mail to domains which are not
# listed in $mydestination. You can leave this and the creation of the
# file relay_domains if you have only one domain.
relay_domains = $mydestination, hash:/etc/postfix/relay_domains

# tls stands for transport layer security and the next statements make sure that only
# certificate-authenticated hosts can connect to postfix to deliver mail. This is for
# mail which is coming from the dialup host into the rootserver to be delivered to
# the outside world, or mail from the outside world into the rootserver.
# masterswitch for enabling tls:
smtpd_use_tls = yes
smtpd_enforce_tls = no
# when smtpd_tls_auth_only is set, AUTH will only be announced and accepted
# once the TLS layer has been activated via the STARTTLS protocol.
# this will avoid the exchange of user/password pairs unencrypted
smtpd_tls_auth_only = yes
# insert a line in individual mail messages to reflect the delivery via tls
smtpd_tls_received_header = yes
# you can increase the following for troubleshooting purposes to 3
smtpd_tls_loglevel = 0
smtpd_tls_cert_file = /etc/postfix/ssl/mail.example.com.cert
smtpd_tls_key_file = /etc/postfix/ssl/mail.example.com.key
smtpd_tls_CAfile = /etc/postfix/ssl/CA-example.com.cert

# here is the configuration for mail which is delivered to the dialup host
smtp_use_tls = yes
smtp_enforce_tls = no
# if a tls connection is made, make sure that the connected machine is
# the host for which its certificate was issued.
smtp_tls_enforce_peername = yes
# the per-site table forces TLS (MUST) for the dialup host, so a wrong
# machine behind a stale dyndns entry can never receive the mail
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_note_starttls_offer = yes
# you can increase the following for troubleshooting purposes to 3
smtp_tls_loglevel = 0
smtp_tls_cert_file = /etc/postfix/ssl/mail.example.com.cert
smtp_tls_key_file = /etc/postfix/ssl/mail.example.com.key
smtp_tls_CAfile = /etc/postfix/ssl/CA-example.com.cert

Commandline:
# rcpostfix restart
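As an added sanity check, not part of the original howto: a small Python script that lints the three map files from the steps above for the two mistakes this setup is sensitive to, a transport nexthop written without brackets (the MX lookup would route the mail straight back to mail.example.com) and a destination host with no MUST entry in tls_per_site (TLS and the certificate check would then be optional). The map contents are constructed samples modelled on the ones above.

```python
import re

# Constructed sample map files modelled on the howto (not the page's own files).
RELAY_DOMAINS = "example.com RELAY\nmoredomains.de RELAY\n"
TLS_PER_SITE = "dialup.dyndns.org MUST\n"
# Second route lacks the brackets, so an MX lookup would apply.
TRANSPORT_BAD = ("example.com smtp:[dialup.dyndns.org]:25\n"
                 "moredomains.de smtp:dialup.dyndns.org:25\n")
TRANSPORT_OK = ("example.com smtp:[dialup.dyndns.org]:25\n"
                "moredomains.de smtp:[dialup.dyndns.org]:25\n")

# transport nexthop: smtp:[host]:port, brackets and port optional
NEXTHOP_RE = re.compile(r"^smtp:(\[)?([^\[\]:\s]+)(\])?(?::(\d+))?$")


def parse_map(text):
    """Parse a Postfix 'key value' map; '#' comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def check_relay_config(relay_domains, transport, tls_per_site):
    """Return a list of problems found; an empty list means the maps agree."""
    problems = []
    routes = parse_map(transport)
    tls = parse_map(tls_per_site)
    for domain in parse_map(relay_domains):
        if domain not in routes:
            problems.append(f"{domain}: in relay_domains but has no transport entry")
    for domain, nexthop in routes.items():
        m = NEXTHOP_RE.match(nexthop)
        if not m:
            problems.append(f"{domain}: unrecognised transport entry {nexthop!r}")
            continue
        lbr, host, rbr, _port = m.groups()
        if not (lbr and rbr):
            problems.append(f"{domain}: nexthop {host} not in [brackets]; MX lookup "
                            "would send the mail back to the rootserver")
        if tls.get(host, "").upper() != "MUST":
            problems.append(f"{domain}: {host} has no MUST entry in tls_per_site; "
                            "delivery could fall back to plaintext")
    return problems
```

Run check_relay_config on the real files after each postmap and fix anything it reports before restarting postfix.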

Configuration of "dialup.dyndns.org" / Dialup host

To tell postfix that the final destination of mail to "example.com" is here, edit /etc/postfix/virtual:

example.com virtualdomain
@example.com others@localhost
moredomains.de virtualdomain
joe@moredomains.de joe@localhost
@moredomains.de others@localhost

You can specify here if some mail should be delivered to specific users. See the comments in this file for detailed info if you need to do things differently!

Edit /etc/postfix/sasl_passwd:

mail.example.com postfix:secret

Edit /etc/postfix/main.cf:

...
virtual_maps = hash:/etc/postfix/virtual
# all outgoing mail goes through the rootserver
relayhost = mail.example.com
disable_dns_lookups = no
smtpd_client_restrictions = permit_sasl_authenticated
# only the rootserver (by client certificate or SASL) and local networks may relay
smtpd_recipient_restrictions = permit_tls_clientcerts, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = dialup
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/ssl/CA-example.com.cert
smtpd_tls_cert_file = /etc/postfix/ssl/dialup.dyndns.org.cert
smtpd_tls_key_file = /etc/postfix/ssl/dialup.dyndns.org.key
smtpd_tls_received_header = yes
# request the client certificate, otherwise permit_tls_clientcerts has nothing to check
smtpd_tls_ask_ccert = yes
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/postfix/ssl/CA-example.com.cert
smtp_tls_cert_file = /etc/postfix/ssl/dialup.dyndns.org.cert
smtp_tls_key_file = /etc/postfix/ssl/dialup.dyndns.org.key

Now, reload the postfix configuration and try it out!

Extras:

In Germany, DSL dialup hosts get disconnected every 24h - it is called Zwangstrennung. If mail arrives while the dialup host is reconnecting or the dyndns entry is still pointing to the old IP address, your mailserver will try to connect to the wrong machine. As this machine doesn't have the right certificate, mail will NOT be delivered to this wrong machine. But postfix will remember that the dialup host is not reachable and put the mail on hold for some time. Default is 30min if I remember correctly. To force the delivery of the held mail and to tell postfix that the dialup host is available again, you will need to add some crontab entries.
First, to disconnect at a defined time, add the following to the crontab of the dialup host or its firewall:

# fcrontab -e

45 5 * * * /etc/rc.d/rc.red stop
46 5 * * * /etc/rc.d/rc.red start

And on your rootserver, add this to flush the queue a few minutes after the reconnect:

# crontab -e

52 5 * * * /usr/sbin/sendmail -q

If you found this guide useful, have comments or want to correct my writing ;-) please feel free to mail me at: Michael Thalmann mail address