Hello,
Jack Snodgrass wrote:
>
> I have a server running postfix ( don't think that the mail server
> software will make a difference )
The mail software does matter. I don't know about postfix, but exim has
an "interface" option which allows you to specify the source address for
outgoing SMTP connections.
> and it has a primary IP Address
> and a 2nd / virtual IP Address. The 2nd / virtual IP address is
> reverse mapped back to my domain so when I send mail, I want that
> IP Address to be associated with the connection. Normally, the main
> IP Address on the Interface is used.... this does not reverse back
> to my domain so I need to use the 2nd / virtual IP address on the
> outgoing mail connects.
Why do you need 1) a second address and 2) that address to reverse back to
your domain?
> Some mail servers do a reverse lookup on
> the incoming connection and act differently if you say that you
> are 'y' but your reverse lookup says that you are 'x'.
Why not just set up postfix so the HELO/EHLO name matches the primary
address's reverse name?
> I am pretty sure that iptables is the answer... but I'm not sure
> if I want to mangle or snat or what....
Iptables may be one answer. First, you need to match packets sent from
postfix belonging to outgoing SMTP connections. Then you need to SNAT
those connections with the desired address.
If the postfix process runs as a specific user, you can match the user
id with the 'owner' match. You'll have to MARK the matching packets
because 'owner' is valid only in the OUTPUT chain and 'SNAT' is valid
only in the POSTROUTING chain.
iptables -t mangle -A OUTPUT -m owner --uid-owner \
    -j MARK --set-mark 0x1
iptables -t nat -A POSTROUTING -m mark --mark 0x1 \
    -j SNAT --to-source
You can also just match the destination port 25.
iptables -t nat -A POSTROUTING -p tcp --dport 25 \
    -j SNAT --to-source
Or both.
iptables -t mangle -A OUTPUT -m owner --uid-owner \
    -j MARK --set-mark 0x1
iptables -t nat -A POSTROUTING -p tcp --dport 25 -m mark --mark 0x1 \
    -j SNAT --to-source
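The combined owner-mark plus port-25 SNAT approach from the reply above, as an added example script that is not part of the original message. It generates the two rules as text so they can be reviewed (and, if wanted, applied), and refuses to apply them if the chosen source address is not configured on the host, since reply packets to a SNATed connection would otherwise never return. The user name `postfix`, the mark `0x1` and the documentation-range address `192.0.2.10` are placeholders for the values elided in the thread; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the original thread: build the netfilter rules the
# reply describes. Postfix's own packets are marked by owner in mangle/OUTPUT,
# and marked outbound SMTP connections are SNATed in nat/POSTROUTING.

# Placeholders (assumed values, not taken from the thread).
POSTFIX_UID="${POSTFIX_UID:-postfix}"          # user the Postfix SMTP client runs as
SMTP_SRC_ADDR="${SMTP_SRC_ADDR:-192.0.2.10}"   # 2nd/virtual address whose PTR record names your domain
SMTP_MARK="${SMTP_MARK:-0x1}"                  # fwmark carrying the owner match to POSTROUTING

# Emit the rules as text. 'owner' only works in OUTPUT and SNAT only in
# POSTROUTING, so the mark is what links the two.
smtp_snat_rules() {
    printf '%s\n' "iptables -t mangle -A OUTPUT -m owner --uid-owner $POSTFIX_UID -j MARK --set-mark $SMTP_MARK"
    printf '%s\n' "iptables -t nat -A POSTROUTING -p tcp --dport 25 -m mark --mark $SMTP_MARK -j SNAT --to-source $SMTP_SRC_ADDR"
}

# The SNAT source must be an address this host actually owns; otherwise the
# rewritten connection's replies are delivered elsewhere or dropped.
addr_is_local() {
    ip -o addr show 2>/dev/null | grep -q " inet $1/"
}

# DRY_RUN=1 (the default) just prints the rules; DRY_RUN=0 runs them.
apply_smtp_snat_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        smtp_snat_rules
        return 0
    fi
    if ! addr_is_local "$SMTP_SRC_ADDR"; then
        echo "refusing to SNAT to $SMTP_SRC_ADDR: address is not configured on this host" >&2
        return 1
    fi
    smtp_snat_rules | sh -e
}

# Show what would be installed when the script is run directly.
if [ "$(basename -- "$0")" = "smtp_snat.sh" ]; then
    apply_smtp_snat_rules
fi
```

Run it once with the default `DRY_RUN=1` to see the exact rules, then with `DRY_RUN=0` as root to install them. Matching both the owner and the destination port, as the reply suggests, keeps the SNAT from catching the postfix user's other traffic (for example DNS lookups) while still leaving non-postfix port-25 connections untouched.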