I'm pretty sure that this has been asked before... but I googled a bit
and could not find an answer....

I have a server running postfix ( don't think that the mail server
software will make a difference ) and it has a primary IP Address
and a 2nd / virtual IP Address. The 2nd / virtual IP address is
reverse mapped back to my domain so when I send mail, I want that
IP Address to be associated with the connection. Normally, the main
IP Address on the Interface is used.... this does not reverse back
to my domain so I need to use the 2nd / virtual Ip address on the
outgoing mail connects. Some mail servers do a reverse lookup on
the incoming connection and act differently if you say that you
are 'y' but your reverse lookup says that you are 'x'.

I am pretty sure that iptables is the answer... but I'm not sure
if I want to mangle or snat or what....

Thanks - jack

--
D.A.M. - Mothers Against Dyslexia

see http://www.jacksnodgrass.com for my contact info.

jack - Grapevine/Richardson

Jack Snodgrass wrote:
> I'm pretty sure that this has been asked before... but I googled a bit
> and could not find an answer....
>
> I have a server running postfix ( don't think that the mail server
> software will make a difference ) and it has a primary IP Address
> and a 2nd / virtual IP Address. The 2nd / virtual IP address is
> reverse mapped back to my domain so when I send mail, I want that
> IP Address to be associated with the connection. Normally, the main
> IP Address on the Interface is used.... this does not reverse back
> to my domain so I need to use the 2nd / virtual Ip address on the
> outgoing mail connects. Some mail servers do a reverse lookup on
> the incoming connection and act differently if you say that you
> are 'y' but your reverse lookup says that you are 'x'.
>
> I am pretty sure that iptables is the answer... but I'm not sure
> if I want to mangle or snat or what....
>
> Thanks - jack
>

In postfix main.cf set (according to man 5 postconf
[http://linux.die.net/man/5/postconf])
inet_interfaces = <virtual ip adress>

HTH
/peter

On Thu, 13 Mar 2008 13:58:25 +0100, Peter Ludikovsky wrote:

> Jack Snodgrass wrote:
>> I'm pretty sure that this has been asked before... but I googled a bit
>> and could not find an answer....
>>
>> I have a server running postfix ( don't think that the mail server
>> software will make a difference ) and it has a primary IP Address
>> and a 2nd / virtual IP Address. The 2nd / virtual IP address is
>> reverse mapped back to my domain so when I send mail, I want that
>> IP Address to be associated with the connection. Normally, the main
>> IP Address on the Interface is used.... this does not reverse back
>> to my domain so I need to use the 2nd / virtual Ip address on the
>> outgoing mail connects. Some mail servers do a reverse lookup on
>> the incoming connection and act differently if you say that you
>> are 'y' but your reverse lookup says that you are 'x'.
>>
>> I am pretty sure that iptables is the answer... but I'm not sure
>> if I want to mangle or snat or what....
>>
>> Thanks - jack
>>
>
> In postfix main.cf set (according to man 5 postconf
> [http://linux.die.net/man/5/postconf])
> inet_interfaces = <virtual ip adress>
>
> HTH
> /peter

thanks... but that is for incoming mail... that tells postfix which
ip addresses you want to listen on... when it send mails, it goes
out the default iface and uses the main ip address associated with
it...

jack

--
D.A.M. - Mothers Against Dyslexia

see http://www.jacksnodgrass.com for my contact info.

jack - Grapevine/Richardson

Hello,

Jack Snodgrass a écrit :
>
> I have a server running postfix ( don't think that the mail server
> software will make a difference )

The mail software does matter. I don't know about postfix, but exim has
an "interface" option which allows to specify the source adress for
outgoing SMTP connections.

> and it has a primary IP Address
> and a 2nd / virtual IP Address. The 2nd / virtual IP address is
> reverse mapped back to my domain so when I send mail, I want that
> IP Address to be associated with the connection. Normally, the main
> IP Address on the Interface is used.... this does not reverse back
> to my domain so I need to use the 2nd / virtual Ip address on the
> outgoing mail connects.

Why do you need 1) a second address and 2) that address reverse back to
your domain ?

> Some mail servers do a reverse lookup on
> the incoming connection and act differently if you say that you
> are 'y' but your reverse lookup says that you are 'x'.

Why not just set up postfix so the HELO/EHLO name matches the primary
address reverse name ?

> I am pretty sure that iptables is the answer... but I'm not sure
> if I want to mangle or snat or what....

Iptables may be one answer. First, you need to match packets sent from
postfix belonging to outgoing SMTP connections. Then you need to SNAT
those connections with the desired address.

If the postfix process runs as a specific user, you can match the user
id with the 'owner' match. You'll have to MARK the matching packets
because 'owner' is valid only in the OUTPUT chain and 'SNAT' is valid
only in the POSTROUTING chain.

iptables -t mangle -A OUTPUT -m owner --uid-owner <posfix_user_id> \
-j MARK --set-mark 0x1
iptables -t nat -A POSTROUTING -m mark --mark 0x1 \
-j SNAT --to-source <secondary_address>

You can also just match the destination port 25.

iptables -t nat -A POSTROUTING -p tcp --dport 25 \
-j SNAT --to-source <secondary_address>

Or both.

iptables -t mangle -A OUTPUT -m owner --uid-owner <posfix_user_id> \
-j MARK --set-mark 0x1
iptables -t nat -A POSTROUTING -p tcp --dport 25 -m mark --mark 0x1 \
-j SNAT --to-source <secondary_address>

Jack Snodgrass wrote:
> On Thu, 13 Mar 2008 13:58:25 +0100, Peter Ludikovsky wrote:
>
>> Jack Snodgrass wrote:
>>> I'm pretty sure that this has been asked before... but I googled a bit
>>> and could not find an answer....
>>>
>>> I have a server running postfix ( don't think that the mail server
>>> software will make a difference ) and it has a primary IP Address
>>> and a 2nd / virtual IP Address. The 2nd / virtual IP address is
>>> reverse mapped back to my domain so when I send mail, I want that
>>> IP Address to be associated with the connection. Normally, the main
>>> IP Address on the Interface is used.... this does not reverse back
>>> to my domain so I need to use the 2nd / virtual Ip address on the
>>> outgoing mail connects. Some mail servers do a reverse lookup on
>>> the incoming connection and act differently if you say that you
>>> are 'y' but your reverse lookup says that you are 'x'.
>>>
>>> I am pretty sure that iptables is the answer... but I'm not sure
>>> if I want to mangle or snat or what....
>>>
>>> Thanks - jack
>>>
>> In postfix main.cf set (according to man 5 postconf
>> [http://linux.die.net/man/5/postconf])
>> inet_interfaces = <virtual ip adress>
>>
>> HTH
>> /peter
>
> thanks... but that is for incoming mail... that tells postfix which
> ip addresses you want to listen on... when it send mails, it goes
> out the default iface and uses the main ip address associated with
> it...
>
> jack
>

Quote postconf(5), under inet_interfaces:
When inet_interfaces specifies just one IPv4 and/or IPv6 address that
is not a loopback address, the Postfix SMTP client will use this
address as the IP source address for outbound mail....
...
Setting $inet_interfaces to a single IPv4 and/or IPV6 address is
primarily useful with virtual(5,8) host- ing of domains on secondary IP
addresses

HTH
/peter