# Postfix w/ Multiple Domains and IPs

## CobraNMU

I've successfully got our new postfix server up and running with approx 200 domains on it. Using virtual IPs on a single interface, I have approx 20 IPs listening for mail. However, I've run into a potential problem.

Is there a way to get smtp traffic to go out an IP based on the domain? I have the /etc/hosts all set up with the domains. I also have the users using the correct IPs when they connect to us for their outgoing mail, but it appears all traffic is going out over the first IP address on the interface.

So I'd like to be able to say....

DomainA
mail.domainA.com
pop & smtp use: 208.100.100.1

DomainB
mail.domainB.com
pop & smtp use: 208.100.100.2

----------

## cassiol

Helooo...

Try to resolve with DNS...

----------

## elgato319

*Quote:*

> Is there a way to get smtp traffic to go out an IP based on the domain?

Possible, but very difficult.

You would need to edit master.cf and create several transports, each with a different "smtp_bind_address".

Then, if a client is sending an email, a filter mechanism must decide which transport to use based on the domain name.

----------

## CobraNMU

If DNS isn't possible, what about this? I found it the other day but haven't seen anyone else post it.

http://www.jpuddy.net/2008/05/19/how-to-email-from-specific-ips-using-linux-and-postfix/

It involves creating multiple postfix instances. I'm a bit concerned about that because they all will reach from the same database and use the same file system. I don't want any locking issues, etc.

What do you think?

----------

## kashani

You're not going to create any more locking issues than you already have on your database. You're not increasing the number of queries, just the number of places they are coming from. That guide has you create a /var/postfixXX/spool for each instance so you shouldn't have any queue corruption either. elgato's suggestion looks to be far cleaner and easier to maintain if you can get over the initial technical hump of actually making it work. 

kashani

----------

## CobraNMU

Thanks for the input. I've actually already gotten it working on my backup MX server. The only nasty bit would be if you wanted more than a handful of IPs running, you'd need the same number of config/spool directories. I'm getting the company away from Windows boxes running mailmax (which is a terrible program, but does allow for easy configuration of IP to Domain link up). It's always nice to bring Gentoo/Linux into the Windows users' world. They're all .NET programmers here.

----------

## kashani

Alright, this was way way harder to figure out than I expected. 

1. Configure your IP addresses on server. In this case we're going to have

```
lo0     127.0.0.1
eth0    10.10.10.10
eth0:0  10.10.10.11
```

2. edit your main.cf

You're going to change inet_interfaces=all to use just lo0 and eth0. You don't want the primary instance listening on all IPs. Make sure ALL your IPs are in mynetworks because you're going to want them to be able to talk to each other without having to jump through extra hoops.

```
myhostname = mail01.badapple.net
inet_interfaces = 127.0.0.1 10.10.10.10
mydestination = $myhostname, localhost.$mydomain, localhost,
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 10.10.10.10/32 10.10.10.11/32
```

3. restart Postfix and make sure everything still works. 

4. Now we're going to edit your master.cf

We're going to copy the first line and then add the IP of eth0:0 with some -o statements which will override the main.cf settings for that smtp instance.

```
#
# =================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# =================================================
smtp      inet  n       -       n       -       -       smtpd
10.10.10.11:smtp      inet  n       -       n       -       -       smtpd
        -o myhostname=mail02.badapple.net -o smtp_bind_address=10.10.10.11
```

5. restart postfix and make sure your main instance still works. Also verify that you see port 25 bound to lo0, eth0, and eth0:0 using netstat -ptln 

6. Test it.

You should see this in your incoming logs.

```
from test.home.badapple.net (test.home.badapple.net [10.20.20.20])
by mail02.badapple.net (Postfix) with SMTP id 2370F15001B   for <xxxxx@xxxxxxt>; Wed,  9 Jul 2008 22:31:49 -0700 (PDT)
```

and this on outgoing. You'll notice it starts from your virtual IP, but does the actual send off the machine through the normal IP. You might be able to do something about that, but it doesn't seem worth the bother unless you really want mail being sent from the virtual IPs for some reason.

```
Received: from mail01.badapple.net (mail01.badapple.net [10.10.10.10])
by test.home.badapple.net (8.13.8/8.13.8/y.in) with ESMTP id m6A5DR35030637   for <xxxxx@xxxxxx.xxxx>; Wed, 9 Jul 2008 22:13:27 -0700 (PDT)
Received: from mail02.badapple.net (mail02.badapple.net [10.10.10.11])
by mail02.badapple.net (Postfix) with SMTP id 46A2226F4002   for <xxxxx@xxxxxx.xxx>; Wed,  9 Jul 2008 22:13:06 -0700 (PDT)
```

This appears to be the simplest way to do vanity smtpd servers without having to manage a ton of config files. For each vhost you will create a line in your /etc/postfix/master.cf and restart Postfix. Well, you need to add the domains to whatever virtual system you're using as well. These extra smtpd instances will all call the normal internal Postfix binaries through the master Postfix process so we should not have to worry about locking, queues, etc. Additionally we don't need to handle custom configs per instance because each instance is using your normal config other than faking the name which we are setting on the command line.

You could probably get much more complicated than this with access hashes and transports, but the documentation for this sort of stuff isn't great. I'd do the above and quit while you're ahead.

kashani
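
The following is an added example (not code from the thread or from either poster) that ties elgato319's per-transport `smtp_bind_address` suggestion to kashani's per-IP smtpd listeners: it generates both kinds of master.cf entries from a constructed domain/IP/hostname mapping, builds the matching sender map, and checks a `netstat -ptln` style listing for the step 5 verification. The domains, IPs and hostnames are placeholders; `sender_dependent_default_transport_maps` is assumed to be available (Postfix 2.7 or later).

```shell
#!/bin/sh
# Added example, not from the thread. Constructed mapping of
# "sender-domain  virtual-IP  hostname-to-announce" (placeholder values).
MAP='domaina.com 10.10.10.11 mail02.badapple.net
domainb.com 10.10.10.12 mail03.badapple.net'

ipname() { echo "$1" | tr . _; }   # 10.10.10.11 -> 10_10_10_11

# master.cf entries: per-IP inbound smtpd listener (as in step 4 above)
# plus a per-IP outbound smtp transport. smtp_bind_address only affects
# the smtp client, so it goes on the transport, not on the smtpd line.
gen_master_cf() {
    printf '%s\n' "$MAP" | while read -r domain ip host; do
        [ -n "$domain" ] || continue
        printf '%s:smtp inet n - n - - smtpd\n' "$ip"
        printf '  -o myhostname=%s\n' "$host"
        printf 'smtp-%s unix - - n - - smtp\n' "$(ipname "$ip")"
        printf '  -o smtp_bind_address=%s -o smtp_helo_name=%s\n' "$ip" "$host"
    done
}

# Map for main.cf "sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport"
# (Postfix 2.7+): mail from @domain is routed through that domain's transport.
gen_sender_map() {
    printf '%s\n' "$MAP" | while read -r domain ip host; do
        [ -n "$domain" ] || continue
        printf '@%s smtp-%s:\n' "$domain" "$(ipname "$ip")"
    done
}

# Step 5 check: every mapped IP must appear bound on :25 in a
# "netstat -ptln" style listing passed as $1. Non-zero exit if one is missing.
check_listeners() {
    rc=0
    for ip in $(printf '%s\n' "$MAP" | awk '{print $2}'); do
        printf '%s\n' "$1" | grep -q "[[:space:]]$ip:25[[:space:]]" ||
            { echo "missing listener: $ip:25" >&2; rc=1; }
    done
    return $rc
}

# Constructed listing: 10.10.10.12 is not yet bound, so the check fails.
SAMPLE='tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1234/master
tcp 0 0 10.10.10.10:25 0.0.0.0:* LISTEN 1234/master
tcp 0 0 10.10.10.11:25 0.0.0.0:* LISTEN 1234/master'

gen_master_cf; gen_sender_map
check_listeners "$SAMPLE" || echo "add the missing entry before continuing"
```

After `postmap /etc/postfix/sender_transport` and a reload, a blacklisting of one virtual IP then only touches the domains mapped to it, which was the original goal of splitting the domains across IPs.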

----------

## CobraNMU

I like the detail. But I have one followup question.

What about Blacklisting of IPs? The reason I'd like to put people on different IPs (about 200 domains split amongst 7 or 8 IPs) is due to some of them getting Blacklisted from time to time. If Customer A is dumb, I just want to limit the effect they'll have on the rest of the network.

So the way I was doing it (multiple confs) does force the traffic out over the virtual IP, which is good, but I'm running into issues trying to figure out how to make amavis work with that (since it runs on localhost:10024 and 10025). 

Rob

----------

## kashani

That was one of the reasons I came up with the extra smtpd process within a single Postfix instance. Things like greylisting and all my header_checks just work since I'm still ultimately using the same config, I'm just overriding the name depending on the IP. Things like TLS might be a bit interesting. I would actually update to Postfix 2.5.x before trying to get individual TLS certs per instance since there are some changes in the newer version that make dealing with TLS easier.

I might do some more research over the weekend because it's an interesting problem, but you should probably try a few things yourself. I didn't do much testing and you might find the current config would actually work in a normal system. 

kashani

----------

## CobraNMU

I've actually been playing with the configs for a while. I think I'm getting close though. I have amavis listening on localhost to anyone from my subnet (which covers all of my IPs). Then you can tell amavis to return to * instead of localhost. It (in theory) should return to the IP that it received it from. Then in the master file, I have it go to localhost:10024 and listen for the return on the public IP:10025. I just need to have a firewall in place to ensure no one can send via that method except for me. I'll keep you posted (planning on finishing it up tomorrow)..

Rob

----------

