The parameter smtp_bind_address is used for smtpd postfix daemon to make outgoing connections to mailservers. Therefore it uses the IP address from which the outgoing connection will be made.
The parameter is also not for a hostname but for IP addresses of the interfaces to listen.
For SPF I want to make sure which address SMTP-clients bind to and I wanted to do this with an IP-independent configuration (like I always do).
In your instance where postfix is running you might have a few interfaces including loopback. You may also have several IP addresses set on one interface, and there is a default gateway set for one of the interfaces. By default inet_interfaces = all, so it will listen on all IP addresses for incoming traffic.
By default outgoing traffic will be made using the primary IP address on which the default gateway is set, unless you set smtp_bind_address to a specific IP address.
SMTP-clients (MUA) will be connecting to one of the ports you've specified. Currently secure ports are 465 or 587. SPF won't be checked at any point between client and server.
SPF as well as DKIM and DMARC will be checked during communication between mailservers (MTA), which connect to each other on destination port 25 for email transfer. The connection will be made to one of the IP addresses specified in inet_interfaces or, if configured, to the IP address specified in master.cf for it. (If your MTA is behind a firewall NAT, then the setup of IP addresses should be appropriate to it.)
Therefore in SPF you should include any IP address from which your MTA (or load-balancing/farm mailserver) connects to other mailservers on the Internet.
Also, if you use an email gateway or external mail services which send emails on behalf of your MTA, include their hostnames in SPF.
Then other mailservers (destinations for email sent from your MTA) on the Internet will perform validation of your SPF and IP or third-party domain name. If the SPF check fails, then depending on the destination server/antispam configuration your email will be allowed&scored/quarantined/blocked.
Below are 2 examples taken from email headers.
SPF TXT record: "v=spf1 mx ip4:xx.xx.42.61 ip4:xx.xx.210.85 a:antispam.domain.test ~all"
PTR record: xx.xx.42.61 mail.domain.test
MX record: domain.test antispam.domain.test
A record: mail.domain.test xx.xx.42.61
Accepted:
Received-SPF: pass (mx-inboundxx-xx.us-east-2a.xx.xx.cloudantispam.com: domain of test@domain.test designates xx.xx.42.61 as permitted sender)
Softfail because the IP doesn't match allowed ones:
Received-SPF: softfail (mx-inboundxx-xx.us-east-2b.xx.xx.cloudantispam.com: domain of transitioning test@domain.test does not designate xx.xx.42.34 as permitted sender)
If you have IPv6, verify that it's included in your configuration.
HINT: Disable IPv6 if your ISP doesn't support it. Run zgrep "Network is unreachable" /var/log/mail.log.* to check if you have this issue already.
Refer to What does it mean connect to aspmx.l.google.com:25: Network is unreachable?
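As an added example (not part of the original answer), the following Python sketch evaluates an SPF record of the shape shown above against candidate outgoing source addresses, so you can see which bind addresses a receiving MTA would pass or softfail. The addresses, the DNS_A/DNS_MX tables and the function names are constructed stand-ins (documentation ranges replace the masked IPs), and only the ip4, ip6, a, mx and all mechanisms without CIDR suffixes on a/mx are handled.

```python
import ipaddress

# Constructed sample record; documentation-range IPs stand in for the masked ones.
SPF = "v=spf1 mx ip4:192.0.2.61 ip4:198.51.100.85 a:antispam.domain.test ~all"
# Hypothetical offline stand-in for DNS lookups (A/AAAA and MX), assumption only.
DNS_A = {"antispam.domain.test": ["203.0.113.10"], "mail.domain.test": ["192.0.2.61"]}
DNS_MX = {"domain.test": ["antispam.domain.test"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _matches(ip, term, domain):
    """Return True if one SPF mechanism (qualifier already stripped) matches ip."""
    name, _, arg = term.partition(":")
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)
        return ip.version == net.version and ip in net
    if name == "all":
        return True
    if name == "a":
        hosts = [arg or domain]
    elif name == "mx":
        hosts = DNS_MX.get(arg or domain, [])
    else:
        return False  # include, exists, ptr and modifiers are not handled here
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in DNS_A.get(h, []))

def spf_result(source_ip, domain, record=SPF):
    """Evaluate mechanisms left to right; the first match decides the result."""
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if _matches(ip, term.lstrip("+-~?"), domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def uncovered(bind_addresses, domain):
    """Outgoing source addresses that would not get an SPF pass."""
    return [a for a in bind_addresses if spf_result(a, domain) != "pass"]

if __name__ == "__main__":
    # Constructed candidates: the bind address, a secondary IPv4, and an IPv6 source.
    for addr in ("192.0.2.61", "192.0.2.34", "2001:db8::25"):
        print(addr, spf_result(addr, "domain.test"))
```

The IPv6 source softfails here because the record has no ip6 mechanism and the constructed DNS table has no AAAA entries, which is the situation the IPv6 note above is about.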