Problem: If user X is sending mail from IP XYZ, then this mail will be scanned by amavis. Amavis outputs this mail to Postfix, but with the default IP of the server instead of using IP XYZ. ISPConfig / Postfix is using Softfail for the SPF record, but other servers will bounce that mail.

Code:
Received-SPF: Softfail (domain owner discourages use of this host) identity=mailfrom;

Question: How can Postfix and Amavis be made to use the right IP?

Expected result: Use IP XYZ.XYZ.9.236.19 instead of XYZ.XYZ.74.118.

Mail header:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.RECEIVER.TLD (Postfix) with ESMTP id BF7C268007C
    for <[email protected]>; Thu, 20 Apr 2017 08:02:03 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at server0.RECEIVER.TLD
Received: from mail.RECEIVER.TLD ([127.0.0.1])
    by localhost (server0.RECEIVER.TLD [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 3Sl9D6Z0p1Gf for <[email protected]>;
    Thu, 20 Apr 2017 08:02:03 +0200 (CEST)
Received-SPF: Softfail (domain owner discourages use of this host) identity=mailfrom;
    client-ip=XYZ.XYZ.74.118; helo=mail.DOMAIN.TLD; [email protected]; [email protected]
Received: from mail.DOMAIN.TLD (server0.DOMAIN.TLD [XYZ.XYZ.74.118])
    by server0.RECEIVER.TLD (Postfix) with ESMTPS id 80E97680030
    for <[email protected]>; Thu, 20 Apr 2017 08:02:03 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by mail.DOMAIN.TLD (Postfix) with ESMTP id 3F78678131E
    for <[email protected]>; Thu, 20 Apr 2017 08:02:03 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at server0.DOMAIN.TLD
Received: from mail.DOMAIN.TLD ([127.0.0.1])
    by localhost (server0.DOMAIN.TLD [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id iwB6bEnaZ3iU for <[email protected]>;
    Thu, 20 Apr 2017 08:02:02 +0200 (CEST)
Received: from [192.168.1.XYZ] (<DSL-Hostname> [<DSL-IP>])
    (Authenticated sender: [email protected])
    by mail.DOMAIN.TLD (Postfix) with ESMTPSA id 9C5D726F9A
    for <[email protected]>; Thu, 20 Apr 2017 08:02:02 +0200 (CEST)
To: [email protected]
From: WV WIlster <[email protected]>
Subject: MRrhFbWF
Message-ID: <[email protected]>
Date: Thu, 20 Apr 2017 08:01:46 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0

main.cf:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_CAfile = /scripts/ssl/rapidssl_ca.crt
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.DOMAIN.TLD
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail.DOMAIN.TLD, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
# smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service unix:private/policy-spf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service unix:private/policy-spf
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
# smtpd_sender_restrictions = reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_sender_restrictions = reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
inet_protocols = all
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_helo_required = yes
# smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_invalid_helo_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_invalid_helo_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
policy-spf_time_limit = 3600s
master.cf:

Code:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
localhost:smtp inet n - - - - smtpd -o myhostname=server0.DOMAIN.TLD
XYZ.XYZ.74.118:smtp inet n - - - - smtpd -o myhostname=server0.DOMAIN.TLD
XYZ.XYZ.197.49:smtp inet n - - - - smtpd -o myhostname=server0-01.DOMAIN.TLD
XYZ.XYZ.197.50:smtp inet n - - - - smtpd -o myhostname=server0-02.DOMAIN.TLD
XYZ.XYZ.197.51:smtp inet n - - - - smtpd -o myhostname=server0-03.DOMAIN.TLD
XYZ.XYZ.197.52:smtp inet n - - - - smtpd -o myhostname=server0-04.DOMAIN.TLD
XYZ.XYZ.197.53:smtp inet n - - - - smtpd -o myhostname=server0-05.DOMAIN.TLD
XYZ.XYZ.197.54:smtp inet n - - - - smtpd -o myhostname=server0-06.DOMAIN.TLD
XYZ.XYZ.236.17:smtp inet n - - - - smtpd -o myhostname=server0-07.DOMAIN.TLD
XYZ.XYZ.236.18:smtp inet n - - - - smtpd -o myhostname=server0-08.DOMAIN.TLD
XYZ.XYZ.236.19:smtp inet n - - - - smtpd -o myhostname=server0-09.DOMAIN.TLD
XYZ.XYZ.236.20:smtp inet n - - - - smtpd -o myhostname=server0-10.DOMAIN.TLD
XYZ.XYZ.236.21:smtp inet n - - - - smtpd -o myhostname=server0-11.DOMAIN.TLD
XYZ.XYZ.236.22:smtp inet n - - - - smtpd -o myhostname=server0-12.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::2]:smtp inet n - - - - smtpd -o myhostname=server0.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::49]:smtp inet n - - - - smtpd -o myhostname=server0-01.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::50]:smtp inet n - - - - smtpd -o myhostname=server0-02.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::51]:smtp inet n - - - - smtpd -o myhostname=server0-03.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::52]:smtp inet n - - - - smtpd -o myhostname=server0-04.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::53]:smtp inet n - - - - smtpd -o myhostname=server0-05.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::54]:smtp inet n - - - - smtpd -o myhostname=server0-06.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::17]:smtp inet n - - - - smtpd -o myhostname=server0-07.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::18]:smtp inet n - - - - smtpd -o myhostname=server0-08.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::19]:smtp inet n - - - - smtpd -o myhostname=server0-09.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::20]:smtp inet n - - - - smtpd -o myhostname=server0-10.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::21]:smtp inet n - - - - smtpd -o myhostname=server0-11.DOMAIN.TLD
[XYZ:XYZ:XYZ:XYZ::22]:smtp inet n - - - - smtpd -o myhostname=server0-12.DOMAIN.TLD
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
# -o smtpd_bind_address=127.0.0.1
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
127.0.0.1:10027 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_dns_lookups=yes
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf

Telnet with correct IP:

Code:
USER@SERVER05:/tmp$ telnet smtp.CUSTOMER.TLD 25
Trying XYZ.XYZ.236.19...
Connected to mail.CUSTOMER.TLD.
Escape character is '^]'.
220 server0-09.DOMAIN.TLD ESMTP Postfix (Debian/GNU)
ehlo [email protected]
250-server0-09.DOMAIN.TLD
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
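The Softfail in the Received-SPF header above comes from the receiving side matching the connecting IP against the sender domain's SPF record: the record lists the customer's dedicated address, the connection arrived from the server's default one, and the record ends in "~all". The following Python is an added illustration, not code from the thread, ISPConfig or policyd-spf. It is a deliberately minimal SPF evaluator (ip4, ip6 and all mechanisms only; a, mx, include, exists and ptr would need DNS and are treated as no-match here) plus a parser for the Received-SPF line. The SPF record, the header text and the addresses (RFC 5737/3849 documentation ranges standing in for the thread's XYZ.XYZ.* placeholders) are constructed for the example.

```python
"""Minimal SPF evaluation to show why the thread's mail got Softfail.

Added example, not from the thread or any project. Only ip4/ip6/all are
evaluated; DNS-dependent mechanisms count as no-match (conservative).
"""
import re
from ipaddress import ip_address, ip_network

# RFC 7208 qualifiers: no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: the customer's domain authorises only its dedicated IPs
# and ends in "~all", which is exactly the Softfail situation in the thread.
RECORD = "v=spf1 ip4:203.0.113.19 ip6:2001:db8::19 ~all"

# Constructed header in the shape of the thread's Received-SPF line, with the
# server's default address (placeholder for XYZ.XYZ.74.118) as client-ip.
SAMPLE_HEADER = (
    "Received-SPF: Softfail (domain owner discourages use of this host) "
    "identity=mailfrom; client-ip=203.0.113.118; helo=mail.DOMAIN.TLD;"
)


def check_spf(record, client_ip):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    client = ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:
            continue  # modifiers such as redirect= / exp= are ignored here
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ip_network(arg, strict=False)  # bare IP => /32 or /128
            except ValueError:
                return "permerror"  # malformed record
            if client.version == net.version and client in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists, ptr: would need DNS, treated as no-match
    return "neutral"  # no mechanism matched and no "all" present


def parse_received_spf(header):
    """Extract (result, client-ip) from a Received-SPF header line."""
    result = re.match(r"Received-SPF:\s*(\w+)", header)
    client = re.search(r"client-ip=([^;\s]+)", header)
    return (
        result.group(1).lower() if result else None,
        client.group(1) if client else None,
    )


if __name__ == "__main__":
    verdict, ip = parse_received_spf(SAMPLE_HEADER)
    print(f"receiver reported {verdict} for client-ip {ip}")
    print("re-evaluated:", check_spf(RECORD, ip))
    print("with the dedicated IP:", check_spf(RECORD, "203.0.113.19"))
```

Running it shows that the same message would evaluate to pass once it leaves via the address the record lists; the rest of the thread is about making Postfix pick that address.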
You can disable the milters:

Code:
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks, no_milters

Your Postfix sends the mails to localhost:10024 and receives the mails from amavis on localhost:10025.
You need to set up sender_dependent_default_transport_maps so SMTP connections for each customer domain originate from the correct IP address. See https://www.howtoforge.com/community/threads/different-ip-for-email.70582/#post-332222
Look e.g. at this line:

Code:
X.Y.74.118:smtp inet n - - - - smtpd -o myhostname=server0.DOMAIN.TLD

I think it's nearly the same without external maps. Adding

Code:
-o smtp_bind_address=A.B.C.D

should help? I'll try that.

//edit: No success. Wrong IP, either the first IPv4 or the last IPv6 is used.
You need to set up sender_dependent_default_transport_maps. By default email is sent out using the "default" IP address that Postfix will choose (probably the first IP address configured on the server, and apparently XYZ.XYZ.74.118 in your case), and sender-dependent transport maps are how you configure Postfix to use a different transport depending on what the sender's address is.
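To make the advice in the two replies above concrete, here is an added Python example; it is not code from the thread, ISPConfig or Postfix. It renders the three pieces involved (one smtp client service per outbound address in master.cf, the sender-to-transport table, and the main.cf line that enables it) and mimics the lookup order Postfix applies to sender_dependent_default_transport_maps (full envelope sender first, then @domain, otherwise default_transport). The transport names smtp-server0-09 and smtp-server0-10, the customer domains and the RFC 5737/3849 documentation addresses standing in for the thread's XYZ.XYZ.* placeholders are all constructed for the example; the Postfix parameters themselves (smtp_bind_address, smtp_bind_address6, smtp_helo_name, sender_dependent_default_transport_maps) are real.

```python
"""Per-sender outbound IP for Postfix: render the config, simulate the lookup.

Added example, not from the thread or any project. Addresses and names are
constructed placeholders.
"""
from ipaddress import ip_address
from pathlib import Path

# Constructed: one outbound identity per dedicated IP, mirroring the per-IP
# smtpd entries in the thread's master.cf. (transport, (helo, ipv4, ipv6))
OUTBOUND = {
    "smtp-server0-09": ("server0-09.DOMAIN.TLD", "203.0.113.19", "2001:db8::19"),
    "smtp-server0-10": ("server0-10.DOMAIN.TLD", "203.0.113.20", "2001:db8::20"),
}

# Constructed: keys are either "@domain" or a full envelope-sender address.
SENDER_ROUTES = {
    "@customer.example": "smtp-server0-09",
    "@other.example": "smtp-server0-10",
    "billing@customer.example": "smtp-server0-10",  # one mailbox overrides its domain
}

MAP_PATH = "/etc/postfix/sender_transport"  # hypothetical path


def master_cf_entries():
    """One smtp(8) client service per outbound IP for master.cf.

    Binding both address families matters with inet_protocols = all: if only
    smtp_bind_address were set, an IPv6 delivery would still leave via the
    default IPv6 address (the symptom reported in the thread).
    smtp_helo_name keeps the EHLO name consistent with the address's PTR.
    """
    lines = []
    for name, (helo, v4, v6) in OUTBOUND.items():
        ip_address(v4), ip_address(v6)  # fail early on a typo in the table
        lines += [
            f"{name} unix - - n - - smtp",
            f"  -o smtp_bind_address={v4}",
            f"  -o smtp_bind_address6={v6}",
            f"  -o smtp_helo_name={helo}",
            f"  -o syslog_name=postfix/{name}",
        ]
    return "\n".join(lines) + "\n"


def sender_transport_map():
    """The hash: table body; right-hand side is transport:nexthop, like default_transport."""
    return "".join(f"{key} {transport}:\n" for key, transport in SENDER_ROUTES.items())


def main_cf_fragment():
    """The single main.cf line that activates the table."""
    return f"sender_dependent_default_transport_maps = hash:{MAP_PATH}\n"


def resolve_transport(sender, default="smtp"):
    """Simulate Postfix's lookup order for sender_dependent_default_transport_maps.

    Postfix searches the full envelope sender, then @domain; on no match the
    message falls back to default_transport (the "smtp" service here).
    """
    sender = sender.lower()  # postmap folds hash: keys to lowercase
    if sender in SENDER_ROUTES:
        return SENDER_ROUTES[sender]
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    return SENDER_ROUTES.get("@" + domain, default)


def write_config(dest_dir):
    """Write the three fragments into dest_dir for review before merging them."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "master.cf.fragment").write_text(master_cf_entries())
    (dest / "main.cf.fragment").write_text(main_cf_fragment())
    (dest / "sender_transport").write_text(sender_transport_map())
    return sorted(p.name for p in dest.iterdir())


if __name__ == "__main__":
    print(master_cf_entries())
    print(main_cf_fragment())
    print(sender_transport_map())
    for s in ("alice@customer.example", "billing@customer.example", "x@unrouted.example"):
        print(f"{s:28} -> {resolve_transport(s)}")
```

After merging the fragments, the table still needs `postmap /etc/postfix/sender_transport` and a `postfix reload`. The lookup happens when the queue manager hands the message to a delivery agent, which is after amavis has returned it on 127.0.0.1:10025, so the content filter does not get in the way; what the thread's attempt got wrong was putting smtp_bind_address on an smtpd (inbound) service instead of on the smtp (outbound) client service that actually opens the connection.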