Postfix won't send on failover IP

Discussion in 'ISPConfig 3 Priority Support' started by babydunk, Jun 9, 2016.

  1. babydunk

    Hello All

    Hotmail have my main server IP on their blacklist and will not migrate it for love nor money :(. I have a group of failover IPs which have been migrated on a trial basis by Hotmail. (Hotmail is the only provider I am having trouble with.)
    I have tried changing my server domain to one of these failovers, which would be good not only for the email trouble but for the future if I ever needed to move servers. It would just be a matter of cloning my setup and getting the failover IPs transferred to the new box.

    I had changed these settings but have since reverted back, as it didn't make any change to the sending IP from Postfix.

    I changed the server IP:
    all failovers are already listed in /etc/network/interfaces

    I also changed the IP in System / Server Config / Server Name / Server / IP Address.
    All of which blocked any mail from being sent.

    I even tried
    # Bind to an ip address
    smtp_bind_address = xx.xx.xx.xx
    inet_interfaces = xx.xx.xx.xx,

    which also broke the emails.

    Any help is much appreciated.
  2. till

  3. babydunk

    Hi Till

    Thanks for the reply, but the above recommendation has broken the email altogether.

    Now I'm trying to figure out how to remove
    iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source xx.xx.xx.xx
    Sometimes it goes easy; other times you just wanna pull out what hair you have left.

    I can't even find that table I put in
    root@server1:~# iptables -t nat --line-numbers -L
    Chain PREROUTING (policy ACCEPT)
    num  target     prot opt source               destination
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    Chain POSTROUTING (policy ACCEPT)
    num  target     prot opt source               destination
  4. babydunk

    I have noticed that when the system is rebooted it loses the iptables record. So if that is the case, why does it not go back to the original settings?
    What else could be wrong? All other settings have been returned to the original settings. I am starting to form a mail queue :(

    root@server1:~# postconf -n
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[]:10024
    dovecot_destination_recipient_limit = 1
    greylisting = check_policy_service inet:
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = domain.tld, localhost, localhost.localdomain
    myhostname = domain.tld
    mynetworks = [::1]/128
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    owner_request_special = no
    policy-spf_time_limit = 3600s
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/
    relay_recipient_maps = mysql:/etc/postfix/
    relayhost =
    sender_bcc_maps = proxy:mysql:/etc/postfix/
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
    smtpd_error_sleep_time = 1s
    smtpd_hard_error_limit = 20
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/ , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/, check_sender_access regexp:/etc/postfix/
    smtpd_soft_error_limit = 10
    smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/, proxy:mysql:/etc/postfix/
    virtual_gid_maps = mysql:/etc/postfix/
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/
    virtual_transport = dovecot
    virtual_uid_maps = mysql:/etc/postfix/
  5. till

    The iptables settings are reset on reboot, so the POSTROUTING rule must be gone after a server reboot. Please post the exact error messages from the mail log file.
  6. babydunk

    I was just about to post back. I got my mail server working. When I changed all the settings back yet again I forgot to reboot the system to allow the hostname to change :confused:

    I'm gonna retry that iptables line again. Will post back.
  7. babydunk

    Right. I resubmitted
    iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source xx.xx.xx.xx
    and emails are being received with the chosen IP address.

    What is best practice for me now?
    • Do I edit /etc/resolv.conf and change the nameserver to this IP?
    • Then change the ns1 and ns2 at the domain provider.
    • Also, do I change the IP for the email gateway domain for all mail sent in the DNS zones? (Meaning all my email gets sent through one IP and one mail.domain.tld.)
    • Change my rDNS for this IP to correspond with my gateway domain.
    • Then, since changing the ns1 and ns2 IP, change the NS records for all other domains on the server.
    I don't think I need to change hosts or any settings in ISPConfig / System / Server Settings.

    Please correct me if I am wrong.
    Thanks in advance.
  8. till

    I would just do this step. What matters is that the email providers get a correct rDNS answer when they query the new IP.
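    Till's point is that the receiving providers look up the PTR of the new source IP, so the failover IP, its PTR and the name Postfix announces (myhostname) must all agree. The following is an added example, not code from the thread or from ISPConfig, of a forward-confirmed rDNS check for an outbound mail IP; the resolver hooks default to the system resolver, and the sample zone data (192.0.2.x, example.net) is constructed placeholder data so the check can run offline.

```python
import socket
from typing import Callable, Dict, List

# Resolver hooks: the defaults query the system resolver; a test or a
# dry run can inject fixed lookup tables so the check runs offline.
def system_ptr(ip: str) -> List[str]:
    """PTR names for ip (lower-cased, no trailing dot); empty if none."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return sorted({n.rstrip(".").lower() for n in [host, *aliases]})
    except OSError:
        return []

def system_a(name: str) -> List[str]:
    """Addresses that name resolves to; empty if it does not resolve."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns_report(ip: str, helo_name: str,
                  ptr: Callable[[str], List[str]] = system_ptr,
                  a: Callable[[str], List[str]] = system_a) -> Dict[str, object]:
    """Forward-confirmed reverse DNS check for an outbound mail source IP.
    Passes only if ip has a PTR, every PTR name resolves back to ip, and the
    HELO name (Postfix myhostname) is that PTR name and resolves to ip."""
    helo = helo_name.rstrip(".").lower()
    ptr_names = ptr(ip)
    problems: List[str] = []
    if not ptr_names:
        problems.append(f"no PTR record for {ip}")
    for name in ptr_names:
        if ip not in a(name):
            problems.append(f"PTR {name} does not resolve back to {ip}")
    if helo not in ptr_names:
        problems.append(f"HELO name {helo} is not the PTR of {ip}")
    if ip not in a(helo):
        problems.append(f"HELO name {helo} does not resolve to {ip}")
    return {"ip": ip, "ptr": ptr_names, "ok": not problems, "problems": problems}

# Constructed sample zone data (documentation addresses, not real hosts):
# .10 is set up correctly, .11 still carries a stale PTR from an old name.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net"], "192.0.2.11": ["old.example.net"]}
SAMPLE_A = {"mail.example.net": ["192.0.2.10"], "old.example.net": ["192.0.2.99"]}

def sample_check(ip: str, helo: str) -> Dict[str, object]:
    """Run the check against the constructed sample data instead of live DNS."""
    return fcrdns_report(ip, helo, ptr=lambda i: SAMPLE_PTR.get(i, []),
                         a=lambda n: SAMPLE_A.get(n, []))
```

    Calling fcrdns_report with the defaults checks the live DNS of the server; run it against the failover IP and the myhostname value from postconf -n before switching mail to that IP.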
  9. babydunk

    I have placed this
    # IP routing for email delivery
    /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source xx.xx.xx.xx
    in /usr/local/ispconfig/server/ and am trying to set a cronjob
    * * * * * /usr/local/ispconfig/server/

    Can you check to see if this is good or if I need to change anything?

    Nope, this doesn't work.

    I have also tried
    iptables-save > /etc/iptables_rules
    and added
    /sbin/iptables-restore < /etc/iptables_rules
    to /etc/rc.local, but that doesn't work either lol

    Doesn't even work if you load it with /etc/network/if-up.d/iptables.

    This iptables line just does not want to load at boot :(
  10. babydunk

  11. till

    I would just add the line:

    /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source xx.xx.xx.xx

    in rc.local. Or do you use a firewall on the server that might remove the rule?
  12. babydunk

    I will give that a go. :) Now I want it changed permanently.

    Thanks Till
  13. babydunk

    When I restart the machine and run iptables -t nat -L the rule does show.

    Does it matter where in /etc/rc.local I place that line?
    #!/bin/sh -e
    # rc.local
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    # In order to enable or disable this script just change the execution
    # bits.
    # By default this script does nothing.
    true > /etc/motd
    /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source xx.xx.xx.xx
  14. till

    Please post the output of:

    iptables -L
  15. babydunk

  16. till

  17. babydunk

    Thank you Till

    That did the job ;) Now I can stop worrying about the mail being routed to the wrong IP.

  18. babydunk

  19. babydunk

  20. till

    Bastille is a normal iptables firewall script, so it is fine to use that.

