How do I get postfix to send mail on a VPN tunnel?

Running postfix 3.4.14 on Debian. I'm using the smtp_bind_address parameter in master.cf to tell postfix to bind on a VPN tunnel interface, labeled "tun45", that has IP address 10.8.0.8.

The daemons successfully bind in "listen" mode to this interface:

```
# netstat -ntlp|grep master
tcp 0 0 10.8.0.8:587 0.0.0.0:* LISTEN 3172/master
tcp 0 0 10.8.0.8:465 0.0.0.0:* LISTEN 3172/master
tcp 0 0 10.8.0.8:25 0.0.0.0:* LISTEN 3172/master
```

But when postfix sends outbound mail, it does not use this interface. The traffic goes out the default interface on the host, which is device enp1s0, with a 192.168 IP.

Has anyone been able to get Postfix to successfully send mail over a VPN tunnel that is not the default route on their host? It's starting to look to me as if the smtp_bind_address parameter does not work correctly for outbound connections if the specified interface is not a typical "device," but rather something else, like a tunnel in this case.

Btw, I do have routes in place to ensure that traffic from source IP 10.8.0.8 goes out the tunnel:

```
# ip route get 1.1.1.1 from 10.8.0.8
1.1.1.1 from 10.8.0.8 dev tun45 table t1 uid 0
    cache
```

And other applications, such as netcat, will direct their traffic through this tunnel properly when told to do so. In the example below, I'm connecting to a foreign SMTP server over the same interface, using nc:

```
# nc -s 10.8.0.8 198.199.107.159 25
220 mx-asp.jvlicenses.com ESMTP Postfix
QUIT
221 2.0.0 Bye
```

But postfix doesn't seem to do this properly.

Master.cf file looks like this (sample entry):

```
10.8.0.8:submission inet n - y - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_key_file=/etc/letsencrypt/live/domain/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/domain/fullchain.pem
  -o smtp_bind_address=10.8.0.8
  -o myhostname=host.domain
```

Anyone can spot what I'm missing?

1 Reply

Hi @mandrake98

When researching this topic I wasn't able to find much information. There is a post from a Postfix forum that you may find helpful. The post includes a few suggestions from users that advise to check the inet_interfaces parameter in the main.cf file, as well as defining a relayhost within that file. I've also included a link to the official documentation for Postfix Configuration Parameters:

I hope this information will help get you pointed in the right direction!
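
Added example, not part of the original thread and not Postfix's own code: `smtp_bind_address` is a setting of the Postfix SMTP client (the `smtp` command in master.cf), so this check parses master.cf and reports entries where it is overridden on some other service, as in the submission entry quoted in the question. The sample file is constructed (the question's entry, shortened, plus a stock-style `smtp` client line), the function names are hypothetical, and only the plain `-o name=value` form is handled.

```python
# Added example: find smtp_bind_address overrides that sit on a master.cf
# service other than the Postfix SMTP client (command "smtp").

CLIENT_ONLY = {"smtp_bind_address", "smtp_bind_address6"}  # smtp client settings

# Constructed sample: the question's submission entry (shortened) followed by
# an outbound client entry that carries the same override.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
10.8.0.8:submission inet n - y - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtp_bind_address=10.8.0.8
smtp unix - - y - - smtp
  -o smtp_bind_address=10.8.0.8
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) into one entry each."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def parse_entry(line):
    """Return (service, command, {parameter: value}) for one entry."""
    fields = line.split()
    if len(fields) < 8:
        raise ValueError(f"not a master.cf service entry: {line!r}")
    service, command, args = fields[0], fields[7], fields[8:]
    overrides = {}
    for i, arg in enumerate(args[:-1]):
        if arg == "-o" and "=" in args[i + 1]:
            name, value = args[i + 1].split("=", 1)
            overrides[name] = value
    return service, command, overrides

def misplaced_bind_overrides(text):
    """List (service, command, parameter, value) for client-only bind
    overrides found on an entry whose command is not smtp."""
    findings = []
    for line in logical_lines(text):
        service, command, overrides = parse_entry(line)
        if command != "smtp":
            findings += [(service, command, name, overrides[name])
                         for name in sorted(CLIENT_ONLY & overrides.keys())]
    return findings
```

On the constructed sample, only the `10.8.0.8:submission` entry is reported; the same override on the `smtp` client entry is not.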
