How do I get postfix to send mail on a VPN tunnel?
Running postfix 3.4.14 on Debian. I'm using the smtp_bind_address parameter in master.cf to tell postfix to bind on a VPN tunnel interface, labeled "tun45", that has IP address 10.8.0.8.
The daemons successfully bind in "listen" mode to this interface:
```
# netstat -ntlp|grep master
tcp 0 0 10.8.0.8:587 0.0.0.0:* LISTEN 3172/master
tcp 0 0 10.8.0.8:465 0.0.0.0:* LISTEN 3172/master
tcp 0 0 10.8.0.8:25 0.0.0.0:* LISTEN 3172/master
```
But when postfix sends outbound mail, it does not use this interface. The traffic goes out the default interface on the host, which is device enp1s0, with a 192.168 IP.
Has anyone been able to get Postfix to successfully send mail over a VPN tunnel that is not the default route on their host? It's starting to look to me as if the smtp_bind_address parameter does not work correctly for outbound connections if the specified interface is not a typical "device," but rather something else, like a tunnel in this case.
Btw, I do have routes in place to ensure that traffic from source IP 10.8.0.8 goes out the tunnel:
```
# ip route get 1.1.1.1 from 10.8.0.8
1.1.1.1 from 10.8.0.8 dev tun45 table t1 uid 0
    cache
```
And other applications, such as netcat, will direct their traffic through this tunnel properly when told to do so. In the example below, I'm connecting to a foreign SMTP server over the same interface, using nc:
```
# nc -s 10.8.0.8 198.199.107.159 25
220 mx-asp.jvlicenses.com ESMTP Postfix
QUIT
221 2.0.0 Bye
```
But postfix doesn't seem to do this properly.
Master.cf file looks like this (sample entry):
```
10.8.0.8:submission inet n - y - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_key_file=/etc/letsencrypt/live/domain/privkey.pem
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/domain/fullchain.pem
  -o smtp_bind_address=10.8.0.8
  -o myhostname=host.domain
```
Can anyone spot what I'm missing?
1 Reply
Hi @mandrake98
When researching this topic I wasn't able to find much information. There is a post from a Postfix forum that you may find helpful. The post includes a few suggestions from users that advise checking the inet_interfaces parameter in the main.cf file, as well as defining a relayhost within that file. I've also included a link to the official documentation for Postfix Configuration Parameters:
I hope this information will help get you pointed in the right direction!
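
Added example, not part of the thread or of Postfix itself: in the Postfix documentation `smtp_bind_address` is a parameter of the SMTP client, smtp(8), and a `-o` override in master.cf applies only to the service entry that carries it, so this check parses master.cf and reports bind overrides attached to a service that does not run the `smtp` command. The stock `smtp unix` entry in the sample and the function names are assumptions.

```python
# Bind-address parameters that only the SMTP client, smtp(8), reads.
CLIENT_BIND_PARAMS = {"smtp_bind_address", "smtp_bind_address6"}

# Constructed sample: part of the question's submission entry plus a stock
# outbound "smtp" client entry (the second entry is an assumption).
SAMPLE_MASTER_CF = """\
10.8.0.8:submission inet n - y - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtp_bind_address=10.8.0.8
# outbound delivery agent
smtp unix - - y - - smtp
"""

def parse_services(text):
    """Return (service, command, {param: value}) for each master.cf entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                           # blank line or comment
        if line[0].isspace() and logical:      # continuation of previous entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    services = []
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8:
            continue                           # not a complete service entry
        args, overrides = fields[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:  # simple "-o name=value" form only
                name, _, val = value.partition("=")
                overrides[name] = val
        services.append((fields[0], fields[7], overrides))
    return services

def audit_bind_overrides(text):
    """Split bind overrides into effective (on smtp) and ignored (elsewhere)."""
    effective, ignored = [], []
    for service, command, overrides in parse_services(text):
        for name in sorted(CLIENT_BIND_PARAMS & overrides.keys()):
            target = effective if command == "smtp" else ignored
            target.append((service, command, name, overrides[name]))
    return effective, ignored

if __name__ == "__main__":
    effective, ignored = audit_bind_overrides(SAMPLE_MASTER_CF)
    for service, command, name, value in ignored:
        print(f"{service}: {name}={value} does not affect outbound delivery ({command})")
    print("effective client bind overrides:", effective)
```

An empty "effective" list means outbound deliveries use whatever `smtp_bind_address` is set in main.cf, or the kernel's default source address if none is set.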