Issue with the postfix package



  • Hi

    I work at an IT support company, and we have been using pfSense in several production environments for a couple of months now. In one of these installations we are using pfSense as a mail gateway for an Exchange server. It is working fine, but there is an issue that is requiring some additional attention when altering any of the postfix settings on the webConfigurator.

    My setup is as follows:

    pfSense 2.0.1 (i386)
    Postfix Forwarder Package v.2.3.4_1
    Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
    2 NICs:
      NIC 1: Public IP.
      NIC 2: Private subnet, where the Exchange server resides.

    Postfix is listening on both NICs, and relays messages from the cloud to the Exchange server and vice versa.

    The issue is that, when I enable the postscreen service, the public NIC listens and relays messages without errors, but the internal NIC becomes unresponsive, sometimes taking up to 1 hour to relay a message to the cloud. If I disable the postscreen service, the situation is reversed, and the messages from the cloud take up to 1 hour to be relayed to the Exchange.

    The IP of the Exchange server is listed in the My Networks field under Access Lists.

    I've managed to work around the issue by manually editing the master.cf file and disabling postscreen only for the internal interface, but every time I change any of the postfix settings on the webConfigurator, it generates a new master.cf file from the database and I have to change it again manually.

    I would really appreciate it if someone could help me understand why this is happening, and I would like to request, if possible, that future versions of the postfix package include an option to enable the postscreen service on a per-NIC basis, which would avoid the issue altogether.

    Best regards and thanks in advance,

    Pedro Tonini
    RJ - Brasil
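    As an added illustration (not from the original poster or the pfSense package), this is what a per-interface split of the kind described above looks like in Postfix master.cf: postscreen only in front of the public listener, a plain smtpd listener on the internal NIC. The two addresses are constructed placeholders, and the package will still overwrite the file whenever settings are saved in the webConfigurator.

```text
# master.cf fragment (added example; addresses are constructed placeholders)
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# Public NIC: postscreen answers port 25 and hands accepted clients to smtpd
203.0.113.10:smtp inet  n       -       n       -       1       postscreen
smtpd             pass  -       -       n       -       -       smtpd
dnsblog           unix  -       -       n       -       0       dnsblog
tlsproxy          unix  -       -       n       -       0       tlsproxy
# Internal NIC (Exchange side): smtpd listens directly, no postscreen
192.0.2.1:smtp    inet  n       -       n       -       -       smtpd
```

    The `address:port` prefix on an inet service name binds that listener to a single address, so the two listeners never contend for the same socket; dnsblog and tlsproxy are only needed on the public side because only postscreen uses them.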



  • @ptonini:

    I would really appreciate it if someone could help me understand why this is happening

    Did you try to include your internal addresses in the Client access list CIDR field?

    postscreen_access_list = permit_mynetworks,
                             cidr:/usr/local/etc/postfix/cal_cidr


  • Yes, it is. We just moved the mailboxes from an internal postfix server to the Exchange server. Both of them are on the CIDR list, and both of them suffered the same problem.



  • On my setup (high mail volume per day) I have one pool for incoming mail and another pool on virtual machines for outgoing mail.

    Can you check on postfix logs what is happening with these messages?

    Postscreen should forward mail from whitelisted IPs directly to postfix.



  • This server has a high load too, around 10.000 messages per day. Tonight I'll undo my workaround and try to collect some logs for you (I can't do it during work hours).

    I didn't find any clues in the log the last time. I verified the error using telnet: with postscreen enabled I didn't get the helo message on the internal NIC, and with it disabled I didn't get the helo message on the external NIC.

