Jamen edited this page May 13, 2022 · 1 revision

Mixed Example (Primary Sender Based w/ Catch-all and Secondary IP Catch-all)

Use Case:

Let's say that we have a Sender Based Relay server (169.254.1.12) configured with the catch-all account of [email protected], but we also have devices on our network that have no configuration setting for a 'From:' address. We want to receive mail from these devices, but we don't want it to appear to come from [email protected]; we want it to appear to come from a different address. We'll use [email protected].

To differentiate between our regular senders and the important devices, we can set up two xoauth2-enabled postfix relay instances on the same server. Mail that the super important devices send to the second IP address then goes out from [email protected]. We'll use 169.254.1.13 for the second instance of postfix.

Let's Start!

After a working relay server is configured with 169.254.1.12, we can add on to it with postmulti. That way, an xoauth2 account can be specified as the relay account to be used based on the IP address the message is sent to.

To begin, tell the server that you want to use postmulti:

$ postmulti -e init

This allows the following command to be run, which creates the directories for the next instance of postfix. A group can be specified so that instances can be controlled by group. If groups are not going to be used, put in a descriptive word instead.

$ postmulti -I postfix-2 -G postfix_group_2 -e create config_directory=/etc/postfix-2 queue_directory=/var/spool/postfix-2 data_directory=/var/lib/postfix-2

This puts some configuration lines at the end of the current /etc/postfix/main.cf file. Some of the configuration lines that are automatically placed there might need to be modified.

Make your /etc/postfix-2/main.cf file modifications. Follow the readme to make a relay setup like you did for the first instance of postfix. The two files will be almost identical except for the new lines at the bottom.

Comment out these lines.

#master_service_disable = inet
#authorized_submit_users =

Add the interface line.

inet_interfaces = 169.254.1.13

Edit your original /etc/postfix/main.cf file.

Modify this line so that local mail (mail from this server) goes out through this relay by default, and so that this instance also listens on the primary IP address.

inet_interfaces = localhost, 169.254.1.12

If everything looks OK, enable the new instance.

$ postmulti -i postfix-2 -e enable

And then start it.

$ postfix -c /etc/postfix-2 start
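The listener settings from the steps above can be checked before the instance is enabled. This is an added example, not part of the original page or the project; the function names conf_get and check_listener are made up for it, and it reads main.cf directly rather than asking postconf.

```shell
#!/bin/sh
# Added example: static check of an instance's listener settings in main.cf.
# Usage: check_listener /etc/postfix/main.cf   169.254.1.12
#        check_listener /etc/postfix-2/main.cf 169.254.1.13

# Print the effective value of a parameter. Postfix keeps the last
# assignment in main.cf; continuation lines are not handled here.
conf_get() {  # conf_get <main.cf> <parameter>
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# Succeed only if the instance will open its TCP listener and only on the
# expected IP (localhost is tolerated, as the primary instance keeps it).
check_listener() {  # check_listener <main.cf> <expected-ip>
    conf=$1
    ip=$2
    disabled=$(conf_get "$conf" master_service_disable | tr -s ' \t' ',,')
    case ",$disabled," in
        *,inet,*) echo "$conf: master_service_disable still lists inet"
                  return 1 ;;
    esac
    ifaces=$(conf_get "$conf" inet_interfaces | tr -s ' \t' ',,')
    [ -n "$ifaces" ] || { echo "$conf: inet_interfaces not set"; return 1; }
    found=no
    old_ifs=$IFS
    IFS=,
    for i in $ifaces; do
        case $i in
            "$ip") found=yes ;;
            localhost|127.0.0.1) ;;
            *) IFS=$old_ifs
               echo "$conf: unexpected listener $i"
               return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$found" = yes ] || { echo "$conf: $ip missing from inet_interfaces"; return 1; }
}
```

A non-zero return for either file means the two instances would not split traffic by destination IP as described, for example because inet_interfaces is still set to all.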

A note for chroot

If you have multiple instances of postmulti, check out this gist for dynamically managing postmulti instances. The script covers everything below.

DNS will not be able to resolve without a resolv.conf file located in the instance's /var/spool directory (here /var/spool/postfix-2/etc). It might be a good idea to check the contents of this file first.

$ cp /etc/resolv.conf /var/spool/postfix-2/etc/resolv.conf

It will also need some library files that will not be created automatically.

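$ cp -r /var/spool/postfix/lib/x86_64-linux-gnu /var/spool/postfix-2/lib

If these are not copied to the new instance's /var/spool directory, you'll get an error like the one below when it comes time to get a new token. Note that the refresh request line in this log carries the OAuth client ID, client secret and refresh token (masked here with x's), so keep the mail log readable only by administrators.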

TokenStore::GetAccessToken: token expired. refreshing.
Nov  2 15:23:39 relay sasl-xoauth2:   2020-11-02 15:23:39: TokenStore::Refresh: attempt 1
Nov  2 15:23:39 relay sasl-xoauth2:   2020-11-02 15:23:39: TokenStore::Refresh: request: client_id=xxx-xxxxxxx.apps.googleusercontent.com&client_secret=xxxxx-xxxx&grant_type=refresh_token&refresh_token=xxxxxxxx
Nov  2 15:23:39 relay sasl-xoauth2:   2020-11-02 15:23:39: TokenStore::Refresh: http error: Could not resolve host: accounts.google.com
Nov  2 15:23:39 relay sasl-xoauth2:   2020-11-02 15:23:39: Client::DoStep: new state 0 and err -5
Nov  2 15:23:39 relay sasl-xoauth2:   2020-11-02 15:23:39: Client: destroyed
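The two copy steps above can be verified before the first token refresh fails. This is an added example, not part of the original page or the linked gist; check_chroot is a made-up function name, and the lib/x86_64-linux-gnu path is taken from the cp command above.

```shell
#!/bin/sh
# Added example: compare a new instance's chroot with the primary one.
# Usage: check_chroot /var/spool/postfix /var/spool/postfix-2

# check_chroot <primary-queue-dir> <new-queue-dir> [resolv.conf source]
# Returns 0 if complete, 1 if something is missing or stale, 2 if the
# primary chroot has no library directory to compare against.
check_chroot() {
    primary=$1
    new=$2
    resolv=${3:-/etc/resolv.conf}
    rc=0
    # A missing or outdated copy leads to "Could not resolve host" on refresh.
    if [ ! -s "$new/etc/resolv.conf" ]; then
        echo "MISSING $new/etc/resolv.conf"
        rc=1
    elif ! cmp -s "$resolv" "$new/etc/resolv.conf"; then
        echo "STALE   $new/etc/resolv.conf differs from $resolv"
        rc=1
    fi
    # Every library the primary chroot carries must exist in the new one.
    libdir=lib/x86_64-linux-gnu
    if [ ! -d "$primary/$libdir" ]; then
        echo "NOREF   $primary/$libdir not found"
        return 2
    fi
    for f in "$primary/$libdir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if [ ! -e "$new/$libdir/$name" ]; then
            echo "MISSING $new/$libdir/$name"
            rc=1
        fi
    done
    return $rc
}
```

The STALE case matters after the host's resolver configuration changes, because the copy inside the chroot is not updated with it.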

Troubleshooting

List postmulti instances and their status.

$ postmulti -l

-               -                 y         /etc/postfix
postfix-2        postfix_group_2  y         /etc/postfix-2

Check netstat to see if it's running.

$ netstat -tulpn

The output should contain both IP addresses.

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1782/apache2
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      707/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      793/sshd: /usr/sbin
tcp        0      0 169.254.1.12:25      0.0.0.0:*                  LISTEN      28618/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      28485/master
tcp        0      0 169.254.1.13:25      0.0.0.0:*                  LISTEN      28485/master
udp        0      0 127.0.0.53:53           0.0.0.0:*                           707/systemd-resolve

Checking Mail Queues

Regular postfix instance queues can be checked with postqueue.

$ postqueue -p

Additional instances can be checked with postmulti.

$ postmulti -i postfix-2 -x postqueue -p

Postmulti queues can be cleared with the following command, which deletes every message queued in that instance.

$ postmulti -i postfix-2 -x postsuper -d ALL