Re: RBL in Postfix with Load Balancing

From: mouss (mlist.onlyfree.fr)
Date: Wed Jan 02 2008 - 17:33:13 CST


Carlos Jiménez wrote:
>> -----Original Message-----
>> From: owner-postfix-userspostfix.org [mailto:owner-postfix-
>> userspostfix.org] On Behalf Of Victor Duchovni
>> Sent: Wednesday, January 02, 2008 10:31 PM
>> To: postfix-userspostfix.org
>> Subject: Re: RBL in Postfix with Load Balancing
>>
>> On Wed, Jan 02, 2008 at 10:20:35PM +0100, Ralf Hildebrandt wrote:
>>
>>> * Carlos Jiménez <zuberoteleline.es>:
>>>> Hello, everybody:
>>>>
>>>>
>>>>
>>>> I have two server with Postfix running as a Mail Gateway with antispam
>>>> filtering. These two computers are connected to a load balancer (hardware
>>>> appliance). Unfortunately, this device receives all SMTP traffic and
>>>> modifies IP value of the sender with its own (load balancer IP). We have
>>>> configured a filtering based on RBL's, but it doesn't work because this IP
>>>> address is a valid one.
>>> Lose the load balancer and use 2 MX hosts.
>>> Or replace the load balancer with something not quite as broken.
>>>
>> There are other reasons to expose multiple MX hosts rather than a single
>> load balancer IP:
>>
>> - TLS session caching will work better with non-Postfix TLS clients
>> (Postfix clients usually work well even with a load balancer in the
>> way).
>>
>> - Messages that temp-fail the first MX may be delivered directly
>> at a second MX host, but with both behind a load balancer, clients will
>> defer the mail for a re-try.
>>
>> - If one of the two hosts behind the load balancer is overloaded
>> and mail transactions time out, Postfix clients may experience
>> bursts of errors and declare the site dead. With separate MX
>> hosts, this won't happen.
>>
>> This said, it may be possible to configure the load balancer to use
>> XCLIENT. Works well with an F5 in front of some Postfix MSAs here.
>> The load balancer is authorized to send the XCLIENT command. With
>> Postfix 2.4 or later, this is available and safe (the right to use
>> XCLIENT is lost once the new IP identity becomes active).
>>
>> --
>> Viktor.
>>
>> Disclaimer: off-list followups get on-list replies or get ignored.
>> Please do not ignore the "Reply-To" header.
>>
>> To unsubscribe from the postfix-users list, visit
>> http://www.postfix.org/lists.html or click the link below:
>> <mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>
>>
>> If my response solves your problem, the best way to thank me is to not
>> send an "it worked, thanks" follow-up. If you must respond, please put
>> "It worked, thanks" in the "Subject" so I can delete these quickly.
>
>
>
> Thank you for your help.
> Otherwise, I don't understand the last part:
>
>> This said, it may be possible to configure the load balancer to use
>> XCLIENT. Works well with an F5 in front of some Postfix MSAs here.
>> The load balancer is authorized to send the XCLIENT command. With
>> Postfix 2.4 or later, this is available and safe (the right to use
>> XCLIENT is lost once the new IP identity becomes active).
>
> We are using a Cisco CSS and Postfix v2.2.
> Do you mean that the load balancer should not use XCLIENT command in order
> not to change the original e-mail sender IP? Or maybe should sender use
> XCLIENT command?
> I looked for it in http://www.postfix.org/XCLIENT_README.html but I don't
> understand how it affects in this scenario.
>

If the load balancer implements the XCLIENT command (by sending it with
information on the original client), then Postfix would get the IP.
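
The exchange described in this reply, as an added example that is not part of the original post: a sketch of what the balancer side has to send so that Postfix applies its RBL checks to the original client IP. It assumes the Postfix host lists only the balancer in `smtpd_authorized_xclient_hosts`; the function names, the sample EHLO reply and all addresses are constructed for illustration.

```python
import ipaddress

# Assumed main.cf on each Postfix host (192.0.2.10 is a placeholder for the
# balancer's own address; nothing else should be listed here, because any
# host on this list can assert an arbitrary client IP):
#   smtpd_authorized_xclient_hosts = 192.0.2.10

# Constructed EHLO reply, as seen by the balancer after it connects.
SAMPLE_EHLO = """250-mx1.example.com
250-PIPELINING
250-SIZE 10240000
250-XCLIENT NAME ADDR PROTO HELO
250 8BITMIME"""


def xclient_attrs(ehlo_reply):
    """Return the attribute names advertised on the server's XCLIENT line."""
    for line in ehlo_reply.splitlines():
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if line.startswith("250") and words and words[0].upper() == "XCLIENT":
            return {w.upper() for w in words[1:]}
    return set()


def build_xclient(client_ip, ehlo_reply):
    """Build the XCLIENT line that passes the original client IP to Postfix."""
    if "ADDR" not in xclient_attrs(ehlo_reply):
        raise ValueError("server did not advertise XCLIENT ADDR")
    # Accept only a bare IP literal, so nothing taken from the inbound
    # connection can smuggle extra attributes into the command.
    ip = ipaddress.ip_address(client_ip)
    # XCLIENT_README: IPv6 addresses carry an "IPV6:" prefix.
    addr = "IPV6:" + ip.compressed if ip.version == 6 else ip.compressed
    return "XCLIENT ADDR=" + addr


if __name__ == "__main__":
    # The balancer sends this line before relaying the client's own commands.
    print(build_xclient("203.0.113.7", SAMPLE_EHLO))
```
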