From: Wietse Venema (wietse porcupine.org)
Date: Sun Jan 06 2008 - 17:18:13 CST

Carlos Jiménez:
> > -----Original Message-----
> > From: owner-postfix-users postfix.org [mailto:owner-postfix-
> > users postfix.org] On Behalf Of Wietse Venema
> > Sent: Thursday, January 03, 2008 1:14 AM
> > To: Postfix users
> > Subject: Re: RBL in Postfix with Load Balancing
> >
> > Victor Duchovni:
> > > > if the load balancer implements the XCLIENT command (by sending it
> > with
> > > > infos on the original client), then postfix would get the IP.
> > >
> > > The load balancer we do this with can have a customizable
> > conversation
> > > with the server before it yields control to the client.
> > >
> > > Client->LB: Connect
> > > LB->Server: Connect, wait for banner
> > > Server->LB: 220 ...
> > > LB->Server: XCLIENT ADDR=...
> > > Server->LB: 250 ...
> > > LB->Client: 220 ...
> > > ... LB yields connection to client ...
> > >
> > > various error handling ...
> >
> > (forget about two server replies after XCLIENT; there is only one)
> >
> > I never thought of using XCLIENT this way.
> >
> > Does the load balancer provide the client hostname with the XCLIENT
> > command? If not, then Postfix will use (and log) the real client
> > address with the load balancer's hostname. It's not a big deal, it
> > just means you can't have access rules based on the client hostname.
>
>
> We have checked it and it does not seem to support the XCLIENT command. We believe
> it is because this is an old CSS model.
> I thought there could be some way to "bypass" this issue to obtain the original
> client IP/hostname. In fact, we are interested in obtaining the sender IP (not
> the load balancer's) to have filtering rules based on it (i.e. Greylisting,
> RBL...).
> If our purpose of obtaining the IP is not possible, do you know any method
> to implement some efficient (or similar) access rules?

Postfix supports one mechanism to override the source IP address,
and that is the XCLIENT command.

Everything else requires major changes in the load balancer, so
that it forwards connections without altering the source IP address.

Why use a load balancer in the first place? Contrary to what some
people seem to believe, SMTP is not HTTP, and unless you have a
shortage of IP addresses, avoid running SMTP servers behind a NAT.

Wietse
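
The load-balancer side of the XCLIENT exchange quoted above, as an added example that is not part of the original message or of any product mentioned in it. The function names, the socketpair stand-in server and its banner and reply strings are constructed for illustration.

```python
import ipaddress, socket, threading

def xclient_command(client_ip):
    # Parsing rejects anything that is not a bare IP, so CR/LF cannot reach the wire.
    addr = ipaddress.ip_address(client_ip)
    # Postfix's XCLIENT syntax prefixes IPv6 addresses with "IPV6:".
    text = "IPV6:" + addr.compressed if addr.version == 6 else addr.compressed
    return ("XCLIENT ADDR=%s\r\n" % text).encode("ascii")

def read_reply(rfile):
    # One SMTP reply; "NNN-" lines are continuations of the same reply.
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError("malformed reply: %r" % line)
        if line[3:4] != "-":
            return int(line[:3]), line[4:]

def lb_handshake(server_sock, client_ip):
    # LB side of the exchange: banner, XCLIENT, exactly one reply.
    cmd = xclient_command(client_ip)  # validate before talking to the server
    rfile = server_sock.makefile("rb")
    code, banner = read_reply(rfile)
    if code != 220:
        raise ConnectionError("unexpected banner code %d" % code)
    server_sock.sendall(cmd)
    code, text = read_reply(rfile)
    if code // 100 != 2:
        raise PermissionError("XCLIENT refused: %d %s" % (code, text))
    return banner  # what the LB would relay to the client as "220 ..."

def demo(client_ip, authorized=True):
    # Constructed stand-in server on a socketpair; it is not Postfix.
    lb, srv = socket.socketpair()
    seen = []
    def fake_server():
        srv.sendall(b"220 mx.example.test ESMTP\r\n")
        seen.append(srv.makefile("rb").readline())
        srv.sendall(b"250 Ok\r\n" if authorized else b"550 denied\r\n")
    worker = threading.Thread(target=fake_server, daemon=True)
    worker.start()
    try:
        return lb_handshake(lb, client_ip), seen
    finally:
        worker.join(timeout=2)
        lb.close()
        srv.close()
```

On the Postfix side, XCLIENT is honoured only from hosts listed in smtpd_authorized_xclient_hosts, so that list should contain the load balancer's address and nothing else.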