How to configure Postfix with transport_maps and randmap? - postfix-mta

I'm currently using a Postfix server with 4 IPs (relay1, relay2, relay3, relay4) for outgoing emails.
I'm using transport_maps to define, for each email domain (outlook.fr, orange.fr ...), the relay to use.
It works well, but I just realized that my Postfix active queue was full, mostly with orange.fr emails; it fills up quickly because only 1 relay is defined to send emails for that domain.
What I'm trying to do is to load balance orange.fr emails between the 4 IPs while keeping transport_maps to manage the other email domains.
I tried using sender_dependent_default_transport_maps = randmap:{relay1,relay2,relay3,relay4} for load balancing, and it works, but for all domains.
In the Postfix release notes a solution seems to be given, but I cannot get it to work: http://postfix.cs.utah.edu/source/official/postfix-3.0.0-RC1.RELEASE_NOTES
/etc/postfix/main.cf:
    transport_maps =
        # Deliver my own domain as usual.
        hash:/etc/postfix/transport
        # Deliver other domains via randomly-selected relayhosts
        randmap:{smtp:smtp0.example.com, smtp:smtp1.example.com}
From my understanding, Postfix should read transport_maps first and, if the domain is not found, send using randmap. But in this case only randmap is working.
Summary:
- If I use only the transport file: emails are sent to specific relays, but I can't have more than one relay for a given domain.
- If I use only randmap: emails are sent using the 4 IPs, but I can't specify relays for specific domains.
- If I use transport and randmap together: the transport file seems ignored, only randmap is effective.
Any idea how to do that?

I'm not sure how you configured your master.cf or your server, so I'll just share my experience.
My server has 5 IPs (let's call them int1-int5).
First I configured these as transports in my master.cf. Example with int1:
    int1 unix - - n - - smtp
        -o smtp_helo_name=int1.domain.com
        -o syslog_name=postfix-int1
        -o smtp_bind_address=x.x.x.x
My main.cf:
    sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport randmap:{int1,int2,int3,int4,int5}
    smtp_connection_cache_on_demand = no
    transport_maps = hash:/etc/postfix/transport
Where:
- sender_dependent_default_transport_maps = randmap:{int1,int2,int3,int4,int5} : the load balancing
- sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport : specific relay for senders (mail from)
- transport_maps = hash:/etc/postfix/transport : specific relay for recipients (mail to)
/etc/postfix/sender_transport or /etc/postfix/transport example:
    user@domain1.com int5:
    domain2.com int5:
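To make the precedence the answer relies on concrete, here is a small added model of the resolution order (recipient table, then sender table, then the random relay list). It is example code written for this page, not Postfix's own code and not the answer's files: the tables are constructed samples laid out like the answer's maps, the relay names int1..int5 are taken from the answer, and the randmap is modelled as the fallback consulted only after both hash tables miss. The key order inside one table lookup (full address, domain, parent domains with a leading dot, then `*`) follows the transport(5) search order.

```python
import random
from collections import Counter

# Constructed sample tables in the layout the answer uses (transport name with an
# empty nexthop, e.g. "int5:"). These are not the real /etc/postfix files.
TRANSPORT = {                  # hash:/etc/postfix/transport (keyed by recipient, "mail to")
    "outlook.fr": "int1:",
    ".outlook.fr": "int1:",    # leading dot: subdomains of outlook.fr
    "hotmail.fr": "int2:",
}
SENDER_TRANSPORT = {           # hash:/etc/postfix/sender_transport (keyed by sender, "mail from")
    "user@domain1.com": "int5:",
    "domain2.com": "int5:",
}
RELAYS = ["int1", "int2", "int3", "int4", "int5"]   # randmap:{int1,int2,int3,int4,int5}


def lookup_keys(address):
    """Keys tried, in order, for one table lookup (transport(5) search order):
    the full address, the domain, each parent domain with a leading dot, then '*'."""
    if "@" not in address:
        return [address, "*"]
    domain = address.rpartition("@")[2]
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")
    return keys


def resolve(sender, recipient, rng=random):
    """Return (transport, source). Model of the precedence the answer relies on:
    recipient table first, then sender table, then a random relay (modelled as
    the last fallback; assumption made for this example)."""
    for key in lookup_keys(recipient):
        if key in TRANSPORT:
            return TRANSPORT[key], "transport_maps"
    for key in lookup_keys(sender):
        if key in SENDER_TRANSPORT:
            return SENDER_TRANSPORT[key], "sender_dependent_default_transport_maps"
    return rng.choice(RELAYS) + ":", "randmap"


def relay_counts(n_messages, seed=1):
    """Fan-out of n_messages to orange.fr (no table entry) from a sender with no
    sender_transport entry: every message should land on one of the five relays."""
    rng = random.Random(seed)
    counts = Counter()
    for i in range(n_messages):
        transport, _ = resolve("news@mysite.example", f"user{i}@orange.fr", rng)
        counts[transport] += 1
    return counts


if __name__ == "__main__":
    for sender, rcpt in [("news@mysite.example", "alice@outlook.fr"),
                         ("news@mysite.example", "alice@mail.outlook.fr"),
                         ("user@domain1.com", "bob@orange.fr"),
                         ("news@mysite.example", "bob@orange.fr")]:
        print(f"{sender:>22} -> {rcpt:<24} {resolve(sender, rcpt)}")
    print(dict(relay_counts(5000)))
```

The model deliberately leaves out smtp_connection_cache_on_demand; the answer turns it off so that cached connections do not pin a domain to one relay between random picks. On a real server the exact-key part of a lookup can be checked with `postmap -q orange.fr hash:/etc/postfix/transport`, which prints nothing when the domain is absent, i.e. when it falls through to the random relays.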

Related

Asterisk keeps confusing public and private IPs so calls have no audio when softphones are behind NAT

I'm trying to set up a VoIP system using Asterisk and custom-made mobile apps to make calls between users.
The system works perfectly when set up on the same network, but once deployed on the online server, because the softphones are behind NAT, audio is not going through: all SIP packets are properly received and the softphones ring, but when a call is open no audio is heard on either endpoint.
I've looked everywhere for how to set up Asterisk to work with endpoints behind NAT, but everything online talks about SIP on the older versions of Asterisk. I'm using the latest version of Asterisk, which uses pjsip.conf; I've tried different settings for the endpoints, but RTP still confuses the IPs and tries to route the RTP packets to the private IP instead of the public IP.
I've tried rewrite_contact, direct_media, force_rport, ice_support, rtp_symmetric with different options, but I can't seem to find the right setting.
Has anyone done this before? Do you have any documentation that I can look at for the latest versions of Asterisk?
Apparently it's not anything that needs to be done on the Asterisk deployment. It was a client issue: the client SIP phone needs to have rport for media enabled, and I was using MizuDroid, which did not have that feature. Once I switched to Zoiper and set that option on, everything started working properly.
In your pjsip transport (the type=transport section used by your extensions) you have to set local_net, external_media_address and external_signaling_address:
    [transport-udp-nat]
    type = transport
    protocol = udp
    bind = 0.0.0.0
    local_net = (your local network, like 192.168.0.0/24)
    external_media_address = (your external IP)
    external_signaling_address = (your external IP)
Also, you have to use in your endpoints:
    rewrite_contact = yes
    direct_media = no
    force_rport = yes
    rtp_symmetric = yes

Postfix: Allow a certain sender only from a certain IP address

I have a client who authenticates with SASL, and they keep getting their password stolen. Their legitimate mail is sent from one IP address, so I'd like to block all mail sent from their address unless it comes from that IP. Is this possible? I've tried to find a solution, but I'm fairly new to Postfix and inherited this setup. I can see how to do one or the other, but not how to combine them without affecting other users. We're using Postfix with amavis as content filter. Thank you.
Edited to add things I've tried: I created a local.cf rule for amavis/spamassassin, like this:
    header __LOCAL_FROM_USER From =~ /me\@domain\.com/i
    header __LOCAL_IP_USER Received =~ /11\.22\.33\.44/
    meta LOCAL_EMPIRE_RULE (__LOCAL_FROM_USER && !__LOCAL_IP_USER)
    score LOCAL_EMPIRE_RULE 20.0
However, that doesn't work because the originating IP isn't in the Received headers. I guess that's due to the way it's passed through from Postfix to amavis. So that blocks all mail from their address, even if it's from their IP.
So I tried adding their IP to mynetworks in Postfix's main.cf. I'd be satisfied short-term with relaying all email from their IP and blocking everything from their address otherwise. I can't seem to stop it from getting spam filtered, though, even though I have this in amavisd.conf:
    $policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
        originating => 1,        # is true in MYNETS by default, but let's make it explicit
        os_fingerprint_method => undef,   # don't query p0f for internal clients
    };

How to route call from VoiceBlue Next device to Asterisk Server

I want to set up an IVR menu, i.e. if a user calls a particular GSM number, the call should be redirected to the Asterisk server and the user needs to get the IVR menu.
I am using a VoiceBlue Next, firmware version 1.31.1.34.1, with a working SIM card inserted.
If I make a call to that particular number, I am able to accept the call, reject the call and use other options from the VoiceBlue Next web interface.
I have made a SIP account in the pjsip.conf file and created an extension 100 in extensions.conf, but I am unable to transfer the call to the Asterisk server.
On the Asterisk server, are there any other files to be changed, or any settings in the VoiceBlue Next?
There are not many details to understand your scenario. I have not used VoiceBlue, but on Asterisk, if you want to receive calls from your VoiceBlue or any other provider, you have to do two things. One, you have to register this peer to allow receiving calls, or you can also set allowguest=yes (but very dangerous: anyone can send you calls), or add peers at the end of the pjsip.conf file as a slightly more secure way.
Next, you need to add a dialplan; suppose you get any number, _X. will match any number, and you can put Dial to your extension to receive any number from the provider.
As for the SIP client to call out, you have to register the peer, and both must be in the same context.
Sending outgoing calls: now if you call any number beginning with 6 or 7, they will be forwarded to VoiceBlue:
    exten => _6XXXXXXXX,1,Dial(SIP/${EXTEN:0}@10.0.0.20,,r)
    exten => _7XXXXXXXX,1,Dial(SIP/${EXTEN:0}@10.0.0.20,,r)
For incoming, please add the following in your pjsip.conf:
    [VoiceBlueNext]
    type=peer
    host=10.0.0.20
    username=voiceblue
    secret=password
    fromdomain=10.0.0.20
and in the same file, at the top, put the following general section:
    [general]
    port = 5060
    bindaddr = 0.0.0.0
    allowguest=no
    context = sip
    disallow=all
    allow=ulaw
Notice I set allowguest = no, so you must provide the VoiceBlue peer information to receive calls; but if you want to test, make it yes and you will get calls without any security.

Akka behind HAProxy

I have 2 systems: system 1 is running Akka and HAProxy, system 2 is running REST components that make a request to Akka.
Akka runs on port 4241 on system 1. System 2 is able to connect to system 1 when there is no HAProxy. After I installed HAProxy on system 1, the request from system 2 to system 1 errors out with the logs below:
    ERROR[deal-akka.actor.default-dispatcher-18] EndpointWriter - dropping
    message [class akka.actor.ActorSelectionMessage] for non-local
    recipient [Actor[akka.tcp://akkaSystemName@Server1IP:42431/]] arriving at
    [akka.tcp://akkaSystemName@Server1IP:42431] inbound addresses are
    [akka.tcp://akkaSystemName@Server1IP:4241]
HAProxy runs on 42431.
The HAProxy configuration is the following:
    listen akka_tcp :42431
        mode tcp
        option tcplog
        balance leastconn
        server test1 Server1IP:4241 check
        server test2 Server1IP:4241 check
The Akka configuration is this (inside the top-level akka { } block):
    akka {
      actor {
        provider = "akka.remote.RemoteActorRefProvider"
      }
      remote {
        netty.tcp {
          hostname = "Server1IP"
          port = 4241
          transport-protocol = tcp
          # Sets the send buffer size of the Sockets,
          # set to 0b for platform default
          send-buffer-size = 52428800b
          # Sets the receive buffer size of the Sockets,
          # set to 0b for platform default
          receive-buffer-size = 52428800b
          maximum-frame-size = 52428800b
        }
      }
    }
Any suggestion would be appreciated.
Updated answer:
Probably Akka Remoting is not supposed to work with a load balancer. Look at this part of its documentation:
> Akka Remoting is a communication module for connecting actor systems
> in a peer-to-peer fashion, and it is the foundation for Akka
> Clustering. The design of remoting is driven by two (related) design
> decisions:
> 1. Communication between involved systems is symmetric: if a system A can connect to a system B then system B must also be able to connect to system A independently.
> 2. The role of the communicating systems are symmetric in regards to connection patterns: there is no system that only accepts connections, and there is no system that only initiates connections.
> The consequence of these decisions is that it is not possible to
> safely create pure client-server setups with predefined roles
> (violates assumption 2) and using setups involving Network Address
> Translation or Load Balancers (violates assumption 1).
> For client-server setups it is better to use HTTP or Akka I/O.
For your case it seems reasonable to use Akka HTTP or Akka I/O on system 1 to accept and answer requests from system 2.
Old answer:
You have to set the bind-port property in the Akka configuration. Here is the quote from the Akka documentation:
    # Use this setting to bind a network interface to a different port
    # than remoting protocol expects messages at. This may be used
    # when running akka nodes in a separated networks (under NATs or docker containers).
    # Use 0 if you want a random available port. Examples:
    #
    # akka.remote.netty.tcp.port = 2552
    # akka.remote.netty.tcp.bind-port = 2553
    # Network interface will be bound to the 2553 port, but remoting protocol will
    # expect messages sent to port 2552.
For your ports it should be like this:
    port = 42431
    bind-port = 4241

Why does the qmail MTA have two interfaces to receive mail?

The qmail MTA, which can send/receive mail, has two starting points, viz. qmail-smtpd and qmail-inject.
Why do we have two such different interfaces for mail delivery?
I am going through the qmail tutorial referenced from: http://www.nrg4u.com/qmail/the-big-qmail-picture-103-p1.gif
The two different starting points/interfaces that you are talking about each have their own significance:
qmail-smtpd is responsible for accepting mail from the external world. It listens on port 25 and accepts mail following the SMTP protocol.
whereas
qmail-inject is responsible for sending mail, whether within the same domain or to another domain.
(basically we call it a MUA)
