tested on slackware current (nov 2021)
what matters most for an relay / mail-forwarder / outbound MTA is its SMTP client IP reputation, esp. when talking to google and microsoft mail exchangers.
for that matter, we need to think not only about making the relay service highly available, but we also need to handle the outbound traffic originating source.
just proceed as with a normal relay but on TWO nodes, here postfix1 and postfix2. the difference here is that we rather have a public relay with ACLs, and also absolutely need to listen on all interfaces so the VRRP virtual IPs become served by it.
inet_interfaces = all
mynetworks = 127.0.0.1/32,
192.168.122.0/24
install Keepalived somehow e.g.
all nodes
sbopkg -i keepalived
–or–
wget https://lab.nethence.com/slackpkgs/keepalived-2.2.4-x86_64-1_SBo.tgz installpkg --terse keepalived-*.tgz
now setup a virtual default route with the src definition.
we’re assuming you’ve got a default route on the same subnet as the virtual IP will get, already.
postfix1
# we may restart the daemon at some point but that should take less than 10 seconds
vrrp_script check-postfix {
script "/sbin/pidof master"
interval 5
fall 2
rise 1
}
vrrp_instance MTA {
state BACKUP
interface xenbr0
virtual_router_id 225
priority 1
advert_int 1
# default route originates from virtual ip
virtual_ipaddress {
192.168.122.225/24
}
virtual_routes {
default via 192.168.122.1 src 192.168.122.225 dev xenbr0
}
track_script {
check-postfix
}
notify "/var/tmp/notify.bash"
}
cat > /var/tmp/notify.bash <<EOF
#!/bin/bash
echo `date` -- $HOSTNAME received $@ >> /var/tmp/keepalive.log
EOF
chmod +x /var/tmp/notify.bash
replicate the confs across the farm
scp /etc/postfix/main.cf postfix2:/etc/postfix/ scp /etc/keepalived/keepalived.conf postfix2:/etc/keepalived/ scp /var/tmp/notify.bash postfix2:/var/tmp/ scp /etc/rc.d/rc.local postfix2:/etc/rc.d/
postfix1
ls -lF /etc/rc.d/rc.postfix # already enabled grep rc.postfix /etc/rc.d/rc.M vi /etc/rc.d/rc.local # keepalived sysctl -w net.ipv4.ip_nonlocal_bind=1 /usr/sbin/keepalived --log-detail
status
tail -n0 -F /var/log/* /var/tmp/keepalive.log ip addr show xenbr0 | grep 'inet ' ip route | grep ^default mailq
restart
rc.postfix restart pkill keepalived keepalived --log-detail
workstation
ping 192.168.122.225 25 -c1 telnet 192.168.122.225 25
postfix1
ip addr show xenbr0 # currently holds the VIP pkill keepalived
postfix2
ip addr show xenbr0 # has taken over the VIP
workstation
ping 192.168.122.225 25 -c1 telnet 192.168.122.225 25
workstation
tcpdump -i virbr0 icmp
postfix2
ip route | grep ^default
gives two default gateways, with the prefered one at first
default via 192.168.122.1 dev xenbr0 proto keepalived src 192.168.122.225 default via 192.168.122.1 dev xenbr0
then try to ping the public network
ping -c1 opendns.com ping -c1 opendns.com ping -c1 opendns.com
workstation
==> always originates from virtual ip 192.168.122.225
If only src ip address in virtual route was changed then keepalived does not update virtual route after reloading config (old route will be in route table) #1390 https://github.com/acassen/keepalived/issues/1390
Outgoing traffic with virtualIP using Keepalived and Haproxy https://medium.com/@rajivsharma.2205/outgoing-traffic-with-virtualip-using-keepalived-and-haproxy-6fa5635dd4ec
https://serverfault.com/questions/257637/postfix-to-relay-mails-to-other-smtp-for-particular-domain
https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery
==> relay: