PostFix What Does "inet_interfaces " exactly mean?
I'm installing a Postfix Server and some people say that I have to change the
inet_interfaces = all
to
inet_interfaces = loopback-only
So now I am wondering, what does inet_interfaces
exactly mean (and what is it doing) and what's the difference between all
and loopback-only
?
From the manpage
inet_interfaces (default: all) The network interface addresses that this mail system receives mail on. Specify "all" to receive mail on all network interfaces (default), and "loopback-only" to receive mail on loopback network interfaces only (Postfix version 2.2 and later). The parameter also controls delivery of mail to user@[ip.address].
Note 1: you need to stop and start Postfix when this parameter changes.
Note 2: address information may be enclosed inside [], but this form is not required here.
When inet_interfaces specifies just one IPv4 and/or IPv6 address that is not a loopback address, the Postfix SMTP client will use this address as the IP source address for outbound mail. Support for IPv6 is available in Postfix version 2.2 and later.
On a multi-homed firewall with separate Postfix instances listening on the "inside" and "outside" interfaces, this can prevent each instance from being able to reach remote SMTP servers on the "other side" of the firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, and setting smtp_bind_address6 to :: solves the problem for IPv6.
A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in the master.cf SMTP server definitions. This preserves the Postfix SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPV6 address is primarily useful with virtual hosting of domains on secondary IP addresses, when each IP address serves a different domain (and has a different $myhostname setting).
See also the proxy_interfaces parameter, for network addresses that are forwarded to Postfix by way of a proxy or address translator.
Examples:
inet_interfaces = all (DEFAULT) inet_interfaces = loopback-only (Postfix version 2.2 and later) inet_interfaces = 127.0.0.1 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later) inet_interfaces = 192.168.1.2, 127.0.0.1
When is this useful?
You can manipulate the master.cf file and bind port 25 to multiple IP addresses to have slightly different configurations.
When would I use loopback-only
When you want to use postfix simply to queue emails for your application to be forwarded to another email system, handling smtp in an app is easy, handling queues, delays and encryption is less easy. Many devs will add postfix to handle this for you, similarly to using nginx for SSL.
This also prevent systems that do not additionally have a firewall (Centos vs Ubuntu) to protect against other localnet systems from using your relay to spam/phish.
You would not use this setting in docker as you'd generally link them with docker-compose and would not want to make this change as it is not longer local only.