This is the scheme
e.g:
I got 5 Public IPs. i’m Gonna configure them, so Postfix can use multiple interfaces/ips for outgoing smtp connections.
First we need creating Interface aliases for those 5 public IPs.
In my system, using fedora:
Edit ifcfg-eth0:1
3 | DEVICE=eth0 <-- default device |
4 | HWADDR=XX:XX:XX:XX:XX:XX |
8 | IPADDR=202.XXX.XX.2 <-- default eth0 IP address |
Change DEVICE and IPADDR parameters
1 | DEVICE=eth0:1 <-- device alias |
2 | HWADDR=XX:XX:XX:XX:XX:XX |
6 | IPADDR=202.XXX.XX.3 <-- IP alias |
We can continue with next interfaces for IP aliases same way as mention above.
when we were done, bring those IP aliases up.
Check if interfaces is up
2 | eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX |
3 | inet addr:202.XXX.XX.2 Bcast:202.XXX.XX.255 Mask:255.255.255.0 |
4 | inet6 addr: fe80::20c:29ff:feb0:e91/64 Scope:Link |
5 | UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 |
6 | RX packets:598678 errors:0 dropped:0 overruns:0 frame:0 |
7 | TX packets:26348 errors:0 dropped:0 overruns:0 carrier:0 |
8 | collisions:0 txqueuelen:1000 |
9 | RX bytes:49088016 (46.8 MiB) TX bytes:7707579 (7.3 MiB) |
11 | eth0:1 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX |
12 | inet addr:202.XXX.XX.3 Bcast:202.XXX.XX.255 Mask:255.255.255.0 |
13 | UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 |
15 | eth0:2 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX |
16 | inet addr:202.XXX.XX.4 Bcast:202.XXX.XX.255 Mask:255.255.255.0 |
17 | UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 |
19 | eth0:3 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX |
20 | inet addr:202.XXX.XX.5 Bcast:202.XXX.XX.255 Mask:255.255.255.0 |
21 | UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 |
There’s no particular configuration need to adjust in postfix.
Now the iptables part.make sure your iptables support for statistic match module.
5 | statistic match options: |
6 | --mode mode Match mode (random, nth) |
8 | --probability p Probability |
10 | --every n Match every nth packet |
11 | --packet p Initial counter value (0 <= p <= n-1, default 0) |
Next continue with iptables rule for rotating source IP addresses.
done
note: this guide based on someone’s post on postfix-users mailing list
Does the rotating IPs via a IP table actually work? If so how would I configure this in Ubuntu? Let me know thanks. I have my email server using post fix for bulk email for my clients email marketing needs.
Thanks
Mageler
yes it work, i’m using it on one of smtp outgoing farm for my customer, it work on ubuntu i guess, if it support iptables statistic module.
thanks for this great article i try it in ubuntu 9.10 and work like charm
thanks
I tried this solution and it worked, except that it doens't change the hostname. This kind of mess up the delivery rate.
Do you know a solution to make it use the correct reverse dns for each IP?
i’m afraid it cannot be done, postfix will always using same helo name, if it’s what you meant.
postfix cannot change helo name dynamically on the fly.
or you were asking about how to setup dns reverse?it just setting ptr record in dns server in that case.
Any idea why I am getting a “No chain/target/match by that name” on this one with a Parallels VPS?
iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o venet0 -m statistic –mode nth –every 5 -j SNAT –to-source xx.xx.xx.xx
To answer my own question on this – the statistic module was not enabled by the host – so make sure the needed modules are enabled if you are trying this on a VPS!
yes, or you can build your own iptables. i’m using centos 5
1# cat /etc/redhat-release2CentOS release 5.4 (Final)i’ve compiled iptables manualy using fedora 12’s iptables
1iptables-1.4.3.2-2.fc12.src.rpmi’m not found any glitch yet
How do you compile iptables-1.4.3.2-2.fc12.src.rpm
for CentOS 5.5? Do you have a procedure?
Thanks
Once again I got some questions for you
I’ve implemented this strategy on a new server that has 60 IPs – but…
Some IPs seem to be way more used than others, especially the ones that are “first” in the IPtables rules… Any ideas on this?
Secondly – I was wondering, when analyzing mail logs, is there any way to include which IP postfix used in that situaiton? Cause else an error on one IP would be a bit like looking for a needle in a stack somewhere…
When your MTA send 5 mail sessions simultaneously, when hit iptables rules in nat table sequence, statistic module will distributed the connection in round-roubin fashion. so those 5 mail session only hit the upper 5 iptables rules.(i’m not realy sure how this nth sequence work either)..hehe
1-m statistic --mode nth --every ...when your mail traffic never burst large scale simultaneous connection, it will never reach all iptables statistic rules.
alternatively, you can play with –mode random (i’ve never tried this) or set
1smtp_connection_cache_on_demand = offi’t’s enabled by default, this will avoid one session hanging on the same connection.
about second question, i’m afraid i don’t know how to log which ip used by postfix outgoing session.
i’m just change the syslog name for outgoing smtp
1slow unix - - n - - smtp2-o syslog_name=postfix-to-rotatorVery interesting – I guess the random-mode would work best? Or would the smtp_connection_cache work the exact same way? Because the smtp_connection:cache would be an easy fix to implement on machines that are already setup with the nth mode?
For new setups, i just need to figure out now, if the probability setting takes an input with 2 decimals – since 0.1 would be 10% and that would be to much for a setup with more than 10 IPs.
i’m using 29 IPs using –-mode nth and smtp_connection_cache_on_demand = off. here’s is my statistic
1Chain POSTROUTING (policy ACCEPT 68M packets, 3977M bytes)2pkts bytes target prot opt in out source destination338293 2106K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.247436972 2036K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.248535697 1964K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.50634467 1899K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.51733278 1828K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.52832130 1768K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.539--- snip ----1017084 941K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.701116495 909K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.401215926 876K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.2451315377 846K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.2461414847 817K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.1161514335 787K SNAT tcp -- * eth0 2xx.x.x.121 0.0.0.0/0 state NEW tcp dpt:25 statistic mode nth every 29 to:2xx.x.x.249with average/low traffic lower iptables rules will not so often reached.
With the smtp_connection.. = off, my postfix installation just queues all mails, and never starts to send anything out – so i implemented -mod random instead…
But I need to wait a couple of days for some SNDS data to update, it seems to bee the easiest way to check if IPs are used randomly or if some of them are preferred by the iptables…
Hello,
I am a newbie
I would like to add this to my VPS.
How can I enable nat on iptables.
I have Fedora 13 and iptables-1.4.7-2.
thanks
fedora 13 should be supporting nat by default. just follow the instruction..
When I try to add the iptables rule for rotating source IP addresses, I have this error message:
iptables: No chain/target/match by that name.
I have
Fedora13 32 bits
iptables-1.4.7-2
kernel 2.6.18
Also, I initialized iptables table ‘nat’
# iptables -t nat -nvL
But Iptables cannot add those rules.
Any idea?
How can I enable the statistic module?
“To answer my own question on this – the statistic module was not enabled by the host – so make sure the needed modules are enabled if you are trying this on a VPS”
1$ iptables -m statistic --helpWell, It is not very helpful.
Thanks anyway
i still don’t get what you mean, statistic module should be there by default.(AFAIK)
was iptables_nat modules loaded?
1# lsmod | grep nat2iptable_nat 7456 03nf_nat 22372 1 iptable_natwas iptables modules xt_statistic loaded?
1# lsmod | grep statistic2xt_statistic 2008 1upss, sorry i didn’t notice that you have kernel 2.6.18.
in my older machine using that kernel, statistic module is not supported.
i’m affraid the only solution is upgrade to newer kernel.
Which versions of Kernel, Fedora and iptables do you have?
1# cat /etc/redhat-release2Fedora release 12 (Constantine)1[root@dev ~]# uname -a2Linux dev.corp.3g-net.net 2.6.31.5-127.fc12.x86_64#1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux1[root@dev ~]# iptables -v2iptables v1.4.5: nocommandspecifiedAnother questions
Which server virtualisation technology do you have?
XEN or OPENVZ?
some installed barely on machines, some using vmware esxi
Hello,
If I want to change to “every” .. what should I do?
I mean, should I flush iptables? or just enter the iptables rules again.
Thanks
1# iptables -t nat -R POSTROUTING bla blaHow do you compile iptables-1.4.3.2-2.fc12.src.rpm
for CentOS 5.5? Do you have a procedure?
I got those errors
[root@kme src]# rpmbuild –rebuild iptables-1.4.3.2-2.fc12.src.rpm
Installing iptables-1.4.3.2-2.fc12.src.rpm
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
error: unpacking of archive failed on file /usr/src/redhat/SOURCES/iptables-1.4.
3.1-cloexec.patch;4dad5990: cpio: MD5 sum mismatch
error: iptables-1.4.3.2-2.fc12.src.rpm cannot be installed
try
1# rpm -Uvh iptables-1.4.3.2-2.fc12.src.rpm --nomd52# cd `rpm --eval '%{_specdir}'`3# rpmbuild -ba iptables.specWhat I did wrong?
I did
# rpm -Uvh iptables-1.4.3.2-2.fc12.src.rpm –nomd5
# cd `rpm –eval ‘%{_specdir}’`
# rpmbuild -ba iptables.spec
# cd /usr/src/redhat/RPMS/i386
# rpm -Uvh iptables-1.4.3.2-2.i386.rpm
# rpm -qa | grep iptables
iptables-1.4.3.2-2
# service iptables restart
iptables: Applying firewall rules: FATAL: Could not load /lib/modules/2.6.18-164
.11.1.el5.028stab068.3PAE/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-164.11.1.el5.028stab068.3PAE/modules.d
ep: No such file or directory
Just try run
1# depmod -aas root
# depmod -a
WARNING: Couldn’t open directory /lib/modules/2.6.18-164.11.1.el5.028stab068.3PAE: No such file or directory
FATAL: Could not open /lib/modules/2.6.18-164.11.1.el5.028stab068.3PAE/modules.dep.temp for writing: No such file or directory
Any ideas?
What is in /lib/modules/2.6.18-164.11.1.el5.028stab068.3PAE/ ?
Is that the kernel release you are running?
If not include the kernel release as an argument:
1sudo/sbin/depmod -a `uname-r`Hello,
I Tried this method and it works fine.
Do you know if there is a way to rotate
hostnames after –every XXX emails?
you can read my article about randomize outgoing mail using tcp_table and perl
Hi,
I tried to upgrade my centos 5 iptables 1.3.5 using the following cmds but I got error as follows:
# rpm -Uvh iptables-1.4.3.2-2.fc12.src.rpm –nomd5
# cd `rpm –eval ‘%{_specdir}’`
# rpmbuild -ba iptables.spec
# cd /usr/src/redhat/RPMS/i386
# rpm -Uvh iptables-1.4.3.2-2.i386.rpm
Errors: error: Failed dependencies:
iptables = 1.3.5 is needed by (installed) iptables-ipv6-1.3.5-5.3.el5_4.1.i386
iptables = 1.3.5 is needed by (installed) iptables-devel-1.3.5-5.3.el5_4.1.i386
Please any idea what might be wrong? My Iptables details as follows:
rpm -qa | grep iptables
iptables-1.3.5-5.3.el5_4.1
iptables-ipv6-1.3.5-5.3.el5_4.1
iptables-devel-1.3.5-5.3.el5_4.1
try this:
1# rpm -Uvh iptables-*wow. Worked like chram. Many thanks
you’re welcome buddy
I have tested “–every n”. With same “n”, packets aren’t evenly distributed.
N should be like N, N-1, N-2 ….
not even and packet drop
5 276 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 5
4 232 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 5
3 152 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 5
2 100 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 5
2 104 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 5
5 256 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
evenly
29 1608 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 5
29 1524 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 4
28 1488 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 3
28 1440 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 2
28 1460 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 statistic mode nth every 1
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Hi friend,
I want to ask you is it possible to send emails from proxy ip’s and get inboxing.
Hi leenoux,
Can you install this on my server? I need ip rotation so I can send unlimeted mails.
Your post is nice but i want ip rotation in postfix such that ip’s are rotated every hour how can i achieve this.
i dunno, maybe this is what you want
http://www.kutukupret.com/2011/11/15/postfix-changing-outgoing-ip-by-time-interval-using-tcp_table-and-perl/
http://www.kutukupret.com/2010/12/06/postfix-randomizing-outgoing-ip-using-tcp_table-and-perl/
This is a post i see in reference of ip rotation with per hour changing ip’s of outgoing mails in postfix is it right if i follow this post to achieve my goal.
http://www.kutukupret.com/2011/11/15/postfix-changing-outgoing-ip-by-time-interval-using-tcp_table-and-perl/
I have 2 question and please answer me
1-
Is it possible to configure VPS for IPV6 for ip rotation ?
how is it possible?
2-is it possible assign IPV6 for vmware for VPS
1. technicaly, yes. just figure out how to setup ipv6 aliasing at your VPS (lots of tutorial/howto out there).
2. yes. i’ve been running my ipv6 on my VPS for years.