WIP: Use postfix options for routing mails through tunnel #45
No description provided.
Once tested, new users can be created to improve security of the ssh tunnel process. Already tested with a VM and a simple SMTP server that prints headers and source IP.

Just needs `wg-quick genkey` and `wg-quick pubkey` on the nixbld side.

Things tested:
@ -1179,0 +1193,4 @@
@m-labs.hk :
@m-labs.ph :
@193thz.com :
@malloctech.fr :
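Review bot: the four rows `@m-labs.hk :` … `@malloctech.fr :` put a space before the colon, so in a Postfix hash table the key is the domain and the value is the bare string `:`, not an empty relay host; it is not clear what these rows are meant to do. Either give each row the relay host it should use (`@m-labs.hk   [relay.example]:25`), or, if these domains are meant to keep the global relayhost, drop the rows or use the documented `DUNNO` result for sender_dependent_relayhost_maps, and add a comment saying which domains go through the tunnel.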
Does postfix require all domains to be listed there, even those without a relay host? As in the examples at https://www.postfix.org/transport.5.html, a wildcard is probably a better way.
Title changed from "Use postfix options for routing mails through ssh tunnel" to "WIP: Use postfix options for routing mails through ssh tunnel"
@ -219,0 +235,4 @@
address = "0.0.0.0";
prefixLength = 0;
via = "5.78.86.156";
options.table = "2";
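Review bot: `options.table = "2"` hardcodes a routing table id that the review already flags as in use on this host; pick an unused id (check `ip rule` and `ip route show table all` on the machine) and bind it once, for example in a `let` binding, so the route and the `ip rule` that selects the table cannot drift apart. Also, `via = "5.78.86.156"` is the peer's public endpoint address from the WireGuard peer block; if this default route is meant to be reached over the tunnel interface, the next hop should be the VPS's address inside the tunnel, not its public endpoint, which is not on-link on intl0. Add a comment stating which interface this route belongs to.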
Already in use, please pay attention.
@ -1190,0 +1245,4 @@
services.postfix = {
config = {
sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
postscreen_upstream_proxy_protocol = "haproxy";
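Review bot: `postscreen_upstream_proxy_protocol = "haproxy"` has nothing to do with outbound relaying; it tells postscreen to expect a PROXY protocol header from an upstream load balancer on every inbound SMTP connection, so without a PROXY-speaking proxy in front of port 25 inbound mail will be refused. Either drop it or explain in the commit message what proxies inbound connections. For `sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay"`, make sure the `.db` file is actually generated (the NixOS module's `services.postfix.mapFiles` runs postmap for you; a hand-placed text file without postmap will fail lookups).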
What?
@ -219,0 +223,4 @@
ttl = 255;
type = "tun";
};
interfaces.intl0 = {
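Review bot: `interfaces.intl0 = {` is opened right after the tunnel definition that closes above it (`ttl = 255; type = "tun"; };`) with nothing tying the two together; add a one-line comment naming what intl0 is (the mail tunnel to the VPS) so that this interface, the later `wireguard.interfaces.intl0` block and the routing table entry can be matched up by a reader of the config.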
call it `trump0`, he's the one who started this shit.
684c63bb49 to 568d6ccfb1
568d6ccfb1 to 6a46388d68
Title changed from "WIP: Use postfix options for routing mails through ssh tunnel" to "WIP: Use postfix options for routing mails through tunnel"
6a46388d68 to ebe55e2fa6
@ -230,0 +237,4 @@
interfaces.intl0 = {
ipv4.addresses = [
{
address = "10.42.0.2";
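Review bot: `address = "10.42.0.2"` under `interfaces.intl0.ipv4.addresses` duplicates the address that the later hunk assigns through `wireguard.interfaces.intl0.ips = [ "10.42.0.2/32" ]`; the WireGuard module already adds the addresses from `ips` to the interface, so configuring it a second time via `networking.interfaces` is redundant and the two prefix lengths can disagree. Keep one of the two, and make sure the prefix length it uses matches what is settled in the /31 vs /32 discussion.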
That's a private class A address. Again this is never going to work.
AX.25 is also in the kernel. Why not use that instead?
@ -249,0 +256,4 @@
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "5.78.86.156:51820";
persistentKeepalive = 25;
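Review bot: `allowedIPs = [ "0.0.0.0/0" ]` combined with the NixOS `networking.wireguard.interfaces` default of turning allowedIPs into routes will install a default route via intl0 in the main table and pull the whole host's traffic into the tunnel; the `Table = off` mentioned in the discussion is a wg-quick setting and does not apply to this module. Set `allowedIPsAsRoutes = false;` on the interface and add the default route in the dedicated policy-routing table from `postSetup`, selected by an `ip rule` for traffic sourced from the tunnel address. Also note that `endpoint = "5.78.86.156:51820"` is the same address used as `via` in the route hunk above; the endpoint itself must stay reachable through the normal default route, otherwise the handshake packets would be routed into the tunnel they are trying to set up.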
TODO: needs disabling routing tables (`Table = off` in wg conf file), so it will open the interface and let apps choose to use it instead of forwarding all the traffic.

You need to set up the policy-based routing for the interface choosing part. As has been done before with existing altnet and HKBN connections.
@ -248,1 +248,4 @@
};
wireguard.interfaces = {
intl0 = {
ips = [ "10.42.0.2/32" ];
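Review bot: `ips = [ "10.42.0.2/32" ];` gives the interface no on-link route to the peer, so nothing can be reached over the tunnel unless a separate route is added; use a prefix that contains both ends. Note that a /31 pairs .2 with .3 (10.42.0.2/31), so if the VPS end is 10.42.0.1 as discussed below, either renumber to 10.42.0.0/31 and 10.42.0.1/31 or use 10.42.0.1/30 and 10.42.0.2/30. Whichever is chosen, the same prefix must be used wherever this address appears, and the `via` of the tunnel table's default route should be the VPS's tunnel address.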
I think you'd want /31 and then route the default traffic on table 3 through 10.42.0.1 (which would be the VPS)?
I suppose you are then using a regular NAT on the VPS to forward that to the internet and also do the port redirections? Sounds hacky but should work.
This IP is to acquire. But for now it's a draft anyway, I'll test and update.
If you use /32 then you can't reach any other hosts.
Also with a /31 the last digits should be .0 and .1, .2 is not going to work.
What does that mean anyway?
It corresponds to Interface.Address in the wg.conf, which results in `ip -4 address add 10.42.0.2/32 dev intl0`. Routes are done separately.

And to where will you route? I repeat: with a /32 address you cannot reach any other host.

For example `ip route add 10.42.0.0/30 dev wg0`. The current problem with the nix configuration is to ensure that it doesn't route too much by default, as happens with wg.conf (but it can be disabled by disabling tables).

And why not just set the correct netmask in the first place?
Regarding the routing tables: You complain about strongswan (despite having been provided with fully working configuration files where you just had to change the IP addresses), but you should note that it doesn't mess up the routing tables. Your private network/NAT hack would also work with strongswan.
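The two threads above (the sender map question on the `@m-labs.hk :` rows, and the /32 vs /31 and policy-routing discussion) both end without a concrete configuration. What follows is an added example written for this page; it is not the PR's code and not the project's. It puts the tunnel into its own routing table instead of the main table, gives Postfix a second `smtp` transport bound to the tunnel address so only listed senders use it, and leaves every other sender on the default transport. Assumptions that are not in the PR: routing table 3 is free on this host, the VPS end of the tunnel is 10.42.0.1 and NATs 10.42.0.0/30 to the internet, the private key lives in `/var/lib/wireguard/intl0.key`, and m-labs.hk is the domain that should relay through the tunnel.

```nix
# Added example (not from the PR). Assumptions: table 3 is unused here,
# the VPS tunnel address is 10.42.0.1 and the VPS NATs the /30 outwards.
{ config, pkgs, ... }:

let
  tunnelTable = "3";          # pick an id not used by the altnet/HKBN tables
  localIp     = "10.42.0.2";  # this host inside the tunnel
  vpsIp       = "10.42.0.1";  # VPS inside the tunnel (assumed)
  ip          = "${pkgs.iproute2}/bin/ip";
in
{
  networking.wireguard.interfaces.intl0 = {
    # /30 puts both ends in one on-link prefix; a /32 would need an extra route.
    ips = [ "${localIp}/30" ];
    privateKeyFile = "/var/lib/wireguard/intl0.key";   # assumed path, made with `wg genkey`

    # Do not let the module turn allowedIPs into routes in the main table;
    # 0.0.0.0/0 would otherwise replace the host's default route.
    allowedIPsAsRoutes = false;

    peers = [{
      publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
      allowedIPs = [ "0.0.0.0/0" ];
      endpoint = "5.78.86.156:51820";
      persistentKeepalive = 25;
    }];

    # Policy-based routing: only packets sourced from localIp use the tunnel's
    # default route. Handshake packets to the endpoint carry the host's normal
    # source address, so they keep using the main table and do not loop.
    postSetup = ''
      ${ip} route replace default via ${vpsIp} dev intl0 table ${tunnelTable}
      ${ip} rule add from ${localIp} lookup ${tunnelTable} priority 1000
    '';
    postShutdown = ''
      ${ip} rule del from ${localIp} lookup ${tunnelTable} priority 1000 || true
      ${ip} route flush table ${tunnelTable} || true
    '';
  };

  services.postfix = {
    enable = true;

    # A second smtp client transport that binds to the tunnel address, which is
    # what makes the ip rule above route its connections through intl0.
    masterConfig.tunnel = {
      type = "unix";
      command = "smtp";
      args = [ "-o" "smtp_bind_address=${localIp}" ];
    };

    # Only senders matched here use the "tunnel" transport; the trailing ":"
    # means "next hop by recipient MX". Unlisted senders keep the default
    # transport, so no wildcard or list of every domain is needed.
    mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
      @m-labs.hk   tunnel:
    '';
    # /etc/postfix is the module's symlink to /var/lib/postfix/conf, where
    # mapFiles are placed and postmap'ed on activation.
    config.sender_dependent_default_transport_maps = "hash:/etc/postfix/sender_transport";
  };
}
```

To check it after `nixos-rebuild switch`: `ip rule` should show the `from 10.42.0.2 lookup 3` rule, `ip route show table 3` the single default via 10.42.0.1, and `ip route` (main table) must be unchanged. A test message from an `@m-labs.hk` sender should then arrive at the header-printing SMTP server with the VPS's public address as source, while mail from any other sender still leaves over the host's normal route.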
6382326316 to addc202345