Encryption Management Server Mail Proxy routes mail via unexpected Network Interface

Article ID: 169584

Products

Encryption Management Server

Issue/Introduction

If Encryption Management Server has multiple network interfaces that are on the same subnet, email traffic is sent via the NIC eth0 rather than via a higher numbered NIC.

This can cause problems if the mail server that Encryption Management Server is proxying to expects to receive the proxied traffic from a specific IP address.

Cause

If Encryption Management Server has two or more IP addresses on the same subnet, traffic will be routed on the lowest numbered NIC in compliance with standard Linux routing.

Environment

Encryption Management Server 3.3 and above with Mail Proxies enabled and two or more IP addresses on the same subnet.

Resolution

Ensure that if Encryption Management Server has more than one IP address, each IP address is on a separate subnet. This will force mail traffic to be sent on a specific network interface.

For example, Encryption Management Server may have the following network configuration:

  1. Interface 1, eth0, 192.168.1.100, subnet mask: 255.255.255.0
  2. Interface 2, eth0:0, 192.168.1.101, subnet mask: 255.255.255.0
  3. Default gateway: 192.168.1.1

In such a configuration, a Mail Proxy on Interface 2 will route traffic via Interface 1 and the receiving mail server will see a connection from 192.168.1.100. Interface 2 will not be used.

The solution to the above example is to configure Encryption Management Server using settings similar to the following, with IP addresses on separate subnets:

  1. Interface 1, eth0, 192.168.1.100, subnet mask: 255.255.255.0
  2. Interface 2, eth1, 192.168.2.100, subnet mask: 255.255.255.0
  3. Default gateway: 192.168.1.1
  4. Static route file /etc/sysconfig/network-scripts/route-eth1 with a rule to route traffic to the IP of a remote mail server via a gateway reachable only from Interface 2. The gateway might be 192.168.2.1.

In the above configuration, a Mail Proxy on Interface 2 will route traffic via Interface 2 and the receiving mail server will see a connection from 192.168.2.100.
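
One way to check a host for the condition described above, as an added example that is not part of the original article or the product: the script below parses `ip -o -4 addr show` output and reports every pair of local addresses whose subnets overlap. The function names are hypothetical, and both samples are constructed from the two example configurations in this article rather than captured from a real server.

```python
import ipaddress

# Constructed samples in the format printed by `ip -o -4 addr show`,
# built from the article's two example configurations (not real captures).
SAMPLE_SAME_SUBNET = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.101/24 brd 192.168.1.255 scope global secondary eth0:0\\       valid_lft forever preferred_lft forever
"""
SAMPLE_SEPARATE_SUBNETS = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.2.100/24 brd 192.168.2.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def parse_addrs(text):
    """Return [(label, IPv4Interface)] for every non-loopback IPv4 address."""
    addrs = []
    for line in text.splitlines():
        # In -o (oneline) mode the part before the first "\" holds the address
        # fields; the last token there is taken to be the interface label.
        head = line.split("\\", 1)[0].split()
        if "inet" not in head:
            continue
        iface = ipaddress.ip_interface(head[head.index("inet") + 1])
        if not iface.ip.is_loopback:
            addrs.append((head[-1], iface))
    return addrs


def same_subnet_pairs(text):
    """List (label_a, ip_a, label_b, ip_b) for addresses on overlapping subnets."""
    addrs = parse_addrs(text)
    return [
        (la, str(a.ip), lb, str(b.ip))
        for i, (la, a) in enumerate(addrs)
        for lb, b in addrs[i + 1:]
        # overlaps() also catches differing prefix lengths, e.g. /24 vs /25
        if a.network.overlaps(b.network)
    ]


if __name__ == "__main__":
    for name, sample in (("same subnet", SAMPLE_SAME_SUBNET),
                         ("separate subnets", SAMPLE_SEPARATE_SUBNETS)):
        pairs = same_subnet_pairs(sample)
        print(name, "->", pairs if pairs else "no shared subnets")
```

An empty result for the second sample corresponds to the corrected configuration, where each IP address is on its own subnet.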