2 mailservers at 2 vpn-locations can't deliver mail to each other

Hello all,

I’m trying to get a second mailserver running on a UCS domain but I have trouble delivering email from one mailserver to the other.

Both mailservers run on ucs-slaves connected through different openvpn servers to the ucs-master/backup. So both slaves are joined to the domain and can talk to the master but there is no (internal) route from one slave to the other.

Postfix will read ldap.transport and detect the right ‘mail home server’ but cannot connect to 10.x.y.1 as there is no route to it.

I can think of two directions for solving this issue:

  1. creating the necessary routes for the slaves
  2. or telling postfix to not use slave1.int.domain.tld but mail.domain.tld as destination for the domain user.

I would prefer the No2 solution but cannot figure out a (postfix-/ucs-)way to do this.

Thank you,
Bernd

This is some sort of bump - but also a follow-up:

Using a pfsense firewall where the openvpn-servers terminate for ucs-master/backup I first tried to follow this guide: https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html
but that didn’t work and all attempts to solve the auth issues weren’t successful.

The solution I’ve got working was to configure a new openvpn peer-to-peer (server2server) from one slave to the other so that postfix is able to use the internal IPs. This is possibly the easiest solution as only two slave servers are involved - so one more peer-to-peer vpn is needed.

I would still be interested if anyone can point in those directions:

  1. Does anyone have a site-to-site ssl/tls server on pfsense/opnsense working?
  2. Has anyone already tried a wireguard vpn solution with ucs?
  3. What adjustments to the postfix configuration would have been possible to route through the external IP addresses? Or would an entry in /etc/hosts be sufficient?

Thanks,
Bernd
