LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 02-05-2004, 06:23 PM   #1
mishunimi
LQ Newbie
 
Registered: Feb 2004
Location: Israel
Distribution: Kubuntu
Posts: 7

Rep: Reputation: 0
closing a postfix open relay behind a NAT


I have 2 PCs on a LAN:
A - (192.168.0.1) Windows, ADSL to the Internet, WinGate NAT.
B - (192.168.0.4) Mandrake 9.2, Postfix.

My question in a nutshell: is there a way to configure Postfix so that
I can send mail from a client on the Windows machine to the Internet,
and at the same time not be an open relay?

Although I followed all the good advice I found in the documentations,
in various FAQs and in verious posts, Postfix remains an open relay.

I think the problem lies in the LAN topology - from Postfix standpoint,
all connections to port 25 arrive from 192.168.0.1, which is part of
$mynetworks, and there is no way to tell which connection originated
in the LAN and which originated from the Internet.

Allowing only $myhostname to send mail is too restrictive, because I
want to be able to send mail from a mail client running on the Windows
machine. Receiving mail can be restricted to the local machine only,
but I don't see how this can help me.

If I allow sending mail from machine A to the world, then anybody
on the Internet can send mail to anybody anywhere.

- Can I do what I want with just configuring Postfix?
- Is Qmail any better in solving this problem?
- Can I do it without changing the network topology (like moving the
ADSL connection from the Windows machine to the Linux one)?


Here is what an open relay test shows:
$ telnet relay-test.mail-abuse.org
Trying 168.61.4.13...
Connected to relay-test.mail-abuse.org (168.61.4.13).
Escape character is '^]'.
Connecting to xxx.xxx.xxx.xxx ...
<<< 220 xxxx.xxxxxx.xxxxxx.xxx ESMTP Postfix (2.0.13) (Mandrake Linux)
>>> HELO cygnus.mail-abuse.org
<<< 250 xxxx.xxxxxx.xxxxxx.xxx
:Relay test: #Quote test
>>> mail from: <spamtest@DSLxxx-xxx-xxx-xxx.xx.xxxx.xxx>
<<< 250 Ok
>>> rcpt to: <"nobody@mail-abuse.org">
<<< 250 Ok
>>> rset
<<< 250 Ok
:Relay test: #Test 1
>>> mail from: <nobody@mail-abuse.org>
<<< 250 Ok
>>> rcpt to: <nobody@mail-abuse.org>
<<< 250 Ok
>>> QUIT
<<< 221 Bye
Tested host banner: 220 xxxx.xxxxxx.xxxxxx.xxx ESMTP Postfix (2.0.13) (Mandrake Linux)
System appeared to accept 1 relay attempts
Connection closed by foreign host.
$


These are the log lines generated by the above test:
postfix/smtpd[30013]: connect from unknown[192.168.0.1]
postfix/smtpd[30013]: AC28A10C73: client=unknown[192.168.0.1]
postfix/smtpd[30013]: 8FFFA10C73: client=unknown[192.168.0.1]
postfix/smtpd[30013]: disconnect from unknown[192.168.0.1]

This is the Postfix configuration I had during that test:

$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq.postfix
masquerade_domains = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain
mynetworks = 192.168.0.0/24, 127.0.0.0/24
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
proxy_interfaces = 192.168.0.4
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
recipient_delimiter = +
relay_domains = $mynetworks
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrake Linux)
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject
unknown_local_recipient_reject_code = 450
$
 
Old 02-05-2004, 06:32 PM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 65
http://postfix.state-of-mind.de/patr...tter/smtpauth/
 
Old 02-05-2004, 06:32 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
WinGate is a pretty sorry firewall/proxy from my experience, but any way...

Seems like your main.cf doesn't have the original comments...
Code:
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network.  Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
By the way, I would really not recommend testing your MTA with a tester from an RBL. That's a good way to end up on a blacklist that will be difficult to get off of. Test it by hand. All you need is a shell on an outside host. how to test open relay by hand

Last edited by chort; 02-05-2004 at 06:40 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[Postfix/SMTPD] Getting no AUTH from server; open relay superhausi Linux - Security 2 11-19-2008 05:37 PM
Spam, PostFix, OPen Relay question linchat Linux - Software 1 09-15-2005 03:22 PM
Postfix - Open relay or not? darklogik_org Linux - Software 2 01-29-2004 05:30 AM
How to avoid making postfix setup an open relay??! lucastic Linux - Software 16 11-11-2003 11:38 AM
Problems closing open sendmail relay noisybastard Linux - Networking 4 06-16-2003 01:01 PM


All times are GMT -5. The time now is 08:55 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration