Old 05-30-2010, 01:44 AM   #1
thumbelina
LQ Newbie
 
Registered: Oct 2006
Location: USA
Distribution: CentOS,Mint,openSuSE,Ubuntu,FBSD
Posts: 12

Rep: Reputation: 5
with iptables, how-to redirect outgoing mail from port 25 to port 587


The issue is that the ISP has recently blocked port 25 outgoing.

But, incoming port 25 is still open and incoming mail is properly received.

Now, for a single machine, I can simply change the <sendmail> configuration and have that machine <submit> the mail to port 587, which is NOT blocked by the ISP. However, there are several machines, all of which send some mail out to the Internet. Thus, I would have to be reconfiguring other unfamiliar mail servers (postfix, exim, etc.) to accomplish the desired redirection.

EDITED: I have a Linux machine which is my gateway router and firewall.

I have crafted a single iptables NAT rule to attempt having ALL outgoing mail be redirected from port 25 over to port 587.

EXTERNAL=xx.xx.xx.xxx
..
iptables -t nat -A OUTPUT -o $EXTERNAL -p tcp --dport 25 -j REDIRECT --to-port 587

The iptables rules are loaded without any apparent errors reported (in /var/log/messages) so I was expecting it to accomplish the task as desired.

This rule does NOT have any effect on mail going out, however. Maybe the order of rules is such that all mail is being ACCEPTed before this new rule is encountered?

How can I ensure that this rule is seen/processed BEFORE any ACCEPT rules?

Is this NAT OUTPUT rule the correct way to do this sort of thing? Or should I be using either a DNAT or POSTROUTING rule?

Last edited by thumbelina; 05-30-2010 at 02:10 AM.
 
Old 05-30-2010, 02:58 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 248
If it's outgoing mail then they will be connecting to mail servers not under your control, so unless you can guarantee that they will accept mail on port 587 you are wasting your time.
 
Old 05-30-2010, 11:03 AM   #3
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
Is this a commercial internet package with static IP? If so I would call up the ISP and find out why they are blocking outbound traffic, and request they unblock. If they refuse and you do run mail servers find another ISP.

Have you confirmed that they are actually blocking outbound traffic on port 25? Doing that could potentially block even regular mail clients from being able to send mail.
 
Old 05-30-2010, 12:19 PM   #4
thumbelina
LQ Newbie
 
Registered: Oct 2006
Location: USA
Distribution: CentOS,Mint,openSuSE,Ubuntu,FBSD
Posts: 12

Original Poster
Rep: Reputation: 5
Re: how-to redirect outgoing mail from port 25 to port 587

Quote:
Originally Posted by ComputerErik
Is this a commercial internet package with static IP? If so I would call up the ISP and find out why they are blocking outbound traffic, and request they unblock. If they refuse and you do run mail servers find another ISP.

Have you confirmed that they are actually blocking outbound traffic on port 25? Doing that could potentially block even regular mail clients from being able to send mail.

Yes, they are blocking port 25 BOTH WAYS.. in and out.

I have called the ISP, Coxxxxx and spoken to tech support, carefully explained the problem. As soon as the L-word (Linux) was uttered, the T/S drone said, "well I'm sorry but we don't support Linux.. yadda, yadda". (I know from prior experience, that they "teach" their people to say that; never mind helping the customer) I don't need Linux support from them. I simply want them to unblock incoming-port-25. They can leave their block on outbound-port-25 if they think that helps their SPAM problems.

I escalated to their T/S manager, and patiently explained to him why blocking port-30 inbound was useless as a control of SPAM coming FROM their customers. That still didn't get thru.. "I'm sorry sir, but we cannot do that.."

I scanned their mail gateway server: it only has ports 465 (SMTPS) and port 587 (Submission) as open, listening. So, I have already configured the iptables ruleset on the firewall to accept any NEW, incoming traffic to port 587 with a rule to ACCEPT input and another rule to DNAT the PREROUTING traffic to the appropriate mail server box.

So, back to my original question:

Does anyone know how to formulate an iptables rule to REDIRECT all outgoing port-25 traffic over to port 587 outbound??

I need this to have a blanket method of correctly routing any/all outgoing mail controlled by the firewall rules; not by tweaking the configurations at every mail client.

I will need such for whoever my ISP is or will be in the future.

Thank you.
 
Old 05-30-2010, 01:55 PM   #5
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
Quote:
Originally Posted by thumbelina
I will need such for whoever my ISP is or will be in the future.

Thank you.
Why? I manage more than a dozen different mail servers (mix of Linux and Windows) and no real ISP with the proper plan has ever done any port filtering. I would just make life easy and take the steps needed to switch to an ISP that won't filter traffic on a business connection.

Are you running a mail server locally, or trying to use a mail client to connect to the ISP mail server? Even if you do succeed in having your server listen on a different port, incoming mail will always be on 25, and thus get blocked before hitting your iptables rule to move to a different port. For outbound, as already mentioned, if you just switch to using 587 no other mail server would be accepting mail on that port. Anyone you would want to exchange mail with would need to have a server set up that accepts mail on 587, and I doubt that will happen.
 
Old 05-31-2010, 04:23 AM   #6
thumbelina
LQ Newbie
 
Registered: Oct 2006
Location: USA
Distribution: CentOS,Mint,openSuSE,Ubuntu,FBSD
Posts: 12

Original Poster
Rep: Reputation: 5
Quote:
Originally Posted by ComputerErik
Why? I manage more than a dozen different mail servers (mix of Linux and Windows) and no real ISP with the proper plan has ever done any port filtering. I would just make life easy and take the steps needed to switch to an ISP that won't filter traffic on a business connection.

Are you running a mail server locally, or trying to use a mail client to connect to the ISP mail server? Even if you do succeed in having your server listen on a different port, incoming mail will always be on 25, and thus get blocked before hitting your iptables rule to move to a different port. For outbound, as already mentioned, if you just switch to using 587 no other mail server would be accepting mail on that port. Anyone you would want to exchange mail with would need to have a server set up that accepts mail on 587, and I doubt that will happen.

Hi Erik.. thanks for your thoughts..

Yes, I run a sendmail server with SMART_HOST to the ISP's gateway. So outgoing from my server will be handled properly by that gateway IF.. I adjust the config to send to port 587 and use TLS Auth. I can do that part.

But, upon more reflection, I see your point.. Yes, you are correct: the SMART_HOST at my ISP will know what to do with my outgoing mail sent to 587; but any other host who was sent-to from a mis-configured client mailer, and thus bypassing SMART_HOST, will indeed drop that mail on the floor.

And, I cannot control incoming mail arriving on 25, no matter what I try. That will all get dumped.

Maybe some mail-management services like No-IP.com's are another way to go.

thank you
 
Old 05-31-2010, 08:33 AM   #7
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
What I have done for my personal email (which I run off a server at home on a cable connection that doesn't allow SMTP) is utilize an outsource service from where I bought the domain. So basically my MX point to them, and I can use them as an outbound relay after authentication. For inbound I just use POP to download every few minutes so there is never really any mail sitting on that server.

The other option as I mentioned is to switch ISPs to one that will actually allow you to do what you want. What is the point of having a static IP if they block you from running a server? I don't know what else you do or how long you have been with them, but I have had other problems with them (regular outages and having IP ranges with such a bad reputation that access to websites was being blocked).
 
Old 05-31-2010, 09:06 AM   #8
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 248
Quote:
Originally Posted by ComputerErik
So basically my MX point to them, and I can use them as an outbound relay after authentication.
That is pointless if outbound port 25 has to go through Comcast's servers. It will not work. I had a Comcast connection some years ago, and with roughly 15 domains, each with its own mail server, I was basically up sh*t creek. I cancelled Comcast within a week. You would be better off using gmail for domains, at least they catch all the spam.
 
Old 06-01-2010, 05:27 AM   #9
linuxgurusa
Member
 
Registered: Mar 2008
Location: Namibia, Swakopmund
Distribution: Redhat, Fedora
Posts: 127

Rep: Reputation: 27
iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination 100.200.1.1:587

??
 
Old 06-01-2010, 05:34 AM   #10
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,504

Rep: Reputation: 884
Do you have a dynamic or static IP?
If dynamic, most, if not all, mail servers will refuse your mail.
 
Old 06-01-2010, 07:17 AM   #11
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
Quote:
Originally Posted by smoker
That is pointless if outbound port 25 has to go through Comcast's servers. It will not work. I had a Comcast connection some years ago, and with roughly 15 domains, each with its own mail server, I was basically up sh*t creek. I cancelled Comcast within a week. You would be better off using gmail for domains, at least they catch all the spam.
It isn't pointless if you use the ISP as a relay, and use whatever port they have set up for mail. Also many domain hosts have an alternate SMTP port set up for just this situation, so you could use that as well.

Ultimately though I agree: if you want or need to run a mail server, and Comcast won't let you, then the best option is to tell them they can keep the subpar service, and sign up with someone who will let you work.
 
Old 02-01-2012, 06:31 AM   #12
rouvas
Member
 
Registered: Aug 2006
Location: Greece
Distribution: Slackware.12.2
Posts: 83
Blog Entries: 2

Rep: Reputation: 6
thx linuxgurusa for a much needed quick answer
 
Old 03-19-2012, 08:26 AM   #13
Pac
LQ Newbie
 
Registered: Mar 2012
Posts: 1

Rep: Reputation: Disabled
Reroute your port 25 with this:

iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25

If all is ok, do this:
/etc/init.d/iptables save

This works for CentOS / Red Hat.

Last edited by Pac; 03-19-2012 at 08:31 AM.
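Added example for this thread, not code posted by any participant: a POSIX shell script that puts the rules from posts #1, #9 and #13 into the chains where they actually match, covering both directions at once (outbound 25 to the ISP smart host's 587, inbound 587 to the internal MTA's 25). The interface names eth0/eth1, the smart-host address (192.0.2.25, an RFC 5737 documentation address) and the internal mail server address 192.168.1.10 are assumed placeholders. Two mechanics it encodes: the nat OUTPUT chain only sees packets the gateway itself generates, so a rule placed there (post #1) never touches mail forwarded from other LAN hosts, which traverse nat PREROUTING; and REDIRECT rewrites the destination to the gateway's own address, so `-j REDIRECT --to-port 587` would deliver the connection to the gateway on 587 rather than to the remote server, which is why post #9's DNAT to an explicit host:port is the right target for the outbound case.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# It emits (or, with APPLY=1, loads) the NAT rules for the two directions
# discussed: outbound port 25 -> the ISP smart host on 587 (posts #1 and #9)
# and inbound connections on 587 -> the internal MTA's port 25 (posts #4, #13).
# All four values below are ASSUMED placeholders; 192.0.2.25 is an RFC 5737
# documentation address standing in for the ISP relay.
EXTERNAL="${EXTERNAL:-eth0}"              # interface toward the ISP
LAN="${LAN:-eth1}"                        # interface toward the LAN
SMARTHOST="${SMARTHOST:-192.0.2.25}"      # ISP relay that accepts submission on 587
MAILSERVER="${MAILSERVER:-192.168.1.10}"  # internal MTA listening on port 25

# Every rule passes through this wrapper: by default it only prints the
# command so the ruleset can be reviewed; APPLY=1 runs iptables for real.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

outbound_rules() {
    # Mail from other LAN hosts is FORWARDED by the gateway: it traverses
    # nat/PREROUTING and never nat/OUTPUT, so a rule that lives only in
    # OUTPUT (post #1) cannot touch it. DNAT to an explicit host:port is
    # used instead of REDIRECT, because REDIRECT rewrites the destination
    # to the gateway's own address rather than to the remote server.
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 25 \
        -j DNAT --to-destination "$SMARTHOST:587"
    # Mail generated on the gateway itself is the case nat/OUTPUT does cover.
    ipt -t nat -A OUTPUT -o "$EXTERNAL" -p tcp --dport 25 \
        -j DNAT --to-destination "$SMARTHOST:587"
    # The filter table sees the packet after DNAT, so allow the new port.
    # Replies rely on the usual ESTABLISHED,RELATED rule a gateway already has.
    ipt -A FORWARD -i "$LAN" -o "$EXTERNAL" -p tcp -d "$SMARTHOST" --dport 587 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Source NAT for the LAN; most gateways already carry an equivalent rule.
    ipt -t nat -A POSTROUTING -o "$EXTERNAL" -j MASQUERADE
}

inbound_rules() {
    # Remote senders that reach the alternate port are handed to the MTA's
    # port 25. Post #13's REDIRECT is only right when the MTA runs on the
    # gateway itself; for an MTA on another box, DNAT to that box instead.
    ipt -t nat -A PREROUTING -i "$EXTERNAL" -p tcp --dport 587 \
        -j DNAT --to-destination "$MAILSERVER:25"
    ipt -A FORWARD -i "$EXTERNAL" -o "$LAN" -p tcp -d "$MAILSERVER" --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Check after loading: a rule whose pkts counter stays at 0 while mail is
# being sent is in the wrong chain or bound to the wrong interface.
show_counters() {
    ipt -t nat -L PREROUTING -n -v --line-numbers
    ipt -t nat -L OUTPUT -n -v --line-numbers
}

outbound_rules
inbound_rules
if [ "${APPLY:-0}" = 1 ]; then show_counters; fi
```

Run it once without arguments to review the generated commands, then as root with `APPLY=1` to load them and print the counters. NAT rewrites only the TCP destination: a submission port normally expects STARTTLS and authentication that the sending MTA must supply itself, so this blanket rewrite only carries mail if the smart host relays unauthenticated connections from your address range, which is the limitation the later posts converge on.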
 