Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
02-05-2004, 06:23 PM | #1 | LQ Newbie | Registered: Feb 2004 | Location: Israel | Distribution: Kubuntu | Posts: 7
closing a postfix open relay behind a NAT
I have 2 PCs on a LAN:
A - (192.168.0.1) Windows, ADSL to the Internet, WinGate NAT.
B - (192.168.0.4) Mandrake 9.2, Postfix.
My question in a nutshell: is there a way to configure Postfix so that
I can send mail from a client on the Windows machine to the Internet,
and at the same time not be an open relay?
Although I followed all the good advice I found in the documentation,
in various FAQs and in various posts, Postfix remains an open relay.
I think the problem lies in the LAN topology - from Postfix's standpoint,
all connections to port 25 arrive from 192.168.0.1, which is part of
$mynetworks, and there is no way to tell which connection originated
in the LAN and which originated from the Internet.
Allowing only $myhostname to send mail is too restrictive, because I
want to be able to send mail from a mail client running on the Windows
machine. Receiving mail can be restricted to the local machine only,
but I don't see how this can help me.
If I allow sending mail from machine A to the world, then anybody
on the Internet can send mail to anybody anywhere.
- Can I do what I want with just configuring Postfix?
- Is Qmail any better in solving this problem?
- Can I do it without changing the network topology (like moving the
ADSL connection from the Windows machine to the Linux one)?
Here is what an open relay test shows:
$ telnet relay-test.mail-abuse.org
Trying 168.61.4.13...
Connected to relay-test.mail-abuse.org (168.61.4.13).
Escape character is '^]'.
Connecting to xxx.xxx.xxx.xxx ...
<<< 220 xxxx.xxxxxx.xxxxxx.xxx ESMTP Postfix (2.0.13) (Mandrake Linux)
>>> HELO cygnus.mail-abuse.org
<<< 250 xxxx.xxxxxx.xxxxxx.xxx
:Relay test: #Quote test
>>> mail from: <spamtest@DSLxxx-xxx-xxx-xxx.xx.xxxx.xxx>
<<< 250 Ok
>>> rcpt to: <"nobody@mail-abuse.org">
<<< 250 Ok
>>> rset
<<< 250 Ok
:Relay test: #Test 1
>>> mail from: <nobody@mail-abuse.org>
<<< 250 Ok
>>> rcpt to: <nobody@mail-abuse.org>
<<< 250 Ok
>>> QUIT
<<< 221 Bye
Tested host banner: 220 xxxx.xxxxxx.xxxxxx.xxx ESMTP Postfix (2.0.13) (Mandrake Linux)
System appeared to accept 1 relay attempts
Connection closed by foreign host.
$
These are the log lines generated by the above test:
postfix/smtpd[30013]: connect from unknown[192.168.0.1]
postfix/smtpd[30013]: AC28A10C73: client=unknown[192.168.0.1]
postfix/smtpd[30013]: 8FFFA10C73: client=unknown[192.168.0.1]
postfix/smtpd[30013]: disconnect from unknown[192.168.0.1]
This is the Postfix configuration I had during that test:
$ postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq.postfix
masquerade_domains = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain
mynetworks = 192.168.0.0/24, 127.0.0.0/24
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
proxy_interfaces = 192.168.0.4
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
recipient_delimiter = +
relay_domains = $mynetworks
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrake Linux)
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject
unknown_local_recipient_reject_code = 450
$
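The trust problem the post describes, as an added example that is not part of the thread: a small Python checker that parses a `postconf -n` dump and flags the combination the poster is hitting (the NAT gateway's address falls inside $mynetworks, and smtpd_recipient_restrictions contains permit_mynetworks, so every Internet client the NAT forwards is trusted as a LAN host). The posted configuration is copied in as a constructed string and audited next to a constructed corrected version that drops the LAN from $mynetworks and admits the Windows mail client through SMTP AUTH instead (permit_sasl_authenticated, which needs a SASL backend and a client configured to authenticate; neither is shown). The function names, finding codes and both config strings are the example's own, not Postfix's.

```python
"""Audit a `postconf -n` dump for the NAT relay hole discussed in the post.

Added example, not from the thread or from Postfix. Only literal network/host
entries in mynetworks are evaluated; table and $variable entries are skipped.
"""
import ipaddress
import re


def parse_postconf(text):
    """Turn `postconf -n` output into a dict of parameter -> value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _as_list(value):
    """Postfix list values are comma and/or whitespace separated."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def _matching_network(networks, ip):
    """Return the mynetworks entry that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for entry in networks:
        literal = entry.replace("[", "").replace("]", "")  # [::1]/128 style
        try:
            if addr in ipaddress.ip_network(literal, strict=False):
                return entry
        except ValueError:
            continue  # hash:/..., $config_directory/..., $variables
    return None


def audit_relay_policy(conf, nat_gateway):
    """Return a list of (code, message) findings for the given config dict."""
    findings = []
    networks = _as_list(conf.get("mynetworks", ""))
    restrictions = _as_list(conf.get("smtpd_recipient_restrictions", ""))
    trusted_via = _matching_network(networks, nat_gateway)

    # Nothing ever rejects recipients in domains the server is not responsible for.
    if "reject_unauth_destination" not in restrictions and restrictions[-1:] != ["reject"]:
        findings.append(("NO_RELAY_CHECK",
                         "smtpd_recipient_restrictions never rejects foreign recipients"))
    # The situation from the post: the NAT box is trusted, so its forwarded clients are too.
    if trusted_via and "permit_mynetworks" in restrictions:
        findings.append(("NAT_IN_MYNETWORKS",
                         f"{nat_gateway} matches mynetworks entry {trusted_via}; "
                         "permit_mynetworks relays for every client the NAT forwards"))
    # The trade-off the post worries about: close the hole and the LAN client loses outbound mail.
    if trusted_via is None and "permit_sasl_authenticated" not in restrictions:
        findings.append(("NO_LAN_PATH",
                         "neither mynetworks nor SMTP AUTH lets the LAN client send outbound mail"))
    return findings


# Constructed copy of the relevant lines from the post's `postconf -n` dump.
POSTED_CONFIG = """
mynetworks = 192.168.0.0/24, 127.0.0.0/24
relay_domains = $mynetworks
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject
"""

# Constructed corrected version: trust only loopback, and let the Windows mail
# client relay by authenticating (requires a SASL backend, not shown here).
FIXED_CONFIG = """
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

NAT_GATEWAY = "192.168.0.1"  # the WinGate box from the post

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_relay_policy(parse_postconf(text), NAT_GATEWAY))
```

SMTP AUTH is the fix that works regardless of which ports the NAT forwards. If the WinGate box only forwards port 25, a second smtpd listener in master.cf on a port the NAT does not forward, with `-o smtpd_recipient_restrictions=permit_mynetworks,reject` as its override, is the no-authentication alternative: port 25 then keeps the strict policy and the Windows client talks to the other port.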
02-05-2004, 06:32 PM | #2 | Senior Member | Registered: Nov 2000 | Location: Seattle, WA USA | Distribution: Ubuntu @ Home, RHEL @ Work | Posts: 3,892
02-05-2004, 06:32 PM | #3 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
WinGate is a pretty sorry firewall/proxy from my experience, but anyway...
Seems like your main.cf doesn't have the original comments...
Code:
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
By the way, I would really not recommend testing your MTA with a tester from an RBL. That's a good way to end up on a blacklist that will be difficult to get off of. Test it by hand. All you need is a shell on an outside host. (Link: how to test open relay by hand.)
Last edited by chort; 02-05-2004 at 06:40 PM.
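Post #3 recommends testing by hand from a shell on an outside host rather than with an RBL's tester. As an added example that is not part of the thread, the probe below runs the same HELO / MAIL FROM / RCPT TO / RSET / QUIT exchange that the transcript in post #1 shows, with a sender and recipient both outside the tested server's domains: an open relay answers the RCPT TO with 250, a correctly configured Postfix with a 5xx ("Relay access denied"). check_host() runs it against a real server; FakeSmtpd is a constructed in-memory server so the exchange can be exercised offline with both policies from the thread. Hostnames, domains and the fake server are the example's own.

```python
"""Manual open-relay probe, in the spirit of "test it by hand".

Added example, not from the thread. The probe works over any pair of
send/recv callables so it can talk to a socket or to the constructed
in-memory server below.
"""
import socket


def _read_reply(recv):
    """Collect one (possibly multi-line) SMTP reply; return (code, text)."""
    lines = []
    while True:
        line = recv()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        # "250-STARTTLS" continues a reply, "250 OK" ends it.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), "\n".join(lines)


def relay_probe(send, recv, helo="tester.example",
                sender="nobody@example.org", rcpt="nobody@example.net"):
    """Return True if the server accepts RCPT TO:<rcpt> from an unauthenticated
    client. With sender and rcpt both outside the server's own domains, True
    means the server relays for anyone (constructed example domains above)."""
    code, text = _read_reply(recv)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {text}")
    for cmd in (f"HELO {helo}", f"MAIL FROM:<{sender}>"):
        send(cmd + "\r\n")
        code, text = _read_reply(recv)
        if code != 250:
            raise RuntimeError(f"{cmd!r} rejected: {text}")
    send(f"RCPT TO:<{rcpt}>\r\n")
    code, _ = _read_reply(recv)
    send("RSET\r\n")          # leave no half-built transaction behind
    _read_reply(recv)
    send("QUIT\r\n")
    _read_reply(recv)
    return code == 250


def check_host(host, port=25, timeout=10, **kw):
    """Probe a real server; run this from a host outside the LAN/NAT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace", newline="\n")
        return relay_probe(lambda data: sock.sendall(data.encode("ascii")),
                           reader.readline, **kw)


class FakeSmtpd:
    """Constructed in-memory SMTP server modelling the two policies from the
    thread: open_relay=True is "trust the NAT box" (permit_mynetworks matches
    every forwarded client); open_relay=False is reject_unauth_destination."""

    def __init__(self, my_domains, open_relay):
        self.my_domains = {d.lower() for d in my_domains}
        self.open_relay = open_relay
        self.out = ["220 mail.example.com ESMTP Postfix\r\n"]

    def recv(self):
        return self.out.pop(0) if self.out else ""

    def send(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO", "MAIL", "RSET"):
            self.out.append("250 Ok\r\n")
        elif verb == "RCPT":
            domain = arg.split("@")[-1].rstrip(">").lower()
            if self.open_relay or domain in self.my_domains:
                self.out.append("250 Ok\r\n")
            else:
                self.out.append(f"554 {arg.partition(':')[2]}: Relay access denied\r\n")
        elif verb == "QUIT":
            self.out.append("221 Bye\r\n")
        else:
            self.out.append("502 Error: command not recognized\r\n")


if __name__ == "__main__":
    for policy in (True, False):
        srv = FakeSmtpd({"example.com"}, open_relay=policy)
        print("open_relay" if policy else "closed", "->",
              "RELAYS" if relay_probe(srv.send, srv.recv) else "denied")
```

The probe only checks the single relay case from the transcript (foreign sender to foreign recipient). It does not try the other tricks relay testers use (source-routed addresses, percent hacks, quoted local parts), and it should be run from outside the NAT, since from inside the LAN the connection arrives from a trusted address and tells you nothing about what the Internet sees.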