Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: MSmith on August 24, 2015, 05:31:43 AM

Title: Modify iptables or qmail to accept traffic only from filtering service
Post by: MSmith on August 24, 2015, 05:31:43 AM
I would appreciate some guidance in setting SME Server to only accept incoming *external* SMTP traffic on a list of specific ports, please.
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: stephdl on August 24, 2015, 07:57:28 AM
Indeed, after a quick search it is not well documented... senior devs and power admins are welcome here. After that it should be written in the wiki.
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: mmccarn on August 24, 2015, 12:40:07 PM
I've tested & verified the commands below on SME 8.1; they should also work on SME 9:

Code:
config setprop smtpd AllowHosts a.b.c.d,x.y.z.0/24
signal-event remoteaccess-update

Note that the firewall rules for inbound smtp are controlled by the pre-SME 7 service 'smtpd' rather than 'qpsmtpd' which actually services the traffic.

The value following 'AllowHosts' is split at the comma and converted into multiple rules, one for each comma-separated value. Running the above command changes the default rule in /etc/rc.d/init.d/masq from this:

Quote
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 25 \
        --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT

to this:
Quote
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 25 \
        --destination $OUTERNET --src a.b.c.d --jump ACCEPT
    /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 25 \
        --destination $OUTERNET --src x.y.z.0/24 --jump ACCEPT


Restore the default setting by deleting the AllowHosts property:

Code:
config delprop smtpd AllowHosts
signal-event remoteaccess-update
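An added shell example (not from the thread and not SME Server's own template code) that mirrors the expansion mmccarn describes: it splits an AllowHosts value at the commas, checks that each entry looks like an IPv4 address or CIDR block, and prints the rule the masq template would generate for it, so the result can be previewed before signal-event rewrites the firewall. The function names and the addresses used below are constructed for illustration.

```shell
#!/bin/sh
# Added example: preview how smtpd AllowHosts expands into iptables rules.
# Names (valid_entry, expand_allowhosts) and addresses are constructed here;
# this is not the SME Server template itself.

# Return 0 if the entry is dotted IPv4 or IPv4/prefix, 1 otherwise.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print one ACCEPT rule per comma-separated entry, as the template does.
# Usage: expand_allowhosts "a.b.c.d,x.y.z.0/24" [outernet-address]
# Malformed entries are reported on stderr and make the function return 1,
# so a typo is caught before it reaches /etc/rc.d/init.d/masq.
expand_allowhosts() {
    allow="$1"
    outernet="${2:-\$OUTERNET}"   # keep the template variable if no address given
    rc=0
    old_ifs="$IFS"
    IFS=','
    for src in $allow; do
        if valid_entry "$src"; then
            printf '/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 25 --destination %s --src %s --jump ACCEPT\n' \
                "$outernet" "$src"
        else
            printf 'invalid AllowHosts entry: %s\n' "$src" >&2
            rc=1
        fi
    done
    IFS="$old_ifs"
    return $rc
}

# Example run with constructed (documentation-range) addresses:
expand_allowhosts "203.0.113.5,198.51.100.0/24" 192.0.2.1
```

After applying the real setting, compare the output against `iptables -L -n -v` on the server to confirm that only the listed sources can reach port 25 and that the original 0.0.0.0/0 rule is gone.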
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: CharlieBrady on August 24, 2015, 02:56:21 PM
Note also that qmail doesn't accept any network traffic. The service which operates as an SMTP listener is qpsmtpd.
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: Xavier.A on August 24, 2015, 03:28:53 PM
Quote
I would appreciate some guidance in setting SME Server to only accept incoming *external* SMTP traffic on a list of specific ports, please.


MSmith :

maybe you could test something like this (http://wiki.contribs.org/PortRedirect) and verify your iptables rules :
Code:
iptables -A PREROUTING -t nat -p tcp -m multiport --dports 1025,2025 -j REDIRECT --to-port 25
iptables -t nat -vnL | grep -E \(25\|1025\|2025\)
if it works, you have to make it permanent with a templates-custom or with a script to add iptables rules after the boot.

it seems that :
Code:
config setprop smtpd TCPPorts 25,2525
signal-event email-update
signal-event remoteaccess-update
doesn't work... ;-)

or you could try to use a firewall in front of your SME, it can help you to forward your specific ports to the port 25 of your SME!

A+
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: CharlieBrady on August 24, 2015, 03:44:39 PM
Quote
I would appreciate some guidance in setting SME Server to only accept incoming *external* SMTP traffic on a list of specific ports, please.

I guess you are asking as a followup to your post here:

http://forums.contribs.org/index.php/topic,51895.0.html

It already accepts traffic on port 25. You can have it accept SMTP traffic on additional ports by use of the portforwarding panel. Portforward port 5252 to port 25 on localhost.

If you really need to ignore port 25, you can do:

  config setprop smtpd TCPPort 5252

but then you might have issues with your LAN clients trying to use port 25.
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: Xavier.A on August 24, 2015, 04:40:16 PM
MSmith :

If you don't know the difference between DNAT and REDIRECT targets, you should use the CharlieBrady solution. It's more in the SMEserver Spirit.

DNAT and REDIRECT targets are not equivalent, and they will not work the same way in every situation but in your case they will do the job ;-)

A+
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: MSmith on August 24, 2015, 04:43:20 PM
Quote
I've tested & verified the commands below on SME 8.1; they should also work on SME 9:

Code:
config setprop smtpd AllowHosts a.b.c.d,x.y.z.0/24
signal-event remoteaccess-update

Thanks for this, it appears to be working splendidly.
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: MSmith on August 26, 2015, 12:30:51 AM
Just to follow up on this, mmccarn's commands worked perfectly and, paired with the incredibly cheap SpamHero service, have cut my junk email problem down to almost nothing.
Title: Re: Modify iptables or qmail to accept traffic only from filtering service
Post by: MSmith on August 26, 2015, 12:32:00 AM
Quote
I guess you are asking as a followup to your post here:

http://forums.contribs.org/index.php/topic,51895.0.html

It already accepts traffic on port 25. You can have it accept SMTP traffic on additional ports by use of the portforwarding panel. Portforward port 5252 to port 25 on localhost.

If you really need to ignore port 25, you can do:

  config setprop smtpd TCPPort 5252

but then you might have issues with your LAN clients trying to use port 25.

Thanks for that. I went with mmccarn's AllowHosts solution and it's working beautifully with SpamHero.