Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: v8star on March 16, 2016, 02:22:12 PM
-
Hi everybody,
I have to restrict the inbound smtp connection to a single source ip (an antispam appliance in another network). My customer does not have a firewall (sigh), only a router from their ISP that does not have a firewall: it can only PAT ports. I don't want to have tcp:25 exposed to the entire internet. ATM I have played with iptables with the following commands:
config setprop smtpd AllowHosts 123.123.123.123,456.456.456.456/32 DenyHosts 0.0.0.0/0
signal-event remoteaccess-update
-A InboundTCP -j InboundTCP_24020
-A InboundTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A InboundTCP_24020 ! -d 192.168.1.150/32 -j denylog
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 993 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j denylog
-A InboundTCP_24020 -s 123.123.123.123/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -s 456.456.456.456/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 465 -j ACCEPT
Chain SMTPProxy (1 references)
target prot opt source destination
denylog tcp -- anywhere anywhere tcp dpt:smtp
Due to unavailability of smtp from external hosts (only from the local net), I deleted the rule in bold with:
iptables -D InboundTCP_24020 6
Now it's working, but I know at the next reconfiguration I will lose this ruleset.
I need help to create a valid custom template
Thanks in advance
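The chain listed above, replayed with iptables first-match semantics, as an added example (not from the thread or from SME Server): it shows why the port-25 denylog rule at position 6 is hit before the per-source ACCEPT rules below it, and what changes once that rule is deleted. The server and appliance addresses and the rule order are copied from the post; 198.51.100.7 is a constructed "unknown internet host".

```shell
#!/bin/sh
SERVER_IP=192.168.1.150      # the SME server's address, as in the posted rules

# Constructed copy of the InboundTCP_24020 chain exactly as posted (iptables -S format).
# Line 6 is the port-25 denylog rule the poster removed with "iptables -D InboundTCP_24020 6".
RULES_AS_POSTED='-A InboundTCP_24020 ! -d 192.168.1.150/32 -j denylog
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 993 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j denylog
-A InboundTCP_24020 -s 123.123.123.123/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -s 456.456.456.456/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 465 -j ACCEPT'

# The same chain after deleting rule 6 by hand, as the poster did.
RULES_AFTER_DELETE=$(printf '%s\n' "$RULES_AS_POSTED" | sed '6d')

# first_match RULES SRC DPORT: walk the chain top to bottom for a TCP packet from SRC to
# $SERVER_IP:DPORT and print the target of the first matching rule, or RETURN when no rule
# matches (control then falls back to InboundTCP, whose next rule denylogs every new SYN).
# Only -s, -d (optionally negated with "!") and --dport are evaluated; /32 suffixes are stripped.
first_match() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$SERVER_IP" -v dport="$3" '
    {
      neg = 0; ok = 1; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "!") { neg = 1; continue }
        if ($i == "-s" || $i == "-d") {
          want = ($i == "-s") ? src : dst
          v = $(++i); sub(/\/32$/, "", v)
          if ((v == want) == neg) ok = 0      # a negated match is a miss, and vice versa
          neg = 0
        } else if ($i == "--dport") {
          if (($(++i) == dport) == neg) ok = 0
          neg = 0
        } else if ($i == "-j") {
          target = $(++i)
        }
      }
      if (ok && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print "RETURN" }'
}

# Stand-alone report: the appliance versus an unrelated host, before and after the deletion.
for host in 123.123.123.123 198.51.100.7; do
  printf '%-16s as posted: %-8s after delete: %s\n' "$host" \
    "$(first_match "$RULES_AS_POSTED" "$host" 25)" "$(first_match "$RULES_AFTER_DELETE" "$host" 25)"
done
```

As posted, the appliance's SYN to port 25 reaches the denylog rule first; after the deletion it is accepted while an unknown host falls off the end of the chain and is denylogged by InboundTCP, which is the behaviour a custom template needs to reproduce persistently.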
-
I have just reconfigured the server for updates; the iptables configuration still exists, including the bold one (that limits smtp completely).
How can I reset the DenyHosts entry?
-
You'd wonder, just in case, using the DenyHosts/AllowHosts props, whether they were not in place anymore :-D
-
v8star
https://wiki.contribs.org/Template_Tutorial
-
I would recommend that you configure smtpd for access=>private, and then configure the appliance to connect via smtps.
-
I would recommend that you configure smtpd for access=>private, and then configure the appliance to connect via smtps.
with smtps i will need auth?
-
yes, sure
-
yes, sure
so, in this case it is not applicable because I can't pass any credentials to my appliance, as every appliance does
-
do you mean that the AV/AS appliance doesn't support such a configuration?
-
yep: many antispam appliances I've tried can't auth to the mail server by design. Relay must be open like from the internal net: you can change only the port.
In this situation in MsExchange (or hmail) I can define accepted source ip addresses for tcp:25 and for anonymous.
(http://www.msexchange.org/img/upl/image0051250768737238.jpg)
(http://exchangeserverpro.com/wp-content/uploads/2011/04/exchange-2010-resolve-anonymous-email-02.png)
the best solution is a firewall in the customer network, but in Italy IT security is not an investment, but a silly cost :x
-
with smtps i will need auth?
Not for email messages which have a destination domain on your SME server. Auth is only required before relaying messages.