I have 3 IP addresses assigned to my Internet interface. Off course two of them are virtual. So let say I have 212.1.1.1 which is originaly asigned to firewall for IPSec/VPN, then 212.1.1.2 that is a new one publishing an WEB server using a DNAT rule and 212.1.1.3 which is where my MX record points to. The problem is that I activate the SMTP proxy instead publishing with DNAT rule so the port 25 looks open for the three IP addresses. Off course another SMTP server will enter only using the 212.1.1.3 since the DNS is pointing that as MX record... but a hacker could try to mess with the other two IP addresses.
How can I assign the SMTP proxy to the 212.1.1.3 only????
I thought making some DNAT rules to no place but looks quite dirty solution to me . Any idea?
I've seen this also and would like to know how to get around it. I just put in a seperate spam solution on the Internet side of our firewall. I've changed our MX record to point to the new box and removed the Astaro's IP from the MX in DNS. The spam box gets the traffic and then forwards the good mail to the Astaro box. Here is the problem, even several weeks after this change I am still seeing connections from the public, Spammers, straight to the Astaro box. So, the spammers must be caching our DNS entry for a very long time or they have our IP staticly defined??? maybe? Anyway, I would like to change the IP that the spam box sends to, to one of the other IPs already defined, but in this case that will not do any good because it accepts mail on all the IPs.
If there is not an easy way to change this, I guess it would be a feature request.
It is not due to the caching of DNS... the spammers does port 25 scanning on IP addresses. While testing my email solution I use the real IP before setting the MX record and I was surprised with spammers going into the IP directly.
So maybe the reason is a mix of two.
Anyway I understand your problem... and YES... it's basically like my problem.
Thanks for the info Jim. One other question. Using those same commands, can I change the port to something other than port 25? Or will that traffic not get handed to the SMTP Relay correctly if that is done?
I believe you could use a DNAT rule to translate the incoming port 8025 (for example) traffic to port 25. But why? Other mail servers won't be able to send you mail. If you're only receiving mail from other specific sources and want to go through the bother of reconfiguring them as well, I suppose it's possible.
Yea, I only want to receive mail from one specific IP. And now that I'm looking over the the fix you posted above in more detail, I see that I should be able to put the single IP I want to receive traffic from right into that same rule. That should work perfectly.
You could create this script as smtphack in the /etc/init.d directory and put a virtual link in the rc3.d directory called something like S99hack and have it point to the smtphack script.
Upon startup it will execute smtphack after S95selfmonng link. Give this a try. If the SMTP proxy isn't fully started when the smtphack script is run. It won't work properly. But give it a shot.
[ QUOTE ] The activation of the SMTP proxy opens port 25 for ANY incoming traffic. You can use a small hack to fix this. at the console, login as root.
make sure you use the "back tic" not single quote aournd the iptables -L command line.
[/ QUOTE ]
Not sure if this is a flaw, or I just did not enter it quite right, but when I made this change, I could no longer send mail. Incoming worked, but it appears to have blocked ALL SMTP connections except the one external address, including the internal one. Restarted ASL and all was well.
All seems to be working ok as my external email address was the first external address I put into ASL, and that seems to be the first one the SMTP Proxy uses to send. I added a second external address after setting up the ASL and the SMTP proxy.
. Any idea?
