> Using E2B with Extended Scripts, I have an email server sitting in a
> private address DMZ (172.20.x.x) with two internal networks
> (192.168.x.y). Connections from the internal network to an SMTP server
> in the DMZ are masqueraded so they look like connections from the
> firewall address on the 172.20. network. The SMTP server is also port
> forwarded from the outside world for mail delivery etc.
>
> In trying to lock down the server against being an unsecured relay,
> Postfix offers a few options for clients wishing to send email. One is
> to only allow clients from given networks or domains to send, another to
> only allow sending to a limited range of domains. :-(
>
> As far as I can see, all traffic to the server (from internal or
> external hosts) appears to come from the 172.20. network so I can't
> use this to discriminate against external senders (networks or domains).
> Restricting the destination domains is likewise not an option.
>
> Short of SMTP authorisation, what is the best/normal way to tackle this
> either on the firewall or email server?
First, you need to get a clearer picture of how everything works. Your mail logs may be helpful here, if your server logs the IP of the connecting machine.

If your internal systems use the private IP of the mail server, the connection will be masqueraded, and the mail server will see the DMZ IP of the firewall (172.20.x.x).

If your internal systems use the public IP of the mail server, the connection will be port-forwarded (NOT masqueraded), and the mail server will see the private IP of the internal machine (192.168.x.y).

I suggest configuring your internal systems to use the public IP of your mail server, rather than its private IP, and that you use the domain name of your mail server, rather than the IP address, if you've got DNS set up.

ALL connections from the outside world will be port-forwarded and the mail server will see their real IP. Just because the firewall is port-forwarding the traffic doesn't mean the mail server sees the firewall as the source of that traffic. The functionality I think you're associating with port-forwarding is actually that of a proxy server.

Anyway, all this means that you can easily implement IP-based relaying rules in your mail server. Simply allow traffic from 192.168.x.y (internal net) and 172.20.x.x (DMZ network), and don't relay from any other IPs.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
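As an added illustration of the two points in the reply (check the mail log to see which client IP the server actually observes, then relay only for the internal and DMZ ranges), the script below is not from the thread or from Postfix; it parses Postfix-style "connect from host[ip]" log lines (the sample lines are constructed) and applies a mynetworks-style allow list using the 192.168.0.0/16 and 172.20.0.0/16 ranges assumed from the question. If every connection shows the firewall's 172.20 address, the internal clients are still being masqueraded rather than port-forwarded.

```python
import ipaddress
import re

# Networks allowed to relay, in the spirit of Postfix's mynetworks
# setting (ranges assumed from the thread: 192.168.x.y internal,
# 172.20.x.x DMZ). Anything outside them is treated as external.
MYNETWORKS = {
    "internal": ipaddress.ip_network("192.168.0.0/16"),
    "dmz": ipaddress.ip_network("172.20.0.0/16"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
}

# Postfix smtpd logs each connection as "connect from host[ip]".
# These lines are constructed samples, not taken from a real server.
SAMPLE_LOG = """\
Jun  3 10:12:01 mail postfix/smtpd[1234]: connect from unknown[172.20.0.1]
Jun  3 10:12:05 mail postfix/smtpd[1234]: connect from pc7.example.lan[192.168.1.7]
Jun  3 10:12:09 mail postfix/smtpd[1235]: connect from unknown[198.51.100.23]
Jun  3 10:12:15 mail postfix/smtpd[1236]: client=unknown[203.0.113.5]
"""

CONNECT_RE = re.compile(r"connect from \S+\[([0-9a-fA-F.:]+)\]")

def classify(ip_text):
    """Return the name of the network the client IP falls in, or 'external'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in MYNETWORKS.items():
        if ip in net:
            return name
    return "external"

def may_relay(ip_text):
    """Mirror permit_mynetworks followed by reject_unauth_destination:
    only clients inside MYNETWORKS may relay to arbitrary destinations."""
    return classify(ip_text) != "external"

def audit_log(text):
    """Parse 'connect from' lines and report what the server actually sees."""
    results = []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue  # not a connection line (e.g. a later "client=" entry)
        ip = m.group(1)
        results.append((ip, classify(ip), may_relay(ip)))
    return results

if __name__ == "__main__":
    for ip, net, relay in audit_log(SAMPLE_LOG):
        print(f"{ip:16} {net:9} relay={'yes' if relay else 'no'}")
```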
