On 11/24/2010 11:16 AM, Scott Race wrote:
> Thanks for the reply.
>
> So it sounds like my iptables rule:
>
> iptables -A INPUT -p tcp --dport 25 -j REJECT
>
> also blocks outbound mail. Is there a preferred way to secure Mailman
> SMTP traffic with iptables? In our case, we would just need an inbound
> filter that only accepts mail from a few hosts. I thought this would do it,
> but Mailman wouldn't send mail with rules like this:
>
> # accept mail from two hosts, drop the rest
> iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j REJECT
I can't really answer that without knowing much more detail about your Mailman/Barracuda/Postfix configuration, but by default, Mailman delivers output (all list posts and other messages FROM Mailman) via SMTP to the MTA listening on localhost port 25 (127.0.0.1:25). If you reject packets addressed to port 25, Mailman won't be able to deliver anything. Every message in the out/ queue will result in a connection refused upon attempted delivery and will be logged in Mailman's smtp-failure log and put in the retry/ queue to be retried at intervals of DELIVERY_RETRY_WAIT (default 1 hour) for a total time of DELIVERY_RETRY_PERIOD (default 5 days).

Accepting port 25 connects from 192.168.1.245 and 192.168.1.246 probably won't help at all with Mailman's outgoing delivery, as those connects come from localhost (127.0.0.1).

As far as delivery of mail to Mailman is concerned, this mail is queued by Postfix in Mailman's queues, so it gets to the Barracuda appliance somehow, which then delivers it to Postfix on some port other than 25, and Postfix either pipes it to Mailman's mail wrapper based on aliases or perhaps via some script like postfix_to_mailman.py, depending on how Postfix is configured, and Mailman's mail wrapper queues the message for Mailman.

If you want to secure all SMTP traffic, I suggest you set up a separate SMTP listener in Postfix on some unused port and tell Mailman to deliver to that port by setting SMTPPORT in mm_cfg.py. Then you can block port 25 with iptables or just configure Postfix to not listen on port 25 at all.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
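The point Mark makes is that Scott's ruleset rejects Mailman's own connections to 127.0.0.1:25 because no rule accepts loopback before the catch-all REJECT. The script below is an added example, not code from the thread or from the Mailman project; it builds the INPUT rules so that loopback is accepted first, then the two relay hosts from the question (the only addresses assumed here), then everything else is rejected, and it includes a small first-match simulation so the ordering can be checked without root. It prints the commands by default (DRY_RUN=1); set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables INPUT rules for port 25 that
# keep Mailman's delivery to the MTA on 127.0.0.1:25 working while only
# accepting inbound SMTP from two relay hosts.
set -eu

# DRY_RUN=1 prints the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

# Relay hosts allowed to reach port 25, taken from the question (assumed).
RELAYS="192.168.1.245 192.168.1.246"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rules in first-match order: loopback, then relays, then REJECT.
smtp_rules() {
    # Mailman connects from 127.0.0.1, so loopback must precede the REJECT.
    ipt -A INPUT -i lo -p tcp --dport 25 -j ACCEPT
    for h in $RELAYS; do
        ipt -A INPUT -p tcp -s "$h" --dport 25 -j ACCEPT
    done
    # Reject with a TCP RST so senders fail fast instead of timing out.
    ipt -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Simulate the chain: what verdict does a connection to port 25 from $1 get?
smtp_verdict() {
    src="$1"
    if [ "$src" = 127.0.0.1 ]; then
        echo ACCEPT
        return 0
    fi
    for h in $RELAYS; do
        if [ "$src" = "$h" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo REJECT
}

smtp_rules
```

The alternative Mark suggests avoids the loopback rule entirely: set `SMTPPORT` in mm_cfg.py to an unused port and give Postfix a second listener there. Assuming a stock Postfix master.cf, a line such as `127.0.0.1:2525 inet n - n - - smtpd` (port 2525 is an arbitrary choice here) bound to loopback only is one way to do that, after which port 25 can be rejected outright or simply not listened on.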