Exim and SMTP on an internet gateway

2002-11-01 Thread David Knudsen
I've been reading some docs and googled for answers, but still need help
setting up exim (or another MTA, suggestions?) on our internet gateway.

SHORT VERSION
I want exim to accept inbound SMTP for our domain from the internet, and
forward it to our internal mail server.

I want exim to accept outgoing SMTP from our domain, and forward it to the
ISP smarthost.

Later I want to plug anti-virus and anti-spam tools into exim, to prevent
unwanted emails from being sent or received.  That is a question for another
day, though.


TECHNICAL DETAILS
We have a simple local network, in the 10.0.0.0/24 address range that is
standard for Microsoft Small Business Server networks.

The server (server2.ourdomain.no) at 10.0.0.2 is running MS Exchange, which
is our main mailserver.

The gateway (gator.ourdomain.no, running Debian/stable) at 10.0.0.1 is
running iptables and masquerading, as well as some proxies.  The second NIC
has a permanent, public IP and is connected to the DSL-router that provides
our internet connection.

All outgoing mail is sent via the smarthost provided by our ISP.


It seems easy enough to make exim accept all mail for ourdomain and forward
outgoing mail to the ISP smarthost.  However, local delivery of mail to
ourdomain is not what I need ... I want _that_ mail forwarded 10.0.0.2.

Surely, this must be a common situation?  Could someone please help me
configure exim to do this, or point me at the right docs.  Unfortunately,
the docs at www.exim.org didn't mention this scenario.  I'm sure that I
could do this if I fully understood the exim docs, but alas - I have not
fully digested them yet.

Thanks a lot,
David Knudsen

-- 
David Knudsen, aka Dansken on #vgaplanets/EFnet
 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Exim and SMTP on an internet gateway

2002-11-01 Thread Mark Lamers
<snip>
> It seems easy enough to make exim accept all mail for ourdomain and forward
> outgoing mail to the ISP smarthost.  However, local delivery of mail to
> ourdomain is not what I need ... I want _that_ mail forwarded 10.0.0.2.

$path_iptables -t nat -A PREROUTING -p tcp -d $ext_ip --dport 25 -j DNAT \
    --to $masq_machine_ip:25

will forward all mail to your masked exchangeserv if it listens on
port 

This is firewall based and doesn't need an eximserver on your firewall

greetings Mark






Re: Exim and SMTP on an internet gateway

2002-11-01 Thread David Knudsen
On  1 Nov 2002, Mark Lamers wrote:
> <snip>
> > It seems easy enough to make exim accept all mail for ourdomain and forward
> > outgoing mail to the ISP smarthost.  However, local delivery of mail to
> > ourdomain is not what I need ... I want _that_ mail forwarded 10.0.0.2.
>
> $path_iptables -t nat -A PREROUTING -p tcp -d $ext_ip --dport 25 -j DNAT
> --to $masq_machine_ip:25
>
> will forward all mail to your masked exchangeserv if it listens on
> port 
>
> This is firewall based and doesn't need an eximserver on your firewall

Thank you for your very swift reply.

Actually, I _want_ exim on the firewall to handle the mail forwarding ...
later I'll plug anti-virus and anti-spam tools into exim, so unwanted mails
don't reach the exchange server.

Best regards,
David Knudsen

-- 
David Knudsen, aka Dansken on #vgaplanets/EFnet
 






Re: Exim and SMTP on an internet gateway

2002-11-01 Thread simon martin
Hi David,

If you want to carry on using MS Exchange as your MTA, why not just
use port forwarding?

Friday, November 1, 2002, 6:03:08 AM, [EMAIL PROTECTED] wrote:

DK> I've been reading some docs and googled for answers, but still need help
DK> setting up exim (or another MTA, suggestions?) on our internet gateway.

DK> SHORT VERSION
DK> I want exim to accept inbound SMTP for our domain from the internet, and
DK> forward it to our internal mail server.

DK> I want exim to accept outgoing SMTP from our domain, and forward it to the
DK> ISP smarthost.

DK> Later I want to plug anti-virus and anti-spam tools into exim, to prevent
DK> unwanted emails from being sent or received.  That is a question for another
DK> day, though.


DK> TECHNICAL DETAILS
DK> We have a simple local network, in the 10.0.0.0/24 address range that is
DK> standard for Microsoft Small Business Server networks.

DK> The server (server2.ourdomain.no) at 10.0.0.2 is running MS Exchange, which
DK> is our main mailserver.

DK> The gateway (gator.ourdomain.no, running Debian/stable) at 10.0.0.1 is
DK> running iptables and masquerading, as well as some proxies.  The second NIC
DK> has a permanent, public IP and is connected to the DSL-router that provides
DK> our internet connection.

DK> All outgoing mail is sent via the smarthost provided by our ISP.


DK> It seems easy enough to make exim accept all mail for ourdomain and forward
DK> outgoing mail to the ISP smarthost.  However, local delivery of mail to
DK> ourdomain is not what I need ... I want _that_ mail forwarded 10.0.0.2.

DK> Surely, this must be a common situation?  Could someone please help me
DK> configure exim to do this, or point me at the right docs.  Unfortunately,
DK> the docs at www.exim.org didn't mention this scenario.  I'm sure that I
DK> could do this if I fully understood the exim docs, but alas - I have not
DK> fully digested them yet.

DK> Thanks a lot,
DK> David Knudsen

DK> -- 
DK> David Knudsen, aka Dansken on #vgaplanets/EFnet



--
Simon Martin
Project Manager
Milliways
Debian GNU User
mailto: [EMAIL PROTECTED]
ICQ: 81183862
OpenPGP Public Key: mailto:smartin;milliways.cl?subject=public_key

During the voyage of life, remember to keep an eye out for a fair wind; batten
down during a storm; hail all passing ships; and fly your colors proudly.
Sig by Kookie Jar 6.1.7 (http://go.to/generalfrenetics/)






Re: Exim and SMTP on an internet gateway

2002-11-01 Thread Tim Sailer
On Fri, Nov 01, 2002 at 10:03:08AM +0100, David Knudsen wrote:
> I've been reading some docs and googled for answers, but still need help
> setting up exim (or another MTA, suggestions?) on our internet gateway.
>
> SHORT VERSION
> I want exim to accept inbound SMTP for our domain from the internet, and
> forward it to our internal mail server.
>
> I want exim to accept outgoing SMTP from our domain, and forward it to the
> ISP smarthost.
>
> Later I want to plug anti-virus and anti-spam tools into exim, to prevent
> unwanted emails from being sent or received.  That is a question for another
> day, though.
>
>
> TECHNICAL DETAILS
> We have a simple local network, in the 10.0.0.0/24 address range that is
> standard for Microsoft Small Business Server networks.
>
> The server (server2.ourdomain.no) at 10.0.0.2 is running MS Exchange, which
> is our main mailserver.
>
> The gateway (gator.ourdomain.no, running Debian/stable) at 10.0.0.1 is
> running iptables and masquerading, as well as some proxies.  The second NIC
> has a permanent, public IP and is connected to the DSL-router that provides
> our internet connection.
>
> All outgoing mail is sent via the smarthost provided by our ISP.
>
>
> It seems easy enough to make exim accept all mail for ourdomain and forward
> outgoing mail to the ISP smarthost.  However, local delivery of mail to
> ourdomain is not what I need ... I want _that_ mail forwarded 10.0.0.2.
>
> Surely, this must be a common situation?  Could someone please help me
> configure exim to do this, or point me at the right docs.  Unfortunately,
> the docs at www.exim.org didn't mention this scenario.  I'm sure that I
> could do this if I fully understood the exim docs, but alas - I have not
> fully digested them yet.

I have done this many places, and am doing exactly this here at BNL.
The machine smtpgw.bnl.gov is publicly advertised as a 'wildcard' MX 
host for all BNL machines, meaning, all mail gets delivered to this
machine, when inbound to our facility. However, none of those machines
or subdomains are listed in the local_domains line in exim.conf. So,
this machine will take delivery as the MX host, look at each email,
say, nope, this isn't mine and try to deliver to the real machine.
Now, we have a split-dns setup, so the hosts/IPs seen outside our 
firewall don't actually point to the real machines in most cases,
and the SMTP gateway uses our internal DNS, so knows how to deliver
mail properly. Without split DNS, you can do this with creative use
of /etc/hosts (I think) but DNS/MX would do the job for you.

Tim

-- 
Tim Sailer [EMAIL PROTECTED] 
Application Services
Information Technology Division
Brookhaven National Laboratory  (631) 344-3001






Re: Exim and SMTP on an internet gateway

2002-11-01 Thread Volker Tanger
Greetings!

Tim Sailer wrote:

> Now, we have a split-dns setup, so the hosts/IPs seen outside our
> firewall don't actually point to the real machines in most cases,
> and the SMTP gateway uses our internal DNS, so knows how to deliver
> mail properly. Without split DNS, you can do this with creative use
> of /etc/hosts (I think) but DNS/MX would do the job for you.


WARNING! If you go that way without further bastioning, you will create 
an open relay - and thus be blackholed faster than you could imagine.
Make sure, that mail ONLY is accepted if it (exclusively) either
	1.) comes from LAN and goes out
	2.) comes from outside and goes to LAN

Usually MTAs look at MX records for mail delivery, so you won't be able 
to use /etc/hosts for fudging - that file only can do A/PTR entries 
(DNS-wise speaking).

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon +49 30 6104-3307
fax +49 30 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/






Re: Exim and SMTP on an internet gateway

2002-11-01 Thread Stephen Gran
This one time, at band camp, David Knudsen said:
> On  1 Nov 2002, Mark Lamers wrote:
> > <snip>
> > > It seems easy enough to make exim accept all mail for ourdomain
> > > and forward outgoing mail to the ISP smarthost.  However, local
> > > delivery of mail to ourdomain is not what I need ... I want _that_
> > > mail forwarded 10.0.0.2.
> >
> > $path_iptables -t nat -A PREROUTING -p tcp -d $ext_ip --dport 25 -j
> > DNAT --to $masq_machine_ip:25
> >
> > will forward all mail to your masked exchangeserv if it listens on
> > port 
> >
> > This is firewall based and doesn't need an eximserver on your
> > firewall
>
> Thank you for your very swift reply.
>
> Actually, I _want_ exim on the firewall to handle the mail forwarding
> ...  later I'll plug anti-virus and anti-spam tools into exim, so
> unwanted mails don't reach the exchange server.

The domainlist router seems to be what you're looking for - let me look
it up . . .  http://www.exim.org/exim-html-3.30/doc/html/spec.html and
look for #28.  Note that since 10.0.0.2 will fail MX lookups, you'll
want to specify this route as 10.0.0.2 byname in that section, rather 
than bydns_a.

So it would look something like:
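######################################################################
#                      ROUTERS CONFIGURATION                         #
#            Specifies how remote addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#  A remote address is passed to each in turn until it is accepted.  #
######################################################################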

# Remote addresses are those with a domain that does not match any item
# in the local_domains setting above.

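# Send mail for our own domain to the internal Exchange server.
# (Router names must be unique, so this one cannot also be "smarthost".)

to_exchange:
  driver = domainlist
  transport = remote_smtp
  route_list = .our_domain.org 10.0.0.2 byname

# Send all other mail to a smarthost

smarthost:
  driver = domainlist
  transport = remote_smtp
  route_list = * mail.myisp.net bydns_a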

end

Not tested, etc., but this looks to be a starting point for you.

Of course, you'll have to set up rules for what mail is accepted for who
and so forth, as right now you accept all mail for anywhere to anywhere,
and make yourself an open relay.  That's not too hard, though - again
exim.org's FAQ section and documentation is your friend.

HTH,
Steve
-- 
pediddel:
A car with only one working headlight.
-- Sniglets, Rich Hall  Friends
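
The relay restrictions that Volker Tanger and Stephen Gran both say are still needed, as an added example that is not part of any post in this thread: Exim 3 main-section settings to sit alongside the two domainlist routers. The domain ourdomain.no and the 10.0.0.0/24 LAN are taken from David's description; everything else is an assumption to adapt to your site.

```conf
# Added example (not from the thread): main configuration section,
# Exim 3 syntax. Values below are assumptions based on David's description.

# Weak setting, shown only for contrast -- do not use:
#   host_accept_relay = *
# That lets any host on the internet relay to any domain through the
# gateway, which is the open relay the thread warns about.

# Keep ourdomain.no OUT of local_domains. A domain listed here is
# delivered locally on the gateway; one that is not listed is handed to
# the routers, which is what forwards it to 10.0.0.2.
local_domains = localhost

# Volker's rule 2: mail that comes from outside and goes to the LAN.
# Any host may send to these domains; the gateway relays them inward.
relay_domains = ourdomain.no

# Volker's rule 1: mail that comes from the LAN and goes out.
# Only these hosts may send to arbitrary remote domains
# (which the catch-all router passes to the ISP smarthost).
host_accept_relay = 127.0.0.1 : 10.0.0.0/24
```

To check the result without delivering anything, `exim -bh 192.0.2.1` runs a fake SMTP session as if from that outside address; a RCPT TO for a foreign domain should be refused, while one for ourdomain.no should be accepted.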





Re: Exim and SMTP on an internet gateway

2002-11-01 Thread Jens Grivolla
Stephen Gran [EMAIL PROTECTED] writes:

> Note that since 10.0.0.2 will fail MX lookups, you'll
> want to specify this route as 10.0.0.2 byname in that section, rather 
> than bydns_a.

AFAIR bydns_a uses DNS to look up the corresponding A record, not MX,
so it is almost the same as byname in most cases (when you specify the
host name).

However, you are absolutely correct that in order to use the IP
address directly, byname needs to be used.

Ciao,
   Jens


