Jérôme Blion wrote:
> ...
>>> But I'm a bit confused: what should I do? DNAT or REDIRECT? on the mail
>>> server itself :-( or on the firewall :-) ?
>>>
>>>
>> You are going about this the wrong way. The "correct" way for them to
>> connect would be to use the submission port (587), which is defined as
>> the entry point for new mail into the SMTP system. Then you can have
>> your mail server listen on 587 and 25 and then you don't have to worry
>> about redirecting using shorewall.
>>
>> ...
> In mail clients, we just have to change 25 with 587 ??? It seems too easy !
> Else, you can try to activate SMTPS... (tcp/465)

My understanding of SMTP submission was that 587 was intended to be open normally only on the loopback interface (i.e. it's used for submitting mail from the local machine).

DNATing from port 25 outgoing to port 26 on a specific server seems like a reasonable thing to do (although possibly less secure than using a local mail relay and pushing SMTP traffic through a VPN link).

Jérôme, if you decide to do it this way, DNAT is what you will need, since REDIRECT only redirects to ports on the firewall itself.

-- 
Paul
<http://paul.gear.dyndns.org>
--
Did you know? Microsoft Internet Explorer and Outlook have a poor track record for security <http://www.kb.cert.org/vuls/id/713878>. Why not try one of the more secure alternatives from <http://mozilla.org>?
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
