I have a CentOS server and I want to only accept mail for the local users from 3 mail servers, but I still want the users to be able to send emails through this server. If I firewall the SMTP port to my 3 mail servers, is there any way users will be able to still send via the main POP server? (currently using Sendmail's SMTP-Auth)
Thanks
Denis
Hello-
If you firewall smtp to only accept connections from your 3 internal hosts, you won't get any inbound email from outside since external hosts can't reach the smtp server. Outbound mail will work ok from that server or the 3 firewall allowed internal hosts.
POP is for retrieving email from the server.
If your goal is to have the CentOS box serve as a mail gateway for inbound & outbound email, you'd use /etc/mail/access to control how sendmail handles connections from hosts. In that file you'd give your 3 internal hosts permission to relay mail through that server.
On 1/14/07, Denis Croombs denis@croombs.org wrote:
I have a CentOS server and I want to only accept mail for the local users from 3 mail servers, but I still want the users to be able to send emails through this server. If I firewall the SMTP port to my 3 mail servers, is there any way users will be able to still send via the main POP server? (currently using Sendmail's SMTP-Auth)
Thanks
Denis
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
________________________________
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Don Knott
Sent: Sunday, January 14, 2007 8:09 AM
To: CentOS mailing list
Subject: Re: [CentOS] Firewalling SMTP
On 1/14/07, Denis Croombs denis@croombs.org wrote:
I have a CentOS server and I want to only accept mail for the local users from 3 mail servers, but I still want the users to be able to send emails through this server. If I firewall the SMTP port to my 3 mail servers, is there any way users will be able to still send via the main POP server? (currently using Sendmail's SMTP-Auth)
Thanks
Denis
I would set up SMTP-Auth and have sendmail ALSO listen on port 587 for users to relay their mail. An external mail server would not attempt to deliver mail to a port other than 25. I'd use iptables to drop all connections to port 25 except for the 3 external hosts you want... problem solved.
Mike
Denis Croombs wrote:
I have a CentOS server and I want to only accept mail for the local users from 3 mail servers, but I still want the users to be able to send emails through this server. If I firewall the SMTP port to my 3 mail servers, is there any way users will be able to still send via the main POP server? (currently using Sendmail's SMTP-Auth)
Sending mail is not a standard POP feature, and it's not what sendmail uses.
Your choices for limiting access to sendmail include:
1. Limiting the addresses it listens to. You don't want it listening to public IP addresses.
2. Using /etc/hosts.{allow,deny} to control what addresses sendmail accepts connexions from.
3. Using an external firewall to control who can connect to your mail server. This is appropriate, for example, when you use ADSL and have a "hardware" router manage your internet connexion. You can also choose to use a PC in this role (I do it with an HP Vectra Pentium II running Debian and Shorewall).
4. Using netfilter on your mail server as above. See www.netfilter.org and "man iptables."
5. Sendmail (probably) has its own additional means of controlling who can connect: I use Postfix, and for certain and sure Postfix has.
Note that smtp-auth controls (effectively) people, without regard for where they actually are on the Internet. If I know an account name and password for your system, I can use your servers from here in Western Australia unless you use one of the options above.
None of the options above has any implications for people sending email through your mail service provided that they are physically attached to some place you've authorised as above.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John Summerfield
Sent: Sunday, January 14, 2007 5:21 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewalling SMTP
Denis Croombs wrote:
I have a CentOS server and I want to only accept mail for the local users from 3 mail servers, but I still want the users to be able to send emails through this server. If I firewall the SMTP port to my 3 mail servers, is there any way users will be able to still send via the main POP server? (currently using Sendmail's SMTP-Auth)
Sending mail is not a standard POP feature, and it's not what sendmail uses.
Your choices for limiting access to sendmail include:
1. Limiting the addresses it listens to. You don't want it listening to public IP addresses.
2. Using /etc/hosts.{allow,deny} to control what addresses sendmail accepts connexions from.
3. Using an external firewall to control who can connect to your mail server. This is appropriate, for example, when you use ADSL and have a "hardware" router manage your internet connexion. You can also choose to use a PC in this role (I do it with an HP Vectra Pentium II running Debian and Shorewall).
4. Using netfilter on your mail server as above. See www.netfilter.org and "man iptables."
5. Sendmail (probably) has its own additional means of controlling who can connect: I use Postfix, and for certain and sure Postfix has.
Note that smtp-auth controls (effectively) people, without regard for where they actually are on the Internet. If I know an account name and password for your system, I can use your servers from here in Western Australia unless you use one of the options above.
None of the options above has any implications for people sending email through your mail service provided that they are physically attached to some place you've authorised as above.
If you have interfaces on the public Internet, then by all means firewall them. If you need to allow SMTP traffic over those public interfaces, then allow port 25 from any host to localhost and use sendmail's access controls (/etc/mail/access) to determine who can send mail locally, relay mail, etc. It's easier to control SMTP access within the SMTP application than through a firewall, which handles traffic at a lower level.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
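To make the /etc/mail/access suggestion from Don and Ross concrete, here is an added Python model (not sendmail's code) of the order in which sendmail consults Connect: and To: entries; it is simplified to tagged entries, dotted-octet prefixes (no CIDR) and an assumed fixed set of local domains, and all addresses in the map are constructed.

```python
# Added example, not sendmail's code: models the order in which sendmail
# consults /etc/mail/access (tagged entries only, dotted-octet prefixes, no CIDR).
LOCAL_DOMAINS = {"example.org"}   # assumed local-delivery domains
# constructed sample map; the three non-loopback RELAY hosts stand in for the trusted servers
ACCESS_MAP = """\
Connect:127.0.0.1      RELAY
Connect:192.168.10.5   RELAY
Connect:192.168.10.6   RELAY
Connect:203.0.113.40   RELAY
Connect:198.51.100     REJECT   # matches the whole 198.51.100.* range
To:partner.example     RELAY    # relay to this domain and its subdomains
"""
def parse_access(text):
    """Return {lower-cased key: value}; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            entries[key.lower()] = value.strip().upper()
    return entries

def ip_chain(ip):
    # 192.168.10.5 -> 192.168.10.5, 192.168.10, 192.168, 192 (most specific first)
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def rcpt_chain(addr):
    # u@a.b.c -> u@a.b.c, a.b.c, b.c, c (an entry covers its subdomains)
    user, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    return ([addr] if user else []) + [".".join(labels[i:]) for i in range(len(labels))]

def lookup(entries, tag, keys):
    return next((entries[k] for k in (f"{tag}:{x}".lower() for x in keys) if k in entries), None)

def decide(entries, client_ip, rcpt):
    """Policy for one RCPT TO from client_ip, as an SMTP-style reply."""
    conn = lookup(entries, "Connect", ip_chain(client_ip))
    if conn == "REJECT":
        return "550 connection rejected"
    if rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS:
        return "250 accept: local delivery"
    if conn == "RELAY":
        return "250 accept: relay for trusted client"
    if lookup(entries, "To", rcpt_chain(rcpt)) == "RELAY":
        return "250 accept: relay to permitted domain"
    return "550 relaying denied"

ENTRIES = parse_access(ACCESS_MAP)
```

The last four branches are the point of the thread: an untrusted client can still deliver to local users, while relaying is granted only by the client's address or an explicit To: entry, never by what the client claims about itself.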
Ross S. W. Walker wrote:
If you have interfaces on the public Internet, then by all means firewall them. If you need to allow SMTP traffic over those public interfaces, then allow port 25 from any host to localhost and use
No machine except yourself can talk to _your_ localhost because (almost) everyone has their own localhost interface, and any attempt to talk to localhost on another machine will fail, even if you set up your own to do without localhost, because everyone's routing tables won't send the traffic anywhere useful.
If you don't mean the interface (lo on linux) with ip address 127.0.0.1 (and hostname localhost), then don't use the name localhost.
sendmail's access controls (/etc/mail/access) to determine who can send mail locally, relay mail, etc. It's easier to control SMTP access within the SMTP application than through a firewall, which handles traffic at a lower level.
Years ago when I used sendmail, I found myself perpetually confused about the sendmail access rules (and mail in general) and could never get rules that worked. Possibly, part of the problem then was I'd not learned to not trust any information provided by those trying to send mail to me. For example:
I've just had a mishap with my mail service: I ran out of disk space and caused lots of mail errors. Some of the mail I couldn't accept came from hosts that introduced themselves:
ehlo friend
or
ehlo mail.home.intern
Obviously lies, so I tightened my postfix rules to reject incomplete hostnames (friend) and unknown hosts (mail.home.intern).
When I was fiddling with sendmail's access rules, I was looking at blocking email addresses, "from" domains, subjects & such. Absolutely useless, of course, on my small scale.
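The two HELO checks John describes, as an added Python model that is not Postfix's own code: the first mirrors Postfix's reject_non_fqdn_helo_hostname and the second reject_unknown_helo_hostname, with KNOWN_HOSTS as a constructed stand-in for DNS so the example runs offline.

```python
import re

# Added example, not Postfix's code: the HELO/EHLO hostname checks John applied,
# modelled on reject_non_fqdn_helo_hostname and reject_unknown_helo_hostname.
KNOWN_HOSTS = {"mx1.example.net": "203.0.113.10"}   # constructed resolver data

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")   # one valid DNS label

def is_fqdn(name):
    """At least two valid DNS labels and a non-numeric top-level label."""
    labels = name.rstrip(".").split(".")
    return (len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)
            and not labels[-1].isdigit())

def is_address_literal(name):
    """An RFC 5321 address literal such as [203.0.113.10] needs no DNS name."""
    m = re.fullmatch(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", name)
    return bool(m) and all(int(o) <= 255 for o in m.group(1).split("."))

def resolve(name):
    """Stand-in for an A/AAAA lookup; returns None for unknown hosts."""
    return KNOWN_HOSTS.get(name.lower().rstrip("."))

def helo_policy(helo, resolve=resolve):
    """Return 'OK' or the SMTP reply Postfix would give for a rejected HELO."""
    if is_address_literal(helo):
        return "OK"
    if not is_fqdn(helo):                  # e.g. 'friend'
        return f"504 5.5.2 <{helo}>: Helo command rejected: need fully-qualified hostname"
    if resolve(helo) is None:              # e.g. 'mail.home.intern'
        return f"450 4.7.1 <{helo}>: Helo command rejected: Host not found"
    return "OK"
```

The unknown-host check also turns away legitimate senders whose HELO name has no DNS record, so it is worth running it under Postfix's warn_if_reject for a while and reading the logs before enforcing it.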
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John Summerfield
Sent: Sunday, January 14, 2007 7:19 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewalling SMTP
Ross S. W. Walker wrote:
If you have interfaces on the public Internet, then by all means firewall them. If you need to allow SMTP traffic over those public interfaces, then allow port 25 from any host to localhost and use
Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the local IP for that interface. I just didn't feel like typing the local IP for that interface, so yes, I am guilty of laziness. I always say loopback when I refer to 127.0.0.1, as localhost is really just some name somebody made up a while ago so there'd be an entry in hosts.
No machine except yourself can talk to _your_ localhost because (almost) everyone has their own localhost interface, and any attempt to talk to localhost on another machine will fail, even if you set up your own to do without localhost, because everyone's routing tables won't send the traffic anywhere useful.
If you don't mean the interface (lo on linux) with ip address 127.0.0.1 (and hostname localhost), then don't use the name localhost.
sendmail's access controls (/etc/mail/access) to determine who can send mail locally, relay mail, etc. It's easier to control SMTP access within the SMTP application than through a firewall, which handles traffic at a lower level.
Years ago when I used sendmail, I found myself perpetually confused about the sendmail access rules (and mail in general) and could never get rules that worked. Possibly, part of the problem then was I'd not learned to not trust any information provided by those trying to send mail to me. For example:
I've just had a mishap with my mail service: I ran out of disk space and caused lots of mail errors. Some of the mail I couldn't accept came from hosts that introduced themselves:
ehlo friend
or
ehlo mail.home.intern
Obviously lies, so I tightened my postfix rules to reject incomplete hostnames (friend) and unknown hosts (mail.home.intern).
When I was fiddling with sendmail's access rules, I was looking at blocking email addresses, "from" domains, subjects & such. Absolutely useless, of course, on my small scale.
Of course IP addresses are the preferred method to securely identify a host or block of hosts. Hostnames are always forged these days.
-Ross
Sending mail is not a standard POP feature, and it's not what sendmail uses.
Your choices for limiting access to sendmail include:
1. Limiting the addresses it listens to. You don't want it listening to public IP addresses.
2. Using /etc/hosts.{allow,deny} to control what addresses sendmail accepts connexions from.
3. Using an external firewall to control who can connect to your mail server. This is appropriate, for example, when you use ADSL and have a "hardware" router manage your internet connexion. You can also choose to use a PC in this role (I do it with an HP Vectra Pentium II running Debian and Shorewall).
4. Using netfilter on your mail server as above. See www.netfilter.org and "man iptables."
5. Sendmail (probably) has its own additional means of controlling who can connect: I use Postfix, and for certain and sure Postfix has.
I'd like to add another idea to the list. You can use DRAC (Dynamic Relay Authorization Control) to dynamically update your SMTP relay rules. We used to use this at one of my previous employers. Your users must make a POP or IMAP email check, and then DRAC will dynamically add a rule to your relay access filters for them.
http://mail.cc.umanitoba.ca/drac/
-Shawn
Hi Shawn
Thanks that looks like the perfect solution, I will give it a try.
Regards
Denis