* SMTP external
@ 2003-01-02 22:40 Simpson, Doug
  2003-01-02 23:31 ` Linux
  0 siblings, 1 reply; 7+ messages in thread
From: Simpson, Doug @ 2003-01-02 22:40 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

I do not really want to do it but I need to open my firewall to allow smtp
access from the internet.  
First is there a safe way to do it? (HA)
Second, what is the correct command to do this?
Thanks,
Doug


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: SMTP external
  2003-01-02 22:40 Simpson, Doug
@ 2003-01-02 23:31 ` Linux
  2003-01-02 23:44   ` Athan
  0 siblings, 1 reply; 7+ messages in thread
From: Linux @ 2003-01-02 23:31 UTC (permalink / raw)
  To: Simpson, Doug, netfilter

Before doing this, make sure you are not an open relay

Linux303

----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 3:40 PM
Subject: SMTP external


> I do not really want to do it but I need to open my firewall to allow smtp
> access from the internet.
> First is there a safe way to do it? (HA)
> Second, what is the correct command to do this?
> Thanks,
> Doug
>




* RE: SMTP external
@ 2003-01-02 23:34 Simpson, Doug
  2003-01-02 23:37 ` Linux
  0 siblings, 1 reply; 7+ messages in thread
From: Simpson, Doug @ 2003-01-02 23:34 UTC (permalink / raw)
  To: 'Linux', netfilter

Yes, thank you.  This is one thing I am trying to avoid but there are those
who want remote access via their pop3 clients, etc.

-----Original Message-----
From: Linux [mailto:linux@usermail.com]
Sent: Thursday, January 02, 2003 5:32 PM
To: Simpson, Doug; netfilter@lists.netfilter.org
Subject: Re: SMTP external


Before doing this, make sure you are not an open relay

Linux303

----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 3:40 PM
Subject: SMTP external


> I do not really want to do it but I need to open my firewall to allow smtp
> access from the internet.
> First is there a safe way to do it? (HA)
> Second, what is the correct command to do this?
> Thanks,
> Doug
>



* Re: SMTP external
  2003-01-02 23:34 SMTP external Simpson, Doug
@ 2003-01-02 23:37 ` Linux
  0 siblings, 0 replies; 7+ messages in thread
From: Linux @ 2003-01-02 23:37 UTC (permalink / raw)
  To: Simpson, Doug, netfilter

Do they only need pop3 or pop3 and smtp?  If they need both, you may want to
consider installing a web based email client for remote access.

Linux303
----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: "'Linux'" <linux@usermail.com>; <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 4:34 PM
Subject: RE: SMTP external


> Yes, thank you.  This is one thing I am trying to avoid but there are those
> who want remote access via their pop3 clients, etc.
>
> -----Original Message-----
> From: Linux [mailto:linux@usermail.com]
> Sent: Thursday, January 02, 2003 5:32 PM
> To: Simpson, Doug; netfilter@lists.netfilter.org
> Subject: Re: SMTP external
>
>
> Before doing this, make sure you are not an open relay
>
> Linux303
>
> ----- Original Message -----
> From: "Simpson, Doug" <dsimpson@friedmancorp.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, January 02, 2003 3:40 PM
> Subject: SMTP external
>
>
> > I do not really want to do it but I need to open my firewall to allow smtp
> > access from the internet.
> > First is there a safe way to do it? (HA)
> > Second, what is the correct command to do this?
> > Thanks,
> > Doug
> >
>




* Re: SMTP external
  2003-01-02 23:31 ` Linux
@ 2003-01-02 23:44   ` Athan
  2003-01-03  1:29     ` Joel Newkirk
  0 siblings, 1 reply; 7+ messages in thread
From: Athan @ 2003-01-02 23:44 UTC (permalink / raw)
  To: netfilter


On Thu, Jan 02, 2003 at 04:31:51PM -0700, Linux wrote:
> Before doing this, make sure you are not an open relay

   Of course to be SURE he's not an open relay he'll have to open the
port up to test it from !localhost/network ;).

	iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp
	--sport 25
	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p tcp
	--dport 25

Untested, off the top of my head, but should do the job.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
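Linux's "make sure you are not an open relay" and Athan's point that the only
real test is from outside the network come down to one short SMTP dialogue:
connect to port 25 from a foreign address, offer mail from an outside sender to
a domain the server does not host, and see whether RCPT TO is accepted. The
script below is an added example of mine, not something posted in this thread.
The probe domains and addresses (example.invalid, example.net), the use of
nc(1), the chain of replies it expects and the two canned server transcripts
are all my own assumptions; the transcripts are constructed so the judging
logic can be exercised with no network at all.

```shell
#!/bin/sh
# Open-relay probe (added example, not from the thread). Run it from OUTSIDE
# the network you are protecting; from inside, most MTAs relay by design.

# relay_verdict: the server side of one probe dialogue arrives on stdin.
# Replies are counted in order: 0 = banner, 1 = EHLO, 2 = MAIL FROM,
# 3 = RCPT TO. A reply may span several lines ("250-..."); its last line
# has a space as the 4th character ("250 ...").
relay_verdict() {
  reply=0
  rcpt_code=""
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    code=$(printf '%s' "$line" | cut -c1-3)
    sep=$(printf '%s' "$line" | cut -c4)
    [ "$sep" = "-" ] && continue          # continuation line of the same reply
    if [ "$reply" -eq 3 ]; then
      rcpt_code=$code                     # this is the answer to RCPT TO
      break
    fi
    reply=$((reply + 1))
  done
  case "$rcpt_code" in
    2??)     echo OPEN-RELAY ;;     # server accepted mail for a foreign domain
    4??|5??) echo RELAY-DENIED ;;   # e.g. "554 5.7.1 Relay access denied"
    *)       echo NO-ANSWER ;;      # closed or blocked before RCPT was answered
  esac
}

# smtp_relay_probe HOST [PORT]: send the probe with nc(1) (assumed present)
# and judge the replies. The commands go out in one burst; an MTA that
# punishes "early talkers" (commands before the banner) may drop the
# connection, which then shows up as NO-ANSWER rather than a verdict.
smtp_relay_probe() {
  host=$1
  port=${2:-25}
  printf 'EHLO probe.example.invalid\r\nMAIL FROM:<probe@example.invalid>\r\nRCPT TO:<relaytest@example.net>\r\nQUIT\r\n' \
    | nc -w 10 "$host" "$port" | relay_verdict
}

# Constructed transcripts (not captured from any real server) so the judge
# can be run offline.
SAMPLE_DENIED='220 mail.example.com ESMTP
250-mail.example.com
250 SIZE 10240000
250 2.1.0 Ok
554 5.7.1 Relay access denied'
SAMPLE_OPEN='220 relay.example.com ESMTP
250 relay.example.com
250 Ok
250 Ok
221 Bye'

demo_relay_verdict() {
  printf '%s\n' "$SAMPLE_DENIED" | relay_verdict   # RELAY-DENIED
  printf '%s\n' "$SAMPLE_OPEN" | relay_verdict     # OPEN-RELAY
}
```

A RELAY-DENIED verdict only says the server refused this one sender/recipient
pair; a thorough check also tries the usual bypass shapes (recipient written as
user%host@yourdomain, or source-routed @yourdomain:user@host), each judged the
same way.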



* Re: SMTP external
  2003-01-02 23:44   ` Athan
@ 2003-01-03  1:29     ` Joel Newkirk
  0 siblings, 0 replies; 7+ messages in thread
From: Joel Newkirk @ 2003-01-03  1:29 UTC (permalink / raw)
  To: Athan, netfilter

On Thursday 02 January 2003 06:44 pm, Athan wrote:

> 	iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp
> 	--sport 25
> 	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p tcp
> 	--dport 25
>
> Untested, off the top of my head, but should do the job.
>
> -Ath

Umm, it might help to have a target... adding "-j ACCEPT" perhaps?  :^) 
Also, since the intent is to let outside clients connect TO port 25, the 
INPUT rule should use --dport, while the OUTPUT should use --sport.  Of 
course, if a looser OUTPUT rule already exists (like EST/REL with no 
protocol specified) then the OUTPUT rule would be redundant anyway.  
(but would also be a sign that the firewall /could/ be tighter)

 If logging of 'all' access is desired, at least for a test period, I'd 
suggest logging ONLY state NEW connections in INPUT, to keep from being 
overwhelmed.  Unless something goes seriously wrong, or you have 
insecure rules elsewhere, you will still log each and every IP that 
tries to connect to port 25, but only once per attempt, instead of once 
for each packet in 3 MB worth of family Christmas pictures or such.  (and 
lord help your logfile if they send it to several family members 
individually... :^)  It'd probably be a good idea to log port 25 DROPs 
as well, so you can see if anyone has been poking around.

For individual IP control just redirect all NEW state dport 25 from INPUT 
to a custom chain that has an ACCEPT rule for each client IP, and a DROP 
at the end.  Obviously this would require either that every client has a 
static IP, or that you allow ranges of IP's which their dynamic IP is 
assigned from, and the latter isn't a good idea.  Since you're unlikely 
to be lucky enough that every client is (and would remain) on a static 
IP, this probably is pointless.

Finally, and probably most important, go to http://sendmail.net 
(presuming that's what you'd be running) and download and install latest 
releases, and read through and follow all their security instructions.  
Starting with version 8.10 (8.12 is current release) sendmail supports 
SMTP AUTH - use it.

j
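Joel's corrections to Athan's rules (a target, --dport on INPUT and --sport on
OUTPUT, logging only NEW connections, logging the drops, and a custom chain with
one ACCEPT per client IP) fit in one small generator. What follows is an added
example of mine, not rules posted by either of them. It prints the iptables
commands so they can be read before being piped to sh. The chain name SMTP_IN,
the log prefixes and the sample client addresses are my own choices, and it
assumes the MTA runs on the firewall host itself and that INPUT already ends in
a DROP policy or rule (otherwise the final LOG catches nothing).

```shell
#!/bin/sh
# Inbound-SMTP ruleset generator (added example, not from the thread).
# Review, then apply with:   smtp_rules "" | sh            (anyone may connect)
#                       or:   smtp_rules "203.0.113.10 198.51.100.0/24" | sh
# Set IPT to override the iptables binary, e.g. IPT="sudo iptables".

smtp_rules() {
  clients=$1                 # space-separated source IPs/CIDRs; "" = any source
  IPT=${IPT:-iptables}

  echo "$IPT -N SMTP_IN 2>/dev/null"
  echo "$IPT -F SMTP_IN"
  # Only NEW packets are steered into SMTP_IN, so this logs one line per
  # connection attempt rather than one per packet of a large message.
  echo "$IPT -A SMTP_IN -j LOG --log-prefix 'SMTP-NEW: ' --log-level info"
  if [ -n "$clients" ]; then
    # Static client addresses only: allowing a provider's whole dynamic
    # range would let every other customer of that provider in too.
    for c in $clients; do
      echo "$IPT -A SMTP_IN -s $c -j ACCEPT"
    done
    echo "$IPT -A SMTP_IN -j LOG --log-prefix 'SMTP-DROP: ' --log-level warning"
    echo "$IPT -A SMTP_IN -j DROP"
  else
    echo "$IPT -A SMTP_IN -j ACCEPT"
  fi

  # Outside clients connect TO our port 25, so INPUT matches --dport.
  # New connections are decided in SMTP_IN; packets belonging to a
  # connection that was already accepted pass without re-checking.
  echo "$IPT -A INPUT -p tcp --dport 25 -m state --state NEW -j SMTP_IN"
  echo "$IPT -A INPUT -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT"
  # Whatever reaches here on port 25 (e.g. conntrack INVALID) is about to
  # hit the default DROP; log it so scans are visible.
  echo "$IPT -A INPUT -p tcp --dport 25 -j LOG --log-prefix 'SMTP-DROP: ' --log-level warning"

  # Our replies leave FROM port 25, so OUTPUT matches --sport. Redundant if
  # a protocol-less ESTABLISHED,RELATED rule already exists, harmless otherwise.
  echo "$IPT -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT"
}
```

To watch the result during the test period, follow the kernel log and filter on
the prefixes: SMTP-NEW lines show every attempt (accepted ones included, once
per connection), SMTP-DROP lines show who was turned away.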





* RE: SMTP external
@ 2003-01-03 15:55 Simpson, Doug
  0 siblings, 0 replies; 7+ messages in thread
From: Simpson, Doug @ 2003-01-03 15:55 UTC (permalink / raw)
  To: 'Linux', netfilter

I thought about this but they already have a pop3 connection out on the
internet.  They just need to send their mail when they are remote.
Thanks

-----Original Message-----
From: Linux [mailto:linux@usermail.com]
Sent: Thursday, January 02, 2003 5:38 PM
To: Simpson, Doug; netfilter@lists.netfilter.org
Subject: Re: SMTP external


Do they only need pop3 or pop3 and smtp?  If they need both, you may want to
consider installing a web based email client for remote access.

Linux303
----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: "'Linux'" <linux@usermail.com>; <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 4:34 PM
Subject: RE: SMTP external


> Yes, thank you.  This is one thing I am trying to avoid but there are those
> who want remote access via their pop3 clients, etc.
>
> -----Original Message-----
> From: Linux [mailto:linux@usermail.com]
> Sent: Thursday, January 02, 2003 5:32 PM
> To: Simpson, Doug; netfilter@lists.netfilter.org
> Subject: Re: SMTP external
>
>
> Before doing this, make sure you are not an open relay
>
> Linux303
>
> ----- Original Message -----
> From: "Simpson, Doug" <dsimpson@friedmancorp.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, January 02, 2003 3:40 PM
> Subject: SMTP external
>
>
> > I do not really want to do it but I need to open my firewall to allow smtp
> > access from the internet.
> > First is there a safe way to do it? (HA)
> > Second, what is the correct command to do this?
> > Thanks,
> > Doug
> >
>


