* RE: SMTP external
@ 2003-01-02 23:34 Simpson, Doug
2003-01-02 23:37 ` Linux
0 siblings, 1 reply; 7+ messages in thread
From: Simpson, Doug @ 2003-01-02 23:34 UTC (permalink / raw)
To: 'Linux', netfilter
Yes, thank you. This is one thing I am trying to avoid but there are those
who want remote access via their pop3 clients, etc.
-----Original Message-----
From: Linux [mailto:linux@usermail.com]
Sent: Thursday, January 02, 2003 5:32 PM
To: Simpson, Doug; netfilter@lists.netfilter.org
Subject: Re: SMTP external
Before doing this, make sure you are not an open relay
Linux303
----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 3:40 PM
Subject: SMTP external
> I do not really want to do it but I need to open my firewall to allow smtp
> access from the internet.
> First is there a safe way to do it? (HA)
> Second, what is the correct command to do this?
> Thanks,
> Doug
>
* Re: SMTP external
2003-01-02 23:34 SMTP external Simpson, Doug
@ 2003-01-02 23:37 ` Linux
0 siblings, 0 replies; 7+ messages in thread
From: Linux @ 2003-01-02 23:37 UTC (permalink / raw)
To: Simpson, Doug, netfilter
Do they only need pop3 or pop3 and smtp? If they need both, you may want to
consider installing a web based email client for remote access.
Linux303
----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: "'Linux'" <linux@usermail.com>; <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 4:34 PM
Subject: RE: SMTP external
> Yes, thank you. This is one thing I am trying to avoid but there are those
> who want remote access via their pop3 clients, etc.
>
> -----Original Message-----
> From: Linux [mailto:linux@usermail.com]
> Sent: Thursday, January 02, 2003 5:32 PM
> To: Simpson, Doug; netfilter@lists.netfilter.org
> Subject: Re: SMTP external
>
>
> Before doing this, make sure you are not an open relay
>
> Linux303
>
> ----- Original Message -----
> From: "Simpson, Doug" <dsimpson@friedmancorp.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, January 02, 2003 3:40 PM
> Subject: SMTP external
>
>
> > I do not really want to do it but I need to open my firewall to allow smtp
> > access from the internet.
> > First is there a safe way to do it? (HA)
> > Second, what is the correct command to do this?
> > Thanks,
> > Doug
> >
>
* RE: SMTP external
@ 2003-01-03 15:55 Simpson, Doug
0 siblings, 0 replies; 7+ messages in thread
From: Simpson, Doug @ 2003-01-03 15:55 UTC (permalink / raw)
To: 'Linux', netfilter
I thought about this but they already have a pop3 connection out on the
internet. They just need to send their mail when they are remote.
Thanks
-----Original Message-----
From: Linux [mailto:linux@usermail.com]
Sent: Thursday, January 02, 2003 5:38 PM
To: Simpson, Doug; netfilter@lists.netfilter.org
Subject: Re: SMTP external
Do they only need pop3 or pop3 and smtp? If they need both, you may want to
consider installing a web based email client for remote access.
Linux303
----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: "'Linux'" <linux@usermail.com>; <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 4:34 PM
Subject: RE: SMTP external
> Yes, thank you. This is one thing I am trying to avoid but there are those
> who want remote access via their pop3 clients, etc.
>
> -----Original Message-----
> From: Linux [mailto:linux@usermail.com]
> Sent: Thursday, January 02, 2003 5:32 PM
> To: Simpson, Doug; netfilter@lists.netfilter.org
> Subject: Re: SMTP external
>
>
> Before doing this, make sure you are not an open relay
>
> Linux303
>
> ----- Original Message -----
> From: "Simpson, Doug" <dsimpson@friedmancorp.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Thursday, January 02, 2003 3:40 PM
> Subject: SMTP external
>
>
> > I do not really want to do it but I need to open my firewall to allow smtp
> > access from the internet.
> > First is there a safe way to do it? (HA)
> > Second, what is the correct command to do this?
> > Thanks,
> > Doug
> >
>
* SMTP external
@ 2003-01-02 22:40 Simpson, Doug
2003-01-02 23:31 ` Linux
0 siblings, 1 reply; 7+ messages in thread
From: Simpson, Doug @ 2003-01-02 22:40 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
I do not really want to do it but I need to open my firewall to allow smtp
access from the internet.
First is there a safe way to do it? (HA)
Second, what is the correct command to do this?
Thanks,
Doug
* Re: SMTP external
2003-01-02 22:40 Simpson, Doug
@ 2003-01-02 23:31 ` Linux
2003-01-02 23:44 ` Athan
0 siblings, 1 reply; 7+ messages in thread
From: Linux @ 2003-01-02 23:31 UTC (permalink / raw)
To: Simpson, Doug, netfilter
Before doing this, make sure you are not an open relay
Linux303
----- Original Message -----
From: "Simpson, Doug" <dsimpson@friedmancorp.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 3:40 PM
Subject: SMTP external
> I do not really want to do it but I need to open my firewall to allow smtp
> access from the internet.
> First is there a safe way to do it? (HA)
> Second, what is the correct command to do this?
> Thanks,
> Doug
>
* Re: SMTP external
2003-01-02 23:31 ` Linux
@ 2003-01-02 23:44 ` Athan
2003-01-03 1:29 ` Joel Newkirk
0 siblings, 1 reply; 7+ messages in thread
From: Athan @ 2003-01-02 23:44 UTC (permalink / raw)
To: netfilter
On Thu, Jan 02, 2003 at 04:31:51PM -0700, Linux wrote:
> Before doing this, make sure you are not an open relay
Of course to be SURE he's not an open relay he'll have to open the
port up to test it from !localhost/network ;).
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --sport 25
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p tcp --dport 25
Untested, off the top of my head, but should do the job.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: SMTP external
2003-01-02 23:44 ` Athan
@ 2003-01-03 1:29 ` Joel Newkirk
0 siblings, 0 replies; 7+ messages in thread
From: Joel Newkirk @ 2003-01-03 1:29 UTC (permalink / raw)
To: Athan, netfilter
On Thursday 02 January 2003 06:44 pm, Athan wrote:
> iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --sport 25
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p tcp --dport 25
>
> Untested, off the top of my head, but should do the job.
>
> -Ath
Umm, it might help to have a target... adding "-j ACCEPT" perhaps? :^)

Also, since the intent is to let outside clients connect TO port 25, the
INPUT rule should use --dport, while the OUTPUT should use --sport. Of
course, if a looser OUTPUT rule already exists (like EST/REL with no
protocol specified) then the OUTPUT rule would be redundant anyway.
(but would also be a sign that the firewall /could/ be tighter)

If logging of 'all' access is desired, at least for a test period, I'd
suggest logging ONLY state NEW connections in INPUT, to keep from being
overwhelmed. Unless something goes seriously wrong, or you have
unsecure rules elsewhere, you will still log each and every IP that
tries to connect to port 25, but only once per attempt, instead of once
for each packet in 3mb worth of family christmas pictures or such. (and
lord help your logfile if they send it to several family members
individually... :^) It'd probably be a good idea to log port 25 DROPs
as well, so you can see if anyone has been poking around.

For individual IP control just redirect all NEW state dport 25 from INPUT
to a custom chain that has an ACCEPT rule for each client IP, and a DROP
at the end. Obviously this would require either that every client has a
static IP, or that you allow ranges of IP's which their dynamic IP is
assigned from, and the latter isn't a good idea. Since you're unlikely
to be lucky enough that every client is (and would remain) on a static
IP, this probably is pointless.

Finally, and probably most important, go to http://sendmail.net
(presuming that's what you'd be running) and download and install latest
releases, and read through and follow all their security instructions.
Starting with version 8.10 (8.12 is current release) sendmail supports
SMTP AUTH - use it.

j
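
Added example, not part of the thread and not any poster's own code: a shell function that prints the rule set described in the message above (--dport on INPUT, --sport on OUTPUT, a -j target on every rule, logging of state NEW only, and an optional per-client chain ending in a logged DROP) so it can be reviewed before being applied. The chain name SMTP_IN, the log prefixes and the 192.0.2.x sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. Prints iptables commands for review; to apply them,
# pipe the output to sh as root. SMTP_IN is an assumed chain name.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit the rules. Arguments: optional static client IPs to allow.
# With no arguments every source is accepted, still logged once per connection.
smtp_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo 'iptables -N SMTP_IN'
    # Only state NEW reaches the custom chain, so LOG fires once per connection.
    echo 'iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j SMTP_IN'
    # Remaining packets of sessions that were accepted.
    echo 'iptables -A INPUT -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT'
    # Server replies leave FROM port 25, hence --sport on OUTPUT.
    echo 'iptables -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT'
    echo 'iptables -A SMTP_IN -j LOG --log-prefix "SMTP new: "'
    if [ $# -eq 0 ]; then
        echo 'iptables -A SMTP_IN -j ACCEPT'
        return 0
    fi
    for ip in "$@"; do
        echo "iptables -A SMTP_IN -s $ip -j ACCEPT"
    done
    # Anything not listed is logged, then dropped.
    echo 'iptables -A SMTP_IN -j LOG --log-prefix "SMTP drop: "'
    echo 'iptables -A SMTP_IN -j DROP'
}

# Constructed sample addresses (documentation range), printed for display only.
smtp_rules 192.0.2.10 192.0.2.25
```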