* Allow only SMTP 'callback'
From: Gavin Hamill @ 2005-01-10 10:30 UTC (permalink / raw)
To: netfilter
Hello :)
Normally I permit only port 80 incoming to our webservers, but since each
webserver also sends out booking-complete confirmation emails, I would like
to also enable incoming port 25 for those remote mail servers who 'call back'
to check that the envelope sender / HELO address is truly a reachable mail
server.
I don't particularly want to leave port 25 simply open, but only for those
hosts with whom an outgoing port 25 connection is already established.
Is this possible?
Cheers,
Gavin.
* Re: Allow only SMTP 'callback'
From: Sven Schuster @ 2005-01-10 11:18 UTC (permalink / raw)
To: Gavin Hamill; +Cc: netfilter
Hi Gavin,
On Mon, Jan 10, 2005 at 10:30:59AM +0000, Gavin Hamill told us:
> Hello :)
>
> Normally I permit only port 80 incoming to our webservers, but since each
> webserver also sends out booking-complete confirmation emails, I would like
> to also enable incoming port 25 for those remote mail servers who 'call back'
> to check that the envelope sender / HELO address is truly a reachable mail
> server.
>
> I don't particularly want to leave port 25 simply open, but only for those
> hosts with whom an outgoing port 25 connection is already established.
>
> Is this possible?
Yes, should be doable by using the "recent" extension with something
like this:
# outgoing SMTP: record the destination address of the session in the recent list
iptables -I OUTPUT -p tcp --dport 25 -m recent --set --rdest -j ACCEPT
# incoming SMTP: accept only from addresses seen in the list within the last 60 seconds
iptables -I INPUT -p tcp --dport 25 -m recent --update --seconds 60 -j ACCEPT
The first rule will add the destination ip address of the outgoing SMTP
session to the recent list. The second rule will match (and allow)
incoming SMTP sessions from ips which are on the recent list and not
older than 60 seconds (and update the recent list with the source ip,
therefore extending the time frame for this ip for another 60 seconds).
(I must admit that I haven't made heavy use of the recent match myself,
so these two rules might not be 100% correct. Look at it as a starting
point :-) here is the ipt_recent documentation:
http://snowman.net/projects/ipt_recent/ )
I'm assuming a default policy of drop here, otherwise you might need an
explicit DROP rule for packets not matched by the ACCEPT rule.
HTH
Sven
>
> Cheers,
> Gavin.
--
Linux zion 2.6.10-bk7 #0 Fri Jan 7 19:08:39 CET 2005 i686 athlon i386 GNU/Linux
12:08:18 up 2 days, 16:45, 1 user, load average: 0.00, 0.04, 0.05
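The behaviour of the two "recent" rules above, modelled as an added example (not code from the thread, and a simplified model of ipt_recent: only the last-seen timestamp per address is tracked, with no entry cap). The IP addresses and the timeline are constructed.

```python
"""Model of the two ipt_recent rules discussed in the thread:
OUTPUT --set --rdest records the remote MX we connected to;
INPUT --update --seconds 60 admits a callback only from a recorded
address seen within the last 60 s, refreshing its timestamp on a hit."""
from dataclasses import dataclass, field

WINDOW = 60  # --seconds 60


@dataclass
class RecentList:
    """The kernel's 'recent' table, reduced to address -> last-seen time.
    (Assumption: the real module also caps the list size and keeps a
    short hit history per entry; neither matters for this scenario.)"""
    entries: dict = field(default_factory=dict)

    def set_rdest(self, dst_ip, now):
        # OUTPUT rule: --set --rdest adds/refreshes the *destination* address
        self.entries[dst_ip] = now

    def update(self, src_ip, now, seconds=WINDOW):
        # INPUT rule: --update --seconds N matches only if src_ip was seen
        # at most N seconds ago; on a match the timestamp is refreshed,
        # which is the "another 60 seconds" extension Sven describes.
        last = self.entries.get(src_ip)
        if last is None or now - last > seconds:
            return False
        self.entries[src_ip] = now
        return True


def filter_input_smtp(recent, src_ip, now):
    """INPUT chain verdict for a new inbound TCP/25 connection: ACCEPT on a
    recent hit, otherwise the assumed default policy DROP applies."""
    return "ACCEPT" if recent.update(src_ip, now) else "DROP"


def simulate():
    """Constructed scenario: the webserver mails mx at 203.0.113.10 at t=0;
    the callback arrives at t=20, an unrelated host tries at t=30, a second
    callback comes at t=70 (inside the window refreshed at t=20), and a late
    one at t=140 (70 s after the last hit). Returns the verdicts in order."""
    recent = RecentList()
    recent.set_rdest("203.0.113.10", now=0)  # outgoing confirmation email
    return [
        filter_input_smtp(recent, "203.0.113.10", 20),
        filter_input_smtp(recent, "198.51.100.7", 30),
        filter_input_smtp(recent, "203.0.113.10", 70),
        filter_input_smtp(recent, "203.0.113.10", 140),
    ]
```

Note that this scheme only works when the remote site's callback comes from the same address the webserver delivered to; a site whose verifier connects from a different host than its inbound MX will be dropped.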
* Re: Allow only SMTP 'callback'
From: Marc Haber @ 2005-01-10 11:34 UTC (permalink / raw)
To: netfilter
On Mon, Jan 10, 2005 at 10:30:59AM +0000, Gavin Hamill wrote:
> Normally I permit only port 80 incoming to our webservers, but since each
> webserver also sends out booking-complete confirmation emails, I would like
> to also enable incoming port 25 for those remote mail servers who 'call back'
> to check that the envelope sender / HELO address is truly a reachable mail
> server.
>
> I don't particularly want to leave port 25 simply open, but only for those
> hosts with whom an outgoing port 25 connection is already established.
If your webservers send out the booking-complete confirmation emails
with a correct envelope and header sender, the callback will go to the
mail servers and complete there.
I don't see the problem here.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
* Re: Allow only SMTP 'callback'
From: Gavin Hamill @ 2005-01-10 11:55 UTC (permalink / raw)
To: netfilter
On Monday 10 January 2005 11:18, Sven Schuster wrote:
> Yes, should be doable by using the "recent" extension with something
> like this:
Ah, superb - thanks for the tip :)
Marc: The webservers do have correctly configured MTAs, I just don't want them
to be exposed all the time :)
gdh