SMTP and IP Masquerade problem

Post by D. Youn » Sat, 01 Aug 1998 04:00:00



Hi. I am running a small network (5 users) with a Linux box as a dial on
demand router to the internet. Of course, the Linux box works perfectly
except for one problem. I can load web pages and retrieve e-mail via a POP3
client, but when I try to reply to a message, the mailserver on the other
end of the router will not accept the message. Any ideas? I have ipfwadm
forwarding packets between all interfaces (eth0 and ppp0).

Thanks,
Darrell Young

 
 
 

SMTP and IP Masquerade problem

Post by whamm » Sat, 01 Aug 1998 04:00:00



> Hi. I am running a small network (5 users) with a Linux box as a dial on
> demand router to the internet. Of course, the Linux box works perfectly
> except for one problem. I can load web pages and retrieve e-mail via a POP3
> client, but when I try to reply to a message, the mailserver on the other
> end of the router will not accept the message. Any ideas? I have ipfwadm
> forwarding packets between all interfaces (eth0 and ppp0).

> Thanks,
> Darrell Young

This is a swag, but here goes. Our company used a Linux box for our proxy
server for about a year. As more and more people piled on it, requests for
fetching personal mail kept coming up. The ip masquerading has an unfortunate
side effect of reassigning the port numbers on the outgoing packets as well as
the ip address. The port number is the key to the problem. The two ports that
you are interested in are ports 25 (smtp) and port 110 (pop3). You need to open
a trusted host hole in the firewall which allows traffic to these two ports
between your domain and the mail server ip. Use specific ip's rather than a
broad net mask if possible to minimize security risks though this may not be
possible since many isp mail servers are assigned blocks of ip addresses rather
than a specific ip. Just keep the mask as tight as possible. Also, make sure
the mail port rules appear ahead of the masquerading rules so that ipfwadm
finds them first and doesn't try to masquerade the mail service.

==== Bill Gates is living proof that money won't wash off geek.====

 
 
 

SMTP and IP Masquerade problem

Post by Tony Schlemme » Sun, 02 Aug 1998 04:00:00




>> Hi. I am running a small network (5 users) with a Linux box as a dial on
>> demand router to the internet. Of course, the Linux box works perfectly
>> except for one problem. I can load web pages and retrieve e-mail via a POP3
>> client, but when I try to reply to a message, the mailserver on the other
>> end of the router will not accept the message. Any ideas? I have ipfwadm
>> forwarding packets between all interfaces (eth0 and ppp0).

>> Thanks,
>> Darrell Young
> This is a swag, but here goes. Our company used a Linux box for our proxy
> server for about a year. As more and more people piled on it, requests for
> fetching personal mail kept coming up. The ip masquerading has an unfortunate
> side effect of reassigning the port numbers on the outgoing packets as well as
> the ip address. The port number is the key to the problem. The two ports that
> you are interested in are ports 25 (smtp) and port 110 (pop3). You need to open
> a trusted host hole in the firewall which allows traffic to these two ports
> between your domain and the mail server ip. Use specific ip's rather than a
> broad net mask if possible to minimize security risks though this may not be
> possible since many isp mail servers are assigned blocks of ip addresses rather
> than a specific ip. Just keep the mask as tight as possible. Also, make sure
> the mail port rules appear ahead of the masquerading rules so that ipfwadm
> finds them first and doesn't try to masquerade the mail service.
> ==== Bill Gates is living proof that money won't wash off geek.====

From the original post, it's not clear to me where the mailserver
is on the other end of the router and so I have a WAG as well:

I recently set up a home network using ip-masquerading and have several
Win95 systems inside my Linux firewall and both systems are able to send
email via SMTP and retrieve email via POP3 using Eudora.  The two of
us using this network use the same ISP that the Linux box dials into
and so that's probably why our email clients work.  If you are
trying to access a SMTP mailserver in another domain outside the ISP
where the Linux box is dialed into, attempts at sending email may
fail.  I think most if not all ISPs disallow systems outside their
domain to send email through their mailservers.  This keeps spammers
from using their mail servers to send junk email messages.

I went through some hoops to get my sendmail.cf file set up correctly
for sendmail on a Slackware system one time. As best as I could tell,
my ISP's mailserver would reject any email being sent from my Linux box
as my system didn't have a real system name that could be found when
doing a DNS lookup.  I had to modify sendmail.cf to use modified headers
in any outgoing email so it would show my ISP userid and not my Linux
system's userid and hostname.

Tony

--
Tony Schlemmer
Global Mobility Systems, Inc.

 
 
 

SMTP and IP Masquerade problem

Post by Alexis Huxle » Mon, 03 Aug 1998 04:00:00


> >> client, but when I try to reply to a message, the mailserver on the other
> >> end of the router will not accept the message. Any ideas? I have ipfwadm
> >> forwarding packets between all interfaces (eth0 and ppp0).

You've set up IP masquerading, but have you set up *sendmail*
masquerading? The easiest way to do this is to add some of the following
entries to your .mc file and then regenerate the .cf file using m4
in the usual manner. Check the sendmail docs (/usr/doc/sendmail/..?)
for which are relevant to your setup:

FEATURE(masquerade_entire_domain)dnl
FEATURE(always_add_domain)dnl
FEATURE(masquerade_envelope)dnl

Also, if any of the masqueraded machines run sendmail then you'll want to
add to *their* .mc files:

define(`SMART_HOST', `your.masquerader.com')

Also, some clients will *always* try to send direct first if they can
and only then fall back on a smart host. In order to prevent this you
will need to add an 'ipfwadm' rule to prevent internet-bound SMTP
connections from masqueraded machines, in order that the masquerader
always gets the chance to rewrite the headers. I can't tell you precisely
what the ipfwadm command would be since I only masquerade unix machines
running sendmail.

Remember that what is relevant to the .mc file setup is whether you're
running a DNS server for a made-up domain.

Alexis
--
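
The replies in this thread give three different explanations for "the mailserver will not accept the message": packets never reach port 25, the server denies relaying, or the sender name does not resolve. The following is an added example, not code from any of the posters: it reads an SMTP session transcript and reports the stage at which the server first refused, which separates those cases. The transcript format (`C: ` / `S: ` prefixes), the host names and the hint wording are assumptions made for the example.

```python
import re

# Each SMTP stage maps to one of the explanations offered in the thread.
HINTS = {
    "connect": "no reply from port 25: check the ipfwadm forwarding and masquerade rules",
    "banner": "server refused the connection itself",
    "HELO": "greeting rejected: the client announced a host name the server will not accept",
    "MAIL": "sender rejected: envelope domain may not resolve in DNS; rewrite it on the gateway",
    "RCPT": "recipient rejected: usually relay denied; send through the ISP you dial into",
    "DATA": "message content or headers rejected",
}
REPLY = re.compile(r"^(\d{3})[ -]")  # '250 ' is a final line, '250-' a continuation

def classify_rejection(transcript):
    """Return (stage, code, hint) for the first refused step, or None if accepted."""
    stage, saw_server = "banner", False
    for line in transcript.strip().splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C" and text:
            verb = text.split()[0].upper()
            stage = "HELO" if verb == "EHLO" else verb  # treat EHLO as the greeting
            continue
        m = REPLY.match(text)
        if side != "S" or not m:
            continue
        saw_server = True
        if m.group(1)[0] in "45":  # 4xx temporary failure, 5xx permanent failure
            return stage, int(m.group(1)), HINTS.get(stage, "unexpected stage")
    return None if saw_server else ("connect", None, HINTS["connect"])

# Constructed sample session (not captured from a real server).
RELAY_DENIED = """\
S: 220 mail.isp.example ESMTP
C: HELO pc1.home.example
S: 250 mail.isp.example
C: MAIL FROM:<user@home.example>
S: 250 ok
C: RCPT TO:<friend@elsewhere.example>
S: 550 relaying denied
"""

if __name__ == "__main__":
    print(classify_rejection(RELAY_DENIED))
```

A transcript for the input can be produced by hand with `telnet mailserver 25` from one of the masqueraded machines.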
 
 
 
