Very Computer

Hi,

Would anyone give me some advice on coding regarding to preventing mail
realy in the Linux?  Providing that linux box is not a mail server and the
mail server is running on windows base.
Thanks.

Jason

|Would anyone give me some advice on coding regarding to preventing mail
|realy in the Linux?  Providing that linux box is not a mail server and the
|mail server is running on windows base.

If the problem is in the Windows mail server config, it should be fixed
there.  Anti-relaying is an application config issue, not a firewall
issue.  Although if the mail server is purely local you can block
external access. But that's only a stopgap solution.

Hi,
What I am thinking is by filtering the relaying packet, we can prevent
unwanted realying mail.  So, I need the info about the mail packet, such as
what it looks like, probabily the header file.  And we could do some coding
job to filter out the unwanted relaying mail.
Thanks.

Quote:> |Would anyone give me some advice on coding regarding to preventing mail
> |realy in the Linux?  Providing that linux box is not a mail server and
the
> |mail server is running on windows base.

> If the problem is in the Windows mail server config, it should be fixed
> there.  Anti-relaying is an application config issue, not a firewall
> issue.  Although if the mail server is purely local you can block
> external access. But that's only a stopgap solution.

|What I am thinking is by filtering the relaying packet, we can prevent
|unwanted realying mail.  So, I need the info about the mail packet, such as
|what it looks like, probabily the header file.  And we could do some coding
|job to filter out the unwanted relaying mail.

The only thing different about relayed mail is that it comes from
outside and goes to the outside. This is not something you can easily
see from the packets, you have to examine the mail addresses. So it's
not something a packet filter can or should do.

Jason,

We are using Exchange 5.0 as our mail server and this does not allow relay
prevention, not without losing POP3.  Upgrading is impractical at the
moment.

To stop mail relaying I used qmail www.qmail.org on our firewall.  I set it
up to just perform smtpforwarding for particular domain names.

For simplicity I allow qmail to forward smtp traffic to the exchange server
and the exchange server will send mail directly, not through qmail.

It works great for us.

Garry

Quote:> Hi,

> Would anyone give me some advice on coding regarding to preventing mail
> realy in the Linux?  Providing that linux box is not a mail server and the
> mail server is running on windows base.
> Thanks.

> Jason

Thanks Garry.
Are you saying you can still use Exchange server as your mail server, only
leave the qmail on your linux box which is also a firewall(iptables) too?

Jason

Quote:> Jason,

> We are using Exchange 5.0 as our mail server and this does not allow relay
> prevention, not without losing POP3.  Upgrading is impractical at the
> moment.

Oh, brother. You've got deeper problems. Upgrade *immediately*: Exchange 5.0
will not support simultaneous incoming SMTP connections. So if two people
send SMTP directly to your server at the same time, it will crash (in my
experience).

One solution I've seen to this, which took me days to stop laughing about,
was to buy a hideously expensive Alpha server custom-managed by an outside
vendor to act as an upstream SMTP server, and configure that with sendmail
to block relaying and take all incoming SMTP connections, then channel them
to the Exchange server one at a time. I offered to do it with a Sparc IPC
running RedHat Linux for the price of the spare disk, but they didn't take
me seriously.

Until 3 years later, when they finally noticed the NNTP server I made out of
that IPC still running merrily without downtime and carrying internal
traffic about how to deal with Windows when the Exchange server was having
problems and email was unavailable.

Quote:> To stop mail relaying I used qmail www.qmail.org on our firewall.  I set
it
> up to just perform smtpforwarding for particular domain names.

> For simplicity I allow qmail to forward smtp traffic to the exchange
server
> and the exchange server will send mail directly, not through qmail.

> It works great for us.

Cool.

"in the Linux" is a really broad term. What version of Linux, how much
email, and what mail handler? If you have RedHat 7.2, which runs sendmail,
there are some very nice docs in /usr/share/doc/sendmail-*/.

Thanks Nico!
I am thinking that Mr. Rusty Russell write code in filtering packets, won't
it be a great idea to do something in preventing relaying mail?

|I am thinking that Mr. Rusty Russell write code in filtering packets, won't
|it be a great idea to do something in preventing relaying mail?

You don't understand do you? Packet filtering cannot prevent relaying.
A packet filter can't tell the difference between an outside machine
sending to the inside which is legit, and an outside machine sending to
the outside again which is relaying. You can however, as people have
pointed out, use a Linux mail server in front of Exchange to prevent
relaying. Better still, get rid of Exchange if you can.

Quote:> |I am thinking that Mr. Rusty Russell write code in filtering packets,
won't
> |it be a great idea to do something in preventing relaying mail?

> You don't understand do you? Packet filtering cannot prevent relaying.
> A packet filter can't tell the difference between an outside machine
> sending to the inside which is legit, and an outside machine sending to
> the outside again which is relaying. You can however, as people have
> pointed out, use a Linux mail server in front of Exchange to prevent
> relaying. Better still, get rid of Exchange if you can.

Unfortunately, I just went through that at a research laboratory. Two of the
professors had gotten used to the Exchange server and wanted it for email
and calendar functions, partly because they thought it was the easiest for
the secretaries to use, one had gotten very grateful for the webmail
function, and one had gotten a Blackberry, which only knows how to handle
MSmail format. Replacing it entirely requires some sort of Primary Domain
Controller for the Windows logins (Samba),
a decent SMTP server (done before me with sendmail, though with odd SMTPAUTH
settings), working IMAP and POP +SSL (done before me, though with mix+match
components), a decent calendar server (I was lookinig at courier at
www.sourceforge.net), a decent webmail server (also courier), and some way
to cope with the Blackberry (which was screwed).

That list may be useful to other people wanting to replace Exchange
servers....

server, after four years running solid, that the expensive "Windows
consultant" hadn't been doing primary backups or explained that the state of
Exchange can't be restored from a normal tape backup, that the UPS
interpreted the disk duplication going on in DOS mode as an emergency and
discharged itself, shutting down the machine cold after 15 minutes

its' very nice SCSI card doesn't support RAID 1 to have created a duplicate
of the main disk dynamically, etc., etc.

In a perfect world, this is probably what should be done if you wish to keep
your exchange server going (although I strongly recommend qMail).

Put your exchange server inside your internal network so It can not be
accessed from the outside.  Anyone on your internal lan can get access to
your LDAP directory listings that way.  Have your exchange server forward
all its mail directly to qMail, and have that server sit on your gateway
only as a relay.  Allow authentication before SMTP for any pop user that
needs to get access outside of the domain.  (this means that they will have
to login and check mail before they can send any.) Either that or enable a
non-public knowledge port for SMTP relay.

If your exchange server that is inside the network can not be reached from
the outside (BBI) then that server is now a secured host.  Qmail acting as a
secured relay only allowing a very small number of connections is safe as
well.

OR

Run your exchange server inside your internal lan with no access save that
exchange can send mail through the gateway, and can only receive incoming
messages from the outside (no outside senders), and make any user that needs
to access their e-mail either use a web-based access solution from the
outside, or force them to VPN to your network before being able to access
the host.

------

It is probably a little bit off in concept, but I haven't slept for a
while...  I recommend checking out http://www.lifewithqmail.org/....

Cheers,

Sean

Jason

I am still using Exchange as the mail server.

Before the change our firewall would port forward port 25 and port 110 to
the exchange server.  This was changed and the qmail smtp server was started
directly on the local machine (firewall).  I left port 110 still port
forwarding to the exchange server.

Garry