DaemonForums  

  #1   (View Single Post)  
Old 6th June 2009
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default postfix incoming only on external

Hi All. I'm wanting to accept only incoming email (i.e. that which is destined for my network) on the external interface, yet outgoing on internal interfaces. In fact, I want to have it listen on one port to allow outgoing, and only incoming on port 25. Then I can alter pf.conf to disallow connection from anything not AT&T network so I can still use my phone.

Can anybody help with the configuration help I need for postfix?
__________________
anything done in the GUI is done more efficiently in cli
  #2   (View Single Post)  
Old 7th June 2009
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default just in case

In case my attempts at being clear failed me again..

Ideal configuration
ext_if: accept smtp for locally hosted domain only on port 25
ext_if: accept smtp for any domain on an ambiguous high number port (later to be locked down to a range of ips matching my mobile phone network)
int_if: accept smtp for any domain on port 25

Secondary configuration
ext_if: accept smtp for locally hosted domain only on port 25
int_if: accept smtp for any domain on port 25

Specifically, what to change in postfix main.cf or whatever to accomplish this would be wonderful. I'm sure somebody knows postfix. Thanks in advance for any help anybody can provide.
__________________
anything done in the GUI is done more efficiently in cli
  #3   (View Single Post)  
Old 7th June 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

I still don't understand which problem you are trying to solve.

Are you aware that nowadays many mail installations use port 587 (with TLS/SSL) for their users to submit mail? Users have to authenticate with username and password and an encrypted channel is being used. For example, Gmail:
Code:
Outgoing Mail (SMTP) Server - requires TLS: smtp.gmail.com (use authentication)
Use Authentication: Yes
Use STARTTLS: Yes (some clients call this SSL)
Port: 465 or 587
BTW, I am not a postfix expert
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #4   (View Single Post)  
Old 7th June 2009
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default understanding

J65nko,

Yes, thank you. I am familiar with this configuration, but unfortunately it is not what I was going for here. If anybody can help out with what I've described, please help. If my description is still unclear, please let me know. I'm not sure how else to describe it though. As this mail server will be the authoritative smtp server for a working domain, it obviously needs to be able to allow connections on port 25. However, I don't want this to open me up as a relay for others. This is where the different configuration for the internal interface vs. the external interface comes in.
__________________
anything done in the GUI is done more efficiently in cli
  #5   (View Single Post)  
Old 7th June 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

Using SMTP AUTH on port 587 lets you do exactly what you want, selective relaying.

I will shut up now
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #6   (View Single Post)  
Old 7th June 2009
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default Figured it out

j65nko, no need to shut up. I appreciate the help. You have always been very helpful and knowledgeable. At this point I'm not wanting to implement ssl, but as it turns out, what I'm wanting to accomplish is very doable by simply understanding the postconf a bit better. For anybody who might be thinking they want what I was describing, here is what I learned:

mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = $mydestination
mynetworks = 10.x.x.0/24, 172.x.x.0/24

The domains referenced in "mydestination" are allowed as domains which this server will "relay for" and therefore allow anybody who connects to submit mail for that domain. The "mynetworks" is automatically allowed to relay to any domain. This is exactly what I was looking for. If I wanted to, I could add a block of IPs belonging to my phone network in "mynetworks" so that I can send email from my phone.

Thanks again for your willingness to help j65nko. You are one of the integral reasons this forum (now and its first incarnation) is one of the very best. BSD is only as good to new people as the people supporting it.
__________________
anything done in the GUI is done more efficiently in cli
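
Added example, not part of the original posts: a simplified Python model of the permit_mynetworks / reject_unauth_destination decision that the settings in post #6 feed, usable as a checklist for what an open-relay test of this setup should show. The addresses and the example.org names are constructed because the post elides its real values, and `smtpd_decision` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed values: the post elides its real networks (10.x.x.0/24), and
# mail.example.org stands in for $myhostname / $mydomain.
MYDESTINATION = {"mail.example.org", "localhost.example.org", "localhost"}
RELAY_DOMAINS = set(MYDESTINATION)            # relay_domains = $mydestination
MYNETWORKS = ["10.0.0.0/24", "172.16.0.0/24"]


def smtpd_decision(client_ip, rcpt, mynetworks=MYNETWORKS):
    """Simplified model of permit_mynetworks, reject_unauth_destination.

    Returns "permit" or "reject" for one RCPT TO from one client address.
    Only exact domain matches are modelled.
    """
    addr = ipaddress.ip_address(client_ip)
    # permit_mynetworks: trusted clients may send to any domain.
    if any(addr in ipaddress.ip_network(net) for net in mynetworks):
        return "permit"
    # reject_unauth_destination: other clients may only reach domains we
    # deliver locally or relay for.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return "permit"
    return "reject"


def audit(cases, mynetworks=MYNETWORKS):
    """Return the (client, rcpt) cases where an outside domain is relayed."""
    return [(c, r) for c, r in cases
            if r.rsplit("@", 1)[-1].lower() not in MYDESTINATION
            and smtpd_decision(c, r, mynetworks) == "permit"]


# Constructed test matrix: LAN host, Internet host, host in a carrier block.
CASES = [
    ("10.0.0.15", "friend@elsewhere.example"),       # LAN -> outside domain
    ("203.0.113.9", "user@mail.example.org"),        # Internet -> local domain
    ("203.0.113.9", "someone@elsewhere.example"),    # Internet -> outside domain
    ("198.51.100.77", "someone@elsewhere.example"),  # carrier host -> outside
]

if __name__ == "__main__":
    for client, rcpt in CASES:
        print(client, rcpt, smtpd_decision(client, rcpt))
    # Widening mynetworks to a whole carrier range trusts every host in it.
    widened = MYNETWORKS + ["198.51.100.0/24"]
    print("relayed with carrier block:", audit(CASES, widened))
```

With a carrier range in mynetworks, every host in that range relays to any domain, not only the one phone; SMTP AUTH on port 587, as suggested in post #5, ties relay permission to credentials instead of a source range.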
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick