Overclockers Australia Forums
Old 26th September 2012, 3:50 PM   #1
methodman213 Thread Starter
Configure exim4 to use a LAN SMTP relay server and only allow outgoing mail

Hi,

I have been racking my brain over this for a while now; here is what I am trying to achieve:

- I have an internal open mail relay server that is only available on the LAN; this server is not available outside of the LAN. This open relay server requires no authentication.

- I am configuring exim4 on Debian squeeze, and I need exim4 to only be able to send out emails via the internal mail relay server. It should not be allowed to receive any emails or be open for someone to use it as a mail relay/server.

My thoughts so far:
- I need some sort of iptables rules
e.g.:

Block INCOMING SMTP
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d x.x.x.x --dport 25 -m state --state NEW,ESTABLISHED -j REJECT
iptables -A OUTPUT -p tcp -s x.x.x.x --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j REJECT

Allow OUTGOING SMTP
iptables -A OUTPUT -p tcp -s x.x.x.x --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d x.x.x.x --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- use denyhosts /etc/hosts.deny - smtp:local.ip.of.exim4host
- How secure can I get this?

Am I overcomplicating things here? Should I simply use the smarthost options when running dpkg-reconfigure exim4-config?

In the end, exim4 is used to send out logwatch, nagios, rkhunter and clamav logs/alerts to my email.

I had a Debian box get compromised a few weeks back - I don't want to get bitten again...

Any thoughts/guidance would be much appreciated.

Thanks
Last edited by methodman213; 26th September 2012 at 4:11 PM.
Old 26th September 2012, 10:26 PM   #2
j3ll0
Smarthost.

Unless I'm missing something: you've said that the open relay is not available from outside the LAN. Wouldn't a theoretical attacker who could compromise the Debian box be able to talk to the open relay directly?

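To show what the "smarthost" answer looks like on Debian in practice, here is an added example (my own, not from any post in this thread or from the Debian exim4 packaging). It renders the Debian `/etc/exim4/update-exim4.conf.conf` file for the "satellite" configuration type, in which every message is handed to the LAN relay, exim listens on loopback only and offers relaying to no network, and it includes a small check that can be pointed at an existing config. The hostname and relay address are placeholders supplied as arguments.

```shell
#!/bin/sh
# Added example, not the thread's or Debian's own code.
# Renders and checks a send-only exim4 configuration for Debian's
# /etc/exim4/update-exim4.conf.conf. Hostnames and addresses are placeholders.

# Print a "satellite" config for this box.
#   $1  this machine's mail name, e.g. nagios1.example.lan (placeholder)
#   $2  the LAN relay, e.g. 192.0.2.25 or relay.example.lan (placeholder);
#       Debian accepts host::port if the relay does not listen on 25
exim4_satellite_conf() {
    host="$1"
    relay="$2"
    # Weak setting to avoid: dc_local_interfaces='' makes exim listen on
    # every interface. '127.0.0.1 ; ::1' keeps it reachable from localhost only,
    # which is all that cron, logwatch, nagios etc. need.
    cat <<EOF
dc_eximconfig_configtype='satellite'
dc_other_hostnames='$host'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost='$host'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='$relay'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
EOF
}

# Return 0 only if the config file keeps exim off the network:
# satellite type, loopback-only listener, and no networks allowed to relay.
#   $1  path to an update-exim4.conf.conf file
exim4_send_only_check() {
    f="$1"
    grep -q "^dc_eximconfig_configtype='satellite'" "$f" || return 1
    grep -q "^dc_local_interfaces='127.0.0.1 ; ::1'" "$f" || return 1
    grep -q "^dc_relay_nets=''" "$f" || return 1
    return 0
}

# Typical use (run as root; paths are Debian's own):
#   exim4_satellite_conf nagios1.example.lan 192.0.2.25 \
#       > /etc/exim4/update-exim4.conf.conf
#   update-exim4.conf && invoke-rc.d exim4 restart
#   netstat -ltn | grep ':25 '     # expect only 127.0.0.1:25 and ::1:25
#   exim4_send_only_check /etc/exim4/update-exim4.conf.conf && echo send-only
```

With exim bound to loopback, the firewall rules in the question become belt and braces rather than the only line of defence: there is no listener on the LAN interface for anyone to relay through, and a quick `netstat -ltn` after the restart confirms it.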
Old 27th September 2012, 12:09 AM   #3
joe_sixpack
If this is on a home network you may find that port 25 is blocked for outgoing mail, and you will need to use your ISP's mail server. In this case you will need to configure the use of a smarthost.

In regards to your iptables config..

Why do you specifically need to create REJECT records? I wouldn't use REJECT for internet-related connections; it's advisable to use DROP. REJECT will drop the packet and send a message to the host, DROP will just drop the packet, making it seem as though nothing exists.

I would simplify your rules by the following:

Assuming...
:INPUT ACCEPT & :OUTPUT ACCEPT

-A INPUT -s <ip of server on your LAN> -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP

Obviously you'll need to add in all your other bits and pieces to suit other services, like DNS, SSH plus other stuff... Failing that, just start logging stuff using -j LOG on specific rules to see what's happening.
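As an added, complete version of the ruleset sketched above (my own example, not joe_sixpack's or any other poster's), here is a function that prints an `iptables-restore` ruleset for a send-only box: default DROP on both chains, loopback and established traffic allowed, SSH from the LAN kept open so a typo does not lock you out, DNS out, and a new outbound SMTP connection permitted only to the relay's address. Inbound port 25 is never accepted and falls through to the policy. The relay address, LAN range and interface name are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset that
# lets this host open SMTP only to the LAN relay and never accept SMTP itself.
#   $1  relay address,  e.g. 192.0.2.25     (placeholder)
#   $2  admin LAN range, e.g. 192.0.2.0/24  (placeholder, where you SSH in from)
#   $3  LAN interface,   e.g. eth0          (placeholder)
send_only_smtp_rules() {
    relay="$1"
    lan="$2"
    ifc="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: exim bound to 127.0.0.1 and the local tools that submit to it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (and inbound ones we accepted)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# admin access from the LAN only, so a mistake here does not lock you out
-A INPUT -i $ifc -s $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
# DNS so the smarthost name and anything logwatch reports can resolve
-A OUTPUT -o $ifc -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $ifc -p tcp --dport 53 -m state --state NEW -j ACCEPT
# SMTP: outbound to the relay only (note -o, not -i, in the OUTPUT chain);
# there is deliberately no INPUT rule for port 25, the DROP policy handles it
-A OUTPUT -o $ifc -d $relay -p tcp --dport 25 -m state --state NEW -j ACCEPT
# rate-limited log of whatever the policy is about to drop, for troubleshooting
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "out-drop: "
COMMIT
EOF
}

# Return 0 if a rendered ruleset has no ACCEPT for inbound port 25 at all.
#   $1  ruleset text
no_inbound_smtp_accept() {
    if printf '%s\n' "$1" | grep -q -- '^-A INPUT.*--dport 25.*-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Typical use (as root, from the console rather than over SSH the first time):
#   send_only_smtp_rules 192.0.2.25 192.0.2.0/24 eth0 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
#   iptables -L -n -v          # review; then hook the restore into
#                              # /etc/network/if-pre-up.d/ to persist it
```

The dropped packets show up in the kernel log with the `in-drop:` / `out-drop:` prefixes, which is the cheapest way to find the "other bits and pieces" (NTP, apt, monitoring) that still need a rule before the box is cut off from them.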
Old 27th September 2012, 8:19 AM   #4
cleary
You could use something like ssmtp.
It makes a sendmail-like interface available to the local machine that uses a relay to send mail, and it doesn't run as a network service that needs firewalling.

Configuration is a 3-4 line job. Less if no authentication is required.
Old 27th September 2012, 11:06 AM   #5
methodman213 Thread Starter
Quote (originally posted by j3ll0):
> Smarthost.
>
> Unless I'm missing something: you've said that the open relay is not available from outside the LAN. Wouldn't a theoretical attacker who could compromise the Debian box be able to talk to the open relay directly?

Yes - as far as I am aware this open relay is made available on the LAN/VC but is not presented to the Internet, much the same way as my Linux box is not presented to the public Internet either... heh, let's not get started on that idea.

joe_sixpack:
I have managed to lock myself out of the box, as I am a total noob with iptables, so I have flushed all rules and am rethinking what I am doing completely. haha

Thanks for the ideas I will look over it all again.