Creating a "mail gateway"

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Jun 12 00:59:28 UTC 2008


On Wed, Jun 11, 2008 at 03:08:22PM -0400, Ian Petersen wrote:
> My father is stuck using Rogers as his ISP because the DSL connection
> is his area is terrible.  He runs a business from home and uses
> Exchange for his email server.  (He's somewhat married to Microsoft,
> despite 6 or 7 years of me trying to change his mind--Exchange isn't
> going anywhere anytime soon.)
> 
> As was mentioned on this list, Rogers has recently made it a
> requirement that you log in to some web interface and add all your
> outgoing email addresses to some list before their relay will allow
> your email to pass.  My father is unwilling to use this interface on
> principle.  I told him we could probably make use of a virtual private
> server running Linux to get around Rogers' annoyances.  I imagined
> that he could rent something like a Slicehost machine, set up a VPN
> between home and the VPS, and then arrange his network such that mail
> comes and goes through the VPS, rather than through his Rogers IP.
> 
> We went ahead and created a Slicehost account and it's configured with
> Debian Etch.  I've secured it as best I know how and intend to spend
> Father's Day making OpenVPN work on the Debian machine and on a
> machine at my father's house.  I realized, though, that my cursory
> understanding of TCP/IP routing might be getting in my way here.  I
> was expecting to configure his mail server to use the Debian machine
> as the default gateway (i.e. the mail server would get to the internet
> by going across the VPN and out the Debian machine), and have the
> Debian machine port-forward the incoming mail port (25?) directly to
> his mail server.  I figured this would be a minimally-invasive change
> to his network settings and should "just work".  I realized, though,
> that it may not be so simple because whichever machine is running the
> OpenVPN connection needs to know to use the Rogers cable modem as the
> default gateway in order to get the tunneled packets out to the
> internet in the first place, and you can't have two default gateways.

I have never used OpenVPN, so no idea what it does.  I use openswan
IPsec for such things.

> Can someone here suggest a solution?  What I'd like is for my father's
> DNS records to have the Debian machine's IP in their MX records, and
> for his Exchange server to be able to send and receive email through
> the Debian machine so he can ignore all of Rogers' nonsense.  As I
> mentioned in a previous post to this list, I have a copy of "Linux
> Networking Cookbook", so I think I'll be able to set up iptables to do
> whatever port-forwarding and routing is necessary, but I'm struggling
> with the overall network architecture.

You could have more than one gateway, although you probably don't need
it.  If you configure the Exchange server to use the private IP of the
Debian mail server as its mail server to send through, then it won't be
going through the default route but rather through the VPN to the other
subnet.

For example:

exchange server
192.168.1.10/24 
default gateway: 192.168.1.1

gateway router
192.168.1.1/24 
external IP
default gateway: internet
VPN link to hosted server with 192.168.2.0/24 subnet

hosted server
192.168.2.1/24 on secondary interface or optionally dummy0
external IP
default gateway: internet
VPN link to gateway router with 192.168.1.0/24 subnet

Both ends of the VPN link know about the other private network and that
they can route to it through the VPN.  So the Exchange server simply has
to deliver mail to 192.168.2.1 and the hosted mail server delivers
incoming mail to 192.168.1.10.

I know OpenSwan IPsec can do it easily.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
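A small model of the three routing tables described in the reply above, as an added example that is not part of the original post. It uses the post's private addresses; the hosted server's public IP (203.0.113.10) and the "lan"/"vpn"/"internet" next-hop labels are constructed placeholders. It shows why the Exchange box needs no second default gateway: mail to 192.168.2.1 matches the VPN route on the gateway router, while everything else still falls through to the default route, and a connection to the hosted server's public port 25 is forwarded back over the VPN.

```python
import ipaddress

# Routing tables: (destination network, next hop or outgoing interface).
# "lan", "vpn" and "internet" are constructed labels for the outgoing path.
ROUTES = {
    "exchange": [("0.0.0.0/0", "192.168.1.1")],        # default gateway only
    "gateway":  [("192.168.1.0/24", "lan"),
                 ("192.168.2.0/24", "vpn"),              # learned via the VPN
                 ("0.0.0.0/0", "internet")],
    "hosted":   [("192.168.2.0/24", "dummy0"),
                 ("192.168.1.0/24", "vpn"),              # learned via the VPN
                 ("0.0.0.0/0", "internet")],
}

# Port forward on the hosted server: public port 25 -> Exchange over the VPN.
# 203.0.113.10 is a placeholder from the documentation range, not a real host.
HOSTED_EXTERNAL_IP = "203.0.113.10"
DNAT = {(HOSTED_EXTERNAL_IP, 25): ("192.168.1.10", 25)}


def lookup(host, dst):
    """Longest-prefix match over the host's table; returns the next hop label."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in ROUTES[host]:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1]


def outbound_path(dst="192.168.2.1"):
    """Hops taken when Exchange hands outgoing mail to the hosted server."""
    first = lookup("exchange", dst)   # Exchange only knows its default gateway
    second = lookup("gateway", dst)   # the router picks the VPN, not the ISP
    return [first, second]


def inbound_path(dst_ip=HOSTED_EXTERNAL_IP, dst_port=25):
    """Where a connection to the hosted server's public port ends up."""
    target = DNAT.get((dst_ip, dst_port))
    if target is None:
        return None                   # not forwarded: port 25 only
    return (target, lookup("hosted", target[0]))


if __name__ == "__main__":
    print("outbound:", outbound_path())
    print("inbound:", inbound_path())
```

Configure Exchange to use 192.168.2.1 as its smart host, so that the first hop above is the one it actually takes; its default gateway stays the Rogers-facing router.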