Creating a "mail gateway"

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Jun 12 15:26:29 UTC 2008


On Thu, Jun 12, 2008 at 12:33:56AM -0400, Ian Petersen wrote:
> My understanding, which could be flawed, is that IPSec is a Swiss Army
> Chainsaw for doing things with encryption and authentication on the
> internet.  OpenVPN is a VPN, nothing more.  The reviews of IPSec that
> I've read make it sound like it's complex enough that you have to know
> exactly what you're doing or you'll end up creating a really insecure
> tunnel, rather than a VPN.  On the other hand, OpenVPN is supposed to
> be nearly trivial to install and configure and it's secure by default.
>  OpenVPN also has the benefit of being cross-platform, so using
> OpenVPN means I don't have to rely on Microsoft's IPSec
> implementation.  (I have no idea if Microsoft did a good job
> implementing IPSec--I don't even know if Microsoft implemented it at
> all--but OpenVPN allows me to proceed without caring.)

Setting up openswan is generally very very simple.  It also handles all
traffic types well and efficiently (no VPN should EVER use a tcp
connection, so IPsec uses udp).

Certainly with a pre shared key, IPsec is trivial.  With RSA keys, it's
still pretty simple.  When using certificates, IPsec itself is pretty
simple and nice, but generating certificates seems to be an awfully
difficult task.

Example ipsec.conf (the inline remark has been moved to a # comment line so the file parses, and the indentation made consistent):

include /etc/ipsec.d/examples/no_oe.conf

conn maillink
        authby=rsasig
        auto=start
        compress=no
        esp=aes
        # %any: the home side is on Rogers, which isn't completely static,
        # so you can't rely on its address staying put
        left=%any
        leftid=Home
        leftrsasigkey=.....(public rsa signature)...
        leftsubnet=192.168.1.0/24
        pfs=yes
        right=hosted.server.static.ip
        rightid=Hosted
        rightrsasigkey=.....(public rsa signature)...
        type=tunnel

This would actually not need a subnet at the hosted end.  It just
encrypts traffic between a local private network, and the hosted server
on the internet.  You could have a rightsubnet too, although it probably
wouldn't be helpful here.

> That makes a whole lot of sense.  Now I'm going to have to learn about
> configuring a mail server to just ferry mail back and forth.  What
> should I be searching for?  "Store and forward"?  I'll look again at
> the link Jamon provided, and see what I can find on Google by myself,
> but any links or search terms that you think would be helpful would be
> much appreciated.

Well for incoming mail, just configure the linux box as if it was a
secondary mail server for the domain, so that it will accept mail and
forward it (unless it can't reach the primary server in which case it
stores it until it can).  For outgoing, configure it as a mail server
that is willing to relay for machines on the private IPs, and then
figure out how to make Exchange send out using another mail server as a
relay.
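As an added example (not from Len's post, which names no particular
mail server), here is what that store-and-forward setup looks like in
Postfix, one common choice for the Linux box.  The host names,
example.org, the 5d queue lifetime and the internal server address
192.168.1.10 are placeholders; only the 192.168.1.0/24 LAN comes from
the ipsec.conf above.  Inbound mail for the domain is accepted and
queued for the internal server, and the LAN (reached over the IPsec
tunnel) is the only network allowed to relay outbound mail:

```conf
# /etc/postfix/main.cf on the hosted gateway (hypothetical values)
myhostname = gateway.example.org

# Who may relay outbound mail through this box: loopback plus the
# private LAN on the far end of the IPsec tunnel (leftsubnet above).
mynetworks = 127.0.0.0/8, 192.168.1.0/24

# Inbound: behave as a secondary MX for the domain.  Mail for
# example.org is accepted and handed on per transport_maps; if the
# internal server is down it sits in the queue and is retried.
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport

# Only queue mail for recipients that actually exist, so the gateway
# does not accept (and later bounce) mail for made-up addresses.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Keep undeliverable mail queued this long before bouncing it.
maximal_queue_lifetime = 5d

# Relay for our own networks and for the domains we are MX for;
# reject everything else so the box is not an open relay.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# /etc/postfix/transport (hypothetical): deliver the domain to the
# internal server across the tunnel.  The brackets mean "connect to this
# host directly, do not look up its MX records".
#   example.org   smtp:[192.168.1.10]

# /etc/postfix/relay_recipients (hypothetical): one line per mailbox
#   user@example.org   OK

# Build the lookup tables and reload after editing:
#   postmap /etc/postfix/transport /etc/postfix/relay_recipients
#   postfix reload
```

The internal server then only needs to send all outbound mail to
gateway.example.org as its relay (a "smart host" in Exchange terms), and
the public MX records point at the gateway.  With rightsubnet left
unset, the tunnel carries exactly the traffic between the LAN and the
gateway's own address, which is all this needs.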

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists