Creating a "mail gateway"

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Fri Jun 13 06:21:40 UTC 2008


On Wed, 11 Jun 2008, Ian Petersen wrote:

> We went ahead and created a Slicehost account and it's configured with
> Debian Etch.  I've secured it as best I know how and intend to spend
> Fathers' Day making OpenVPN work on the Debian machine and on a
> machine at my father's house.  I realized, though, that my cursory
> understanding of TCP/IP routing might be getting in my way here.  I
> was expecting to configure his mail server to use the Debian machine
> as the default gateway (ie. the mail server would get to the internet
> by going across the VPN and out the Debian machine), and have the
> Debian machine port-forward the incoming mail port (25?) directly to
> his mail server.  I figured this would be a minimally-invasive change
> to his network settings and should "just work".  I realized, though,
> that it may not be so simple because whichever machine is running the
> OpenVPN connection needs to know to use the Rogers cable modem as the
> default gateway in order to get the tunneled packets out to the
> internet in the first place, and you can't have two default gateways.
>
> Can someone here suggest a solution?  What I'd like is for my father's
> DNS records to have the Debian machine's IP in their MX records, and

Hi Ian.  I do this sort of thing quite a lot.  There are lots of options 
(as we can see from the list) but below is my preferred approach.  You 
mention that your dad wants the data stored on MS-Exchange locally but 
this doesn't preclude running an MTA on your Linux box.  Here is how I'd do 
this:

For purposes of the discussion I'm going to call the MS-Windows server 
mickey and the Linux box minnie.

mickey runs MS-Exchange, and is an OpenVPN client.
minnie runs Postfix and is the OpenVPN server

OpenVPN provides you with a new network interface and can be thought of as 
a very long ethernet cable.

Use routing mode for OpenVPN and assign a subnet for OpenVPN clients that 
is different from your lan.  Let's say for arguments sake that 
192.168.18.0/24 is your lan and 192.168.19.0/24 is for the VPN.

Postfix runs on minnie as a mail relay.  It receives mail from any address, 
runs anti-spam, anti-virus, etc.  It passes legit mail on to the 
MS-Exchange box.

Note: minnie needs to reject mail that will be undeliverable before 
passing it on to avoid backscatter.  A common solution is to deliver the 
mail on minnie and pop it over to the VPN - in your case to the 
MS-Exchange box.  The mail can be passed via SMTP if that is preferred.

Running a Postfix gateway like this offers a number of advantages.  You 
can avoid direct exposure of MS-Exchange to the 'net and can also run your 
anti-virus, etc on Linux.

Outbound mail is sent from MS-Exchange over the VPN and relays via minnie. 
MS-Exchange has minnie set as a smarthost/relayhost/whatever they call it.

If his home-office goes off-air then inbound mail will queue upstream 
on minnie.

Now it seems like he may have been insisting that mail never queues 
anywhere except his local box (unless I misunderstood).  If this is true 
then it is based on a fundamental misunderstanding of how SMTP works. 
Mail destined for his server could queue in any number of places and he 
wouldn't know.[1]

[1] Post delivery you could check the headers if you really cared.

You could use iptables to do DNAT or even an OpenSSH tunnel but the real 
solution IMHO is to have a Postfix installation hiding his MS-Exchange box 
from the world.

It's late and I wrote this very quickly.  Sorry if it isn't clear.

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
    -- RFC 1925 "The Twelve Networking Truths"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
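The mickey/minnie setup Rob describes, written out as the config fragments it implies. This is an added example, not part of Rob's post or of the TLUG archive: a POSIX shell function that writes a Postfix main.cf fragment, the transport and relay_recipients maps, and a routed-mode OpenVPN server config into a directory you name (so it can be previewed in a scratch directory before touching /etc/postfix). The domain example.com, the hostnames, the cert paths and mickey's VPN address 192.168.19.6 are constructed placeholders; the VPN subnet 192.168.19.0/24 is the one from the post. The relay_recipient_maps line is the backscatter control Rob mentions: minnie rejects unknown recipients at RCPT TO instead of accepting and later bouncing.

```shell
#!/bin/sh
# Added example (not from the original post). Writes config fragments for
# "minnie", the Postfix relay / OpenVPN server, into $1 (default /etc/postfix).
# All hostnames, addresses and key paths are placeholders to be adjusted.

write_gateway_config() {
    dir=${1:-/etc/postfix}
    mkdir -p "$dir/ccd"

# Postfix: accept mail for the domain from the internet, hand it to mickey
# over the VPN. Postfix does not allow trailing comments on a value line,
# so every comment sits on its own line.
cat > "$dir/main.cf.gateway" <<'EOF'
myhostname = minnie.example.com
inet_interfaces = all
# minnie delivers nothing locally except its own localhost mail
mydestination = localhost
# minnie relays for this domain only; it is not the final destination
relay_domains = example.com
# where relayed mail goes: see the transport map (mickey's VPN address)
transport_maps = hash:/etc/postfix/transport
# reject unknown recipients at RCPT TO, so undeliverable mail never enters
# the queue and never turns into a bounce to a forged sender (backscatter)
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# hosts allowed to send outbound mail through minnie: loopback and the VPN
mynetworks = 127.0.0.0/8, 192.168.19.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain
# anti-spam / anti-virus hook; assumes an amavisd-new listener (placeholder)
# content_filter = smtp-amavis:[127.0.0.1]:10024
EOF

# transport map: domain -> SMTP to mickey's fixed VPN address.
# Brackets suppress the MX lookup so delivery goes straight over the tunnel.
cat > "$dir/transport" <<'EOF'
example.com    smtp:[192.168.19.6]
EOF

# valid recipients on the Exchange side (constructed sample entries);
# everything not listed is rejected with "User unknown in relay recipient table"
cat > "$dir/relay_recipients" <<'EOF'
dad@example.com     OK
info@example.com    OK
EOF

# OpenVPN server in routing mode (dev tun) on its own subnet, as the post
# advises, distinct from the 192.168.18.0/24 LAN.
cat > "$dir/openvpn-server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 192.168.19.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/minnie.crt
key /etc/openvpn/minnie.key
dh /etc/openvpn/dh1024.pem
# per-client file below pins mickey to 192.168.19.6 so the transport map holds
client-config-dir /etc/openvpn/ccd
keepalive 10 120
persist-key
persist-tun
EOF

# ccd entry for the client whose certificate CN is "mickey" (net30 /30 pair)
cat > "$dir/ccd/mickey" <<'EOF'
ifconfig-push 192.168.19.6 192.168.19.5
EOF
}

# Sanity check: returns 0 only if the fragment carries the two settings that
# keep minnie from accepting mail it cannot deliver or relaying for strangers.
check_no_backscatter() {
    grep -q '^relay_recipient_maps' "$1/main.cf.gateway" &&
    grep -q 'reject_unauth_destination' "$1/main.cf.gateway"
}

# Usage: ./gateway.sh /tmp/preview   (then postmap the two maps on minnie:
#   postmap /etc/postfix/transport /etc/postfix/relay_recipients)
if [ -n "${1:-}" ]; then
    write_gateway_config "$1" && check_no_backscatter "$1" && echo "written to $1"
fi
```

Run it against a scratch directory first and diff the result against your live main.cf; the only non-standard piece is relay_recipients, which has to be kept in step with the mailboxes on the Exchange side (a stale list rejects real mail, a missing list brings the backscatter back).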