Creating a "mail gateway"

Ian Petersen ispeters-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jun 17 06:23:58 UTC 2008


On Tue, Jun 17, 2008 at 12:02 AM, Robert Brockway
<robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
>> running in server mode on the VPS, and I thought I had it running in
>> client mode on the Exchange server, but starting it on the Exchange
>> server produces errors in the log file.  I hope to get things working
>> tomorrow night, and then I'll move on to setting up an MTA.
>
> Googling the error will often reveal a solution, otherwise feel free to post
> the error to this thread.

It seems to have resolved itself after uninstalling and then
reinstalling OpenVPN on the Exchange server.  We were following a
sequence of recipes of graduated complexity to make sure we understood
the principles.  The first tunnel was an unencrypted link, then we
created an encrypted link using static keys, and then we tried a setup
that allows many clients to authenticate themselves with certificates.
It was when we moved from static keys to certificates that things
broke.  My dad pointed out he had a virtual network interface with the
address 10.0.0.2, but we were expecting OpenVPN to create an interface
with an address like 10.0.0.5 or .6 upon client authentication.  We
decided it might have been a ghost from one of the first two
experiments.  Reinstalling OpenVPN made the ghost device disappear and
then connecting worked like a charm.

The one thing that has me a little confused is that the Debian server
can't ping the Exchange server.  Exchange is running on the same
machine as his "internal" firewall.  The firewall is Microsoft's ISA,
or something--I'm not familiar with it and I didn't ask questions.
The firewall is configured to drop ICMP requests from the internet,
which makes sense to me, but what doesn't make sense to me is that
it's able to filter out the pings coming in across the VPN.  I would
have thought that, since the VPN is encrypted, the firewall should be
blind to traffic on it.  Now, maybe the firewall drops pings on all
interfaces, not just the public one, which would explain it, but that
strikes me as a little odd.

> Remember to make sure you reject undeliverable mail at the first MTA.  If
> you don't do this your MTA can be a source of backscatter spam.  If that
> happens it will find itself on an RBL[1] rapidly.

My dad already has inbound mail working so we decided to leave well
enough alone and just worry about outbound mail.  I used apt to
install Postfix, which dropped me into a curses configuration
interface.  I answered the questions, added 10.0.1.0/24 to the
definition of "my_networks" in main.cf, configured Exchange to use
Postfix as its smart host, and then things "just worked".  I intend to
set up an iptables firewall to block incoming connections except on
ports 22 and 1194 (ssh and OpenVPN respectively), and I expect Postfix
will hum along without contributing positively or negatively to the
spam problem.  I'll leave it up to my dad to make sure he's not
creating backscatter.

Thanks again everyone.  My dad can now send email without asking
Rogers for permission, so he's very happy.

Ian
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
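As an added example (not the poster's own configuration), the firewall and relay setup the message sketches: ssh and OpenVPN open to the internet, SMTP accepted only from Exchange across the 10.0.1.0/24 tunnel network, and Postfix limited to relaying for that network. The interface names eth0 and tun0 are assumptions; set IPT=echo and POSTCONF=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example for the Debian VPS in the thread. Assumed names: eth0 is the
# public interface, tun0 the OpenVPN interface (neither is given in the post).
PUB_IF="${PUB_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="10.0.1.0/24"            # the network added to mynetworks in the post
IPT="${IPT:-iptables}"           # IPT=echo prints the rules instead of applying them
POSTCONF="${POSTCONF:-postconf}" # POSTCONF=echo prints the settings instead

apply_rules() {
  # Build the accept rules first and switch the policy to DROP last, so a
  # remote ssh session is not cut off while the list is being rebuilt.
  $IPT -F INPUT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # The two services the post exposes to the internet: ssh and OpenVPN.
  $IPT -A INPUT -i "$PUB_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A INPUT -i "$PUB_IF" -p udp --dport 1194 -j ACCEPT
  # Packets on tun0 have already been decrypted by OpenVPN, so host firewall
  # rules see them normally (the same reason the ISA box can drop VPN pings).
  # SMTP is accepted only from the tunnel network, never on the public side.
  $IPT -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
}

configure_postfix() {
  # Relay only for localhost and the tunnel network; reject_unauth_destination
  # refuses mail for other domains from anyone else, so the box is not an open
  # relay and cannot be used to generate backscatter toward third parties.
  $POSTCONF -e "mynetworks = 127.0.0.0/8 $VPN_NET"
  $POSTCONF -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"
}

# Apply only when explicitly asked; sourcing the file defines the functions.
[ "${1:-}" = "--apply" ] && { apply_rules; configure_postfix; }
```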