Creating a "mail gateway"

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Jun 17 13:30:42 UTC 2008


On Tue, Jun 17, 2008 at 02:23:58AM -0400, Ian Petersen wrote:
> It seems to have resolved itself after uninstalling and then
> reinstalling OpenVPN on the Exchange server.  We were following a
> sequence of recipes of graduated complexity to make sure we understood
> the principles.  The first tunnel was an unencrypted link, then we
> created an encrypted link using static keys, and then we tried a setup
> that allows many clients to authenticate themselves with certificates.
> It was when we moved from static keys to certificates that things
> broke.  My dad pointed out he had a virtual network interface with the
> address 10.0.0.2, but we were expecting OpenVPN to create an interface
> with an address like 10.0.0.5 or .6 upon client authentication.  We
> decided it might have been a ghost from one of the first two
> experiments.  Reinstalling OpenVPN made the ghost device disappear and
> then connecting worked like a charm.
> 
> The one thing that has me a little confused is that the Debian server
> can't ping the Exchange server.  Exchange is running on the same
> machine as his "internal" firewall.  The firewall is Microsoft's ISA,
> or something--I'm not familiar with it and I didn't ask questions.
> The firewall is configured to drop ICMP requests from the internet,
> which makes sense to me, but what doesn't make sense to me is that
> it's able to filter out the pings coming in across the VPN.  I would
> have thought that, since the VPN is encrypted, the firewall should be
> blind to traffic on it.  Now, maybe the firewall drops pings on all
> interfaces, not just the public one, which would explain it, but that
> strikes me as a little odd.

In my experience most current versions of Windows seem to default to not
answering pings at all.  I can't ping most of the Windows workstations at
work, while the Linux ones answer just fine.

> My dad already has inbound mail working so we decided to leave well
> enough alone and just worry about outbound mail.  I used apt to
> install Postfix, which dropped me into a curses configuration
> interface.  I answered the questions, added 10.0.1.0/24 to the
> definition of "my_networks" in main.cf, configured Exchange to use
> Postfix as its smart host, and then things "just worked".  I intend to
> set up an iptables firewall to block incoming connections except on
> ports 22 and 1194 (ssh and OpenVPN respectively), and I expect Postfix
> will hum along without contributing positively or negatively to the
> spam problem.  I'll leave it up to my dad to make sure he's not
> creating backscatter.

Being able to use postgrey would seem very valuable, as well as being
able to receive mail when Rogers is down (not frequent but does happen),
or one of the times Rogers decides to change IPs around, which also
occasionally happens.

> Thanks again everyone.  My dad can now send email without asking
> Rogers for permission, so he's very happy.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
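The two relay controls that come up in this exchange, the Postfix `mynetworks` entry for the OpenVPN subnet (10.0.1.0/24) and the postgrey greylisting Len suggests, are easier to reason about as code. The block below is an added example for this page; it is not from the mailing-list posts and it is not Postfix's or postgrey's own code. It models Postfix's default `smtpd_relay_restrictions` order (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) followed by a postgrey-style `check_policy_service`, using the defaults I know for postgrey (300 second delay, IPv4 lookup by /24). The hostnames, domain names and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed configuration mirroring the thread (hostnames are hypothetical):
# the OpenVPN subnet is trusted, the Debian box accepts mail for example.com
# and forwards it to Exchange across the tunnel.
MYNETWORKS = ["127.0.0.0/8", "10.0.1.0/24"]
MYDESTINATION = {"localhost", "mailgw.example.com"}
RELAY_DOMAINS = {"example.com"}
GREYLIST_DELAY = 300  # seconds; postgrey's default --delay


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True if client_ip lies inside any trusted mynetworks prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def relay_restrictions(client_ip, sasl_authenticated, rcpt):
    """Walk the default smtpd_relay_restrictions list
    (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination)
    and return (action, deciding_restriction).  DUNNO means no restriction
    decided, which Postfix treats as permit when the list runs out."""
    if in_mynetworks(client_ip):
        return ("OK", "permit_mynetworks")
    if sasl_authenticated:
        return ("OK", "permit_sasl_authenticated")
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return ("DUNNO", "reject_unauth_destination")
    # Anything else would turn the gateway into an open relay.
    return ("REJECT", "reject_unauth_destination")


class Greylist:
    """postgrey-style triplet greylisting: (client subnet, sender, recipient)
    is deferred until it was first seen at least `delay` seconds ago."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    @staticmethod
    def _client_key(client_ip):
        addr = ipaddress.ip_address(client_ip)
        if addr.version == 4:
            # postgrey's default lookup-by-subnet drops the last octet so a
            # retry from another host in the same sending farm still matches.
            return str(ipaddress.ip_network(f"{addr}/24", strict=False))
        return str(addr)  # simplification in this example: full address for IPv6

    def check(self, client_ip, sender, rcpt, now):
        key = (self._client_key(client_ip), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted, try again later"
        return "DUNNO"


def smtpd_policy(client_ip, sasl_authenticated, sender, rcpt, greylist, now):
    """Decision for one RCPT TO, in the order a typical main.cf lists it:
    relay restrictions first, then the greylisting policy service, which
    therefore only sees mail that is legitimately addressed to us."""
    action, name = relay_restrictions(client_ip, sasl_authenticated, rcpt)
    if action != "DUNNO":
        return f"{action} {name}"
    verdict = greylist.check(client_ip, sender, rcpt, now)
    if verdict.startswith("DEFER_IF_PERMIT"):
        return verdict
    return "OK end_of_restrictions"


if __name__ == "__main__":
    g = Greylist()
    # Exchange behind the VPN relaying outbound mail: trusted, never greylisted.
    print(smtpd_policy("10.0.1.20", False, "dad@example.com", "friend@example.net", g, 0))
    # A random internet host trying to relay through us: refused.
    print(smtpd_policy("203.0.113.7", False, "spam@example.org", "victim@example.net", g, 0))
    # Inbound mail for our domain: greylisted, then accepted on a later retry.
    for t in (0, 120, 400):
        print(t, smtpd_policy("203.0.113.7", False, "alice@example.org", "bob@example.com", g, t))
```

Two things the model makes visible. First, `permit_mynetworks` is positional trust: every host that can source packets from 10.0.1.0/24 may relay to any destination, so the OpenVPN client certificates are effectively relay credentials and a lost laptop certificate should be revoked on the server. Second, greylisting only acts on connections that reach the Postfix listener; with the iptables plan quoted above (inbound only on 22 and 1194), nothing on the internet reaches port 25, so postgrey only becomes relevant once the box is also made a public MX, which is the scenario Len is arguing for.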