Tristan DEFERT
2007-Oct-04 14:31 UTC
workaround to new Orange policy on outgoing SMTP traffic for xDSL users
hi all,

since wanadoo/orange blocks any outgoing SMTP traffic other than to their SMTP server/relay, my customers who have such xDSL accounts cannot reach the SMTP service we provide directly anymore.

I'd like to trick that by allowing them to reach my SMTP server on port 26 instead of 25, without perturbing the other customers.

I got a firewall that bridges a WAN zone to my DMZ zone.
In the DMZ zone is the SMTP server that answers on port 25, as usual.

I'd like any incoming connection to my SMTP server on port 26 to be redirected to this SMTP server on port 25.

But I'm a bit confused: what should I do? DNAT or REDIRECT? On the mail server itself :-( or on the firewall :-) ?

Any advice welcome, thanks all!

Tristan

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Roberto C. Sánchez
2007-Oct-04 14:52 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
On Thu, Oct 04, 2007 at 04:31:06PM +0200, Tristan DEFERT wrote:
> hi all,
>
> since wanadoo/orange blocks any outgoing smtp traffic other than to
> their SMTP server/relay, my customers who have such xDSL accounts cannot
> reach directly the smtp service we provide anymore.
>
> I'd like to trick that by allowing them to reach my smtp server of port
> 26 instead of 25, without perturbing the other customers.
>
> I got a firewall that bridges a WAN zone to my DMZ zone.
> In DMZ zone is the SMTP server that answers on port 25, as usual.
>
> I'd like that any incoming connection to my smtp server on port 26 to be
> redirect to this smtp server on port 25.
>
> But i'm a bit confused: what should i do? DNAT or REDIRECT? on the mail
> server itself :-( or on the firewall :-) ?
>
You are going about this the wrong way. The "correct" way for them to
connect would be to use the submission port (587), which is defined as
the entry point for new mail into the SMTP system. Then you can have
your mail server listen on 587 and 25 and then you don't have to worry
about redirecting using shorewall.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Jérôme Blion
2007-Oct-04 17:01 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
Roberto C. Sánchez wrote:
> On Thu, Oct 04, 2007 at 04:31:06PM +0200, Tristan DEFERT wrote:
>
>> hi all,
>>
>> since wanadoo/orange blocks any outgoing smtp traffic other than to
>> their SMTP server/relay, my customers who have such xDSL accounts cannot
>> reach directly the smtp service we provide anymore.
>>
>> I'd like to trick that by allowing them to reach my smtp server of port
>> 26 instead of 25, without perturbing the other customers.
>>
>> I got a firewall that bridges a WAN zone to my DMZ zone.
>> In DMZ zone is the SMTP server that answers on port 25, as usual.
>>
>> I'd like that any incoming connection to my smtp server on port 26 to be
>> redirect to this smtp server on port 25.
>>
>> But i'm a bit confused: what should i do? DNAT or REDIRECT? on the mail
>> server itself :-( or on the firewall :-) ?
>>
>>
> You are going about this the wrong way. The "correct" way for them to
> connect would be to use the submission port (587), which is defined as
> the entry point for new mail into the SMTP system. Then you can have
> your mail server listen on 587 and 25 and then you don't have to worry
> about redirecting using shorewall.
>
> Regards,
>
> -Roberto
>
In mail clients, we just have to change 25 with 587 ??? It seems too easy !

Else, you can try to activate SMTPS... (tcp/465)
Roberto C. Sánchez
2007-Oct-04 17:12 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
On Thu, Oct 04, 2007 at 07:01:00PM +0200, Jérôme Blion wrote:
>
> In mail clients, we just have to change 25 with 587 ??? It seems too easy !

Yes it is that easy. Some mail clients (like recent versions of
Thunderbird, IIRC) even have "Submission" as one of the protocol
options.

> Else, you can try to activate SMTPS... (tcp/465)

That is also a possibility.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep
2007-Oct-04 17:46 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
Roberto C. Sánchez wrote:
> On Thu, Oct 04, 2007 at 07:01:00PM +0200, Jérôme Blion wrote:
>> In mail clients, we just have to change 25 with 587 ??? It seems too easy !
>
> Yes it is that easy. Some mail clients (like recent versions of
> Thunderbird, IIRC) even have "Submission" as one of the protocol
> options.
>
>> Else, you can try to activate SMTPS... (tcp/465)
>
> That is also a possibility.
>
Although I found that difficult to set up the first time that I tried it.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Paul Gear
2007-Oct-04 22:45 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
Jérôme Blion wrote:
> ...
>>> But i'm a bit confused: what should i do? DNAT or REDIRECT? on the mail
>>> server itself :-( or on the firewall :-) ?
>>>
>>>
>> You are going about this the wrong way. The "correct" way for them to
>> connect would be to use the submission port (587), which is defined as
>> the entry point for new mail into the SMTP system. Then you can have
>> your mail server listen on 587 and 25 and then you don't have to worry
>> about redirecting using shorewall.
>>
>> ...
> In mail clients, we just have to change 25 with 587 ??? It seems too easy !
> Else, you can try to activate SMTPS... (tcp/465)

My understanding of SMTP submission was that 587 was intended to be open
normally only on the loopback interface (i.e. it's used for submitting
mail from the local machine).

DNATing from port 25 outgoing to port 26 on a specific server seems like
a reasonable thing to do (although possibly less secure than using a
local mail relay and pushing SMTP traffic through a VPN link).

Jérôme, if you decide to do it this way, DNAT is what you will need,
since REDIRECT only redirects to ports on the firewall itself.

--
Paul <http://paul.gear.dyndns.org>
--
Did you know?  Microsoft Internet Explorer and Outlook have a poor track
record for security <http://www.kb.cert.org/vuls/id/713878>.  Why not
try one of the more secure alternatives from <http://mozilla.org>?
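Added here as a worked example (not from the thread, and not Shorewall project documentation): the /etc/shorewall/rules lines that express the two approaches discussed above, the submission port versus a DNAT from an alternate port to port 25. It assumes the firewall routes between a `net` zone and a `dmz` zone (NAT rules need a routed path, not a pure bridge) and that 192.0.2.25 is a placeholder for the DMZ mail server's address.

```conf
# /etc/shorewall/rules -- added example, not from the thread. Assumes routed
# net and dmz zones and a DMZ mail host at the placeholder address 192.0.2.25.
#ACTION    SOURCE    DEST                 PROTO   DEST      SOURCE    ORIGINAL
#                                                 PORT(S)   PORT(S)   DEST

# Ordinary MTA-to-MTA delivery: plain port 25 into the DMZ, unchanged.
ACCEPT     net       dmz:192.0.2.25       tcp     25

# Option A (Roberto): clients use the submission port. The MTA must also be
# configured to listen on 587 (an MTA setting, not a firewall setting).
ACCEPT     net       dmz:192.0.2.25       tcp     587

# Jérôme's alternative: SMTPS on tcp/465, again only if the MTA listens there.
ACCEPT     net       dmz:192.0.2.25       tcp     465

# Option B (Paul): accept connections on port 26 and rewrite the destination
# to port 25 on the DMZ host. DNAT is the right action because the target is
# a host behind the firewall; Shorewall's DNAT action also generates the
# matching ACCEPT, so no separate ACCEPT line is needed for port 26.
DNAT       net       dmz:192.0.2.25:25    tcp     26

# What REDIRECT would do instead: deliver the packet to a port on the
# firewall itself (here, port 25 on the firewall), which is not where the
# MTA runs. Shown commented out because it is the wrong tool for this case.
#REDIRECT  net       25                   tcp     26
```

Either option leaves the other customers' port 25 traffic untouched; only the new port (587, 465 or 26) is added.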
Roberto C. Sánchez
2007-Oct-04 22:50 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
On Fri, Oct 05, 2007 at 08:45:51AM +1000, Paul Gear wrote:
>
> My understanding of SMTP submission was that 587 was intended to be open
> normally only on the loopback interface (i.e. it's used for submitting
> mail from the local machine).
>
I don't think that is right. The relevant RFC [0] never mentions loopback
or that it is only meant for submitting from the local machine.

> DNATing from port 25 outgoing to port 26 on a specific server seems like
> a reasonable thing to do (although possibly less secure than using a
> local mail relay and pushing SMTP traffic through a VPN link).
>
> Jérôme, if you decide to do it this way, DNAT is what you will need,
> since REDIRECT only redirects to ports on the firewall itself.
>
Regards,

-Roberto

[0] http://www.faqs.org/rfcs/rfc2476.html

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Simon Hobson
2007-Oct-05 06:51 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
Can I just chip in that the correct action in this case is to switch ISP to one a bit less brain dead ?

Such policies, whilst generally good, must have a mechanism to deal with customers that genuinely need it - and any ISP that doesn't allow for this should not be in the business (which was my opinion of Orange anyway).
Brian J. Murrell
2007-Oct-05 13:48 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
On Fri, 2007-10-05 at 07:51 +0100, Simon Hobson wrote:
> Can I just chip in that the correct action in this case is to switch
> ISP to one a bit less brain dead ?

You must also understand that just because your local market allows you
the freedom to choose ISPs, many do not. Rural Americas are a great
example where there are markets where only one ISP is providing service
and if you don't like their business model, tough nuts.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
Tristan DEFERT
2007-Oct-05 14:00 UTC
Re: workaround to new Orange policy on outgoing SMTP traffic for xDSL users
Sure, I cannot push my customers to change from this ISP to another, simply because most of them can't: Orange is the only one that provides xDSL in their area. But I agree, it is one of the WORST.

So I just opened tcp/587 to my mail server, and I'm now publishing a document to assist them in configuring their MUA to use this port.

End of the story.

Tristan

On Friday, 05 October 2007 at 09:48 -0400, Brian J. Murrell wrote:
> On Fri, 2007-10-05 at 07:51 +0100, Simon Hobson wrote:
> > Can I just chip in that the correct action in this case is to switch
> > ISP to one a bit less brain dead ?
>
> You must also understand that just because your local market allows you
> the freedom to choose ISPs, many do not. Rural Americas are a great
> example where there are markets where only one ISP is providing service
> and if you don't like their business model, tough nuts.
>
> b.
>
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users