chris severn

I'm still installing Gentoo along side an existing redhat 6.2
installation, as an eventual replacement when it's working. I have so
far managed to boot from the live cd, get my ADSL modem working the hard
way (roaring penguin doesn't work), emerge the basic system, and compile
a kernel.

The machine is a squid/masqerading gateway for a lan of 25 machines, and
hosts its own mail (using sendmail) for the users, including laptop
users who need on-the-road access.

I'd like to change from sendmail to a new MTA now which is more secure,
and supports the following easily :

1. SMTP authentication. So the laptop users can still send mail through
this server. (On my redhat system I used pop-before-smtp by a dodgy
"DynamicRelay" perl script).

2. Ability to save a backup copy of every mail passed through (both sent
by my users, and received by my users). (On my redhat system I do this
via a source code patch to sendmail, coupled with a D{LogAll} directive
in sendmail.cf).

3. Ability to set up MTA to listen on the normal port 25, but also
listen on another port 1025. This is because some ISPs that the laptop
users log in on block outgoing connections to port 25. I set them up to
use 1025 to send mail. Everyone else uses standard port 25. On my
redhat system, I did that by adding a "..... /usr/sbin/sendmail -bs" in
inetd.conf on port 1025.

I'd appreciate any pointers to which MTA provides these things in the
easiest way to configure.

I've seen imformation on how to do SMTP auth on some MTAs, but I can't
find out how to save a copy of all mails. I imagine an input filter
would work on some MTAs, but I'm not sure.....

Thanks,

Chris

wuphons reach

In article <40a04532$0$16587$5a62ac22
@freenews.iinet.net.au>, severn@iinet.net.au says...

Postfix is what we use for about 30 users.

Postfix + SASL (see chapter 12 in "Postfix, The
Definitive Guide").

However, your laptop users should be using TLS
(basically SSL encryption) at a minimum if they are
connecting to the machine from the outside. So as to
not send their userids/passwords via plain-text across
the wire. TLS is covered in chapter 13.

Alternately, you can have your laptop users use SSH to
tunnel into the network.

http://www.postfix.org/postconf.5.html

Parameter name is: always_bcc

Make sure you're open and honest about the fact that
this system logs all inbound/outbound e-mail... I'm not
100% sure what the legal climate is regarding archving
of mail, or whether it's merely setting up lawyer bait.

I believe you change this in master.cf (not 100% sure).
The TLS port is typically something other then port 25 I
think tcp/465 is the default, some folks use 587, others
use port #s above 1024 (GeekMail used 2525, IIRC). One
message that I saw indicated that there is no fixed port
for SMTP+TLS.

Unfortunately, you're beyond what I've had a chance to
muck with in Postfix (I wasn't the one who set it up...
and I'm still learning how to maintain it).

chris severn

I was leaning towards postfix, so that's good to hear.

I've presently got POP-3 encryption supported using SSL-proxy on my old
system. I had tried to also have encrypted SMTP supported, but the
clients didn't work for some reason. I would prefer to have a different
SMTP password for authorisation, and have it not be the same as the
POP-3 passwords, whether or not I get the encryption working.

Actually, I plan on implementing a VPN (Probably ipsec) eventually, so
that all the laptop users will be using that for mail, and file access.
The SMTP auth, and other encryptions are for use until I get that running.

Excellent. Thanks for that. Just what I was after. I imagine that if I
don't want to create a real user to receive all that mail, that I can
just specify an alias which dumps to a file ?

Yep, everyone already knows the mail is logged. People often come to me
to ask me to resurrect a message they sent or received but accidently
deleted. They're only logged for 7 days anyway. I originally
implemented it as a check for viruses. People would get these reports
saying "you sent a virus". I wanted to be able to go back and check
their sent mail to confirm it didn't happen.

OK, I'll check that out. I'm presently not using encryption on the SMTP
because I couldn't get it working. I've just added a non-encrypted port
other than port 25. But, if I can get an encrypted port working, then that's fine.


Thanks for your help,

Chris

claes wikstrom

This is easier to fix with iptables at the router/fw.

Assuming the ip of your mailserver is 192.168.128.1

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1025 \
-j DNAT --to-destination 192.168.128.1:25

/klacke


--
Claes Wikstrom -- Caps lock is nowhere and
http://www.hyber.org -- everything is under control

chris severn

You're assuming I've got a firewall independant of the mailserver ?

What if they're on the same box ?

I can't just redirect the port from 1025 to 25 locally, or postfix will
assume the connection came from localhost, and will allow it to send
whatever mail it wants without anti-spam measures.

I need postfix to have the same security on relaying when it's being
used on port 1025 as it does when it's being used on port 25.

Chris

claes wikstrom

Not correct, the REDIR will not change the source IP. As a matter of fact,
when I run this scheme, I do run the REDIR on the same machine as the MTA.
The MTA will not notice anything out of the ordinary, it will be precicely
as if the sending MTA (or client) connected to port 25.

Absolutely, and using REDIR doesn't change that.


/klacke


--
Claes Wikstrom -- Caps lock is nowhere and
http://www.hyber.org -- everything is under control