Astaro User Bulletin Board

#21
05-18-2009, 02:24 PM
RFCat_vk
Wizard
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 2,544

Hi Billybob,
thank you for those test results.

Ian M
__________________
Home Power User unlimited licence - v7.50x - AMD X2 5050e with 2gb,1 intel NIC, the onboard NIC and netgear gs108t with vlans.

#22
05-19-2009, 11:09 AM
Alvin
Senior Member
Join Date: Jul 2003
Posts: 142

Billybob

Thanks for doing the testing.

1) It is strange that in your case only port 25 is open with SMTP Proxy; mine has 3 ports: 25, 465 and 587.

2) Did you enable Transparent Mode?
I tried every setting ON and OFF by trial and error, and I realized that if I enable Transparent Mode, 25 opens; if I disable it, it closes.
But I do need Transparent Mode so that laptops need not be reconfigured when moving in and out of the network.

3) For the Routing, is it better to use MX Records or STATIC Host -> Blackhole?


Thanks !
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC

Last edited by Alvin; 05-19-2009 at 11:28 AM.

#23
05-21-2009, 03:13 PM
Alvin
Senior Member
Join Date: Jul 2003
Posts: 142

Hi

- I am quite sure it is the Transparent Proxy (enabled) that keeps port 25 open even with the DNAT.

- But sometimes, after so much trial and error, I have to admit I get confused.

- Can someone confirm that with Transparent Proxy enabled, port 25 will be open?

- Any idea why I have the other 2 ports when others only have 25?

- Why is this the behavior, since there is a section which allows us to define which networks are allowed to relay? If we allow LAN, then it should simply block WAN, right, based on the default-deny concept?

- Please advise me on the routing: is MX better, or is Static -> Blackhole (non-existent IP) better? I am trying to make it as secure as possible, but in this case both seem to work, so I cannot decide which is better.
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC

#24
05-22-2009, 11:48 PM
RichardBlank
Junior Member
Join Date: May 2009
Location: Rohrmoser, Costa Rica
Posts: 1

Thanks for the solid information.

Richard



.
__________________
Richard Blank
CEO
Costa Rica’s Call Center
ceo@costaricascallcenter.com
http://www.costaricascallcenter.com
888-271-6750

#25
06-01-2009, 03:18 PM
Alvin
Senior Member
Join Date: Jul 2003
Posts: 142

Hi All

Just want to share more findings.

1) 100% confirmed: my port 25 remaining open even with DNAT to Blackhole is due to Transparent Proxy being enabled.

2) The countermeasure is to add WAN ADDRESS (I hope I am right, but if you think it is better to add WAN Network or the WAN Broadcast, please let me know) to the Skip transparent mode hosts/nets and UNCHECK the Allow SMTP traffic for listed hosts/nets.

3) I believe the theory behind the above is that Transparent Mode hijacks at a much higher level than DNAT etc., thus the port is open.

4) Please note that you still need those DNAT rules to close the other ports.

5) I hope Astaro can fix it so that in future it only hijacks the networks under Relaying => Host-based relay => Allowed hosts/networks.

6) Note that as an additional safety countermeasure, I did put ANY under the Host/Network blacklist => Blocked hosts/networks.

This will block SMTP traffic sent directly to postmaster@[ip.ad.dr.es].

7) For the Routing, I keep the domain list empty, Static Host => Blackhole. If someone thinks it is better to set it to MX, please let me know. I honestly cannot see any difference. On one hand, it seems good to route anything, if any, to Blackhole since I do not have an SMTP server. On the other hand, routing via MX seems to make sense, as I am afraid it breaks my outgoing mail, which I have yet to notice.


YEAH! Finally closed the unnecessary ports!

Thank you to all who bothered to read and contribute, and for the rest, I hope you find this useful!

Time for another SecuritySpace Audit...
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC

Last edited by Alvin; 06-01-2009 at 03:24 PM.
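
A repeatable way to verify the result described in post #25, as an added example that is not part of the original thread: run from a host outside the network against your own WAN address, it reports whether 25, 465 and 587 are open (something answers, such as the SMTP proxy), closed, or filtered. The script name and function names are made up for this example.

```python
import socket
import sys

SMTP_PORTS = (25, 465, 587)  # the three ports the thread reports as open

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered' and grab any banner."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", ""        # host answered with a reset: nothing listens
    except OSError:
        return "filtered", ""      # timeout or unreachable: no answer came back
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except OSError:
            banner = ""            # e.g. implicit-TLS 465 sends no plaintext greeting
    return "open", banner

def audit(host, ports=SMTP_PORTS, timeout=3.0):
    """Probe every port and record state, banner and whether it looks like SMTP."""
    findings = {}
    for port in ports:
        state, banner = probe(host, port, timeout)
        findings[port] = {"state": state, "banner": banner,
                          "smtp_greeting": banner.startswith("220")}
    return findings

def exposed(findings):
    """Ports that accepted a connection and therefore still need closing."""
    return sorted(p for p, f in findings.items() if f["state"] == "open")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: smtp_exposure_check.py <your-own-WAN-address>")
    result = audit(sys.argv[1])
    for port, info in sorted(result.items()):
        print(f"{port}/tcp {info['state']:8} {info['banner']}")
    sys.exit(1 if exposed(result) else 0)
```

A port that still shows `open` with a `220` greeting after the DNAT rule is in place means a listener on the gateway is answering before the packet is redirected, which is the behaviour the post attributes to Transparent Mode.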

All times are GMT.


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.