Astaro User Bulletin Board
  #1 (permalink)  
Old 02-02-2004, 02:55 PM
Member
 
Join Date: Dec 2002
Posts: 43
Default How to Restrict access to SMTP proxy?

Under ASL 4.020, I use the SMTP proxy for antivirus and antispam filtering into Exchange. However, our setup is such that all email is filtered externally, before hitting our wire; thus, there should only be incoming SMTP connections from specific IPs.
I've tried to implement a packet filter to deny all and accept from the specific upstream IPs, but it doesn't work.
Can anyone shed some light on this, please?
Thanks!
-David
  #2 (permalink)  
Old 02-02-2004, 04:19 PM
Wizard
 
Join Date: Jul 2003
Location: U.S.
Posts: 1,265
Default Re: How to Restrict access to SMTP proxy?

Proxies sit outside the firewall and are unaffected by rules.
So how can you do what you want to do, I am not sure;
the only way you could restrict is through a setting on the SMTP proxy...
  #3 (permalink)  
Old 02-02-2004, 04:52 PM
Member
 
Join Date: Dec 2002
Posts: 43
Default Re: How to Restrict access to SMTP proxy?

Right. I had seen someone suggest setting up 'ipfilter.local' for proxy filter blocking. Would that apply in the case of the SMTP proxy? Else, is there a configuration option for Exim to only allow connections from specific IPs?

Unfortunately, I'm not [yet] too familiar with Exim configuration. I guess on this, I'll ping Astaro support. It seems like something desirable to do...
  #4 (permalink)  
Old 02-03-2004, 12:57 AM
Wizard
 
Join Date: Jul 2003
Location: U.S.
Posts: 1,265
Default Re: How to Restrict access to SMTP proxy?

That's your only shot: an Exim tweak or an SMTP proxy setting. The ipfilter local is for the firewall rules; proxies are unaffected by that...

  #5 (permalink)  
Old 02-03-2004, 03:22 PM
Wizard
 
Join Date: Feb 2002
Location: Massachusetts, USA
Posts: 850
Default Re: How to Restrict access to SMTP proxy?

You could use the "I" option in your IPTABLES rule definition and it should insert the rule at the beginning of the stack.
Create 1 rule for each allowed IP:
Rule to allow : iptables -I INPUT -s "allowed IP" -p tcp -d "ASL external IP" --dport 25 -j AUTO_INPUT

You should use the target AUTO_INPUT, I believe, so that the traffic would then have to pass the other rules for incoming traffic.

Rule to drop : iptables -I INPUT -p tcp -d "ASL external IP" --dport 25 -j DROP

This one will DROP smtp traffic not allowed by the earlier rules before it gets to the ASL generated AUTO_INPUT target.

Give it a shot. It is a "hack", but since it's reducing allowed traffic it should pose limited risk.
Reply With Quote
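
The rule set from post #5 as an added dry-run example (not part of the original post and not Astaro's own tooling): `-I` without a rule number inserts at position 1, so this sketch prints the commands with explicit positions that keep every allow rule above the DROP. The function names and the RFC 5737 addresses are constructed for illustration; AUTO_INPUT is the chain named in the thread.

```shell
#!/bin/sh
# Added example: prints (does not execute) the iptables commands.
# Addresses are RFC 5737 documentation placeholders, not thread values.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# smtp_allowlist_rules EXT_IP ALLOWED_IP...
# Emits one rule per allowed source at positions 1..N (handing the packet
# to AUTO_INPUT, as in the thread) and one DROP at position N+1.
# All input is validated before anything is printed, and an empty
# allowlist is refused so a lone DROP can never be emitted.
smtp_allowlist_rules() {
    ext_ip=$1; shift
    is_ipv4 "$ext_ip" || { echo "bad external IP: $ext_ip" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        is_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    done
    pos=1
    for src in "$@"; do
        echo "iptables -I INPUT $pos -s $src -p tcp -d $ext_ip --dport 25 -j AUTO_INPUT"
        pos=$((pos + 1))
    done
    echo "iptables -I INPUT $pos -p tcp -d $ext_ip --dport 25 -j DROP"
}

# Constructed sample: external IP first, then the upstream filter hosts.
smtp_allowlist_rules 203.0.113.10 198.51.100.25 198.51.100.26
```

Run the printed commands in the order shown; iptables rejects an insert position beyond the end of the chain.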
All times are GMT.

These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.