On Tue, Sep 26, 2000 at 05:10:09PM -0400, Paul Reavis wrote:
> perimeter network behind the firewall, and since I was using redir to
> redirect SMTP to it through the firewall from outside, the MTA was doing
> all its checking against the IP address of the firewall, not the outside

Did you run redir in transparent mode? I never set up a system using the
newer versions of redir, but I think it should be able to do that.

> It also makes me wonder what other services would suffer. I do use tcpd
> to wrap the redir command, so at least some protection is there, but if
> daemons on the perimeter box (which supplies www, ftp, and smtp) always
> think packets are coming from the firewall then they can't perform
> protocol-specific validation that depends on the origin IP address.

Right. That's why you should use transparency whenever possible. As for
ftp I'd recommend using a proxy anyway.

> 1) should I be using a forward-only SMTP server at the firewall, rather
> than port forwarding?

That in fact is what I used to do most of the time, because redir wasn't
doing more than pure redirection at that time. Well, I still do this
mostly as many customers have M$ Exchange as an MTA and I don't want this
to be accessible from the internet, not even on port 25.

Michael

-- 
Michael Meskes
[email protected]
Go SF 49ers! Go Rhein Fire!
Use Debian GNU/Linux! Use PostgreSQL!

