Hi, it's me again.

It seems everyone I've asked about <subject> said that postfix indeed is not an open relay by default, even when it's already running with the minimum settings. ;-)

I think that all those who responded so were running postfix on their firewall machines. Anybody here running postfix BEHIND their firewall? Can somebody please tell me what is wrong with the following IPTABLES rules relevant to running web and mail servers BEHIND a firewall?

Here are the relevant rules I'm using on the firewall machine:

# Generated by iptables-save v1.2.5 on Mon Jul 28 13:19:45 2003
*mangle
:PREROUTING ACCEPT [117:55510]
:INPUT ACCEPT [2021:463484]
:FORWARD ACCEPT [3509:1790224]
:OUTPUT ACCEPT [61:41865]
:POSTROUTING ACCEPT [4983:2228457]
COMMIT
# Completed on Mon Jul 28 13:19:45 2003
# Generated by iptables-save v1.2.5 on Mon Jul 28 13:19:45 2003
*nat
:PREROUTING ACCEPT [7:776]
:POSTROUTING ACCEPT [1:78]
:OUTPUT ACCEPT [7:492]
#
#
-A PREROUTING -d 203.215.86.205 -p tcp --dport 110 -j DNAT --to-destination <mailserver.IP>
-A PREROUTING -d 203.215.86.205 -p tcp --dport 25 -j DNAT --to-destination <mailserver.IP>
-A PREROUTING -d 203.215.86.205 -p tcp --dport 80 -j DNAT --to-destination <mailserver.IP>
#
#
-A POSTROUTING -d <mailserver.IP> -p tcp --dport 110 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -d <mailserver.IP> -p tcp --dport 25 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -d <mailserver.IP> -p tcp --dport 80 -j SNAT --to-source 192.168.1.1
#
#
-A OUTPUT -d 203.215.86.205 -p tcp --dport 80 -j DNAT --to-destination <mailserver.IP>
-A OUTPUT -d 203.215.86.205 -p tcp --dport 110 -j DNAT --to-destination <mailserver.IP>
-A OUTPUT -d 203.215.86.205 -p tcp --dport 25 -j DNAT --to-destination <mailserver.IP>
#
# masquerade all outbound
#
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source 203.215.86.205
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT


<snipped the *filter rules>

-Victor

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
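A small model of what the mail server sees after the nat rules above, added here as an example and not part of Victor's post or of postfix itself. It assumes <mailserver.IP> is 192.168.1.10, uses a constructed external client 198.51.100.7, and assumes postfix trusts the LAN 192.168.1.0/24 (the default "subnet" style mynetworks); it shows that the POSTROUTING SNAT rule for port 25 makes every inbound SMTP client look like 192.168.1.1, which permit_mynetworks then treats as a trusted LAN host.

```python
import ipaddress
import re

# Constructed copy of the post's port-25 nat rules, with <mailserver.IP>
# assumed to be 192.168.1.10.
NAT_RULES_WITH_SNAT = """
-A PREROUTING -d 203.215.86.205 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -d 192.168.1.10 -p tcp --dport 25 -j SNAT --to-source 192.168.1.1
"""

# Same rules with the SNAT line dropped: the mail server then sees the
# real client address (its default route must point back at the firewall).
NAT_RULES_DNAT_ONLY = """
-A PREROUTING -d 203.215.86.205 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.10
"""

RULE_RE = re.compile(
    r"-A (\w+) -d (\S+) -p tcp --dport (\d+) -j (DNAT|SNAT) "
    r"--to-(?:destination|source) (\S+)"
)

def parse_rules(text):
    """Parse only the '-d ... -p tcp --dport ... -j DNAT/SNAT' form used in the post."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, dst, port, target, to = m.groups()
            rules.append((chain, dst, int(port), target, to))
    return rules

def nat_packet(rules, src, dst, dport):
    """Walk PREROUTING then POSTROUTING; first matching rule in each chain wins."""
    for chain in ("PREROUTING", "POSTROUTING"):
        for r_chain, r_dst, r_port, target, to in rules:
            if r_chain == chain and r_dst == dst and r_port == dport:
                if target == "DNAT":
                    dst = to
                else:
                    src = to
                break
    return src, dst

def postfix_permits_relay(client_ip, mynetworks):
    """permit_mynetworks: relay is allowed when the client address is in a trusted net."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in mynetworks)

def relay_decision(rule_text, client_ip, mynetworks=("127.0.0.0/8", "192.168.1.0/24")):
    """Return (address the mail server sees, whether postfix would relay for it)."""
    seen_src, _ = nat_packet(parse_rules(rule_text), client_ip, "203.215.86.205", 25)
    return seen_src, postfix_permits_relay(seen_src, mynetworks)
```

Running relay_decision on both rule sets with an outside client shows the SNAT variant hands postfix a 192.168.1.1 source for every inbound SMTP connection, while the DNAT-only variant preserves the client's real address and the relay check fails as intended.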