Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-22 Thread Andrew Cowie
On Mon, 2008-04-21 at 14:37 +1000, Mary Gardiner wrote:
> I wasn't clear in my original mail: I'm more interested in how people
> get their laptop to switch mail settings between "inside horrible
> network" and "normal operation"

Gentoo Linux has an RC system that has the concept of "named
runlevels"... so we tend to have laptops that are set up something like:

/etc/runlevels/
    default/
    network/
    wireless/
    office/

and then have different /etc/init.d/ RC scripts added to these
softlevels as appropriate - for example, in "office", bring up
cupsd; in "wireless" we want the NetworkManager daemon running, etc.

As root, it's just 

# rc office

etc to switch. Rather nice. Anyway, that's our gateway to running custom
scripts depending on environment.

AfC
Sydney

-- 
Andrew Frederick Cowie

Operational Dynamics is an operations and engineering consultancy
focusing on IT strategy, organizational architecture, systems
review, and effective procedures for change management. We actively
carry out research and development in these areas on behalf of our
clients, and enable successful use of open source in their mission
critical enterprises, worldwide.

http://www.operationaldynamics.com/

Sydney   New York   Toronto   London


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Mary Gardiner
On Mon, Apr 21, 2008, Glen Turner wrote:
> Networks *should* block outgoing SMTP from anything but authorised
> mail servers.  They should, however, allow IMAPS (993) and
> Authenticated SMTP (587) to allow users to exchange mail with third-party
> servers.

Indeed, but in this case they've blocked everything except HTTP(S) and
THAT is also increasingly common: block all ports and wait for users to
scream. Screaming sometimes gets outgoing SSH back, but hasn't in this
case. So, really, that's the scenario I was talking about being fairly
common now: pretty much everything blocked. I know of at least two
universities now who do this for their wireless networks.

-Mary


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Glen Turner

Mary Gardiner wrote:

> Everyone's solutions have been pretty interesting[1]. I'm surprised
> (although, yes, I knew) that there aren't less sysadmin-y solutions:
> blocking outgoing SMTP is getting pretty common.

Networks *should* block outgoing SMTP from anything but authorised
mail servers.  They should, however, allow IMAPS (993) and
Authenticated SMTP (587) to allow users to exchange mail with third-party
servers.

In this day and age mail servers shouldn't relay unauthenticated mail
from within a network to the outside.  That's just asking for one
infected PC to drop the entire domain into a spam blacklist.

--
 Glen Turner


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Michael Chesterton


On 21/04/2008, at 5:22 PM, Mary Gardiner wrote:

> People who suspend to RAM regularly won't find this as useful since most
> of the time they will be bypassing their bootloader. Search paths from
> /etc/resolv.conf and wireless ESSIDs are the closest I've come to
> establishing definitive locations, and you put the scripts in your
> equivalent of the if-up.d directories.

There are about 50 different packages that do "where am I" type
functionality; one package is called whereami. I'm not sure if there's a
popular/preferred one.

I have used something similar in the past in dhclient up hooks to change
settings on config files. Usually I would have the same config file
with different extensions and copy the right one over the main file and
restart a process if I had to, all in a dhclient up hook script.

i.e. cp main.cf.home main.cf or cp main.cf.work main.cf etc.

--
Michael Chesterton
http://chesterton.id.au/blog/
http://barrang.com.au/





Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Martin Visser
/proc/cmdline has the kernel parameters on my Ubuntu system.

On Mon, Apr 21, 2008 at 5:36 PM, Mick Pollard <[EMAIL PROTECTED]> wrote:
> On Mon, 21 Apr 2008 17:25:30 +1000
>  Sonia Hamilton <[EMAIL PROTECTED]> wrote:
>
>  > On Mon, 2008-04-21 at 16:31 +1000, Mick Pollard wrote:
>  > > To automate this 'script' you could build a simple smtp profile system.
>  > > Grub allows you to pass extra info to it and this is made available to
>  > > the init process in shell variable $CMDLINE.
>  >
>  > So would one access $CMDLINE in /etc/rc.local (Ubuntu), or elsewhere?
>  >
>  I am not sure on Ubuntu ( never used it or upstart ), I can't see why it
>  wouldn't, but on sysv init/bsd init I know it works.
>  On arch linux I edit /etc/rc.multi and its available there.
>
>
>  --
>  Regards
>  Mick Pollard ( lunix )
>  
>  BOFH Excuse of the day:
>  Unreplicatable Proxy Interruption Signal
>



-- 
Regards, Martin

Martin Visser


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Mick Pollard
On Mon, 21 Apr 2008 17:25:30 +1000
Sonia Hamilton <[EMAIL PROTECTED]> wrote:

> On Mon, 2008-04-21 at 16:31 +1000, Mick Pollard wrote:
> > To automate this 'script' you could build a simple smtp profile system.
> > Grub allows you to pass extra info to it and this is made available to
> > the init process in shell variable $CMDLINE. 
> 
> So would one access $CMDLINE in /etc/rc.local (Ubuntu), or elsewhere?
> 
I am not sure on Ubuntu (never used it or upstart); I can't see why it
wouldn't, but on sysv init/bsd init I know it works.
On Arch Linux I edit /etc/rc.multi and it's available there.

-- 
Regards
Mick Pollard ( lunix )

BOFH Excuse of the day:
Unreplicatable Proxy Interruption Signal





Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Sonia Hamilton
On Mon, 2008-04-21 at 16:31 +1000, Mick Pollard wrote:
> To automate this 'script' you could build a simple smtp profile system.
> Grub allows you to pass extra info to it and this is made available to
> the init process in shell variable $CMDLINE. 

So would one access $CMDLINE in /etc/rc.local (Ubuntu), or elsewhere?

-- 
Thanks,

Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton



[SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread Mary Gardiner
On Mon, Apr 21, 2008, Mick Pollard wrote:
> To automate this 'script' you could build a simple smtp profile system.
> Grub allows you to pass extra info to it and this is made available to
> the init process in shell variable $CMDLINE. 

People who suspend to RAM regularly won't find this as useful since most
of the time they will be bypassing their bootloader. Search paths from
/etc/resolv.conf and wireless ESSIDs are the closest I've come to
establishing definitive locations, and you put the scripts in your
equivalent of the if-up.d directories.

-Mary


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-21 Thread steve

Quoting Mary Gardiner <[EMAIL PROTECTED]>:

> Everyone's solutions have been pretty interesting[1]. I'm surprised
> (although, yes, I knew) that there aren't less sysadmin-y solutions:
> blocking outgoing SMTP is getting pretty common. I feel bad for users who
> just want to send their mail already and not carry around a SMTP setup
> cheatsheet for Outlook/Evo/something.

If you want to do something simple you could run an https webmail
server such as The Horde and then do all your email away from home
through your web browser.



Steve Grady





[SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread Mick Pollard
On Mon, 21 Apr 2008 15:18:13 +1000
Craig Dibble <[EMAIL PROTECTED]> wrote:

> Quoting [EMAIL PROTECTED]:
> 
> > maybe a quick and nasty shell/python/perl script to  
> > change/update/swap your configuration file is what you need
> 
> Indeed.
> 
> I've done it this way in the past, usually just by running the script  
> manually, but you could attach it to an if-up script or even your  
> .profile to work out where you are and make the changes automatically.
> 
> Craig
To automate this 'script' you could build a simple smtp profile system.
Grub allows you to pass extra info to it and this is made available to
the init process in shell variable $CMDLINE. 
So have a couple of entries in grub with different SMTP_profiles
( SMTP_profile=uni ) and then test for that in the init process
and trigger a script or run the necessary 'postconf -e' commands.

Snippet from my grub/menu.lst:

# (0) Arch Linux
title  Arch Linux  [/boot/vmlinuz26]
root   (hd0,0)
kernel /vmlinuz26 root=/dev/sda3 ro SMTP_profile=uni
initrd /kernel26.img

Results:
$CMDLINE on my system: root=/dev/sda3 ro SMTP_profile=uni


-- 
Regards
Mick Pollard ( lunix )

BOFH Excuse of the day:
Unregistered Service Timeout Problem





Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread Mary Gardiner
On Mon, Apr 21, 2008, Jeff Waugh wrote:
>   relayhost =
> [usual.server.on.normal.port]:25
> [usual.server.on.submission.port]:587
> [fascist.university.server]:25

Huh, I didn't actually know it was possible to specify more than one
server there (I thought it had to be done with an MX record or not at
all, and thus you get one choice of port). That should be a workable
solution, as long as I don't end up visiting too many networks of evil.

Everyone's solutions have been pretty interesting[1]. I'm surprised
(although, yes, I knew) that there aren't less sysadmin-y solutions:
blocking outgoing SMTP is getting pretty common. I feel bad for users who
just want to send their mail already and not carry around a SMTP setup
cheatsheet for Outlook/Evo/something.

-Mary

[1] Don Marti also has a fun setup with an automatically created SSH
tunnel firing up from inittab[2]; I could also try that as my last relay host.
http://www.linuxworld.com/community/?q=node/134

[2] Hrm, I guess this means learning upstart.


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread Sonia Hamilton
On Mon, 2008-04-21 at 14:37 +1000, Mary Gardiner wrote:
> I wasn't clear in my original mail: I'm more interested in how people
> get their laptop to switch mail settings between "inside horrible
> network" and "normal operation" than I am in specifically what their
> inside-horrible-network settings are, because in this particular case I
> can use the university's mail server to get mail out (and I also have an
> SSH server on my own machine listening on 443, so if I couldn't I could
> do various SSH tunneling). It's just annoying to have to remember to
> re-configure my mail client (in this case, actually Postfix, but similar
> problems apply to any client, whether full MTA or not) when I am located
> at uni, and again when I leave.

Using postconf -e:

An example script (probably broken) that I used to run on my laptop:

#!/bin/bash
if (( $(id -u) != 0 )); then
    echo "Sorry, must be root.  Exiting..."
    exit 1
fi

# start from a clean slate
postconf -e "defer_transports = "
postconf -e "relayhost = "
postconf -e "transport_maps = "

# check if eth0 not up - send email later (TODO: handle ppp0 for evdo)
myip=$(ip a sh eth0 | grep 'inet\>')
if [ -z "$myip" ] ; then
    postconf -e "defer_transports = smtp"
    postfix reload
    postfix flush
    exit 0
fi

# if we're at home, send email instantly using sandia as relay
myip=$(ip a sh eth0 | grep 'inet\>' | awk '{print $2}')
if [ "$myip" = "192.168.1.1/24" ] ; then
    postconf -e "relayhost = [192.168.1.254]:25"
    postfix reload
    postfix flush
    exit 0
fi

# if we're on didata staff network, relay POE email via sydmta.POE.com.au
myip=$(ip a sh eth0 | grep 'inet\>' | awk '{print $2}' | awk -F. '{print $1 "." $2}')
if [ "$myip" = "148.182" ] ; then
    postconf -e "relayhost = [sydmta.POE.com.au]:25"
    # TODO: work out bug in transport map & combine with ssh tunnel
    #postconf -e "transport_maps = hash:/etc/postfix/transport"
    postfix reload
    postfix flush
    exit 0
fi

# otherwise, just defer transport (until I implement ssh tunnel)
# including 10.172.x.y addresses (when on classroom net) - can't relay via sydmta
postconf -e "defer_transports = smtp"
postfix reload
postfix flush
exit 0

# TODO bring up ssh tunnel
# otherwise, just use ssh tunnel
#postconf -e "relayhost = [127.0.0.1]:2525"
#postfix reload
#postfix flush
#exit 0



-- 
Thanks,

Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton


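An added example, not from any post in this thread, that combines the location signals discussed above (Mick's SMTP_profile kernel parameter, Mary's /etc/resolv.conf search domain and wireless ESSID, and the subnet test from Sonia's script) into one profile chooser with a fixed precedence and a safe "defer" default when the network is unknown. The domain, ESSID, relay host and address prefixes are constructed placeholders, and the postconf/postfix calls are only reached with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: choose a Postfix relay profile from
# the location signals the thread discusses, in fixed precedence:
#   1. SMTP_profile=<name> on the kernel command line (Mick's GRUB entries)
#   2. the "search" domain from /etc/resolv.conf (Mary's suggestion)
#   3. the wireless ESSID, then 4. the eth0 address prefix (Sonia's script)
# Domain, ESSID, relay and prefix values below are constructed placeholders.
profile_from_cmdline() {             # $1: text of /proc/cmdline
    for word in $1; do
        case "$word" in
            SMTP_profile=*) echo "${word#SMTP_profile=}"; return 0 ;;
        esac
    done
    return 1
}

# $1: cmdline, $2: resolv.conf search domain, $3: ESSID, $4: IPv4 addr/prefix
select_profile() {
    p=$(profile_from_cmdline "$1") && { echo "$p"; return 0; }
    case "$2" in
        example-uni.edu) echo uni;  return 0 ;;
        home.lan)        echo home; return 0 ;;
    esac
    case "$3" in
        CampusWiFi) echo uni; return 0 ;;
    esac
    case "$4" in
        192.168.1.*) echo home ;;
        148.182.*)   echo work ;;
        *)           echo defer ;;   # unknown network: queue mail for later
    esac
}

# One "key = value" line per setting, in the form postconf -e accepts.
profile_settings() {
    case "$1" in
        home) printf 'relayhost = [192.168.1.254]:25\ndefer_transports =\n' ;;
        uni)  printf 'relayhost = [mail.example-uni.edu]:25\ndefer_transports =\n' ;;
        work) printf 'relayhost = [sydmta.POE.com.au]:25\ndefer_transports =\n' ;;
        *)    printf 'relayhost =\ndefer_transports = smtp\n' ;;
    esac
}

# Apply a profile to the running Postfix; needs root, so only reached via --apply.
apply_profile() {
    profile_settings "$1" | while IFS= read -r line; do postconf -e "$line"; done
    postfix reload && postfix flush
}

main() {
    search=$(awk '/^search/ { print $2; exit }' /etc/resolv.conf 2>/dev/null)
    essid=$(iwgetid -r 2>/dev/null)
    addr=$(ip -4 addr show eth0 2>/dev/null | awk '/inet / { print $2; exit }')
    apply_profile "$(select_profile "$(cat /proc/cmdline)" "$search" "$essid" "$addr")"
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it from an if-up.d or dhclient hook with --apply; the kernel-parameter override wins so a GRUB entry can force a profile when the network signals are ambiguous.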

Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread Craig Dibble

Quoting [EMAIL PROTECTED]:

> maybe a quick and nasty shell/python/perl script to
> change/update/swap your configuration file is what you need


Indeed.

I've done it this way in the past, usually just by running the script  
manually, but you could attach it to an if-up script or even your  
.profile to work out where you are and make the changes automatically.


Craig


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread Jeff Waugh


> I wasn't clear in my original mail: I'm more interested in how people get
> their laptop to switch mail settings between "inside horrible network" and
> "normal operation" than I am in specifically what their
> inside-horrible-network settings are, because in this particular case I
> can use the university's mail server to get mail out (and I also have an
> SSH server on my own machine listening on 443, so if I couldn't I could do
> various SSH tunneling). It's just annoying to have to remember to
> re-configure my mail client (in this case, actually Postfix, but similar
> problems apply to any client, whether full MTA or not) when I am located
> at uni, and again when I leave.

Oh!

Well, how about using multiple parameters in the postfix relayhost setting?

  relayhost =
[usual.server.on.normal.port]:25
[usual.server.on.submission.port]:587
[fascist.university.server]:25

Then set up multiple entries in /etc/postfix/sasl_passwd like so:

  usual.server.on.normal.port    p4ssw0rd
  fascist.university.server      p4ssw0rd

When the first one fails, it'll try the same server on a different port
(just thought I'd throw in a 25 vs. 587 mention in, because it's handy in
similar situations), then it'll try a totally different server (the one that
works when you're at a fascist network location).

Saves changing anything whenever you're somewhere new.

- Jeff

-- 
OSCON 2008: Portland OR, USA   http://conferences.oreilly.com/oscon/
 
   I used the word 'infrastructure' when describing her cooking style...
   and she didn't speak to me for a week.


Re: [SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread david . lyon

Quoting Mary Gardiner <[EMAIL PROTECTED]>:

> I wasn't clear in my original mail: I'm more interested in how people
> get their laptop to switch mail settings between "inside horrible
> network" and "normal operation" than I am in specifically what their
> inside-horrible-network settings are, because in this particular case I
> can use the university's mail server to get mail out (and I also have an
> SSH server on my own machine listening on 443, so if I couldn't I could
> do various SSH tunneling). It's just annoying to have to remember to
> re-configure my mail client (in this case, actually Postfix, but similar
> problems apply to any client, whether full MTA or not) when I am located
> at uni, and again when I leave.


:-)

well of course

maybe a quick and nasty shell/python/perl script to change/update/swap
your configuration file is what you need

that would save you having to edit it manually every time...

David





[SLUG] Re: Sending mail from within a highly locked down network

2008-04-20 Thread Mary Gardiner
I wasn't clear in my original mail: I'm more interested in how people
get their laptop to switch mail settings between "inside horrible
network" and "normal operation" than I am in specifically what their
inside-horrible-network settings are, because in this particular case I
can use the university's mail server to get mail out (and I also have an
SSH server on my own machine listening on 443, so if I couldn't I could
do various SSH tunneling). It's just annoying to have to remember to
re-configure my mail client (in this case, actually Postfix, but similar
problems apply to any client, whether full MTA or not) when I am located
at uni, and again when I leave.

-Mary