RE: Sendmail config

Thanks to all that helped

It's working now ... kind of (but good enough)

I spent some time working on my firewall to better organize its arrangement (that
wasn't the problem though)

To recap, I was trying to forward email (including system email) to another server
via the internet

It turns out that it was a firewall problem ... the ISP for one of the machines was
blocking port 25!

I briefly tried using port 30 for email forwarding but decided that I really didn't
care if the email was direct to my host machine.  So I pointed the email at the
ISP's smtp server and things started to flow

For security, I intend to either encrypt the mail before it leaves the server or
set up a VPN with IPSEC (in which case I'll have to point the email directly at my
host again ... but should avoid the port 25 ISP blocking in the VPN tunnel)


Cowles, Steve (Steve@SteveCowles.com) wrote:
>
>> -----Original Message-----
>> From: Brian Johnson
>> Sent: Friday, January 31, 2003 12:36 AM
>> Subject: Re: Sendmail config
>>
>>
>> I am now playing with DaemonPortOptions and Modifiers=b in
>> sendmail to have computers use port 30 (but still want local
>> connections through port 25 so trying two ports on local machine)
>>
>> Can now telnet on port 30 from computer B to computer A
>>
>> Still not getting mail through ... but at least now should be
>> limited to sendmail options
>>
>
>Brian,
>
>Based on the requirements you have stated in other posts, you should not
>have to configure your MTA to listen on another port. You have other
>problems. Probably firewall related.
>
>Might I suggest that you take a big step backwards and...
>
>1) Create a LAN/WAN firewall design document. Create a document for each
>site/office. The following link will give you an example of what I do before
>I sit down to configure a firewall and the available services running behind
>that firewall. If you don't have access to Visio, then use a spreadsheet
>program and map the services available between firewall zones as I have
>shown in this document. Anyway, check out:
>http://www.infohiiway.com/cowlesnet for an example
>
>2) Configure/test your firewall(s) to the design document(s) created in step
>one. Test using ip addresses/ports, not FQDN. If you are unable to contact a
>particular service... (do not pass go, do not collect 200 dollars) fix the
>problem before continuing to step 3. With regards to sendmail, I remove the
>daemonportoptions at this stage until I get the firewall working correctly.
>I also place ALL: ALL in /etc/hosts.allow until I get the firewall working.
>Then I lock down the application. (step 4 below)
>
>3) Resolve DNS (resolver lib) issues. Especially issues like accessing a
>masq'd system from behind your firewall using your firewalls external IP
>address. Some firewalls are just not capable of (re)masq'ing packets of
>data. i.e. From a node on your private LAN (192.168.1.20), access your web
>server by its FQDN www.mydomain.com (which is also on your private LAN at
>192.168.1.10) using a public IP address (returned from ISP's DNS server).
>The packet is first masq'd, then hits the external ip address of your
>firewall, then the firewall (if configured) must remasq this packet and send
>it back out on the private LAN segment. I won't even get into the reply
>packet path. :-(
>
>IMO: This type of packet traversal just flat out sucks! But if you're not able
>to setup your own autonomous caching DNS server (behind your firewall) to
>return a private IP address for www.mydomain.com, then you're stuck with this
>horrible hack where your firewall is involved in accessing local systems.
>
>FWIW: I run a multi-view bind-9 setup at this end. If a DNS request comes
>from the internet for www.mydomain.com, the public IP address is returned
>(external ip of firewall). If a DNS request comes from my private/dmz
>networks for www.mydomain.com, the private ip address is returned (rfc1918
>address). This eliminates my firewall from handling requests that originate
>locally, but destined for the local/dmz networks.
>
>4) Finally, once the above tasks are complete and tested, configure your
>application services like smtp, www, etc... With regards to your post, my
>smtp server (sendmail) is configured to handle multiple domains along with
>being a backup MX for other domains. For my registered domains, I have
>configured sendmail (running in the dmz) to relay all inbound e-mail to my
>exchange server (mailertable). For the backup MX domains, sendmail is
>configured to queue all e-mail locally for later delivery using ETRN (also
>using the mailertable). All this is done with a single instance of sendmail
>listening on port 25. i.e. No DaemonPortOptions...
>
>Well that's my two bits (well, really 4 bits)
>
>Good Luck
>Steve Cowles



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
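Steve's step 3 describes a multi-view BIND 9 setup that answers www.mydomain.com with the private address for LAN clients and with the firewall's public address for everyone else, so the firewall never has to re-masquerade local traffic. The named.conf fragment below is an added example of that split-horizon layout; it is not configuration from anyone on this thread. The zone file paths, the 192.168.1.0/24 range and the public address 203.0.113.10 (a documentation-range placeholder for the firewall's external IP) are assumptions.

```conf
# Added example: split-horizon ("multi-view") BIND 9 named.conf fragment.
# Assumptions: private LAN is 192.168.1.0/24, the web server is 192.168.1.10
# (the address used in the thread), and 203.0.113.10 stands in for the
# firewall's public IP address.

acl "lan" { 192.168.1.0/24; 127.0.0.0/8; };

# LAN clients get the RFC 1918 address, so traffic to the web server goes
# straight across the private segment instead of out to the firewall and back.
view "internal" {
    match-clients { lan; };
    recursion yes;                      # LAN hosts may use this as their resolver
    zone "." {                          # root hints are needed for recursion
        type hint;
        file "/etc/bind/db.root";       # assumed path
    };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/db.mydomain.com.internal";
    };
};

# Everyone else gets the public address and no recursion, so the server does
# not become an open resolver for the internet.
view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.com" {
        type master;
        file "/etc/bind/db.mydomain.com.external";
    };
};

# The two zone files differ only in the records that point at LAN hosts:
# --- db.mydomain.com.internal ---
# www     IN  A   192.168.1.10
# --- db.mydomain.com.external ---
# www     IN  A   203.0.113.10
```

Once a single view is declared, every zone (root hints, localhost and reverse zones included) must sit inside a view, or named refuses to load. Check the file with `named-checkconf` before restarting, then confirm the split with `dig @<server> www.mydomain.com` from a LAN host and from outside: the first must return 192.168.1.10 and the second the public address.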
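Step 4's arrangement, a single sendmail listening on port 25 that relays inbound mail for its own domains to an internal mail server and queues mail for the domains it serves as backup MX, is driven by the mailertable and access maps. The fragments below are an added example of that setup and are not Steve's or Brian's configuration; the domain names, the internal relay address 192.168.1.10 and the map file paths are assumptions.

```conf
# Added example: sendmail.mc, mailertable and access fragments (constructed,
# not taken from the thread). Domains, addresses and paths are assumptions.

# --- sendmail.mc: one daemon on port 25, no extra DaemonPortOptions ---
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

# --- /etc/mail/mailertable ---
# Registered domain: hand every inbound message to the internal mail server.
# Square brackets mean "connect to this host directly, do not do an MX lookup",
# which also prevents a loop back to this host's own MX record.
mydomain.com            relay:[192.168.1.10]
# Backup MX for another domain: try its primary; if the primary is down the
# message stays in the local queue until the primary releases it with ETRN.
otherdomain.example     esmtp:[mail.otherdomain.example]

# --- /etc/mail/access ---
# Accept mail addressed TO these domains only. Using the To: tag rather than a
# bare domain avoids also relaying for anyone who merely claims a sender
# address in that domain, which is trivially spoofed.
To:mydomain.com         RELAY
To:otherdomain.example  RELAY
```

Rebuild the maps after editing (`makemap hash /etc/mail/mailertable < /etc/mail/mailertable`, likewise for access), regenerate sendmail.cf from sendmail.mc with m4, and restart sendmail. Queued mail for otherdomain.example is released when its primary connects and issues `ETRN otherdomain.example`; for that to work, `noetrn` must not be set in confPRIVACY_FLAGS. Any recipient domain absent from the access map is still refused with "Relaying denied", which is the behaviour you want on a host reachable from the internet.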
