> Unless, you configure things so that the box running sendmail sees the > clients address you're going to have difficulties. Yes, you are 100% right, configuring sendmail without see real IP address is a bit complicated. But i have no other way, because my whole network have many servers and onyl one IP. My politics is to not run any servers on firewall box. So the solution you wrout to me to intall sendmail on this box is not good for me. But is easyest for do. I think i can try to encalupsate IP packets. My idea is to encapsulate all IP trafic incoming to firewall into other protocol. Lets take samba. Then send it to sendmail box, decapsulate, examine real IP addres, take decission, and replay the same way. > > The way I think you want it to run is that any connection from your local > subnet 192.168.0.0 is allowed to relay but any connection from outside isn't. > Further to that, all connections come via your firewall and have a source > address of 192.168.0.2 (the firewall). Is that correct? Yes, Paul you are right. Of course firewall box, have two ethernet cards. > > You really need to configure your firewall so that it doens't rewrite the > source address of external connections. That will solve your problem. If you > can't do that, try running a mail relay on your firewall. This box will be > able to see the client address and can choose to relay based on that. ie. if > it's from the local LAN, allow relays. If it's external, only allow relaying > if the destination is your mail server (or an alias for it). NO! I cant do it base to fundamental rules of TCP/IP protocol. I will explain it. Let have external box 'A', firewall 'B', and sendmail box 'C'. Now if A send IP packet to B is have src=A dst=B, now B receive this packet and change it to src=B dst=C. IF (as you want to) B would not change this and leave it as src=A dst=C, then packet will arrive to C, but never will be send back to A, because sequnce number of TCPIP protocol is different in B and C, and simply A will reject packets form C, due to Man-In-Middle-Attack rules. So in this configuration must be like is. Secont, will not be received because of C is private IP, and for third, B will not pass throuw packets from C to A. Read the SNAT and DNAT rules of IPTABLES again. :) > This way, connections from the internal LAN don't even need to be sent to the > mail server. The mail relay on your firewall can handle where to send the > mail and you'll reduce the load on the mail server, and most probably on the > firewall too. > There is another way. It is highly tricky. Make on firewall rules that alter TCPIP flag of that packet which is allowed to go to sendmail. Now sendmail box will have iptables rule located in PREROUTE and simpy DROP all packets without flag altered. > Hope that helps a bit. > > Paul. > __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------------------------------------------------------ To unsubscribe email security-discuss-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
