Fedora Core 5 Configuration as SMTP Relay

Posted on 2006-06-11
Last Modified: 2008-01-16
I'm trying to configure a few Fedora Core 5 computers to act as SMTP relay servers. However, I've never used Linux for that before, so I'm not sure where to start. My question is: what is the best (free) program to use as an SMTP relay, and how do I configure it to relay mail for only a few computers within a known IP range? Also, what is the easiest way to configure it to only allow SSH from a given IP and to block out all traffic not associated with SMTP (i.e. SMTP and DNS)?

Thanks in advance!!!
Question by: phoenix706

Expert Comment

ID: 16882738
Ask 5 people here what the best email server software is and you'll get 5 different answers. For a relay on Fedora I would suggest Sendmail. It probably is already installed with Fedora if you chose to include "mail server" in setup.

To set sendmail to relay for a specific IP or set of IPs you'll need to edit the /etc/mail/access file. cd into /etc/mail and add lines like this to the access file:    relay    relay

Then just run "make" in that folder to recreate the database from the file and restart sendmail (/etc/rc.d/init.d/sendmail restart).

To block access to certain ports you'll need to use the iptables firewall. You can edit the rules directly or by editing /etc/sysconfig/iptables and restarting iptables when finished (/etc/rc.d/init.d/iptables restart). You'll want tcp/25 open to the world (if receiving mail) or just your network for sending. For DNS you'll need udp/53 open.

Accepted Solution

jar3817 earned 500 total points
ID: 16882760
forgot the iptables rules....

to allow incoming mail add something like this to your /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

To allow from specific ips:
-A INPUT -s -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
* where is your subnet you want to accept mail from

as for dns:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

for ssh from your computer:
-A INPUT -s -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
* assuming your computer's address is

Then just restart iptables and you should be in business.
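A complete /etc/sysconfig/iptables for the relay, as an added example that is not part of jar3817's answer. The addresses are placeholders assumed here (192.168.1.0/24 for the clients, 192.168.1.10 for the admin workstation, 192.168.1.2 for the resolver); override them through the environment. It goes further than the rules above in two respects the question asks about: outbound traffic is restricted too, so the box can only deliver mail and resolve names, and DNS is treated as an outbound client lookup whose replies are admitted by the ESTABLISHED,RELATED rule, which is all a relay needs unless it also runs a DNS server of its own.

```shell
#!/bin/sh
# Added example (not from the thread): render /etc/sysconfig/iptables for an
# outbound-only SMTP relay. The default addresses are assumptions; override
# them with RELAY_SUBNET, ADMIN_IP and DNS_SERVER in the environment.
set -eu

# gen_relay_rules CLIENT_SUBNET ADMIN_HOST DNS_SERVER
# Writes a filter table in iptables-restore format to stdout:
#  - inbound: loopback, replies, ping, tcp/25 from the client subnet only,
#    tcp/22 from the admin host only; everything else rejected
#  - outbound: replies, tcp/25 to anywhere (delivery to remote MX hosts),
#    DNS to the named resolver only; everything else rejected
gen_relay_rules() {
    subnet=$1 admin=$2 dns=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# -- inbound --
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# mail submission only from the known clients: a rule without -s is an open port
-A INPUT -s $subnet -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# administration only from one workstation
-A INPUT -s $admin -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# -- outbound --
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# DNS: the relay is a client of $dns, not a DNS server, so no inbound udp/53
# rule is needed; replies come back through the ESTABLISHED rule above
-A OUTPUT -d $dns -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d $dns -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
# policy is already DROP; REJECT makes local tools fail fast instead of hanging
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Default placeholders (assumed, not from the thread); override via environment.
gen_relay_rules "${RELAY_SUBNET:-192.168.1.0/24}" "${ADMIN_IP:-192.168.1.10}" "${DNS_SERVER:-192.168.1.2}"
```

Run it as `sh relay-rules.sh > /etc/sysconfig/iptables` and then `/etc/rc.d/init.d/iptables restart`, from the console rather than over SSH: a typo in the port-22 line locks you out. Check the result with `iptables -L -n -v`, and from a host that is not the admin workstation confirm that port 22 is refused and that port 25 is only reachable from inside the client subnet. Note that this file replaces the one system-config-securitylevel writes, so the CUPS (631), mDNS (5353) and IPsec (50/51) rules in the stock file do not carry over; a relay does not need them.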

Author Comment

ID: 16883120
Awesome :-)

I'll try these out tomorrow and let you know how things go.


Expert Comment

ID: 16885055
Thinking more about it... you may need to change sendmail's config.

Open up /etc/mail/ and look for a line like this:
DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl

If you see it, comment it out by putting a dnl in front. This command causes sendmail to listen only on the localhost interface, which won't let other hosts connect to it. Once you make that change, back up your original (cp /etc/mail/ /etc/mail/) and recreate it based on the mc file (m4 /etc/mail/ > /etc/mail/). Then restart sendmail and it should work.
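The two sendmail changes from jar3817's comments, the RELAY entries in /etc/mail/access from the first reply and the DAEMON_OPTIONS line in sendmail.mc from this one, carried through as an added example; this is not code from the thread. One difference from the advice above: instead of dnl-ing the DAEMON_OPTIONS line out, which makes sendmail listen on every interface the box has, the script rewrites Addr= to the relay's LAN address, so the MTA still never binds to a public interface. The client sources, the relay's address and the working directory are assumptions; the script works in a scratch directory unless MAIL_DIR=/etc/mail is given explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): the sendmail side of the relay, covering
# the /etc/mail/access entries and the DAEMON_OPTIONS line in sendmail.mc.
# Client sources, the relay's LAN address and MAIL_DIR are assumptions; the
# script works in a scratch directory unless MAIL_DIR=/etc/mail is set.
set -eu

# gen_access SOURCE... -> access-file lines granting RELAY to each source.
# Untagged entries match the connecting host: "192.168.1" covers the whole /24,
# "10.0.0.5" one host. Anything not listed is refused relaying (the default).
gen_access() {
    for src in "$@"; do
        printf '%s\tRELAY\n' "$src"
    done
}

# mc_listens_on_loopback MCFILE -> true if the MTA daemon is pinned to 127.0.0.1,
# the stock Fedora setting that stops other hosts from connecting at all.
mc_listens_on_loopback() {
    grep -Eq '^DAEMON_OPTIONS\(`Port=smtp, ?Addr=127\.0\.0\.1,' "$1"
}

# pin_mta_to_addr MCFILE ADDR -> the same file with Addr=127.0.0.1 replaced by ADDR.
# Keeping a DAEMON_OPTIONS line, instead of dnl-ing it out, means sendmail binds
# only to the LAN address rather than to every interface the box has.
pin_mta_to_addr() {
    sed -E "s/^(DAEMON_OPTIONS\(\`Port=smtp, ?Addr=)127\.0\.0\.1,/\1$2,/" "$1"
}

MAIL_DIR=${MAIL_DIR:-$(mktemp -d)}
if [ ! -f "$MAIL_DIR/sendmail.mc" ]; then
    # constructed stand-in for the stock sendmail.mc line under discussion
    cat > "$MAIL_DIR/sendmail.mc" <<'EOF'
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
fi

# Keep the originals, as the comment above advises, before touching either file.
for f in access sendmail.mc; do
    if [ -f "$MAIL_DIR/$f" ]; then cp -p "$MAIL_DIR/$f" "$MAIL_DIR/$f.orig"; fi
done

gen_access 192.168.1 10.0.0.5 >> "$MAIL_DIR/access"   # assumed client sources; appended
if mc_listens_on_loopback "$MAIL_DIR/sendmail.mc"; then
    # 192.168.1.20 is the assumed LAN address of the relay itself
    pin_mta_to_addr "$MAIL_DIR/sendmail.mc" 192.168.1.20 > "$MAIL_DIR/sendmail.mc.new"
    mv "$MAIL_DIR/sendmail.mc.new" "$MAIL_DIR/sendmail.mc"
fi
echo "updated $MAIL_DIR; now: cd $MAIL_DIR && make && /etc/rc.d/init.d/sendmail restart"
```

`make` in /etc/mail rebuilds access.db, and on Fedora it also regenerates sendmail.cf from sendmail.mc when the sendmail-cf package is installed; otherwise run the m4 command from the comment above. After the restart, `netstat -ltnp | grep :25` should show the LAN address, not 0.0.0.0:25, and a manual session from a host that is not in the access file (`telnet relay 25`, then `MAIL FROM:<a@example.com>` and `RCPT TO:<b@example.org>`) should be answered with a 550 "Relaying denied" rather than accepted.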

Author Comment

ID: 16891429
I have the SMTP running perfectly now, but I'm having some trouble with the iptables file. I added the lines from above, but I can still connect from a computer via SSH other than the ones specified in the iptables file. Below is the current contents of iptables. I'm pretty sure I just need to remove or modify a few of the lines, but I'm not sure which ones to change. Thanks for the help!!!

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Expert Comment

ID: 16893666
"-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"

Second from the bottom...this was probably in the file by default and lets anyone connect via ssh. Remove that line to stop "everyone" from being able to ssh in.

I also see this line (twice):
"-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT"
This allows everyone to connect to your smtp server. This is fine if this computer accepts mail for a domain of yours, but if this is only an outgoing relay you'll want to get rid of those lines too.
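A quick audit for exactly the two problems pointed out in this reply, as an added example that is not part of the thread: ACCEPT rules that open tcp/22 or tcp/25 to any source, and ACCEPT rules for services a mail relay has no use for (the CUPS and mDNS lines the installer leaves in the file). It reads the file format shown above, or the output of iptables-save. The sample it runs on is constructed to match the posted file, with assumed placeholder addresses where the post has blanks; the list of ports a relay legitimately needs is also an assumption and can be changed with NEEDED.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset for
# ACCEPT rules that open tcp/22 or tcp/25 to any source, and for ACCEPT rules
# on ports a mail relay does not need.
set -eu

# Ports this relay is allowed to accept on. Assumption: tcp/25 for clients and
# tcp/22 for the admin host; add 53 only if this box also serves DNS.
NEEDED=${NEEDED:-22 25}

# audit_rules < RULES -> prints each offending rule; exit 1 if any were found.
audit_rules() {
    awk -v needed="$NEEDED" '
        BEGIN { n = split(needed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^-A / && /-j ACCEPT/ && match($0, /--dport [0-9]+/) {
            port = substr($0, RSTART + 8, RLENGTH - 8)
            if (!(port in ok)) { print "UNNEEDED SERVICE: " $0; found = 1; next }
            # tcp/22 and tcp/25 must carry a source restriction (-s)
            if (/-p tcp/ && (port == "22" || port == "25") && !/(^| )-s /) {
                print "OPEN TO WORLD: " $0; found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample shaped like the file posted in this thread; 192.168.1.0/24,
# 192.168.1.10 and the mDNS multicast address stand in for the blanks in the post.
SAMPLE_RULES='# Firewall configuration written by system-config-securitylevel
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.10 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# Run on the sample. On a live box:  iptables-save | audit_rules
# or:  audit_rules < /etc/sysconfig/iptables
if printf '%s\n' "$SAMPLE_RULES" | audit_rules; then
    echo "ruleset is clean"
else
    echo "remove or restrict the rules above, then /etc/rc.d/init.d/iptables restart"
fi
```

On the sample this flags the three source-less port 22/25 rules (the two the reply above identifies plus the duplicate at the bottom of the file) and the udp/53, 5353 and 631 lines. Rule order matters as well: anything after the final REJECT is dead, and an unrestricted ACCEPT anywhere above it wins no matter how many restricted rules sit next to it, which is why deleting the open lines, not just adding restricted ones, is the fix.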

Author Comment

ID: 16896585
Awesome! Thanks!
