Solved

Fedora Core 5 Configuration as SMTP Relay

Posted on 2006-06-11
7
955 Views
Last Modified: 2008-01-16
I'm trying to configure a few Fedora Core 5 computers to act as SMTP relay servers. However, I've never used Linux for that before, so I'm not sure where to start. My question is: what is the best (free) program to use as an SMTP relay, and how do I configure it to relay mail for only a few computers within a known IP range? Also, what is the easiest way to configure it to only allow SSH from a given IP and to block out all traffic not associated with SMTP (ie - SMTP and DNS)?

Thanks in advance!!!
0
Comment
Question by:phoenix706
7 Comments
 
LVL 26

Expert Comment

by:jar3817
ID: 16882738
Ask 5 people here what the best email server software is and you'll get 5 different answers. For a relay on fedora I would suggest Sendmail. It probably is already installed with fedora if you chose to include "mail server" in setup.

To set sendmail to relay for specific ip or set of ips you'll need to edit the /etc/mail/access file. CD into /etc/mail and add lines like this to the access file:

123.45.67.8    relay
123.45.67.9    relay
etc...

then just run "make" in that folder to recreate the database from the file and restart sendmail (/etc/rc.d/init.d/sendmail restart).

To block access to certain ports you'll need to use the iptables firewall. You can edit the rules directly or by editing /etc/sysconfig/iptables and restarting iptables when finished (/etc/rc.d/init.d/iptables restart). You'll want tcp/25 open to the world (if receiving mail) or just your network for sending. For dns you'll need udp/53 open.
0
 
LVL 26

Accepted Solution

by:
jar3817 earned 500 total points
ID: 16882760
forgot the iptables rules....

to allow incoming mail add something like this to your /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

To allow from specific ips:
-A INPUT -s 10.1.1.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
* where 10.1.1.0/24 is your subnet you want to accept mail from

as for dns:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

for ssh from your computer:
-A INPUT -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
* assuming your computer's address is 10.1.1.1

Then just restart iptables and you should be in business.
0
 

Author Comment

by:phoenix706
ID: 16883120
Awesome :-)

I'll try these out tomorrow and let you know how things go.
0

 
LVL 26

Expert Comment

by:jar3817
ID: 16885055
thinking more about it.... you may need to change sendmail's config.

open up /etc/mail/sendmail.mc and look for a line like this:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

If you see it, comment it out by putting a dnl in front. This command causes sendmail only to listen on the localhost interface, which won't let other hosts connect to it. Once you make that change, back up your original sendmail.cf (cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig) and recreate it based on the mc file (m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf). Then restart sendmail and it should work.
0
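A small audit script, added here as an example and not part of anyone's post in this thread, that checks the two sendmail points raised above: whether an active DAEMON_OPTIONS line still binds only 127.0.0.1, and which /etc/mail/access entries grant RELAY (flagging partial addresses such as "10.20", which sendmail treats as a whole network prefix). The sendmail.mc and access contents are constructed samples.

```python
import re

# Constructed sample of /etc/mail/sendmail.mc (not the poster's real file)
SENDMAIL_MC = """\
divert(-1)dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
MAILER(smtp)dnl
"""

# Constructed sample of /etc/mail/access
ACCESS = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
Connect:10.20.35.7      RELAY
10.20                   RELAY
spammer.example         REJECT
"""

def localhost_only(mc_text):
    """True if an active (not dnl-commented) DAEMON_OPTIONS binds only 127.0.0.1."""
    for line in mc_text.splitlines():
        s = line.strip()
        if s.startswith("dnl"):
            continue  # m4 treats the rest of the line as a comment
        if s.startswith("DAEMON_OPTIONS(") and re.search(r"Addr=127\.0\.0\.1\b", s):
            return True
    return False

def relay_entries(access_text):
    """Return (key, is_prefix) for each RELAY entry in the access file.
    A bare key with fewer than four octets matches every host under that prefix."""
    out = []
    for line in access_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split()[:2]
        if value.upper() != "RELAY":
            continue
        key = key.split(":", 1)[1] if key.startswith("Connect:") else key
        is_prefix = re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", key) is not None
        out.append((key, is_prefix))
    return out

if __name__ == "__main__":
    print("listens on localhost only:", localhost_only(SENDMAIL_MC))
    for key, wide in relay_entries(ACCESS):
        print(f"RELAY {key}" + ("  <- whole network prefix" if wide else ""))
```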
 

Author Comment

by:phoenix706
ID: 16891429
I have the SMTP running perfectly now, but I'm having some trouble with the iptables file. I added the lines from above, but I can still connect from a computer via SSH other than the ones specified in the iptables file. Below is the current contents of iptables. I'm pretty sure I just need to remove or modify a few of the lines, but I'm not sure which ones to change. Thanks for the help!!!

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/27 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0
 
LVL 26

Expert Comment

by:jar3817
ID: 16893666
"-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"

Second from the bottom...this was probably in the file by default and lets anyone connect via ssh. Remove that line to stop "everyone" from being able to ssh in.

I also see this line (twice):
"-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT"
This allows everyone to connect to your smtp server. This is fine if this computer accepts mail for a domain of yours, but if this is only an outgoing relay you'll want to get rid of those lines too.
0
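The diagnosis above (a default rule opening tcp/22 to everyone, sitting after the source-restricted one) can be found automatically. This is an added example, not code from the thread: it parses an /etc/sysconfig/iptables file in iptables-save format and reports ACCEPT rules for the ports meant to be restricted (22 and 25) that carry no -s source filter. The file contents are a constructed excerpt modelled on the one posted above.

```python
import shlex

# Constructed excerpt of /etc/sysconfig/iptables (iptables-save format)
IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Ports that should only ever be accepted from a named source (-s)
RESTRICTED_PORTS = {"22", "25"}

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value (bare flags map to True)."""
    toks = shlex.split(line)
    opts, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts

def unrestricted_accepts(save_text, ports=RESTRICTED_PORTS):
    """Return (line_number, port) for every ACCEPT on a restricted port with no -s filter."""
    findings = []
    for n, line in enumerate(save_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        o = parse_rule(line)
        if o.get("-j") == "ACCEPT" and o.get("--dport") in ports and "-s" not in o:
            findings.append((n, o["--dport"]))
    return findings

if __name__ == "__main__":
    for n, port in unrestricted_accepts(IPTABLES):
        print(f"line {n}: tcp/{port} accepted from any source; remove or add -s")
```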
 

Author Comment

by:phoenix706
ID: 16896585
Awesome! Thanks!
0
