Fedora Core 5 Configuration as SMTP Relay

I'm trying to configure a few Fedora Core 5 computers to act as SMTP relay servers. However, I've never used Linux for that before, so I'm not sure where to start. My question is: what is the best (free) program to use as an SMTP relay, and how do I configure it to relay mail for only a few computers within a known IP range? Also, what is the easiest way to configure it to only allow SSH from a given IP and to block out all traffic not associated with SMTP (i.e. SMTP and DNS)?

Thanks in advance!!!
Asked by phoenix706

1 Solution
jar3817 commented:
Ask 5 people here what the best email server software is and you'll get 5 different answers. For a relay on fedora I would suggest Sendmail. It probably is already installed with fedora if you chose to include "mail server" in setup.

To set sendmail to relay for specific ip or set of ips you'll need to edit the /etc/mail/access file. CD into /etc/mail and add lines like this to the access file:

123.45.67.8    relay
123.45.67.9    relay
etc...

then just run "make" in that folder to recreate the database from the file and restart sendmail (/etc/rc.d/init.d/sendmail restart).

To block access to certain ports you'll need to use the iptables firewall. You can edit the rules directly by editing /etc/sysconfig/iptables and restarting iptables when finished (/etc/rc.d/init.d/iptables restart). You'll want tcp/25 open to the world (if receiving mail) or just your network for sending. For dns you'll need udp/53 open.
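An added example, not from this thread or from the sendmail project: a small POSIX sh helper that turns CIDR-style client ranges into /etc/mail/access entries of the kind the answer above describes. The caveat it encodes is that the sendmail access db matches client addresses by whole leading octets (an entry "10.20.35" covers 10.20.35.0 through 10.20.35.255) and has no notion of a CIDR mask, so /8, /16, /24 and /32 become one prefix each, a block finer than /24 (such as the 192.168.0.0/27 that appears in the ruleset posted further down) has to be listed host by host, and anything coarser that does not fall on an octet boundary is refused instead of being silently widened. The "Connect:" tag and the RELAY value are standard sendmail 8.12+ access-db syntax; the function names, the sample ranges and the temporary output path are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): generate /etc/mail/access entries for
# the hosts allowed to relay. The access db matches client addresses by whole
# leading octets (an entry "10.20.35" covers 10.20.35.0-255) and understands
# no CIDR masks, so /8, /16, /24 and /32 map to one prefix each, blocks finer
# than /24 are expanded host by host, and any other mask is refused.

# cidr_to_access_lines 10.20.35.0/24   -> Connect:10.20.35<TAB>RELAY
# cidr_to_access_lines 192.168.0.0/27  -> 32 lines, one per host
cidr_to_access_lines() {
    cidr=$1
    ip=${cidr%/*}
    bits=${cidr#*/}
    [ "$ip" = "$cidr" ] && bits=32              # bare address: treat as /32
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs # split into octets
    o1=$1; o2=$2; o3=$3; o4=$4
    case $bits in
        8)  printf 'Connect:%s\tRELAY\n' "$o1" ;;
        16) printf 'Connect:%s.%s\tRELAY\n' "$o1" "$o2" ;;
        24) printf 'Connect:%s.%s.%s\tRELAY\n' "$o1" "$o2" "$o3" ;;
        32) printf 'Connect:%s.%s.%s.%s\tRELAY\n' "$o1" "$o2" "$o3" "$o4" ;;
        25|26|27|28|29|30|31)
            # the db cannot express a partial last octet: list every address
            size=$(( 1 << (32 - bits) ))
            first=$(( o4 / size * size ))
            i=$first
            while [ "$i" -lt $(( first + size )) ]; do
                printf 'Connect:%s.%s.%s.%s\tRELAY\n' "$o1" "$o2" "$o3" "$i"
                i=$(( i + 1 ))
            done ;;
        *)
            echo "refusing $cidr: access db needs /8, /16, /24 or /25-/32" >&2
            return 1 ;;
    esac
}

# build_access_file FILE RANGE...: localhost entries plus the relay clients;
# fails (leaving a partial file behind) if any range cannot be expressed.
build_access_file() {
    out=$1; shift
    {
        printf 'Connect:localhost.localdomain\tRELAY\n'
        printf 'Connect:localhost\tRELAY\n'
        printf 'Connect:127.0.0.1\tRELAY\n'
        for range in "$@"; do
            cidr_to_access_lines "$range" || return 1
        done
    } > "$out"
}

# Demo with constructed ranges written to a temporary file. On the relay
# itself you would write /etc/mail/access instead, then run "make -C /etc/mail"
# to rebuild access.db and restart sendmail (/etc/rc.d/init.d/sendmail restart).
demo=$(mktemp)
build_access_file "$demo" 10.20.35.0/24 192.168.0.0/27
echo "$(wc -l < "$demo") entries written to $demo"
```

The host-by-host expansion is the honest choice for a /27: widening it to "192.168.0" would let the other 224 addresses of that /24 relay through the box, which is exactly the open-relay mistake the access file is there to prevent.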
 
jar3817 commented:
forgot the iptables rules....

to allow incoming mail add something like this to your /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

To allow from specific ips:
-A INPUT -s 10.1.1.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
* where 10.1.1.0/24 is your subnet you want to accept mail from

as for dns:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

for ssh from your computer:
-A INPUT -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
* assuming your computer's address is 10.1.1.1

Then just restart iptables and you should be in business.
 
phoenix706 (Author) commented:
Awesome :-)

I'll try these out tomorrow and let you know how things go.
 
jar3817 commented:
thinking more about it.... you may need to change sendmail's config.

open up /etc/mail/sendmail.mc and look for a line like this:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

If you see it, comment it out by putting a dnl in front. This command causes sendmail only to listen on the localhost interface which won't let other hosts connect to it. Once you make that change backup your original sendmail.cf (cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig) and recreate it based on the mc file (m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf). Then restart sendmail and it should work.
 
phoenix706 (Author) commented:
I have the SMTP running perfectly now, but I'm having some trouble with the iptables file. I added the lines from above, but I can still connect from a computer via SSH other than the ones specified in the iptables file. Below are the current contents of the iptables file. I'm pretty sure I just need to remove or modify a few of the lines, but I'm not sure which ones to change. Thanks for the help!!!

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/27 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
jar3817 commented:
"-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"

Second from the bottom...this was probably in the file by default and lets anyone connect via ssh. Remove that line to stop "everyone" from being able to ssh in.

I also see this line (twice):
"-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT"
This allows everyone to connect to your smtp server. This is fine if this computer accepts mail for a domain of yours, but if this is only an outgoing relay you'll want to get rid of those lines too.
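An added example, not from this thread: a POSIX sh script that finds the mistake diagnosed above mechanically, so it does not have to be spotted by eye in a 25-line ruleset. It scans an /etc/sysconfig/iptables file (iptables-save format) for ACCEPT rules that open a given port without a source (-s/--source) or interface (-i) restriction, and can emit a copy with those rules removed. The ruleset the asker posted is embedded as the sample input so the script runs offline; the function names are this example's own. Two caveats worth knowing when reading its output: the same system-config-securitylevel default also leaves udp/5353 and tcp+udp/631 (mDNS and printing) open to the world, which a relay does not need; and an outgoing relay only makes DNS queries, whose replies come back through the ESTABLISHED,RELATED rule via connection tracking, so the inbound udp/53 ACCEPT is only required if this box is itself a DNS server.

```shell
#!/bin/sh
# Added example (not from the thread): audit an /etc/sysconfig/iptables file
# (iptables-save format) for ACCEPT rules that open a sensitive port to any
# source, and emit a copy with those rules removed. Rules carrying -s/--source
# or -i count as restricted; every other ACCEPT of a listed port is reported.

# Shared scanner. mode "list" prints the unrestricted ACCEPT rules for the
# given ports; mode "drop" prints every other line (the hardened ruleset).
scan_rules() {
    mode=$1; file=$2; shift 2
    awk -v mode="$mode" -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
        {
            hit = 0
            if ($0 ~ /^-A/ && $0 ~ /-j ACCEPT/) {
                dport = ""; restricted = 0
                for (i = 1; i <= NF; i++) {
                    if ($i == "--dport") dport = $(i + 1)
                    if ($i == "-s" || $i == "--source" || $i == "-i") restricted = 1
                }
                if (dport != "" && (dport in wanted) && !restricted) hit = 1
            }
            if ((mode == "list" && hit) || (mode == "drop" && !hit)) print
        }' "$file"
}
audit_rules()  { scan_rules list "$@"; }   # audit_rules FILE PORT...
harden_rules() { scan_rules drop "$@"; }   # harden_rules FILE PORT... > NEWFILE

# Sample input: the ruleset posted above in this thread, embedded here so the
# script runs offline.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/27 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo: audit the sample, then harden it and confirm nothing is left open.
# On the relay (as root):
#   cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
#   harden_rules /etc/sysconfig/iptables.orig 22 25 > /etc/sysconfig/iptables
#   /etc/rc.d/init.d/iptables restart
src=$(mktemp); dst=$(mktemp)
sample_ruleset > "$src"
echo "unrestricted ACCEPT rules for tcp/22 and tcp/25:"
audit_rules "$src" 22 25
harden_rules "$src" 22 25 > "$dst"
echo "after hardening: $(audit_rules "$dst" 22 25 | wc -l | tr -d ' ') left open"
```

Pass 5353 and 631 as extra ports to see the mDNS and IPP rules reported as well; a relay that neither prints nor advertises services can drop them along with the world-open tcp/22 and tcp/25 rules.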
 
phoenix706 (Author) commented:
Awesome! Thanks!