Solved

Fedora Core 5 Configuration as SMTP Relay

Posted on 2006-06-11
Last Modified: 2008-01-16
I'm trying to configure a few Fedora Core 5 computers to act as SMTP relay servers. However, I've never used Linux for that before, so I'm not sure where to start. My question is: what is the best (free) program to use as an SMTP relay, and how do I configure it to relay mail for only a few computers within a known IP range? Also, what is the easiest way to configure it to only allow SSH from a given IP and to block out all traffic not associated with SMTP (i.e. SMTP and DNS)?

Thanks in advance!!!
Question by:phoenix706
7 Comments
 
LVL 26

Expert Comment

by:jar3817
ID: 16882738
Ask 5 people here what the best email server software is and you'll get 5 different answers. For a relay on Fedora I would suggest Sendmail. It probably is already installed with Fedora if you chose to include "mail server" in setup.

To set sendmail to relay for a specific IP or set of IPs, you'll need to edit the /etc/mail/access file. cd into /etc/mail and add lines like this to the access file:

123.45.67.8    relay
123.45.67.9    relay
etc...

then just run "make" in that folder to recreate the database from the file and restart sendmail (/etc/rc.d/init.d/sendmail restart).

To block access to certain ports you'll need to use the iptables firewall. You can edit the rules directly or by editing /etc/sysconfig/iptables and restarting iptables when finished (/etc/rc.d/init.d/iptables restart). You'll want tcp/25 open to the world (if receiving mail) or just your network for sending. For DNS you'll need udp/53 open.
 
LVL 26

Accepted Solution

by:jar3817 (earned 500 total points)
ID: 16882760
forgot the iptables rules....

to allow incoming mail add something like this to your /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

To allow from specific ips:
-A INPUT -s 10.1.1.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
* where 10.1.1.0/24 is your subnet you want to accept mail from

as for dns:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

for ssh from your computer:
-A INPUT -s 10.1.1.1/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
* assuming your computer's address is 10.1.1.1

Then just restart iptables and you should be in business.
 

Author Comment

by:phoenix706
ID: 16883120
Awesome :-)

I'll try these out tomorrow and let you know how things go.
 
LVL 26

Expert Comment

by:jar3817
ID: 16885055
thinking more about it.... you may need to change sendmail's config.

open up /etc/mail/sendmail.mc and look for a line like this:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

If you see it, comment it out by putting a dnl in front. This command causes sendmail to listen only on the localhost interface, which won't let other hosts connect to it. Once you make that change, back up your original sendmail.cf (cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig) and recreate it based on the mc file (m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf). Then restart sendmail and it should work.
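The sendmail side of the two expert comments above (the /etc/mail/access entries and the DAEMON_OPTIONS change) in a checkable form. This is an added example, not code from the thread or from the Fedora sendmail package: the sendmail.mc fragments are constructed samples trimmed to the lines that matter, and the client addresses 10.20.35 and 192.168.0.5 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check and fix the two sendmail settings
# that decide whether a Fedora Core 5 box can relay for other hosts.
#  1. sendmail.mc must not pin the MTA to 127.0.0.1 (the stock FC5 default).
#  2. /etc/mail/access must list the clients allowed to relay.

# Constructed sample of the stock sendmail.mc lines (not the poster's file).
SAMPLE_MC_LOCAL=$(cat <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
)

# The same fragment after the fix from the thread: the line is disabled by a
# leading dnl (m4's comment marker), so the MTA listens on every interface.
SAMPLE_MC_FIXED=$(cat <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
)

# True (exit 0) when an active DAEMON_OPTIONS line binds the MTA to
# 127.0.0.1 only; reads sendmail.mc on stdin. Everything after m4's dnl
# marker is a comment, so it is stripped before matching; a line that was
# commented out with a leading dnl therefore does not count.
mta_localhost_only() {
    sed 's/dnl.*$//' | grep -q 'DAEMON_OPTIONS(.*Addr=127\.0\.0\.1'
}

# Apply the fix from the thread: prefix that line with "dnl ". Only a line
# that still starts with DAEMON_OPTIONS is touched, so running this twice
# does not stack prefixes.
disable_loopback_binding() {
    sed '/^DAEMON_OPTIONS(.*Addr=127\.0\.0\.1/s/^/dnl /'
}

# Turn a list of client addresses into /etc/mail/access lines. sendmail
# matches access keys by leading octets, so "10.20.35" covers 10.20.35.0/24
# while "192.168.0.5" covers that single host. RELAY is the documented
# spelling of the right-hand side.
access_lines() {
    for client in "$@"; do
        printf '%s\tRELAY\n' "$client"
    done
}

# Example run on a real box (as root; not executed when this file is sourced):
#   cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.orig
#   disable_loopback_binding < /etc/mail/sendmail.mc.orig > /etc/mail/sendmail.mc
#   access_lines 10.20.35 192.168.0.5 >> /etc/mail/access
#   make -C /etc/mail && /etc/rc.d/init.d/sendmail restart
```

`make -C /etc/mail` regenerates both sendmail.cf from sendmail.mc (this needs the sendmail-cf package installed) and access.db from access, which is the same result as the separate m4 and make steps in the comments above. Two checks afterwards are worth the minute they take: `netstat -ltn | grep ':25 '` should now show 0.0.0.0:25 rather than 127.0.0.1:25, and an SMTP session from a host outside the listed ranges that tries RCPT TO an external domain should be refused with "550 5.7.1 ... Relaying denied". If that second test succeeds in relaying, the box is an open relay and the access file needs another look before it stays on the network.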
 

Author Comment

by:phoenix706
ID: 16891429
I have the SMTP running perfectly now, but I'm having some trouble with the iptables file. I added the lines from above, but I can still connect from a computer via SSH other than the ones specified in the iptables file. Below is the current contents of iptables. I'm pretty sure I just need to remove or modify a few of the lines, but I'm not sure which ones to change. Thanks for the help!!!

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/27 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
LVL 26

Expert Comment

by:jar3817
ID: 16893666
"-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"

Second from the bottom...this was probably in the file by default and lets anyone connect via ssh. Remove that line to stop "everyone" from being able to ssh in.

I also see this line (twice):
"-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT"
This allows everyone to connect to your smtp server. This is fine if this computer accepts mail for a domain of yours, but if this is only an outgoing relay you'll want to get rid of those lines too.
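The accepted solution's rules and the follow-up about the world-open lines, as one added example that is not part of the thread: a small audit that reads an iptables-save style file, lists the ACCEPT rules that open a port to any source, and emits a hardened copy with those rules removed. The embedded ruleset is a constructed copy of the file posted above; the function names and the "22,25" port list are this example's own. iptables stops at the first matching rule, so an unrestricted "--dport 22 -j ACCEPT" anywhere in the chain makes the source-limited rule above it decorative, which is exactly why the poster could still SSH in from other hosts.

```shell
#!/bin/sh
# Added example, not from the thread: audit a system-config-securitylevel
# style /etc/sysconfig/iptables for ACCEPT rules that expose a port to the
# whole world, then strip them. Rules that name a source (-s) are kept.

# Constructed copy of the posted ruleset (the filter table, verbatim).
POSTED_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.20.35.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/27 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Print the ACCEPT rules for port $1 (tcp or udp) that carry no -s source
# restriction, i.e. the rules that open that port to everyone. Reads stdin.
world_open_rules() {
    grep -- "--dport $1 " | grep -- '-j ACCEPT' | grep -v -- ' -s '
}

# The same as a number; awk is used so that "no matches" prints 0 and
# exits 0, which keeps the function usable under set -e.
world_open_count() {
    world_open_rules "$1" | awk 'END { print NR }'
}

# Emit the ruleset with every unrestricted ACCEPT for the comma-separated
# ports in $1 removed. Source-restricted rules for the same ports survive,
# so the limited SMTP and SSH entries stay in place.
harden_rules() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) open["--dport " p[i] " "] = 1
        }
        {
            drop = 0
            if ($0 ~ /-j ACCEPT/ && $0 !~ / -s /)
                for (k in open) if (index($0, k)) drop = 1
            if (!drop) print
        }'
}

# Example run (not executed when this file is sourced):
#   printf '%s\n' "$POSTED_RULES" | world_open_rules 22
#   printf '%s\n' "$POSTED_RULES" | harden_rules 22,25 > /tmp/iptables.hardened
```

On the posted file the audit reports one world-open rule for port 22 and two for port 25, which are the three lines the last comment says to remove; running it with 631 also shows the two CUPS rules, which a mail relay has no use for either. After reviewing the hardened copy, put it in place as /etc/sysconfig/iptables, restart iptables, and confirm with `iptables -L RH-Firewall-1-INPUT -n --line-numbers` that no unrestricted 22 or 25 ACCEPT remains; then try an SSH connection from a host outside the allowed ranges and make sure it is rejected. The inbound udp/53 rule is only needed if this box also serves DNS: the ESTABLISHED,RELATED rule already lets replies to the relay's own outbound lookups back in.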
 

Author Comment

by:phoenix706
ID: 16896585
Awesome! Thanks!