[K12OSN] Please not M$ Exchange

James P. Kinney III jkinney at localnetsolutions.com
Fri Oct 26 02:34:47 UTC 2007


Is the SquirrelMail machine
1. Behind a firewall
2. different from the imap server
3. different from the smtp server
?

A common scenario is to have SM on the mail machine running both smtp
and imap behind the firewall. If that is the case, all that is needed is
to open up port 80 and 443 at the firewall and direct the traffic to the
SM/smtp server.

iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m multiport \
    --dports 80,443 -j DNAT --to-destination <internal machine IP>

iptables -I FORWARD -p tcp -m multiport --dports 80,443 -m state --state NEW \
    -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

The incoming packets have to cross BOTH the nat AND filter table, so nat
is used to redirect (--dports may not be in your kernel, so use --dport
and two rules instead). Now the packet is "inside" the system and needs
to be allowed to be forwarded, so the next rule happens. But we still
don't trust it, so the state is checked and only related transfers happen
afterwards.

Port numbers: You don't need to allow access to port 143 to the outside
world unless people are checking their email with a client from home.
If so, you need to set up TLS/SSL encryption or else you will be staring
at a security breach in the future.

I HIGHLY recommend the excellent book "Real World Linux Security" by Bob
Toxen (ISBN # 0-13-046456-2) for anyone tasked/cursed with hardening
Linux systems. Bob was on the team that ported Unix to Silicon Graphics
hardware and is currently a system security guru.

On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
> Fought with this for the past hour... gave up again.
> It's my 3rd attempt... this is on a stand-alone Debian box with no GUI.
> 
> I tried the following:
> 
> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to 10.1.3.5:143
> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to 10.1.3.5:80
> 
> Didn't work, so I tried:
> 
> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.3.5
> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.1.3.5
> 
> 
> Am I thinking backwards? I copied what I have for my e-mail port 25 to
> be redirected to my email server... and that I know works =)
> 
> --Huck
> 
> Mr Barry Cisna wrote:
> > Huck,
> > 
> > To allow users "at home" access to your SM server, just port forward on
> > your border firewall.
> > For example, if your SM server's internal IP address is 1.2.3.4 and you
> > have a public IP range for your school of 4.3.2.1-4.3.2.10, just port
> > forward 1.2.3.4 -> 4.3.2.1.
> > You will need to port forward both tcp 143 and tcp 80 to the public IP
> > address.
> > To test, get on a box "outside" of your LAN and do 'telnet publicipaddress
> > 143' and 'telnet publicipaddress 80'. If you get a response on both of
> > these port numbers, your users can access your SM at home as easily as
> > they can at school.
> > 
> > Take Care,
> > 
> > Barry Cisna
> > 
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> > 
> > 
> 
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
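The DNAT plus FORWARD setup from James's reply, as an added sh script that is not part of the original thread. It prints the rules rather than applying them, includes the two-rule fallback for kernels without the multiport match, and uses constructed placeholder addresses (203.0.113.10 public, 192.0.2.5 internal):

```shell
#!/bin/sh
# Added example, not from the thread: generate the nat PREROUTING DNAT rules
# and the matching FORWARD rules for a SquirrelMail box behind a NAT firewall.
# Only 80/443 are forwarded; 143 stays closed to the outside unless TLS is set up.

# forward_rules PUBLIC_IP INTERNAL_IP MULTIPORT PORT...
#   MULTIPORT=1 -> one rule using -m multiport --dports p1,p2
#   MULTIPORT=0 -> one --dport rule per port (kernel lacks the multiport match)
forward_rules() {
    public="$1"; internal="$2"; multiport="$3"; shift 3
    ports="$*"
    if [ "$multiport" = 1 ]; then
        list=$(printf '%s,' $ports); list=${list%,}   # "80 443" -> "80,443"
        # nat table: rewrite the destination so the packet heads inside.
        echo "iptables -t nat -A PREROUTING -d $public -p tcp -m multiport --dports $list -j DNAT --to-destination $internal"
        # filter table: after DNAT the destination is the internal host.
        echo "iptables -A FORWARD -d $internal -p tcp -m multiport --dports $list -m state --state NEW -j ACCEPT"
    else
        for p in $ports; do   # unquoted on purpose: split the port list
            echo "iptables -t nat -A PREROUTING -d $public -p tcp --dport $p -j DNAT --to-destination $internal"
            echo "iptables -A FORWARD -d $internal -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    fi
    # Only replies to connections already accepted above get forwarded.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Dry run with constructed placeholder addresses; pipe into sh to apply.
forward_rules 203.0.113.10 192.0.2.5 0 80 443
```

Check the result afterwards with `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n`.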