[K12OSN] Please not M$ Exchange

Huck dhuckaby at paasda.org
Fri Oct 26 18:05:42 UTC 2007


also...is it somehow possible that the webserver on the SM machine only 
accepts requests from INTERNAL subnet addresses?

--Huck

James P. Kinney III wrote:
> Is the SquirrelMail machine
> 1. Behind a firewall
> 2. different from the imap server
> 3. different from the smtp server
> ?
> 
> A common scenario is to have SM on the mail machine running both smtp
> and imap behind the firewall. If that is the case, all that is needed is
> to open up port 80 and 443 at the firewall and direct the traffic to the
> SM/smtp server.
> 
> iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m multiport
> --dports 80,443 -j DNAT --to-destination <internal machine IP>
> 
> iptables -I FORWARD -p tcp -m multiport --dports 80,443 -m state --state NEW
> -j ACCEPT
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> The incoming packets have to cross BOTH the nat AND filter table so nat
> is used to redirect (--dports may not be in your kernel so use --dport
> and two rules instead). Now the packet is "inside" the system and needs
> to be allowed to be forwarded so the next rule happens. But we still
> don't trust it so the state is checked and only related transfers happen
> afterwards.
> 
> Port numbers: You don't need to allow access to port 143 to the outside
> world unless people are checking their email with a client from home.
> If so, you need to set up TLS/SSL encryption or else you will be staring
> at a security breach in the future.
> 
> I HIGHLY recommend the excellent book "Real World Linux Security" by Bob
> Toxen (ISBN # 0-13-046456-2) for anyone tasked/cursed with hardening
> Linux systems. Bob was on the team that ported Unix to Silicon Graphics
> hardware and is currently a system security guru.
> 
> On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
>> fought with this for the past hour...gave up again.
>> it's my 3rd attempt..this is on a stand-alone debian box with no gui.
>>
>> I tried the following:
>>
>> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to 10.1.3.5:143
>> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to 10.1.3.5:80
>>
>> didn't work so tried:
>>
>> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.3.5
>> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.1.3.5
>>
>>
>> am I thinking backwards? I copied what I have for my e-mail port 25 to 
>> be redirected to my email server...and that I know works =)
>>
>> --Huck
>>
>> Mr Barry Cisna wrote:
>>> Huck,
>>>
>>> To allow users "at home" access to your SM server, just port forward on
>>> your border firewall.
>>> For example, your SM server's internal IP address is 1.2.3.4 and you have a
>>> public IP range for your school of 4.3.2.1-4.3.2.10; just port forward
>>> 1.2.3.4 -> 4.3.2.1.
>>> You will need to port forward both tcp 143 and tcp 80 to the public IP
>>> address.
>>> To test, get on a box "outside" of your LAN and do 'telnet publicipaddress
>>> 143' and 'telnet publicipaddress 80'. If you get a response on both of
>>> these port numbers, your users can access your SM at home as easily as they
>>> can at school.
>>>
>>> Take Care,
>>>
>>> Barry Cisna
>>>
>>> _______________________________________________
>>> K12OSN mailing list
>>> K12OSN at redhat.com
>>> https://www.redhat.com/mailman/listinfo/k12osn
>>> For more info see <http://www.k12os.org>
>>>
>>>
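As an added example, not code posted by anyone in this thread: the rule set James quotes (DNAT 80/443 at the border, then FORWARD with state checking) and Huck's question about letting only internal addresses reach the mail box, combined into one firewall script. It uses "-m multiport" for the port list (the "-m tcp --dports" form does not exist) and "-m conntrack" in place of "-m state". Every address and interface name is an assumption constructed for the example: 203.0.113.10 for the public IP, 10.1.3.5 for the SM/IMAP host (the address in Huck's rules), 10.1.0.0/16 for the LAN and eth0 for the outside interface. IMAP 143 is deliberately not forwarded at all; only the LAN reaches it, so home users go through the web interface on 443.

```shell
#!/bin/sh
# Added example for the K12OSN thread; not from any participant's post.
# Publishes the SquirrelMail host on TCP 80/443 through the border firewall
# and keeps IMAP (143) reachable from the LAN only.
# All addresses below are assumptions constructed for the example.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # address on the firewall's outside interface
SM_HOST="${SM_HOST:-10.1.3.5}"           # SquirrelMail (and IMAP) box on the LAN
LAN_NET="${LAN_NET:-10.1.0.0/16}"        # internal subnet allowed to talk IMAP directly
WAN_IF="${WAN_IF:-eth0}"                 # outside interface
IPT="${IPT:-iptables}"                   # IPT=echo prints the rules instead of applying them

# Emit the rule set for (public_ip, sm_host, lan_net, wan_if), one iptables
# invocation per rule, through $IPT so the same function serves dry runs.
webmail_rules() {
  wr_pub="$1"; wr_sm="$2"; wr_lan="$3"; wr_wan="$4"

  # nat/PREROUTING: rewrite the destination of web traffic that arrives on the
  # outside interface for the public IP. A port list needs "-m multiport
  # --dports"; "-m tcp" only knows the single-port "--dport".
  $IPT -t nat -A PREROUTING -i "$wr_wan" -d "$wr_pub" -p tcp -m multiport --dports 80,443 \
    -j DNAT --to-destination "$wr_sm"

  # filter/FORWARD: the rewritten packet still has to be allowed through here.
  # Replies/related traffic first, then only NEW connections to the web ports.
  $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -i "$wr_wan" -d "$wr_sm" -p tcp -m multiport --dports 80,443 \
    -m conntrack --ctstate NEW -j ACCEPT

  # IMAP stays LAN-only: no DNAT for 143, and the FORWARD chain only accepts it
  # from the internal subnet. Anything else from outside to the SM host is
  # logged and dropped, so a later "open 143 to the world" is a deliberate act.
  $IPT -A FORWARD -s "$wr_lan" -d "$wr_sm" -p tcp --dport 143 -j ACCEPT
  $IPT -A FORWARD -i "$wr_wan" -d "$wr_sm" -j LOG --log-prefix "SM-DROP: "
  $IPT -A FORWARD -i "$wr_wan" -d "$wr_sm" -j DROP
}

# Without net.ipv4.ip_forward=1 the kernel discards forwarded packets before
# any FORWARD rule is consulted, which is the usual reason a correct-looking
# DNAT "doesn't work". Returns 0 when forwarding is on.
check_forwarding() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage: sh webmail-fw.sh        -> print the rules (dry run, default)
#        sh webmail-fw.sh apply  -> apply them with iptables (run as root)
[ "${1:-}" = "apply" ] || IPT=echo
check_forwarding || echo "warning: net.ipv4.ip_forward is 0; nothing will be forwarded" >&2
webmail_rules "$PUBLIC_IP" "$SM_HOST" "$LAN_NET" "$WAN_IF"
```

Run it without arguments first and read the printed rules; only then run it with "apply" as root. Afterwards Barry's test from an outside box should connect on 443 (and 80) but hang or be refused on 143. Two caveats: LAN clients that use the public name hit the firewall's own outside address, which this script does not handle (add a POSTROUTING SNAT/MASQUERADE rule for that case or point internal DNS at 10.1.3.5 directly); and sending port-80 visitors to https is a job for the web server's own redirect, not for the firewall.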