[K12OSN] Please not M$ Exchange

James P. Kinney III jkinney at localnetsolutions.com
Fri Oct 26 18:34:23 UTC 2007


On Fri, 2007-10-26 at 11:05 -0700, Huck wrote:
> also...is it somehow possible that the webserver on the SM machine only 
> accepts requests from INTERNAL subnet addresses?

Check the iptables on the machine to see if port 80 is blocked for
non-local addresses. Since that machine runs squid, you will need to
have a redirect rule for internal IPs only to use squid. Non-internal
IPs should proceed unaltered to the web server.

-OR- make the rule for squid to only use squid if the destination IP is
not the local IP.
> 
> --Huck
> 
> James P. Kinney III wrote:
> > Is the SquirrelMail machine
> > 1. Behind a firewall
> > 2. different from the imap server
> > 3. different from the smtp server
> > ?
> > 
> > A common scenario is to have SM on the mail machine running both smtp
> > and imap behind the firewall. If that is the case, all that is needed is
> > to open up port 80 and 443 at the firewall and direct the traffic to the
> > SM/smtp server.
> > 
> > iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m multiport
> > --dports 80,443 -j DNAT --to-destination <internal machine IP>
> > 
> > iptables -I FORWARD -p tcp -m multiport --dports 80,443 -m state --state NEW
> > -j ACCEPT
> > iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > 
> > The incoming packets have to cross BOTH the nat AND filter table so nat
> > is used to redirect (--dports may not be in your kernel so use --dport
> > and two rules instead). Now the packet is "inside" the system and needs
> > to be allowed to be forwarded so the next rule happens. But we still
> > don't trust it so the state is checked and only related transfers happen
> > afterwards.
> > 
> > Port numbers: You don't need to allow access to port 143 to the outside
> > world unless people are checking their email with a client from home.
> > If so, you need to set up TLS/SSL encryption or else you will be staring
> > at a security breach in the future.
> > 
> > I HIGHLY recommend the excellent book "Real World Linux Security" by Bob
> > Toxen (ISBN # 0-13-046456-2) for anyone tasked/cursed with hardening
> > Linux systems. Bob was on the team that ported Unix to Silicon Graphics
> > hardware and is currently a system security guru.
> > 
> > On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
> >> fought with this for the past hour...gave up again.
> >> it's my 3rd attempt..this is on a stand-alone debian box with no gui.
> >>
> >> I tried the following:
> >>
> >> iptables -t nat -I PREROUTING  -d $ETH0IP -p tcp -m tcp --dport 143 -j 
> >> DNAT --to 10.1.3.5:143
> >> iptables -t nat -I PREROUTING  -d $ETH0IP -p tcp -m tcp --dport 80 -j 
> >> DNAT --to 10.1.3.5:80
> >>
> >> didn't work so tried:
> >>
> >> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j 
> >> DNAT --to-destination 10.1.3.5
> >> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j 
> >> DNAT --to-destination 10.1.3.5
> >>
> >>
> >> am I thinking backwards ?  I copied what I have for my e-mail port 25 to 
> >> be redirected to my email server...and that I know works =)
> >>
> >> --Huck
> >>
> >> Mr Barry Cisna wrote:
> >>> Huck,
> >>>
> >>> To allow users "at home" access to your SM server , just port forward on
> >>> your border firewall.
> >>> For example your SM server's internal IP address is 1.2.3.4 and you have a
> >>> public ip range for your school of 4.3.2.1-4.3.2.10, just port forward
> >>> 1.2.3.4 -> 4.3.2.1.
> >>> You will need to port forward, both tcp 143 and tcp 80 to the public ip
> >>> address.
> >>> To test, get on a box "outside" of your lan and do 'telnet publicipaddress
> >>> 143' and 'telnet publicipaddress 80'. If you get a response on both of
> >>> these port numbers your users can access your SM at home as easily as they
> >>> can at school.
> >>>
> >>> Take Care,
> >>>
> >>> Barry Cisna
> >>>
> >>> _______________________________________________
> >>> K12OSN mailing list
> >>> K12OSN at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/k12osn
> >>> For more info see <http://www.k12os.org>
> >>>
> >>>
> >>
> >>
> 
> 
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/k12osn/attachments/20071026/d1e030f4/attachment.sig>
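The rules discussed in this thread, pulled together into one script as an added example (this is not code from any of the posters): the border-firewall DNAT plus FORWARD rules for 80/443 toward the SquirrelMail host, and the transparent-squid redirect that skips the local web server so internal users still reach the SM login page directly. The public IP (4.3.2.1), internal host (10.1.3.5), LAN subnet (10.1.0.0/16), interface names (eth0/eth1) and squid port (3128) are assumptions; override them with environment variables. With `DRY_RUN=1` (or the `show` argument) the script only prints the iptables commands it would run.

```bash
#!/bin/bash
# Added example, not code from the thread. Generates/applies the border
# port-forward rules for a SquirrelMail host and the squid redirect that
# excludes the local web server. All addresses/interfaces below are assumed.
PUBLIC_IP="${PUBLIC_IP:-4.3.2.1}"     # public address on the border box (assumed)
SM_IP="${SM_IP:-10.1.3.5}"            # internal SquirrelMail/IMAP/SMTP host (assumed)
LAN_NET="${LAN_NET:-10.1.0.0/16}"     # internal subnet (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"      # squid listening port (assumed)
WAN_IF="${WAN_IF:-eth0}"              # Internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"              # LAN-facing interface (assumed)

# Run iptables, or with DRY_RUN=1 just echo the command so the rule set can
# be reviewed without root or a live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Border firewall: forward 80/443 from the Internet to the SM host.
# The packet crosses the nat table (destination rewritten) and then the
# filter FORWARD chain, so both need rules. "-m multiport" is what makes
# "--dports 80,443" valid; without it use --dport and one rule per port.
border_forward_rules() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$SM_IP"
    # Only brand-new connections to those two ports on the SM host...
    ipt -A FORWARD -i "$WAN_IF" -d "$SM_IP" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    # ...plus replies/related traffic of connections already accepted.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Deliberately no rule for 143: plain IMAP stays LAN-only unless TLS is set up.
}

# On the box running squid: send LAN web traffic through the proxy, except
# requests whose destination is the local web server itself, which must reach
# Apache untouched. Outside traffic never matches (-i LAN_IF, -s LAN_NET).
squid_redirect_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$SM_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Barry's check from a box outside the LAN, without telnet: returns 0 if the
# port answers. Bash-only (/dev/tcp). Usage: probe_port 4.3.2.1 443
probe_port() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

case "${1:-}" in
    show)  DRY_RUN=1; border_forward_rules; squid_redirect_rules ;;
    apply) border_forward_rules; squid_redirect_rules ;;
esac
```

Run it as `./sm-fw.sh show` to review the generated rules, and `./sm-fw.sh apply` as root on the border box (drop `squid_redirect_rules` there if squid lives on the SM machine instead, and run that function on the SM machine). `-m conntrack --ctstate` is the current spelling of `-m state --state`; the 2007-era kernels in the thread accept the latter, and both work on modern iptables. Chain policies, SMTP forwarding and any existing rules are outside this example.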