[K12OSN] Please not M$ Exchange

Huck dhuckaby at paasda.org
Fri Oct 26 17:56:48 UTC 2007


I wonder if it could be since I have Squid and Dansguardian on this same 
machine that something with their configuration is preventing me from 
achieving this.

SM machine is behind this firewall and all mail services run on it alone.

James P. Kinney III wrote:
> Is the SquirrelMail machine
> 1. Behind a firewall
> 2. different from the imap server
> 3. different from the smtp server
> ?
> 
> A common scenario is to have SM on the mail machine running both smtp
> and imap behind the firewall. If that is the case, all that is needed is
> to open up port 80 and 443 at the firewall and direct the traffic to the
> SM/smtp server.
> 
> iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m multiport
> --dports 80,443 -j DNAT --to-destination <internal machine IP>
> 
> iptables -I FORWARD -p tcp -m multiport -m state --state NEW --dports 80,443
> -j ACCEPT
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> The incoming packets have to cross BOTH the nat AND filter table so nat
> is used to redirect (--dports may not be in your kernel so use --dport
> and two rules instead). Now the packet is "inside" the system and needs
> to be allowed to be forwarded so the next rule happens. But we still
> don't trust it so the state is checked and only related transfers happen
> afterwards.
> 
> Port numbers: You don't need to allow access to port 143 to the outside
> world unless people are checking their email with a client from home.
> If so, you need to set up TLS/SSL encryption or else you will be staring
> at a security breach in the future.
> 
> I HIGHLY recommend the excellent book "Real World Linux Security" by Bob
> Toxen (ISBN # 0-13-046456-2) for anyone tasked/cursed with hardening
> Linux systems. Bob was on the team that ported Unix to Silicon Graphics
> hardware and is currently a system security guru.
> 
> On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
>> fought with this for the past hour...gave up again.
>> it's my 3rd attempt..this is on a stand-alone debian box with no gui.
>>
>> I tried the following:
>>
>> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to 10.1.3.5:143
>> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to 10.1.3.5:80
>>
>> didn't work so tried:
>>
>> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.3.5
>> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.1.3.5
>>
>>
>> am I thinking backwards ?  I copied what I have for my e-mail port 25 to 
>> be redirected to my email server...and that I know works =)
>>
>> --Huck
>>
>> Mr Barry Cisna wrote:
>>> Huck,
>>>
>>> To allow users "at home" access to your SM server , just port forward on
>>> your border firewall.
>>> For example, your SM server's internal IP address is 1.2.3.4 and you have a
>>> public IP range for your school of 4.3.2.1-4.3.2.10; just port forward
>>> 1.2.3.4 -> 4.3.2.1.
>>> You will need to port forward, both tcp 143 and tcp 80 to the public ip
>>> address.
>>> To test, get on a box "outside" of your LAN and do 'telnet publicipaddress
>>> 143' and 'telnet publicipaddress 80'. If you get a response on both of
>>> these port numbers your users can access your SM at home as easily as they
>>> can at school.
>>>
>>> Take Care,
>>>
>>> Barry Cisna
>>>
>>> _______________________________________________
>>> K12OSN mailing list
>>> K12OSN at redhat.com
>>> https://www.redhat.com/mailman/listinfo/k12osn
>>> For more info see <http://www.k12os.org>
>>>
>>>
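The two pitfalls the thread turns on are a DNAT rule with no matching FORWARD ACCEPT rule (the packet is redirected but then dropped) and plaintext IMAP on tcp/143 being exposed to the outside. The following is an added checker, not code from anyone on the list, that reads `iptables-save` output and flags both; the rule text it runs over is a constructed sample modelled on the addresses in the thread (4.3.2.1 public, 10.1.3.5 internal).

```python
import re

# Constructed sample of `iptables-save` output (not a real capture) modelled on this thread:
# three DNAT forwards, but only 80 and 443 have a FORWARD ACCEPT rule for NEW connections.
SAMPLE_RULES = """\
*nat
-A PREROUTING -d 4.3.2.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.3.5:80
-A PREROUTING -d 4.3.2.1/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.1.3.5:143
-A PREROUTING -d 4.3.2.1/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.3.5
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 443,25 -m state --state NEW -j ACCEPT
COMMIT
"""

# Ports that carry credentials in the clear unless the server enforces TLS.
PLAINTEXT_PORTS = {143: "IMAP without TLS", 110: "POP3 without TLS"}

def _ports(rule):
    """Destination ports a rule matches: `--dport N` (tcp match) or `--dports a,b` (multiport)."""
    m = re.search(r"--dports? (\S+)", rule)
    return {int(p) for p in m.group(1).split(",")} if m else set()

def audit_port_forwards(save_text):
    """Return (forwarded, missing_forward, plaintext) for the given iptables-save text."""
    table, forwarded, accepted, accept_all = None, {}, set(), False
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]                      # *nat / *filter section header
        elif table == "nat" and line.startswith("-A PREROUTING") and "-j DNAT" in line:
            dest = re.search(r"--to-destination (\S+)", line).group(1)
            for p in _ports(line):
                forwarded[p] = dest               # public port -> internal destination
        elif table == "filter" and line.startswith("-A FORWARD") and "-j ACCEPT" in line:
            ports = _ports(line)
            if not ports and "ESTABLISHED" not in line:
                accept_all = True                 # an unrestricted FORWARD ACCEPT covers every port
            accepted |= ports
    missing = [] if accept_all else sorted(p for p in forwarded if p not in accepted)
    plaintext = sorted(p for p in forwarded if p in PLAINTEXT_PORTS)
    return forwarded, missing, plaintext

if __name__ == "__main__":
    fwd, missing, plain = audit_port_forwards(SAMPLE_RULES)
    for p, dest in sorted(fwd.items()):
        notes = []
        if p in missing:
            notes.append("no FORWARD ACCEPT rule: DNAT alone will not pass traffic")
        if p in plain:
            notes.append(PLAINTEXT_PORTS[p] + " exposed to the outside")
        print(f"tcp/{p} -> {dest}: " + ("; ".join(notes) or "ok"))
```

On a live box, feed it the real rules with `iptables-save | python3 audit.py`-style plumbing by replacing `SAMPLE_RULES` with `sys.stdin.read()`.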