This is my setup for mail to/from my ITS system. It depends on having an external "hardened" mail server around, but requires minimal changes to the ITS mail server. You will have to adapt it to your system.
I take no responsibility for any problems you get by using my advice below, but please let me know so I can update it!
NOTE: Below, all occurrences of xy should be replaced with your host name, and its.os.org should be replaced with your domain. my.external.mail.server and aaa.bbb.ccc.ddd should be replaced with the name and address of your external mail server.
Do not open the firewall to allow general external access to the ITS mail server (COMSAT). COMSAT was written back in the days before spam, viruses and the abuse of poorly configured mail servers to forward spam, viruses etc. If you let just anyone connect, you will quickly be overloaded with requests to forward spam and viruses, which COMSAT will (try to) do, and you risk being shut down by your ISP or similar.
Supposing the ITS end of the tunnel has address 192.168.0.203 and the Linux host end has address 192.168.0.200, you need
HOST : 192.168.0.200 : ITS-GW.ITS.OS.ORG : PC : LINUX : :
You have probably already done this, as described in distrib.its:
These are the changes I needed to do to the default Postfix configuration in Fedora Core.
luser_relay = $firstname.lastname@example.org is easier to administer (since you don't forget to add new users/addresses in the file), but may also have disadvantages:
If you figure out why ITS does this silly thing, and how to avoid it, please let me know! The "..."@ITS-GW... appears also on the ITS end, e.g. in local CC copies of the mail.
Add a line
for each valid mail address foo on the ITS system. Run postalias /etc/postfix/its-aliases when you've edited the file.
If you added the header_checks line to main.cf, then here add the lines
/^X-Spam-Level:[[:space:]]+\*\*\*\*\*\*\*/ DISCARD Spam level 7 or above detected
to filter spamassasin level 7 and above (adjust as you like).
You need to tell the world how to deliver email to your ITS system. This is done by adding an MX record to the DNS entry for your host pointing at the "hardened" external mail server, e.g.
XY MX 0 my.external.mail.server.
That makes the external mail server the "end delivery point" of mail to your system, so you need to configure the external mail servert so it delivers mail the next step, to your Linux host. If it's a Postfix system, the transport_map is the right place.
It probably works just as well to have two MX records, one primary to your Linux host and a secondary (with a higher preference value) to the external mail server. Since external systems (except for the mail server) cannot connect to your SMTP server, mail will be sent to the external mail server, which will automagically forward it to your Linux host.
Finally, when everything is configured, your Linux host needs to open the firewall to let the external mail server connect to the SMTP port on your Linux system (not the ITS system!). With iptables, do
iptables -I RH-Firewall-INPUT -s aaa.bbb.ccc.ddd -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
(replacing the chain name if necessary).
NOTE that if you allow other external hosts to connect to your SMTP server, you will want to harden it.
|© Björn Victor <Bjorn@Victor.se>|
|Latest update: August 6, 2014.|