
Re: exim & iptables



On Thursday, March 13, 2003, at 07:43 PM, Derrick 'dman' Hudson wrote:

On Sun, Mar 09, 2003 at 09:03:03AM -0500, Hal Klingsporn wrote:

| Mail to/from users on the local net are handled by a mail (exim) server
| inside the firewall. This works very well. The only issue is getting
| machine generated mail from the fw to the internal mail server.
| Disabling local delivery (local to the firewall) forces exim on the
| firewall to look for the appropriate mail server.

After reading this a couple of times, I now understand your topology
and the problem you are having.  First, the term "the firewall"
generally refers to the netfilter rules active in the kernel.  Here
you are not dealing with a firewall, but rather a /machine/ which
happens to be responsible for the firewall separating your LAN from
the Internet.
Your interpretation is correct. Sorry that I wasn't clear, but since the firewall machine is only used as a firewall - it's an old 486 with two NICs that does nothing else - I didn't distinguish between the netfilter code and the machine.


For those who don't get it yet, here's the situation :

 ------    ------------     ----------
 |Inet|----| gateway  |-----| mail   |
 ------    |(firewall)|     | server |
           | machine  |     | machine|
           ------------     ----------

The network has a single public IP address which the MX record for the
domain refers to.  The gateway forwards incoming TCP connections on
port 25 to the mail server machine where mail is handled as desired.
The gateway system could generate mail (eg from cron), and Hal wants
to receive it in the same manner he receives other mail, on the mail
server machine.

Here's where the problem begins.  First of all, exim on the gateway
machine knows it is not "example.com".  So to make the delivery, it
does an MX lookup for "example.com" and determines that the IP address
of the machine responsible for example.com mail is its own IP address.
In a normal setup that would result in a mail loop with exim
connecting to itself for delivery.  Hence the sanity check to avoid
doing that.  The misconfiguration is in exim.

There are two solutions that come to mind :
    1)  set up a DNS server on your LAN so that when the gateway
        machine asks who the MX for the domain is it is told to use
        the internal machine

    2)  change exim's router so it bypasses the MX lookup using a
        manually configured route instead

Vineet provided the router configuration for solution #2 in one of his
messages.

Thanks to both of you. I'll be using the second alternative since I don't want to set up and maintain a DNS server at the moment.


HTH,
-D
--
There are 10 types of people in the world: those who understand binary,
and those who do not.

http://dman.ddts.net/~dman/

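As an added illustration of solution #2 (this is not the router Vineet posted, which is not reproduced in this message), here is an Exim 4 manualroute router for the gateway machine. It bypasses the MX lookup for the domain entirely, so Exim never discovers that the MX points at its own public address. The domain example.com, the gateway's hostname gateway.example.com, the internal mail server name mailserver.lan.example.com and the transport name remote_smtp are assumed values.

```exim
# Added example in Exim 4 syntax (not the configuration from the thread).
# Place this router in the routers section of the gateway's Exim config
# *before* the dnslookup router, so the MX lookup for example.com is
# never performed for these domains.
# The domain, hostnames and transport name are assumed values.

internal_mailhub:
  driver = manualroute
  # Domains whose mail must leave the gateway box and be delivered on the
  # LAN mail server: the public domain and the gateway's own hostname
  # (cron writes to root@gateway.example.com once local delivery is off).
  domains = example.com : gateway.example.com
  transport = remote_smtp
  # "*" matches every domain in the list above. "byname" resolves the host
  # through gethostbyname() (/etc/hosts or A record only), never via MX,
  # so the public IP behind the MX record is never returned.
  route_list = * mailserver.lan.example.com byname
  # Stop here: do not fall through to dnslookup if this router declines.
  no_more
```

Two checks worth doing on the gateway after adding it: `exim -bt root@gateway.example.com` should report the address as routed by internal_mailhub to mailserver.lan.example.com rather than by dnslookup, and the internal mail server must accept mail for both listed domains from the gateway's LAN address (it already does for example.com if it is the real MX, but gateway.example.com may need adding to its local domains). If Exim on the gateway resolves the internal host name through the public DNS, add an /etc/hosts entry for it so the byname lookup returns the LAN address.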

