Transparent mail redirection through iptables

    The header can be continued: ... or a smooth transfer of mail to another server .
    Recently, the task arose - to realize the possibility of using a mail server that does not have direct access to the Internet. And it should work instead of the old one, which works, of course, under a different IP address.

    The crucial point is that mail was originally stored on the gateway. We will configure iptables on the gateway, we do not need to configure iptables on the mail server.

    Initial data:
    server - CentOS 5 -
    IP-address of the mail server - internal IP-address of the former mail server / gateway - IP-address of the former mail server / gateway

    eth0 - local interface on the gateway
    eth1 - the external interface on the gateway

    Configuring the network interface on the mail server:

    We will forward IMAP (port 143), SMTP (port 25).

    We proceed directly to the implementation:

    1. Receiving mail

    # All that came to the internal interface on the mail ports is redirected
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d --dport 25 -j DNAT --to-destination
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d --dport 143 -j DNAT --to-destination

    # All that came to the external interface via mail ports - redirected
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d --dport 143 -j DNAT --to-destination
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d --dport 25 -j DNAT --to-destination

    # Change the source IP address of the client to the IP address of the gateway.
    # It is very important to do SNAT only for computers on the local network, otherwise RBL checks when receiving mail will not work,
    since everything will be accepted from one IP address. This is also bad because you cannot enter a limit on the number of
    # connections from a single IP address.
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s -d --dport 25 -j SNAT --to-source
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s -d --dport 143 -j SNAT --to-source

    # Allow port forwarding after port forwarding on the gateway
    iptables -A FORWARD -p tcp -d --dport 143 -j ACCEPT
    iptables -A FORWARD -p tcp -d --dport 25 -j ACCEPT

    2. Sending mail

    # Allow sending mail from the mail server
    iptables -A FORWARD -s -j ACCEPT

    # We send packets to the Internet, of course, from only one IP address
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source

    Do not forget the prerequisite
    net.ipv4.ip_forward = 1

    Finally, a detailed scheme of iptables.

    A natural desire is to unify domain names to configure email clients.
    So that the setup of the mail client outside the office does not differ from the setting inside the office.
    Moreover, in the new version of Thunderbird (which we mainly use), a wizard for automatically detecting SMTP, POP, IMAP servers for a custom account has appeared.

    We will focus on common names:
    mx record for the domain

    We need to configure the records for the domain 2 times - for the domain itself in the domain name admin panel and in DNS on the local network.

    Consider setting up records on a DNS server on a local network.
    In named.conf, add:

    view "internal"
            match-clients           { localnets; };
            match-destinations      { localnets; };
            zone    "" IN {
                type master;
                file "master/";
                allow-update {;; };

    Create master /
    $ORIGIN .
    $TTL 259200     ; 3 days        IN SOA (
                                    23840      ; serial
                                    10800      ; refresh (3 hours)
                                    900        ; retry (15 minutes)
                                    604800     ; expire (1 week)
                                    86400      ; minimum (1 day)
    @       IN MX 10      
    ns                       A
    mail                    A
    imap                   CNAME    mail
    smtp                   CNAME    mail

    Checking with nslookup. All!

    Also popular now: