Transparent mail redirection through iptables

    The title could be continued: ... or a smooth migration of mail to another server.
    Recently the task came up of using a mail server that has no direct access to the Internet. It has to take the place of the old one, which of course runs under a different IP address.

    The key point is that mail was originally hosted on the gateway itself. We will configure iptables on the gateway only; nothing needs to be configured on the mail server.

    Initial data:
    server - CentOS 5
    192.168.0.3 - IP address of the mail server
    192.168.0.1 - internal IP address of the former mail server / gateway
    199.199.199.199 - external IP address of the former mail server / gateway

    eth0 - local interface on the gateway
    eth1 - the external interface on the gateway

    Configuring the network interface on the mail server:
    ip-address: 192.168.0.3
    mask: 255.255.255.0
    gateway: 192.168.0.1

    We will forward IMAP (port 143) and SMTP (port 25).

    We proceed directly to the implementation:

    1. Receiving mail

    1.1.1
    # Everything that arrives on the internal interface for the mail ports is redirected to the new server.
    # Match on the old mail server address 192.168.0.1, which is what LAN clients still have configured.
    # A rule matching -d 192.168.0.3 would never see any traffic: hosts on the same /24 reach
    # 192.168.0.3 directly, without passing through the gateway.
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.1 --dport 25 -j DNAT --to-destination 192.168.0.3:25
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.1 --dport 143 -j DNAT --to-destination 192.168.0.3:143
    


    1.1.2
    # Everything that arrives on the external interface for the mail ports is redirected to the new server
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d 199.199.199.199 --dport 143 -j DNAT --to-destination 192.168.0.3:143
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d 199.199.199.199 --dport 25 -j DNAT --to-destination 192.168.0.3:25
    


    1.2
    # Rewrite the client's source address to the gateway address, so that the mail server's replies
    # travel back through the gateway; otherwise a LAN client that opened a connection to 192.168.0.1
    # would receive answers directly from 192.168.0.3 and drop them.
    # It is very important to SNAT only the local network. If Internet clients were SNATed as well,
    # RBL checks on incoming mail would stop working, since everything would arrive from one IP address,
    # and it would also become impossible to limit the number of connections from a single IP address.
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.0.0/24 -d 192.168.0.3 --dport 25 -j SNAT --to-source 192.168.0.1
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.0.0/24 -d 192.168.0.3 --dport 143 -j SNAT --to-source 192.168.0.1
    


    1.3
    # Allow the DNATed connections to be forwarded on to the mail server (the FORWARD chain is consulted after DNAT)
    iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 143 -j ACCEPT
    iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 25 -j ACCEPT
    


    2. Sending mail

    2.1
    # Allow sending mail from the mail server
    iptables -A FORWARD -s 192.168.0.3 -j ACCEPT
    


    2.2
    # We send packets to the Internet, of course, from only one IP address
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 199.199.199.199
    


    Do not forget the prerequisite in /etc/sysctl.conf:
    net.ipv4.ip_forward = 1

    Finally, a detailed diagram of the iptables packet flow. [figure not included in this copy]
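An added check for the pitfall warned about in step 1.2 (this is editorial example code, not part of the original post): it reads an iptables-save dump and reports any SNAT or MASQUERADE rule toward the mail server that is not restricted to the LAN source range. The function name and the two dumps are ours; the dumps are constructed samples.

```shell
#!/bin/sh
# Audit an iptables-save dump for the pitfall of step 1.2: a POSTROUTING
# SNAT/MASQUERADE toward the mail server that is not limited to the LAN
# source range hides every Internet sender behind one address, which breaks
# RBL checks and per-IP connection limits on the mail server.

MAILSRV=192.168.0.3        # mail server address from the article
LAN=192.168.0.0/24         # only this range may be SNATed toward it

# check_snat_scope (hypothetical helper): reads an iptables-save dump on stdin.
# Prints "ok" and returns 0 when every SNAT/MASQUERADE rule whose destination
# is the mail server carries "-s $LAN"; otherwise prints each offending rule
# and returns 1. "-d $MAILSRV" matches both the bare and the /32 spelling.
check_snat_scope() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *POSTROUTING*"-d $MAILSRV"*"-j SNAT"*|*POSTROUTING*"-d $MAILSRV"*"-j MASQUERADE"*)
                case "$line" in
                    *"-s $LAN"*) ;;                      # properly scoped to the LAN
                    *) printf 'unscoped SNAT: %s\n' "$line"; rc=1 ;;
                esac ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample dumps (not captured from a real gateway).
GOOD_DUMP='*nat
-A PREROUTING -d 199.199.199.199/32 -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.3:25
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.3/32 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -o eth1 -j SNAT --to-source 199.199.199.199
COMMIT'
BAD_DUMP='*nat
-A POSTROUTING -d 192.168.0.3/32 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.0.1
COMMIT'

# On the gateway itself run:  iptables-save -t nat | check_snat_scope
printf '%s\n' "$GOOD_DUMP" | check_snat_scope
printf '%s\n' "$BAD_DUMP"  | check_snat_scope || echo "add -s $LAN to the rule(s) above"
```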

    Addition.
    A natural wish is to unify the host names used to configure mail clients,
    so that setting up a mail client outside the office is no different from setting it up inside the office.
    Moreover, the new version of Thunderbird (which we mostly use) has a wizard that automatically detects the SMTP, POP and IMAP servers for a new account.

    We will settle on the common names:
    imap.mydomain.ru
    smtp.mydomain.ru
    the MX record for the domain

    The records have to be configured twice: for the domain itself in the registrar's DNS control panel, and on the DNS server of the local network.

    Let us look at the records on the DNS server of the local network.
    In named.conf, add:

    view "internal"
    {
            match-clients           { localnets; };
            match-destinations      { localnets; };
    ....
            zone    "mydomain.ru" IN {
                type master;
                file "master/mydomain.ru";
                allow-update { 127.0.0.1; 192.168.0.1; };
            };
    };
    


    Create master/mydomain.ru:
    $ORIGIN .
    $TTL 259200     ; 3 days
    mydomain.ru        IN SOA  ns.mydomain.ru. root.mydomain.ru. (
                                    23840      ; serial
                                    10800      ; refresh (3 hours)
                                    900        ; retry (15 minutes)
                                    604800     ; expire (1 week)
                                    86400      ; minimum (1 day)
                                    )
                            NS      ns.mydomain.ru.
    $ORIGIN mydomain.ru.
    @       IN MX 10                mail.mydomain.ru.
    ns                       A       192.168.0.1
    mail                    A        192.168.0.3
    imap                   CNAME    mail
    smtp                   CNAME    mail
    


    Check with nslookup. Done!
