April 27th, 2004, 07:25 PM
#9
This advice is rubbish - Ignore - See this thread for reasons why:
http://www.antionline.com/showthread...049#post740397
Originally posted here by steve.milner
It seems this thread has been moved - My apologies if this has not been security related enough.
Okay, for anyone interested: this solution is relevant not just for the use of phones in this way, but also for remote users dialling in through ISP connections but with fixed hardware, e.g. a company worker using a company laptop.
The issue: how can I prevent my SMTP server from becoming an open relay, while still allowing 'authorised' users from untrusted IP addresses within a known netmask (dialling in to a specified ISP) to send mail through my server?
There are a number of options offering various degrees of protection.
SMTP Authorisation by key or password - This is not available on all devices.
POP/IMAP before SMTP - It may not be possible to configure all devices to manage their connections in that order.
Specify that the MAIL FROM domain must match a pattern - This is easily circumvented.
Use MAC address matching to ensure that the device sending the mail is known - This is what I have done to resolve my problem (above). It is done like this (RH9 default install, but applicable to any other users of iptables):
Firstly, run su - to gain access. Then dump the current iptables rules to a file:
iptables-save >/etc/sysconfig/iptables
Then edit /etc/sysconfig/iptables to add the appropriate filtering:
Code:
# Allow the company users access
# Fred's Laptop MAC Address aa:bb:cc:dd:ee:ff - Dial into OurISP
-A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
# Steve's Phone MAC Address 00:11:22:33:44:55
-A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
# Prevent other users of OurISP from using this as an open relay - OurISP Dial UP Netmask 192.168.0.0/16
# (must come after the ACCEPT lines above: iptables stops at the first matching rule)
-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 25 -j DROP
# Prevent other users of Steve's phone service provider from any access - Gateway IP 10.0.0.10
# (a source address match needs the -s flag)
-A INPUT -s 10.0.0.1 -j DROP
Load this configuration into iptables (the restore tool is iptables-restore, which reads the saved file on standard input):
iptables-restore </etc/sysconfig/iptables
A PM/Email telling me where the thread had moved to would have been nice.
Steve
edit:
Forgot to mention - add 10.0.0.1, 192.168.0.0/16 into mynetworks in the /etc/postfix/main.cf
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
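The following is an added example and is not code from the post above. It builds the same kind of ruleset for the stated goal (allow a known set of authorised hosts to reach port 25, drop the rest of the ISP's dial-up range) in the *filter/COMMIT format that iptables-restore reads, and evaluates sample packets against it in order so that the first-match-wins behaviour is visible. It matches on source IP address rather than MAC address, because the iptables mac match only sees the layer-2 address of the previous hop on the local link; for a user arriving through an ISP that is the ISP's router, not the user's laptop or phone. All addresses, host names and the 192.168.0.0/16 range are constructed for illustration.

```python
"""Generate and evaluate a minimal iptables INPUT ruleset for SMTP relay control.

Added example, not from the original post.  Assumes source-IP matching of
authorised hosts (constructed addresses below); the `mac` match would only
see the ISP router's address for remote dial-in clients.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One -A INPUT rule: optional source prefix, optional TCP port, and a target."""
    target: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # CIDR prefix or single address; None matches any source
    dport: Optional[int] = None  # TCP destination port; None matches any port/protocol

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        if self.dport is not None and dport != self.dport:
            return False
        return True

    def render(self) -> str:
        """Render in iptables-save syntax, as it appears in /etc/sysconfig/iptables."""
        parts = ["-A INPUT"]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.dport is not None:
            parts += ["-p tcp -m tcp --dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def build_rules(authorised_hosts: List[str], isp_range: str, smtp_port: int = 25) -> List[Rule]:
    """Per-host ACCEPT rules first, then a DROP for the whole ISP range.

    Order matters: iptables stops at the first matching rule, so putting the
    range DROP first would lock out the authorised hosts as well.
    """
    rules = [Rule("ACCEPT", host, smtp_port) for host in authorised_hosts]
    rules.append(Rule("DROP", isp_range, smtp_port))
    return rules


def render_restore_file(rules: List[Rule]) -> str:
    """Produce a complete file accepted by `iptables-restore`."""
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    lines += [r.render() for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def evaluate(rules: List[Rule], src_ip: str, dport: int, policy: str = "ACCEPT") -> str:
    """Return the verdict for a TCP packet: first matching rule wins, else chain policy."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.target
    return policy


if __name__ == "__main__":
    # Constructed sample: two authorised dial-in hosts inside the ISP's range.
    rules = build_rules(["192.168.5.7", "192.168.9.20"], "192.168.0.0/16")
    print(render_restore_file(rules))
    for ip, port in [("192.168.5.7", 25), ("192.168.77.3", 25), ("192.168.77.3", 110)]:
        print(f"{ip}:{port} -> {evaluate(rules, ip, port)}")
```

Note that the firewall only decides who can open a connection to port 25; whether the server then relays for that client is still decided by the mail server (for Postfix, by mynetworks and any authentication), so a source address outside the ISP range reaches the chain policy here and is not filtered by these rules at all.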