Re: [K12OSN] Please not M$ Exchange

[Huck <dhuckaby paasda org>]

also...is it somehow possible that the webserver on the SM machine only 
accepts requests from INTERAL subnet addresses?

--Huck

James P. Kinney III wrote:
> Is the SquirrelMail machine
> 1. Behind a firewall
> 2. different from the imap server
> 3. different from the smtp server
> ?
>
> A common scenario is to have SM on the mail machine running both smtp
> and imap behind the firewall. If that is the case, all that is needed is
> to open up port 80 and 443 at the firewall and direct the traffic to the
> SM/smtp server.
>
> iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m tcp
> --dports 80,443 -j DNAT --to-destination <internal machine IP>
>
> iptables -I FORWARD -p tcp -m tcp -m state --state NEW --dports 80,443
> -j ACCEPT
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> The incoming packets have to cross BOTH the nat AND filter tale so nat
> is used to redirect (--dports may not be in your kernel so use --dport
> and two rules instead). Now the packet is "inside" the system and needs
> to be allowed to be forwarded so the next rule happens. But we still
> don't trust it so the state is checked and only related transfers happen
> afterwards.
>
> Port numbers: You don't need to allow access to port 143 to the outside
> world unless people are checking their email with a client from home.
> If so, you need to set up TLS/SSL encryption or else you will be staring
> at a security breach in the future.
>
> I HIGHLY recommend the excellent book "Real World Linux Security" by Bob
> Toxen (ISBN # 0-13-046456-2) for anyone tasked/cursed with hardening
> Linux systems. Bob was on the team that ported Unix to Silicon Graphics
> hardware and currently a system security guru.
>
> On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
> > fought with this for the past hour...gave up again.
> > it's my 3rd attempt..this is on a stand-alone debian box with no gui.
> >
> > I tried the following:
> >
> > iptables -t nat -I PREROUTING  -d $ETH0IP -p tcp -m tcp --dport 143 -j 
> > DNAT --to 10.1.3.5:143
> > iptables -t nat -I PREROUTING  -d $ETH0IP -p tcp -m tcp --dport 80 -j 
> > DNAT --to 10.1.3.5:80
> >
> > didn't work so tried:
> >
> > iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j 
> > DNAT --to-destination 10.1.3.5
> > iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j 
> > DNAT --to-destination 10.1.3.5
> >
> >
> > am I thinking backwards ?  I copied what I have for my e-mail port 25 to 
> > be redirected to my email server...and that I know works =)
> >
> > --Huck
> >
> > Mr Barry Cisna wrote:
> > > Huck,
> > >
> > > To allow users "at home" access to your SM server , just port forward on
> > > your border firewall.
> > > For example your SM servers internal IP address is 1.2.3.4 and you have an
> > > public ip range for your school of 4.3.2.1-4.3.2.10, just port forward
> > > 1.2.3.4 ,> 4.3.2.1.
> > > You will need to port forward, both tcp 143 and tcp 80 to the public ip
> > > address.
> > > To test get on a box "outside" of your lan  and do 'telnet publicipaddress
> > > 143'   and 'telnet publicipaddress 80'. if you get a response on both of
> > > these port numbers your users can access your SM at home as easy as they
> > > can at school.
> > >
> > > Take Care,
> > >
> > > Barry Cisna
> > >
> > > _______________________________________________
> > > K12OSN mailing list
> > > K12OSN redhat com
> > > https://www.redhat.com/mailman/listinfo/k12osn
> > > For more info see <http://www.k12os.org>
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN redhat com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN redhat com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>