From: Grant Taylor on 18 Mar 2010 19:43

Michael wrote:
> I have a multihomed host with 2 independent wan connections
> (different providers/gateways). I would like to restrict outbound
> mail traffic to one of the wan's. I have tried various combinations
> of ClientPortOptions and DaemonPortOptions with the end result that
> sendmail always binds to the same wan.... the wrong one consistently.

I think it is possible to do what you are wanting to do. Granted, I don't think it's going to be with any one piece; it will take multiple in combination.

> iproute2 in use

Based on "iproute2" I'm taking it that you are running Linux. Good, I have an idea how to do this with Linux.

> 75 is the main route
> 208 is the second route
> iptables routes packets destined for port 25 to 208xxx

How are you "routing" packets? With the IPTables "ROUTE" target?

I think you are going to need a combination of Sendmail options and IPRoute2 features to do what you are wanting to do.

First, I'm thinking you will need your email traffic to leave the system with a 208 IP address, not the 75 IP address. I'm worried that your 208 ISP will possibly enable egress / reverse path filtering, thus filtering traffic that does not originate from its 208 IP address range.

Second, I think you need to cause Sendmail to make sure that it sends email out the 208 DaemonPort. I think this can be done with a Sendmail option to cause email to leave the same interface that it came in. This means that you will have to have your 75 and 192 DaemonPorts SmartHost through the 208 DaemonPort. This also means that you will have to enable the Sendmail option to cause it to not worry if mail is looping back to itself.

Third, you need to use IPRoute2 to use a different routing table for any (locally originated) traffic that is destined to TCP port 25. Yet, you want to still allow inbound traffic that is coming from port 25 to go out the same route that it came in. I.e. if a mail server sends traffic from a source port of 25 to the 75 DaemonPort, you want that reply traffic going back to port 25 to be exempt from your rule routing SMTP traffic out your 208 provider.

To pull this off, you will need an additional routing table that is used for SMTP traffic that uses your 208 provider as its default route. (1) You will also need some IPRoute2 rules to cause any locally originated SMTP traffic to use the new alternate routing table.

Sorry, I can't give you any more specifics than this high level overview. It's been too long since I've done this and I don't have a lab that I can test it in. I'm sure that there is an IPTables / IPRoute2 guru that can help you with the ip rules and I know that there are Sendmail gurus in this newsgroup that can help with the Sendmail specific pieces.

Grant. . . .
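The three pieces Grant outlines (an extra routing table with the 208 provider as default, a fwmark rule for locally originated SMTP, and an exemption so replies from the 75 DaemonPort keep their original route), written out as an added example that is not from the original thread. All addresses, interface names, the table number and the mark value are placeholders; the script only prints the commands unless RUN=1 is set, since applying them requires root.

```shell
#!/bin/sh
# Added example (not from the original post): policy routing so that
# locally originated SMTP (TCP dport 25) leaves via the 208 provider,
# while replies sent from the 75 DaemonPort keep the main (75) route.
# Placeholder values; replace with the real addresses and interfaces.
WAN75_ADDR=75.0.0.2                # placeholder, main table default route
WAN208_IF=eth1                     # placeholder
WAN208_ADDR=208.0.0.2              # placeholder
WAN208_GW=208.0.0.1                # placeholder
SMTP_TABLE=200                     # extra routing table used only for outbound SMTP
SMTP_MARK=0x19                     # fwmark put on locally originated SMTP packets

# run: print each command, execute it only when RUN=1 (needs root).
run() { echo "$*"; [ "${RUN:-0}" = 1 ] && "$@"; return 0; }

smtp_policy_routing() {
    # 1. A separate routing table whose only default route is the 208
    #    provider, with the 208 address as preferred source so the 208
    #    ISP's reverse-path filter sees its own address range.
    run ip route add default via "$WAN208_GW" dev "$WAN208_IF" \
        src "$WAN208_ADDR" table "$SMTP_TABLE"

    # 2. Mark locally originated packets to a remote port 25 (mangle OUTPUT
    #    only sees packets this host generates). Replies from the 75
    #    DaemonPort have source port 25 and an ephemeral destination port,
    #    so they never match this rule.
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 \
        -j MARK --set-mark "$SMTP_MARK"

    # 3. Exemption first (lower priority number wins): anything sourced from
    #    the 75 address stays in the main table and its 75 default route.
    run ip rule add from "$WAN75_ADDR" lookup main priority 100

    # 4. Marked SMTP packets consult the SMTP table instead of main.
    run ip rule add fwmark "$SMTP_MARK" lookup "$SMTP_TABLE" priority 200
    run ip route flush cache

    # 5. Sendmail side (sendmail.mc, added by hand, placeholder address):
    #    bind outbound client connections to the 208 address so the kernel
    #    does not pick the 75 address before the mark-based re-route.
    #    CLIENT_OPTIONS(`Family=inet, Addr=208.0.0.2')dnl
}

smtp_policy_routing
```

Run with `RUN=1 sh script.sh` as root to apply; `ip rule show` and `ip route show table 200` confirm the result.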