Saturday, November 16, 2013

Sending SMTP mail through my ISP’s server while VPNed to the office

Until today, my home computer's relay host settings (both Thunderbird's outgoing mail host setting and Postfix's relayhost) were set to my ISP's mail server. This works well, since most of the time that is the path by which my mail reaches the Internet. You can see my routing table here:
collin@p3:~> netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UG        0 0          0 eth0
                                                U         0 0          0 lo
                                                U         0 0          0 eth0
                                                U         0 0          0 eth0
My ISP's mail server of course doesn't have an RFC 1918 address, so when I want to send SMTP email, my computer connects to its port 25 by going through my router/firewall (the default gateway line in the table, flags UG) and then out through the modem.

Accordingly, my ISP's MTA (also Postfix I think) sees an incoming connection from a DHCP address assigned by my ISP (i.e., one of its own) and allows relaying to or or wherever I want to send email.

But if I'm connected to my office via vpnc(8), my routing table will be altered to look something like this:

collin@p3:~> netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                U         0 0          0 tun0
                                                U         0 0          0 tun0
                                                U         0 0          0 lo
                                                U         0 0          0 eth0
                                                U         0 0          0 eth0
                                                UGH       0 0          0 eth0
In this condition, when I connect to my ISP's mail server, it won't see one of its own IP addresses: the tun0 routes have taken over the job of the default route, so the packets go into the tunnel, over the VPN to my office, and out to the Internet from there. My ISP's MTA therefore sees a connection from an alien address rather than one of its own, and accordingly it won't relay any email; I can only send to (And yes, I have tried it and seen the bounce message -- "You, Mr. Foreign IP address, aren't allowed to relay email through this server.")
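To see exactly which interface a packet to the ISP's MTA will leave by, you can do the same lookup the kernel does: a longest-prefix match over the routing table. The following Python is an added example, not code from the original post; it parses netstat -rn output of the shape shown above and answers that question for both tables. Every address in it is an assumption for illustration, since the post's own addresses are not shown: 192.168.1.0/24 for the home LAN with 192.168.1.1 as the router, 203.0.113.25 for the ISP's MTA, 198.51.100.10 for the office VPN gateway, and a pair of /1 routes via tun0 of the kind VPN clients install to cover the whole address space.

```python
import ipaddress

# Constructed netstat -rn output in the shape the post shows. All addresses are
# assumptions for illustration (RFC 1918 and RFC 5737 ranges), not the author's.
HOME_ONLY = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

# With the VPN up: two /1 routes via tun0 replace the default route, and a host
# route keeps the VPN gateway itself reachable through the real router.
VPN_UP = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         128.0.0.0       U         0 0          0 tun0
128.0.0.0       0.0.0.0         128.0.0.0       U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
198.51.100.10   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
"""

ISP_MTA = "203.0.113.25"  # hypothetical address of the ISP's mail server


def parse_routes(text):
    """Parse netstat -rn output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner and column header lines
        dest, gateway, genmask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        # ipaddress accepts a dotted-quad netmask after the slash.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_iface(netstat_text, dst):
    """Interface a packet to dst leaves by, or None if there is no route."""
    route = lookup(parse_routes(netstat_text), dst)
    return route[3] if route else None


def leaves_via_tunnel(netstat_text, dst=ISP_MTA):
    """True when traffic to dst would exit the VPN, i.e. the ISP's MTA would
    see the office's address instead of one of its own."""
    return egress_iface(netstat_text, dst) == "tun0"


if __name__ == "__main__":
    for name, table in (("home only", HOME_ONLY), ("VPN up", VPN_UP)):
        print(f"{name}: mail to {ISP_MTA} leaves via {egress_iface(table, ISP_MTA)}")
```

Note that the host route to the VPN gateway (/32) and the LAN route (/24) still beat the /1 tunnel routes, which is why the LAN and the VPN endpoint stay reachable while everything else, the ISP's MTA included, goes into the tunnel.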

Today I figured out what to do about it, and wonder of wonders, it actually worked, so I thought I'd share it. Here's the secret: I have another computer. Actually it belongs to the lovely Carol. It's a Mac mini running the Postfix MTA. I could use it as my relay host rather than my ISP. The Mac mini would relay email to my ISP, and the ISP would see email coming from one of "its own" IP addresses, since the Mac doesn't VPN anywhere in this reality. So on my Linux box (openSUSE 12.3) I modified to read:

collin@p3:/etc/postfix> grep relayhost
# The relayhost parameter specifies the default host to send mail to
# no relayhost is given, mail is routed directly to the destination.
#relayhost = []
relayhost =
(where of course is the IP address of the Mac). The bracketed form in the commented-out template, [host], tells Postfix to skip the MX lookup and connect to that host directly; use it when the relay host is given as an address rather than a mail domain.

Now this didn't quite do it, as the mac won't relay email for any other host. Web searches told me where to find the config files, and the config files told me what to tweak. Basically I did this:

bash-3.2# cd /etc/postfix/
bash-3.2# diff
< mynetworks =
> # collin 2013-11-16.  This should be safe as DHCP assigns above 200 or so
> mynetworks =,
You see, the Mac formerly would only relay email for, ah, itself. That thing—so elitist! So I switched it to let in the first, oh, 16 or so addresses from my local net. As the comment says, DHCP is configured to assign only addresses near the upper end of the range. Keep in mind that mynetworks is pure source-address trust: any device that ends up with one of those addresses, whether configured statically or by a guest who picked it by hand, can relay through the Mac, and from there through the ISP, which in turn trusts the Mac only because of its address.
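Both relay decisions in this post, the ISP's and now the Mac's, come down to the same Postfix rule: is the client's source address inside mynetworks? The following Python is an added example, not the post's own configuration or Postfix's code; it re-implements that check with the ipaddress module so that the "should be safe" claim in the diff comment can be tested against the DHCP pool rather than assumed. The values (127.0.0.0/8 before, 127.0.0.0/8 plus 192.168.1.0/28 after, a DHCP pool of 192.168.1.200 through .254) are assumptions, since the post's own addresses are not shown, and the matcher's conventions (first match wins, a bare address means a single host, a leading "!" excludes) are this example's, modelled on the Postfix manual.

```python
import ipaddress

# Constructed mynetworks values in the shape of the post's diff. All addresses
# are assumptions for illustration: a 192.168.1.0/24 home LAN whose DHCP pool
# starts at .200, and a /28 carve-out for the statically addressed machines.
MYNETWORKS_BEFORE = "127.0.0.0/8"
MYNETWORKS_AFTER = "127.0.0.0/8, 192.168.1.0/28"
MYNETWORKS_TOO_WIDE = "127.0.0.0/8, 192.168.1.0/24"  # the tempting mistake
DHCP_POOL = ("192.168.1.200", "192.168.1.254")


def parse_mynetworks(value):
    """Turn a mynetworks value into [(negated, network), ...].

    Entries may be separated by commas and/or whitespace, as Postfix allows.
    Conventions assumed by this example: "!entry" excludes, and an entry with
    no mask is a single host (ip_network gives it a /32).
    """
    nets = []
    for entry in value.replace(",", " ").split():
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        nets.append((negated, ipaddress.ip_network(entry, strict=False)))
    return nets


def relay_allowed(mynetworks, client_ip):
    """Would an MTA with this mynetworks relay for a client at client_ip?

    First matching entry decides; a negated match rejects; no match rejects.
    """
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(mynetworks):
        if addr in net:
            return not negated
    return False


def pool_overlap(mynetworks, pool):
    """Addresses in the DHCP pool (inclusive range) that mynetworks would trust.

    An empty list means no DHCP guest can relay: the property the diff comment
    claims. A non-empty list is an open relay for anyone who joins the LAN.
    """
    first = int(ipaddress.ip_address(pool[0]))
    last = int(ipaddress.ip_address(pool[1]))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)
            if relay_allowed(mynetworks, str(ipaddress.ip_address(i)))]


if __name__ == "__main__":
    # The Linux box at a low static address: refused before, accepted after.
    print("before, 192.168.1.5:", relay_allowed(MYNETWORKS_BEFORE, "192.168.1.5"))
    print("after,  192.168.1.5:", relay_allowed(MYNETWORKS_AFTER, "192.168.1.5"))
    # A DHCP guest and a VPN-side address stay out.
    print("after,  192.168.1.201:", relay_allowed(MYNETWORKS_AFTER, "192.168.1.201"))
    print("after,  10.8.0.7:", relay_allowed(MYNETWORKS_AFTER, "10.8.0.7"))
    print("pool overlap, /28:", len(pool_overlap(MYNETWORKS_AFTER, DHCP_POOL)))
    print("pool overlap, /24:", len(pool_overlap(MYNETWORKS_TOO_WIDE, DHCP_POOL)))
```

The same function models the ISP's side of the story: with the ISP's customer range as mynetworks, a connection from the office's public address is simply a non-match, which is the bounce the post describes.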

That was it. I gave it a quick test, emailing to a couple of different domains (gmail, yahoo) and reading the Received: headers to confirm the mail had gone from my box to the Mac and then to the ISP.
