Saturday, November 16, 2013

Sending SMTP mail through my ISP’s server while VPNed to the office

Until today, my home computer's relay host settings (both t-bird’s outgoing mail host setting and Postfix’s relayhost) were set to my ISP’s mail server, mail.myISP.com. This works well, since most of the time that's how it gets to the internet. You can see my routing table here:
collin@p3:~> netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
collin@p3:~> 
My ISP of course doesn't have an RFC 1918 address, so when I want to send SMTP email, my computer connects to mail.myisp.com port 25 by going through my router/firewall (see the default gateway line in the table above: destination 0.0.0.0, gateway 192.168.1.254, interface eth0) and then out through the modem.

Accordingly, my ISP's MTA (also Postfix I think) sees an incoming connection from a DHCP address assigned by my ISP (i.e., one of its own) and allows relaying to gmail.com or earthlink.net or wherever I want to send email.

But if I'm connected to my office via vpnc(8), my routing table will be altered to look something like this:

collin@p3:~> netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0
10.55.72.0      0.0.0.0         255.255.248.0   U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
216.240.19.24   192.168.1.254   255.255.255.255 UGH       0 0          0 eth0
collin@p3:~>
In this condition, when I connect to my ISP, it won't see one of its own IP addresses; the routing table's default gateway line directs packets through the tunnel, thence over the VPN to my office. Then my ISP's MTA sees a connection from an alien address, rather than one of its own. Accordingly, it won't relay any email; I can only send to SOMEONE@myisp.com. (And yes, I have tried it and seen the bounce message -- "You, Mr. Foreign IP address, aren't allowed to relay email through this server.")

Today I figured out what to do about it, and wonder of wonders, it actually worked. So I thought I'd share it with you. Here's the secret: I have another computer. Actually it belongs to the lovely Carol. It's a mac mini, running the Postfix MTA. I could use it as my relay host, rather than my ISP. The mac mini would relay email to my ISP, and the ISP would see email coming from one of "its own" IP addresses, since the mac doesn't VPN anywhere in this reality. So on my Linux box (OpenSuSE 12.3) I modified main.cf to read:

collin@p3:/etc/postfix> grep relayhost main.cf
# The relayhost parameter specifies the default host to send mail to
# no relayhost is given, mail is routed directly to the destination.
#relayhost = [mail.myisp.com]
relayhost = 192.168.1.99
collin@p3:/etc/postfix> 
(where of course 192.168.1.99 is the IP address of the mac).

Now this didn't quite do it, as the mac won't relay email for any other host. Web searches told me where to find the config files, and the config files told me what to tweak. Basically I did this:

bash-3.2# cd /etc/postfix/
bash-3.2# diff main.cf.install main.cf
…
663c668,669
< mynetworks = 127.0.0.0/8
---
> # collin 2013-11-16.  This should be safe as DHCP assigns above 200 or so
> mynetworks = 127.0.0.0/8, 192.168.1.0/28
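Review bot: the comment on the new `mynetworks` line justifies the /28 by where DHCP hands out leases, but `mynetworks` trusts any client whose address falls in 192.168.1.0 through 192.168.1.15, statically configured hosts included, because permit_mynetworks looks at the client IP and nothing else. If only the one Linux box needs to relay, listing its address alone as a /32 instead of `192.168.1.0/28` keeps the grant as narrow as the problem, and the DHCP-range remark can stay in the comment as the reason the larger block was considered safe.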
bash-3.2# 
You see, the mac formerly would only relay email for, ah, itself. That 127.0.0.0/8 thing—so elitist! So I switched it to let in the first 16 addresses of my local net (192.168.1.0 through 192.168.1.15, which is what a /28 covers). As the comment says, DHCP is configured to assign only addresses near the upper end of the 192.168.1.0/24 range.
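To make the two decisions in this post concrete (which route the kernel picks for the ISP's mail server with and without the VPN up, and which clients the mac's new mynetworks line lets relay), here is an added Python example that is not from the original post. It copies the two netstat -rn tables above as constructed input; the address 203.0.113.25 stands in for mail.myisp.com, whose real address is not given here.

```python
import ipaddress

# Constructed input: the data lines of the two netstat -rn listings in the post.
NORMAL_TABLE = """\
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

VPN_TABLE = """\
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0
10.55.72.0      0.0.0.0         255.255.248.0   U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
216.240.19.24   192.168.1.254   255.255.255.255 UGH       0 0          0 eth0
"""

# Placeholder (not the real address) for mail.myisp.com, somewhere on the public internet.
ISP_MAIL_SERVER = "203.0.113.25"


def parse_routes(table):
    """Turn netstat -rn data lines into (network, gateway, iface) tuples."""
    routes = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # header or blank line, not a route
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, iface))
    return routes


def route_for(table, dest_ip):
    """Longest-prefix match, as the kernel does: returns (gateway, iface)."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in parse_routes(table) if addr in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def mynetworks_permits(mynetworks, client_ip):
    """Postfix permit_mynetworks: does client_ip fall inside any listed network?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in mynetworks.split(","))
```

With the VPN up, the ISP's server is reached over tun0 while 192.168.1.99 still goes out eth0, which is exactly why relaying via the mac works; the mynetworks check shows the /28 admits 192.168.1.7 but not a DHCP client at 192.168.1.210.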

That was it. I gave it a quick test, emailing to a couple of different domains (gmail, yahoo) and reading the headers.
