Re: [Exim] Home network mailhub

Author: Harry Putnam
Date:  
To: exim-users
Subject: Re: [Exim] Home network mailhub
Phil Pennock <Phil.Pennock@???> writes:

> On 2002-03-17 at 18:06 -0800, Harry Putnam wrote:
>> It seems one would want to limit exposure of local private addresses for
>> security reasons too... yes?
>
> It depends. How are the internal addresses reachable? The NAT box
> _does_ prevent source-routing, yes?


I don't really know what source-routing is. Maybe a description of
what I see happen will provide enough clues for you to tell. If I
send mail from inside the network, as in the example posted, it goes
to the machine running exim, and is then sent on to my ISP's SMTP
machine. Then retrieved by fetchmail running on the same machine as
exim. All that traffic goes back and forth thru the firewall.

However, if I go outside the firewall to the internet and try to
telnet to port 25 on my IP address (the firewall), it is rejected. No
connection is allowed.

So somehow port 25 traffic gets thru on request but not if initiated
from outside. Far as I know the internal machines cannot be contacted
from outside. I have made no special setting at the firewall
involving port 25 other than to say that all internal machines can
send packets out unhampered.

The only thing I have actually NATed, (Hope that is the correct term)
is traffic on ssh port 22 to a specific internal machine.

> Otherwise, reaching the internal addresses means compromising the
> gateway; at which point, the attacker _knows_ what your internal
> addresses are.


OK, I see your point here. If the attacker breaches the firewall all
bets are off.

> Unless you're providing some way for an attacker to inject packets onto
> the local network (source-routing; unfiltered opportunistic IPsec WANs,
> etc) then it's not really going to buy you much.


I think the only thing reachable from outside is port 22 on one
specific internal machine.

[...]

>> Which header represents SMTP Envelope Sender?
>
> In normal transit, it's not a header. It's around the headers.


[...]

> It's the one in the MAIL FROM: line. At final delivery, it might be
> prepended as "Return-path:".


That description and annotations alone made my day. I've wondered
about that for quite a while. ... thanks

>> > Another option is to set $received_header_text; make sections of it
>> > conditional upon $sender_host_address and put your sanitised information
>> > in the new header, if so.
>>
>> This sounds like the way to go, but I'll admit that the syntax of
>> these things has largely eluded me.
>
> This, I'm afraid, is a time for you to go digging in spec.txt. It would
> be enough for me to construct an example that I'd have already done
> _all_ the real work and you'd have learnt nothing. With me gaining
> nothing.
>
> If you prefer HTML, then try the online version on the website. "The
> Exim Specification".


Thanks... I like the texi format best but it appears spec.txt is a
separate critter. But am I correct in thinking that if all I do is
set primary_hostname = adsl-66.51.210.228.dslextreme.com, as you've
indicated further along, that my mail setup would be acceptable and
not present any undue security risks?

Using the $received_header_text posted will be sufficient?


>> After your mentioning `primary_hostname', I looked it up in the exim
>> info manual. I don't have it set so exim runs a uname to get it.
>> That is apparently where expi.local.lan gets set.
>>
>> What should that be set to? (My IP?)
>
> Not an IP. The hostname which that IP resolves to in reverse DNS, and
> for which forward DNS already exists.


Showing the true depths of my ignorance here, but what does `reverse
DNS' really mean? Just getting alphabetical name from number?

> Static IP on DSL ... not many ISPs providing that. Nice. (I'd plug my
> employer as one, but that would be officially associating them with my
> private address ;^) )


Seems to be fairly common around here. I've had two that did in the last
year. (One went out of business). These are not big interstate
operators though.
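One way of writing the conditional Received: header Phil describes, as an added example that is not from this thread or from Exim's own documentation: it assumes Exim 4 expansion syntax, a LAN of 192.168.1.0/24 as a placeholder, and that primary_hostname is set to the public name of the static IP as discussed above.

```exim
# Added example (not from the thread): hide LAN hostnames and private
# addresses in the Received: line for mail handed in from the home
# network, but keep the full standard information for every other source.
# Assumptions: the LAN is 192.168.1.0/24 (placeholder), Exim 4 syntax.

primary_hostname = adsl-66.51.210.228.dslextreme.com

received_header_text = Received: \
  ${if match{$sender_host_address}{\N^192\.168\.1\.\N} \
    {from [home LAN]\n\t}\
    {${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
      {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}\
       ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}}}\
  by $primary_hostname \
  ${if def:received_protocol {with $received_protocol}} \
  (Exim $version_number)\n\t\
  ${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}
```

After editing the configuration, `exim -bP received_header_text` prints the value Exim actually loaded, which catches brace and line-continuation mistakes before any mail passes through.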