Re: [exim] NATted exim on receive

Author: Alun
Date:  
To: Tom Kistner
CC: exim-users
Subject: Re: [exim] NATted exim on receive
Tom Kistner <tom@???> said, in message
470A5B5D.5040206@???:

> Alun wrote:
>
> > returns the address of the interface the request came in on, but
> > that's different from the address that was being contacted.
>
> You need to patch Exim to do this. If you use the netfilter (aka
> iptables) REDIRECT target, the original destination address can be
> fetched from the socket using getsockopt(...SO_ORIGINAL_DST...).


Yes, that's the one. I was wondering because the Perl gets called in a
context in which a couple of file descriptors are open and connected to
sockets. Assuming that one of these is connected to the other end and
that I knew which one it was I could just call the getsockopt() from
Perl and get what I wanted.

> This needs to be done inside Exim. If you want to reject anything
> anyway you could just hack up a small SMTP responder instead. You can
> also use Perl for that, IO::Socket seems to have a getsockopt method.


Indeed. That (the latter) was the original plan, but then I thought of
ACLs and all the handy stuff that exim puts in variables for me and it
seemed more flexible to use exim with a pretty simple config than to
write custom code for each check. Especially since the box already
needs some variant of sendmail installed for forwarding local cron
output.

I already want to 4xx anything that's coming in for a valid aber.ac.uk
address, 5xx anything that's for an aber.ac.uk address that's not
valid, and 5xx, tarpit and blacklist any IP that's trying to relay or
portscan. If I decided to add in load management, reverse lookups,
DNSBLs etc to check addresses before they were added to my blacklist
and so on I'd end up with a fairly complicated SMTP responder which
reimplemented quite a lot of stuff that exim already has.

I think I'll have a quick play with parsing netstat -an --tcp for
$sender_host_address:$sender_host_port to find who the other end is
trying to talk to. This should be close enough to unique for my
purposes.

Thanks for the response,
Alun.

-- 
Alun Jones                       auj@???
Systems Support,                 (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
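The two retrieval paths discussed in the exchange above, as an added example that is not part of the thread and is neither Exim's nor Alun's code. It is Python standing in for the Perl hook (the getsockopt call is the same one IO::Socket would make) and assumes a Linux host that applied the netfilter REDIRECT/DNAT rule itself. The value 80 for SO_ORIGINAL_DST, the sample conntrack and netstat lines, and the assumption that the accepted SMTP socket sits on fd 0 of the hook process are all mine, not from the page. The block also shows the caveat a practitioner would want before parsing netstat: `netstat -an --tcp` lists the socket's own local endpoint, which after REDIRECT is the rewritten address and port (the same thing Exim already exposes), while the pre-NAT destination lives in the conntrack table and is exactly what SO_ORIGINAL_DST reads out for you.

```python
"""Recover the pre-NAT destination of an inbound SMTP connection on Linux.

Added example for the exim-users thread above; Python standing in for the
Perl hook that was discussed.  Not Exim code.  Assumptions (not from the
thread): this host applied the netfilter REDIRECT/DNAT rule, and the
accepted SMTP socket is reachable as fd 0 of the process running the hook.
"""
import re
import socket
import struct

# From linux/netfilter_ipv4.h; the Python socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(buf: bytes):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns into
    (dotted_ip, port).  Layout: sin_family (u16, host order), sin_port
    (u16, network order), sin_addr (4 bytes), then zero padding."""
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(buf))
    (family,) = struct.unpack("=H", buf[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family %d)" % family)
    (port,) = struct.unpack("!H", buf[2:4])
    return socket.inet_ntoa(buf[4:8]), port


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Inverse of parse_sockaddr_in; used here only to build test input."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def original_dst_of_socket(sock: socket.socket):
    """Ask the kernel directly.  Raises OSError (ENOENT) when the connection
    was not NATted on this host; fall back to sock.getsockname() then."""
    raw = sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def original_dst_of_fd(fd: int = 0):
    """Wrap an inherited descriptor without taking ownership of it.
    Assumption: the accepted SMTP socket is on fd 0 of the hook process."""
    sock = socket.socket(fileno=fd)
    try:
        return original_dst_of_socket(sock)
    finally:
        sock.detach()          # hand the fd back; do not close it


# One 4-tuple as printed in /proc/net/nf_conntrack or /proc/net/ip_conntrack.
_CT_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def original_dst_from_conntrack(table: str, sender_ip: str, sender_port: int):
    """Same answer read from the conntrack table text.  Each TCP line carries
    two tuples: ORIGINAL direction (what the sender actually sent, pre-NAT)
    then REPLY direction (post-NAT).  Return (ip, port) from the original
    tuple whose source is the sender, or None if no such flow exists."""
    for line in table.splitlines():
        if "tcp" not in line.split():
            continue
        tuples = _CT_TUPLE.findall(line)
        if not tuples:
            continue
        src, dst, sport, dport = tuples[0]
        if src == sender_ip and int(sport) == sender_port:
            return dst, int(dport)
    return None


def local_endpoint_from_netstat(text: str, sender_ip: str, sender_port: int):
    """What `netstat -an --tcp` can tell you: the local end of the socket the
    sender is attached to.  After REDIRECT this is the rewritten address and
    port, i.e. Exim's $received_ip_address/$received_port, not the original."""
    want = "%s:%d" % (sender_ip, sender_port)
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].startswith("tcp") and f[4] == want:
            ip, _, port = f[3].rpartition(":")
            return ip, int(port)
    return None


# Constructed sample input: sender 198.51.100.7 connected to 203.0.113.25:25,
# which REDIRECT delivered to the local listener on 203.0.113.1:2525.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.25 sport=40112 dport=25 src=203.0.113.1 dst=198.51.100.7 sport=2525 dport=40112 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=198.51.100.9 dst=203.0.113.1 sport=50001 dport=22 src=203.0.113.1 dst=198.51.100.9 sport=22 dport=50001 [ASSURED] mark=0 use=1
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2525            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.1:2525        198.51.100.7:40112      ESTABLISHED
"""

if __name__ == "__main__":
    print("conntrack:", original_dst_from_conntrack(SAMPLE_CONNTRACK, "198.51.100.7", 40112))
    print("netstat:  ", local_endpoint_from_netstat(SAMPLE_NETSTAT, "198.51.100.7", 40112))
```

Run stand-alone, the conntrack lookup yields the address the sender dialled (203.0.113.25:25) while the netstat lookup yields only the post-NAT listener (203.0.113.1:2525). In production use `original_dst_of_fd()` and catch OSError for connections that were never NATted; reading /proc/net/nf_conntrack needs root or CAP_NET_ADMIN, and an IPv6 connection needs the separate IP6T_SO_ORIGINAL_DST option at SOL_IPV6 with a sockaddr_in6 decoder, which this block does not handle.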