Re: [exim] NATted exim on receive

Author: Alun
Date:  
To: Leonardo Boselli
CC: exim-users
Subject: Re: [exim] NATted exim on receive
Leonardo Boselli <leo@???> said, in message
Pine.LNX.4.21.0710091507070.3870-100000@???:

> On Tue, 9 Oct 2007, Alun wrote:
> > > the 2xx for what use is reserved? it looks that you are rejecting
> > > or delaying anything, never accepting anything
> > Yes, that's correct. Nothing legitimate can ever come in on this
> > server.
>
> I assume that @aber.ac.uk is outside your subnet ..... otherwise
> it would be difficult to get any e-mail ...


Hi,

OK, I'll try to explain it again. The situation is this. We have an MX
record for aber.ac.uk which points to mailserv.aber.ac.uk and
mailserv2.aber.ac.uk. We don't have MX records for every machine within
aber.ac.uk or a wildcard MX. We have considered both options but they
both have problems which we'd not want to try to tackle.

If someone incorrectly publicises their address as e.g.
auj@??? rather than auj@??? then a machine
trying to deliver mail to them from outside will look up the MX
record for machine.aber.ac.uk, find that there isn't one and fall
back to using the A record. They'll then try to contact port 25 on
machine.aber.ac.uk. Our firewall will block that connection attempt
and the message will sit on the remote server's queue for an
indeterminate amount of time before bouncing to the sender.

auj@??? is NOT a valid address here but people make
the mistake often enough that it would be nice to bounce the mail
early with a meaningful error message rather than a week later with
a meaningless timeout message.

So I've told the firewall to redirect port 25 on any machine within our
network (except the real mail servers) when accessed from outside. The
redirect is to a copy of exim configured to reject all mail. No
legitimate mail will ever hit that copy of exim - legitimate mail to
aber.ac.uk will use the MX record and go to the real servers on our
network; incorrectly addressed mail will be rejected by the copy of exim
on the firewall, and attempts to relay mail through it will be
rejected, the offending IPs tarpitted and recorded in a blacklist which
our users can, at their option, use to filter their real inbound mail.

This is all done now and works according to plan. My question, which
started this off, was whether it was possible, from the embedded perl
interpreter, to identify the file descriptor of the socket that's
connected to the remote host. Tom confirmed that I wasn't missing
anything in the spec, and I implemented what was needed for my purposes!

The blacklist now has 819 entries.

Cheers,
Alun.

-- 
Alun Jones                       auj@???
Systems Support,                 (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
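The reject-all exim described in the message above can be expressed as an RCPT ACL. This is an added illustration, not Alun's actual configuration: the domain list, the 20s delay, the log text and the error wording are assumptions, and the "blacklist" is taken to be built by an external tool from the tagged log lines rather than written by exim itself.

```exim
# Constructed example: exim instance reached only via the firewall's
# port-25 redirect, so nothing it receives can be legitimate.

domainlist our_domains = aber.ac.uk : *.aber.ac.uk   # assumed list

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Relay attempt: recipient is outside our domains. Tarpit the
  # connection (assumed 20s), tag the log line so an external job
  # can feed the source IP into the optional user blacklist, reject.
  deny    !domains     = +our_domains
          delay        = 20s
          log_message  = RELAY-ATTEMPT from $sender_host_address \
                         to $local_part@$domain
          message      = relaying denied

  # Anything else is mail to a host that has no MX record: bounce it
  # immediately with a meaningful 5xx instead of a week-long timeout.
  deny    log_message  = misaddressed mail from $sender_host_address \
                         to $local_part@$domain
          message      = $local_part@$domain is not a valid address; \
                         mail for $domain must be sent via the MX \
                         hosts for aber.ac.uk
```

The two `deny` verbs mean no RCPT is ever accepted, so the 2xx path is never taken; the `delay` modifier runs only when the preceding `!domains` condition matched, so misaddressed (non-relay) mail is rejected without the tarpit.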