
PF rules on a Mail gateway



Hello everyone...

Well, I wanted to get some help on a setup I'm running here at our company...

Basically, I set up a mail gateway on our company's DMZ running OpenBSD 3.3. Its sole purpose at this time is to act as a mail relay/gateway/spam checker... I've gone ahead and set up Postfix on the server, tested the setup, and it is working correctly by forwarding email to our intranet mail server...

The next step I wanted to do was set up PF on the mail gateway to add some more security. However, I'm having a problem getting my rules set up correctly so the email will be forwarded to our intranet server...

After setting up my initial rules and doing some initial testing, it was not relaying the email correctly. A quick look at the logs showed this:

Sep 9 11:19:17 blowfish postfix/smtpd[3233]: connect from corpmail.xxxxxx.com[192.168.1.166]
Sep 9 11:19:25 blowfish postfix/smtpd[3233]: 1B39FA6856: client=corpmail.xxxxxxx.com[192.168.1.166]
Sep 9 11:19:38 blowfish postfix/cleanup[30027]: 1B39FA6856: message-id=<[email protected]>
Sep 9 10:59:18 blowfish postfix/qmgr[19289]: A0C14A684E: from=<[email protected]>, size=486, nrcpt=1 (queue active)
Sep 9 10:59:18 blowfish postfix/smtp[16261]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Sep 9 10:59:18 blowfish postfix/smtp[16261]: A0C14A684E: to=<[email protected]>, relay=none, delay=21, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)
Sep 9 10:59:21 blowfish postfix/smtpd[22640]: disconnect from corpmail.xxxxxxxx.com[192.168.1.166]


This test was done after I started up PF...

When I flush the rules, everything works correctly. Now, I need to figure out where I've gone wrong on my rules...
A quick note: I telnetted to port 25 from the IP address of 192.168.1.166 (the internal mail server)... the mail server itself, at this time, has 2 IP addresses:
192.168.1.165
192.168.1.166


Here are my rules for PF:

# Define useful variables
ext_if="fxp0"              # External Interface
int_if="fxp1"              # Internal (intranet-facing) Interface
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

table <NoRouteIPs> { 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block log all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

# only allow our machines to connect via ssh
# (left commented out; $IntIF and $sshHost are not defined above)
#pass in on $IntIF inet proto tcp from $sshHost to any port = 22 keep state

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state


#Passing in SSH from intranet
# "to ($int_if)" added: without a destination, "port 22" matched the *source* port
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state


# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Can anyone point out where I've gone wrong on my rules?

Thanks.

Jason
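
Added example (not part of Jason's post and not an OpenBSD project file): a pf.conf in OpenBSD 3.3 syntax for a dual-homed relay that keeps the anti-spoofing filter on the Internet-facing interface only. It assumes fxp0 faces the Internet, fxp1 faces the intranet, and the intranet mail server (192.168.1.165/.166 in the post) sits behind fxp1 on 192.168.1.0/24; the macro names and that network are assumptions. The check a practitioner would make first: pf drops locally originated packets silently by default, and the OpenBSD IP stack then hands EHOSTUNREACH back to the sending process, which is exactly what Postfix logs as "No route to host". So if 192.168.1.165 is actually reached through fxp0, the "block out ... to <NoRouteIPs>" rule drops the relay's own SMTP connections (192.168.0.0/16 is in that table); if it is reached through fxp1 but lies outside the network configured on fxp1, the "pass out on $int_if ... to $int_if:network" rule never matches and the default block applies. `pfctl -vvsr` (rule numbers and match counters) and `tcpdump -n -e -ttt -i pflog0` (which logged rule dropped what) show which of the two it is.

```pf
# pf.conf for a dual-homed mail relay, OpenBSD 3.3 syntax.
# Added example, not the poster's rules.  Assumptions: fxp0 faces the
# Internet, fxp1 faces the intranet, and the intranet mail server is
# reached through fxp1 on 192.168.1.0/24.
ext_if   = "fxp0"
int_if   = "fxp1"
int_net  = "192.168.1.0/24"                      # assumed intranet network
int_mail = "{ 192.168.1.165, 192.168.1.166 }"    # both addresses from the post

table <martians> { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

scrub in all

# Default deny, logged, so anything unexpected shows up on pflog0.
block log all

pass quick on lo0 all

# Anti-spoofing only on the Internet-facing interface.  192.168.0.0/16 is in
# <martians>, so these rules must never sit on the interface that carries
# traffic to the intranet server: a blocked locally generated packet is
# reported to Postfix as "No route to host".
block in  log quick on $ext_if from <martians> to any
block out log quick on $ext_if from any to <martians>

# Inbound SMTP from the Internet to the relay.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 flags S/SA keep state

# The intranet mail server submits outbound mail to the relay.
pass in on $int_if inet proto tcp from $int_mail to ($int_if) port 25 flags S/SA keep state

# Admin ssh from the intranet to the relay (destination port, not source port).
pass in on $int_if inet proto tcp from $int_net to ($int_if) port 22 flags S/SA keep state

# The relay delivers inbound mail to the intranet server.  This is the rule
# that must match for the "connect to 192.168.1.165" in the post to succeed.
pass out on $int_if inet proto tcp from ($int_if) to $int_mail port 25 flags S/SA keep state

# Outbound mail to the Internet and DNS lookups from the relay itself.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 25 flags S/SA modulate state
pass out on $ext_if inet proto udp from ($ext_if) to any port 53 keep state
```

This set deliberately passes nothing else out of either interface; ICMP, NTP, or TCP fallback for large DNS answers would need their own pass rules. Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`, and re-run the telnet test from 192.168.1.166 while watching pflog0.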