[svlug] Gateway/Linux box intercepting email?
Eric N. Valor
ericv at cruzio.com
Tue Dec 6 08:10:48 PST 2005
Is linux1.butte.com acting as a mail relay, i.e. all internal traffic is
routed to it and then it routes SMTP out to the mt.net mail server?
You might also check with the ISP to see if perhaps they are refusing to
route your mail for a little while (until your virus problems are
confirmed resolved).
From linux1, try doing a full SMTP transaction by hand to see what error
messages the mt.net mail server gives you.
On Tue, 2005-12-06 at 15:19 -0800, Andrew Chant wrote:
> Hm,
> My first comment about the firewall rules I meant to delete... consider
> that thinking out loud, I don't think that's the problem.
>
> You don't really want to replace rules by hand - there's some sort of a
> system that sets this up when the system gets rebooted/etc, so the
> problem will just return if you ever lose power / etc. I really
> suggest you try to contact whoever set this up, and ask them what they
> were trying to do. I bet there's an SMTPd on that system that's aching
> to send 1,000,000 messages out. Once you fix the routing, there may be
> a bit of a flood.
> My inkling is that you don't want to change that DNAT rule, but add a
> rule in iptables to allow port 25 to the IP you gave. tcpdump won't be
> much help to you - I didn't realize those two names were the same machine.
>
> I'd be really hesitant to add that rule without understanding the system
> - namely, the configuration of the mail server on linux1.butte.com, and
> the configuration of whatever it is that set up those firewall rules.
>
> -Andrew
>
> Skip Evans wrote:
>
> > Hi Andrew,
> >
> > Well, I guess since they have no sys admin over there, the user is
> > going to be me for this one. If it is set up with scripts, where would
> > I find/run them from?
> >
> > Actually, THIS box is named buttepro.static.mt.net.
> >
> > Is one possible solution to replace this:
> >
> > >> DNAT tcp -- anywhere anywhere to:192.168.6.50:25
> >
> > with
> >
> > >> DNAT tcp -- anywhere anywhere to:206.127.64.140:25
> >
> > (206.127.64.140 is the address of the mail server they should be
> > connecting to.)
> >
> > I'll look up tcpdump now. I've never used it before, but will give it
> > a try.
> >
> > Skip
> >
> >
> >
> > Andrew Chant wrote:
> >
> >> Hi Skip,
> >> it looks like the order of the rules in the firewall is messed up.
> >> Is there any way you could get the user to flush all the firewall
> >> rules and re-run the scripts ( I hope this is set up with scripts)
> >> used to set them all up?
> >>
> >> It looks to me like, indeed, there is DNAT going on to an SMTP server
> >> running on linux1.butte.com
> >> linux1.butte.com looks like it *should* be forwarding all smtp mail
> >> to buttepro.static.mt.net
> >>
> >> maybe that's where the problem is occurring? perhaps run a tcpdump
> >> scanning for port 25 traffic outbound from linux1.butte.com to
> >> buttepro.static.mt.net
> >> send an email, and see if it leaves. If that's the case, it's not your
> >> client's setup that's a problem, it's buttepro.static.mt.net
> >>
> >> otherwise you've got some SMTP config to look at :D
> >>
> >> -Andrew ( should probably have asked you to obfuscate the IPs/Names a
> >> little) Chant
> >>
> >>
> >>>
> >>> Chain SMTPProxy (1 references)
> >>> target prot opt source destination
> >>> ACCEPT all -- anywhere localhost
> >>> ACCEPT all -- anywhere linux1.butte.com
> >>> ACCEPT all -- anywhere buttepro.static.mt.net
> >>> DNAT tcp -- anywhere anywhere to:192.168.6.50:25
--
Eric N. Valor
ericv at cruzio.com
PGP Key 2048/1024 227B04CB
Key Fingerprint = 766C CA15 0FFF E54B 2FEE C7D7 0F87 3AFB 227B 04CB
: This Space Intentionally Left Blank :
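
The by-hand SMTP transaction suggested at the top of this message can also be scripted; the following is an added example, not part of the original post. It stops before DATA, so nothing is delivered, and it reports the name in the 220 greeting, which shows whether the intended server or a relay the connection was DNATed to actually answered. The names `probe_smtp`, `banner_host`, `StubMTA`, `demo` and every `example` hostname and address are constructed for illustration.

```python
import smtplib, socketserver, threading

def probe_smtp(host, port=25, sender="probe@example.org",
               rcpt="postmaster@example.org", timeout=10):
    """Walk the SMTP dialogue as far as RCPT; return [(step, code, text), ...]."""
    steps = []
    # A fixed EHLO name avoids a DNS lookup of the local host name.
    smtp = smtplib.SMTP(local_hostname="probe.example", timeout=timeout)
    try:
        code, text = smtp.connect(host, port)            # 220 greeting
        steps.append(("banner", code, text.decode(errors="replace")))
        calls = (("EHLO", smtp.ehlo), ("MAIL", lambda: smtp.mail(sender)),
                 ("RCPT", lambda: smtp.rcpt(rcpt)))
        for step, call in calls:
            if not 200 <= steps[-1][1] < 300:            # stop at first refusal
                break
            code, text = call()
            steps.append((step, code, text.decode(errors="replace")))
        smtp.quit()
    except OSError as exc:       # refused, timed out, or dropped mid-dialogue
        steps.append(("error", None, str(exc)))
    finally:
        smtp.close()
    return steps

def banner_host(steps):
    """First word of the 220 greeting: the name the answering MTA gives itself."""
    step, _, text = steps[0]
    return text.split()[0] if step == "banner" and text else None

# Constructed replies for a stand-in relay that answers but refuses to relay.
REPLIES = {b"EHLO": b"250 relay.internal.example", b"MAIL": b"250 2.1.0 Ok",
           b"RCPT": b"554 5.7.1 Relay access denied", b"QUIT": b"221 Bye"}

class StubMTA(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 relay.internal.example ESMTP stub\r\n")
        for line in self.rfile:
            verb = line[:4].upper()
            self.wfile.write(REPLIES.get(verb, b"502 Not implemented") + b"\r\n")
            if verb == b"QUIT":
                break

def demo():
    # Probe the stub on a loopback port so the example runs offline.
    with socketserver.TCPServer(("127.0.0.1", 0), StubMTA) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        steps = probe_smtp("127.0.0.1", srv.server_address[1], timeout=5)
        srv.shutdown()
    return banner_host(steps), steps
```

A greeting name other than the server you meant to reach points at redirection on the path; an `error` step with no code points at filtering or a closed port rather than an SMTP-level refusal.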