Transparent SMTP proxies?
Ben Scott
dragonhawk at gmail.com
Wed Jan 23 08:41:25 EST 2008
On Jan 22, 2008 8:53 PM, Bill McGonigle <bill at bfccomputing.com> wrote:
>> Use IPtables to intercept all
>> TCP/25 traffic and redirect it to your existing SMTP relay server.
>
> I think this will hose up anybody configured to do SMTP AUTH if it
> runs through a 'regular' SMTP relay.
You could configure your SMTP relay to accept any authentication
attempt (regardless of credentials) from IP addresses on/behind the
router. Hmmm. Thinking further on it, though, it would have other
problems. In particular, it breaks SPF, SenderID, and the like.
Never mind.
I suppose you could just block TCP/25 destined to !you. That's
increasingly common these days. The idea is that if you're a roaming
node, you really should be using an MSA anyway.
> My assumption is that the transparent proxies do AUTH-by-proxy for them (if you don't want me
> potentially logging your password, please stop sending it in cleartext).
Makes sense to me. Not that that counts for much. :)
I don't know much about how SMTP+TLS (SSL) works, but it seems
likely that might also be a problem (i.e., it might see the
transparent proxy as an intercept attack (which it is)). But see
above about MSA.
> True - I figured I'd alias up an eth0:x interface on my 'network'
> server and run the proxy there. So far, it works in theory. :)
No need for a separate IP address; just configure the proxy to
listen on an alternate TCP port, and use IPtables to redirect all
connections originally destined to TCP/25 to the alternate port on
your server.
-- Ben
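The two router-side options Ben outlines (redirect LAN TCP/25 to a proxy listening on an alternate port, or simply block TCP/25 to anything that is not your own relay) as an added example; this is not code from the thread or from either poster. Interface name eth1, relay/proxy address 192.168.1.1 and proxy port 2525 are assumptions. REDIRECT rewrites the destination to the address of the interface the packet arrived on, so it only fits the case where the proxy runs on the router itself; if the proxy lives on another box you need DNAT instead, and the return path must still pass through the router. Both caveats raised in the thread stand: an intercepting proxy cannot present the real destination's certificate, so a STARTTLS client that verifies certificates will (correctly) treat it as a man-in-the-middle, and mail relayed this way leaves from the relay's address, which is what upsets SPF.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the iptables rules for the two
# approaches discussed above, on a Linux router between a LAN and the Internet.
# Assumed (hypothetical) values: LAN interface eth1; the SMTP relay/proxy runs
# on the router itself at 192.168.1.1 and listens on TCP/2525 for intercepted
# connections. Rules are printed by default; set DRY_RUN=0 to really apply them.

LAN_IF="${LAN_IF:-eth1}"
RELAY_IP="${RELAY_IP:-192.168.1.1}"
PROXY_PORT="${PROXY_PORT:-2525}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1: transparent interception. REDIRECT rewrites the destination to
# the address of the interface the packet came in on, so the proxy only needs
# to listen on an alternate port on the router; no extra IP alias is required.
# Connections already aimed at the relay on port 25 are left untouched.
intercept_smtp() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
        -d "$RELAY_IP" -j RETURN
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Approach 2: no interception at all. Forwarded TCP/25 to anything but the
# relay is reset with a RST; TCP/587 (the MSA port) is not touched, so a
# roaming client that does SMTP AUTH and STARTTLS against its own provider's
# submission server keeps working.
block_direct_smtp() {
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 ! -d "$RELAY_IP" \
        -j REJECT --reject-with tcp-reset
}

# In dry-run mode just show what each approach would install.
if [ "$DRY_RUN" = "1" ]; then
    echo "# approach 1: transparent interception"
    intercept_smtp
    echo "# approach 2: block direct delivery"
    block_direct_smtp
fi
```

Pick one approach; they are alternatives, not layers. The RETURN rule in front of the REDIRECT matters: without it a client that is already talking to the relay on port 25 gets bounced to the proxy as well, which the proxy would then hand back to the relay, doubling the hop for no gain.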