Date: Sat, 18 Nov 2000 16:21:51 +0100
From: Jesper Skriver
To: John Hay
Cc: hackers@FreeBSD.ORG
Subject: Re: React to ICMP administratively prohibited ?
Message-ID: <20001118162151.B81075@skriver.dk>
References: <20001117211013.C9227@skriver.dk> <200011180819.eAI8J1V20277@zibbi.icomtek.csir.co.za>
In-Reply-To: <200011180819.eAI8J1V20277@zibbi.icomtek.csir.co.za>; from jhay@icomtek.csir.co.za on Sat, Nov 18, 2000 at 10:19:01AM +0200

On Sat, Nov 18, 2000 at 10:19:01AM +0200, John Hay wrote:
> >
> > I'm currently looking at how various operating systems react to an 'ICMP
> > administratively prohibited'.
> >
> > My motivation is setups where access to the primary mailserver is
> > blocked by filters (usually to block open relays), and all mail has to
> > go via the backup MX; an example from a customer of ours:
> >
> > jesper@freesbee$ host -t mx nemo.dyndns.dk
> > nemo.dyndns.dk mail is handled (pri=10) by nemo.dyndns.dk
> > nemo.dyndns.dk mail is handled (pri=20) by backup-mx.post.tele.dk
> >
> > Here we block access to tcp/25 on nemo.dyndns.dk (an ADSL user), but
> > provide a backup MX for him to use. When a mailserver wants to send
> > mail to him, it will experience a timeout before sending the mail to
> > backup-mx.post.tele.dk, which can send the mail onwards to
> > nemo.dyndns.dk.
>
> You can also solve the problem another way. You can remove the MX for
> the customer machine, so that your backup-mx is the preferred MX for his
> mail. Then on backup-mx you can add a mailertable entry to direct the
> mail to his machine. Something like:
>
> nemo.dyndns.dk smtp:[nemo.dyndns.dk]

I know, but this requires per-domain/user configuration on backup-mx,
something we want to avoid at any cost. Now you're going to ask how we
make sure backup-mx is not an open relay.

This is ensured by a patch(*) I wrote for postfix; from sample-smtpd.cf:

# permit_auth_mx_backup: accept mail if all ip address(es) of the primary MX is
# within $auth_mx_backup_networks, See auth_mx_backup_networks
#
# The auth_mx_backup_networks parameter specifies a list of networks
# where Postfix will act as a backup MX host if the primary MX is
# within these networks, and permit_auth_mx_backup is configured.
#
# The list is used by the anti-UCE software. See permit_auth_mx_backup
# in the sample-smtpd.cf file.

> This way you don't have to worry how someone else's machine is going
> to handle those icmp packets.

Your solution is a good one if the product has a margin that allows for
user-specific configuration on the backup-mx, but in this case it's an
ADSL product for home users, with a very small margin ...

*) See the postfix.users archive for history (the above patch is the
same, only relative to 20001030 instead of 20000531).

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
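The permit_auth_mx_backup rule quoted above (accept as backup MX only when every address of the domain's primary MX lies within auth_mx_backup_networks) worked through as an added example; this is not the postfix patch itself, and the MX/A records and the 192.0.2.0/24 network are constructed stand-ins for real DNS and configuration:

```python
"""Backup-MX relay decision in the spirit of permit_auth_mx_backup.

Accept mail for a recipient domain only if *all* IP addresses of the
domain's primary (lowest-preference) MX host are inside the networks we
have agreed to back up. Anything else is refused, so the backup MX cannot
be used as an open relay for arbitrary domains. Example code, not the
postfix patch; DNS data below is constructed inline.
"""
import ipaddress

# Constructed stand-in for DNS lookups: MX records as (preference, host),
# and A records per host. 192.0.2.x / 203.0.113.x are documentation ranges.
MX_RECORDS = {
    "nemo.dyndns.dk": [(10, "nemo.dyndns.dk"), (20, "backup-mx.post.tele.dk")],
    "outside.test": [(10, "mx.outside.test")],
    "split.test": [(10, "mx.split.test")],
}
A_RECORDS = {
    "nemo.dyndns.dk": ["192.0.2.10"],
    "mx.outside.test": ["203.0.113.5"],
    "mx.split.test": ["192.0.2.20", "203.0.113.20"],  # one address outside our networks
}

# Assumed value of auth_mx_backup_networks: the customer networks we back up.
AUTH_MX_BACKUP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def primary_mx(domain):
    """Return the lowest-preference MX host for `domain`, or None if it has no MX."""
    records = MX_RECORDS.get(domain)
    if not records:
        return None
    return min(records)[1]  # tuples sort by preference first


def permit_auth_mx_backup(domain, networks=AUTH_MX_BACKUP_NETWORKS):
    """True only if every address of the primary MX is inside one of `networks`.

    No MX, an MX with no addresses, or any single address outside the
    networks all lead to refusal: the safe default for a relay decision.
    """
    host = primary_mx(domain)
    if host is None:
        return False
    addrs = A_RECORDS.get(host, [])
    if not addrs:
        return False
    return all(any(ipaddress.ip_address(a) in net for net in networks) for a in addrs)
```

The split.test case shows why the rule demands all addresses, not any: a primary MX with one address inside the backed-up networks and one outside is still refused.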