Date:      Sat, 18 Nov 2000 16:21:51 +0100
From:      Jesper Skriver <jesper@skriver.dk>
To:        John Hay <jhay@icomtek.csir.co.za>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: React to ICMP administratively prohibited ?
Message-ID:  <20001118162151.B81075@skriver.dk>
In-Reply-To: <200011180819.eAI8J1V20277@zibbi.icomtek.csir.co.za>; from jhay@icomtek.csir.co.za on Sat, Nov 18, 2000 at 10:19:01AM +0200
References:  <20001117211013.C9227@skriver.dk> <200011180819.eAI8J1V20277@zibbi.icomtek.csir.co.za>

On Sat, Nov 18, 2000 at 10:19:01AM +0200, John Hay wrote:
> > 
> > I'm currently looking at how various operating systems react to an 'ICMP
> > administratively prohibited'.
> > 
> > My motivation is setups where access to the primary mailserver is
> > blocked by filters (usually to block open relays), and all mail has to
> > go via the backup MX; an example from a customer of ours:
> > 
> > jesper@freesbee$ host -t mx nemo.dyndns.dk
> > nemo.dyndns.dk mail is handled (pri=10) by nemo.dyndns.dk
> > nemo.dyndns.dk mail is handled (pri=20) by backup-mx.post.tele.dk
> > 
> > Here we block access to tcp/25 on nemo.dyndns.dk (an ADSL user), but
> > provide a backup MX for him to use. But when a mailserver wants to send
> > mail to him, it will experience a timeout before sending the mail to
> > backup-mx.post.tele.dk, which can send the mail onwards to
> > nemo.dyndns.dk.
> 
> You can also solve the problem another way. You can remove the MX for
> the customer machine, so that your backup-mx is the prefered MX for his
> mail. Then on backup-mx you can add a mailertable entry to direct the
> mail to his machine. Something like:
> 
> nemo.dyndns.dk	smtp:[nemo.dyndns.dk]

I know, but this requires per-domain/user configuration on backup-mx,
something we want to avoid at any cost. Now you're going to ask how we
make sure backup-mx is not an open relay.

This is ensured by a patch(*) I wrote for postfix; from sample-smtpd.cf:

# permit_auth_mx_backup: accept mail if all IP address(es) of the primary MX are
# within $auth_mx_backup_networks. See auth_mx_backup_networks.
#
# The auth_mx_backup_networks parameter specifies a list of networks 
# where Postfix will act as a backup MX host if the primary MX is
# within these networks, and permit_auth_mx_backup is configured.
#
# The list is used by the anti-UCE software. See permit_auth_mx_backup
# in the sample-smtpd.cf file.

> This way you don't have to worry how someone else's machine is going
> to handle those icmp packets.

Your solution is a good one if the product has a margin that allows
for user-specific configuration on the backup-mx, but in this case it's
an ADSL product for home users, with very little margin ...

*) <http://freesbee.wheel.dk/~jesper/permit_auth_mx_backup.20001030.diff>

See the postfix.users archive for history (the above patch is the same,
only relative to 20001030 instead of 20000531).

<http://x71.deja.com/[ST_rn=ps]/getdoc.xp?AN=648703086&CONTEXT=974559861.626524165&hitnum=26>

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
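The relay-admission rule that the permit_auth_mx_backup comments above describe (accept mail for a domain only if every address of its primary MX lies inside $auth_mx_backup_networks), as an added, stand-alone illustration; this is not Jesper's patch or Postfix code, and DNS lookups are replaced by a constructed record table with documentation-only addresses.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical names, RFC 5737 test addresses).
MX_RECORDS = {
    "customer.test": [(10, "mx.customer.test"), (20, "backup-mx.isp.test")],
    "elsewhere.test": [(10, "mx.elsewhere.test")],
    "mixed.test": [(10, "mx1.mixed.test"), (10, "mx2.mixed.test")],
}
A_RECORDS = {
    "mx.customer.test": ["192.0.2.10"],
    "backup-mx.isp.test": ["198.51.100.25"],
    "mx.elsewhere.test": ["203.0.113.5"],
    "mx1.mixed.test": ["192.0.2.20"],
    "mx2.mixed.test": ["203.0.113.20"],  # one primary MX outside our networks
}

# The networks the backup MX is willing to act as secondary for
# (the role of $auth_mx_backup_networks in the patch; value is constructed).
AUTH_MX_BACKUP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def primary_mx_addresses(domain):
    """All A records of the lowest-preference MX host(s) for `domain`."""
    mxs = MX_RECORDS.get(domain)
    if not mxs:
        return []
    best = min(pref for pref, _ in mxs)
    return [ip for pref, host in mxs if pref == best
            for ip in A_RECORDS.get(host, [])]


def permit_auth_mx_backup(domain, networks=AUTH_MX_BACKUP_NETWORKS):
    """Relay for `domain` only if every primary-MX address is in `networks`.

    Requiring *all* addresses (not any) keeps a domain whose primary MX is
    partly hosted elsewhere from using us as an open relay.
    """
    addrs = primary_mx_addresses(domain)
    if not addrs:
        return False  # unknown or unresolvable primary MX: do not relay
    return all(any(ipaddress.ip_address(a) in n for n in networks)
               for a in addrs)


if __name__ == "__main__":
    for d in MX_RECORDS:
        print(d, "->", "accept" if permit_auth_mx_backup(d) else "reject")
```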
