t1ck3ts
Resolved
Hi guys

So a client has asked me to block anyone connecting to the mail server from outside of the country, which is all good and fine, but the problem is, it seems that most of the forwarding source is getting caught up in the block too.

For example:
iptables -I FORWARD -i enp2s0 -m set ! --match-set countryblock src -d 192.168.37.1 -j DROP

* Using the FORWARD chain as the mail server is behind the ClearOS box and uses port forwarding for people to get their mail outside of the office
This should block anything that's NOT part of the country ip addresses inside the hash, right?

But I'm getting blocks from everyone on the LAN side; also, their mail server can't send anything to Gmail's servers, for instance.

Is the rule I'm using incorrect?
Thursday, September 14 2017, 06:03 PM
Responses (2)
  • Accepted Answer

    t1ck3ts
    Thursday, September 14 2017, 09:50 PM
    Resolved
    That's what I've been trying to tell them.

    But that's what their mail server is doing: picking up external mail (for their personal inboxes) and then having the internal server deal with sending etc., removing any sort of sneaky software trying to spam from the network.

    I know that they do have a new tech on hand who's giving them ideas and such, so I'm guessing these requests come from him. He's probably been sniffing around the logs and seen many access attempts (which I've set up fail2ban to lock down).
  • Accepted Answer

    Thursday, September 14 2017, 09:04 PM
    Resolved
    I find it hard to imagine why you would geo-block a fully functioning mail server, as you have no idea where people's sending mail servers are located. It will only work if fetchmail is used to pick up mail externally for internal distribution; otherwise external mail servers will not be able to connect to you if they are outside the country.

    You have a number of strategies available. To allow sending mail, you could add "-m state --state NEW" to your rule. This will stop external devices from making a connection but will allow them to respond when connected to.

    I personally use a different strategy. For SMTP I do not allow authentication on 25. If you want your users to authenticate from external, use SMTPS on port 465 or STARTTLS on 587. Then you can exclude port 25 from the above rule with a "-p tcp ! --dport 25". You will then need another rule to block UDP on all ports, and you would not need the state switch. I also run fail2ban and instantly ban anyone trying to relay through me, and I block any login failure immediately (so I configure PCs/phones when they are on the LAN in case I make a mistake).
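Putting the two suggestions from the answer above together (a state match so the mail server's own outbound connections keep working, and port 25 left open so other MTAs can still deliver), here is an added example that is not from the thread or from ClearOS. It shows the original rule beside a replacement rule set; the interface, ipset name and server address are the ones from the post, while the GEOMAIL chain name and the LOG prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): geo-restrict a port-forwarded mail server
# without dropping the replies to connections the server opens itself.
# Interface, ipset name and server address come from the post; the chain name
# and log prefix are this example's own assumptions.
WAN_IF="enp2s0"
GEO_SET="countryblock"      # ipset hash of in-country prefixes
MAIL_SRV="192.168.37.1"     # internal mail server reached via port forwarding
CHAIN="GEOMAIL"             # assumed name for a dedicated chain

# The rule from the original post: inserted first in FORWARD and with no state
# match, so reply packets from foreign MTAs (e.g. Gmail) are dropped as well.
broken_rule() {
    echo "iptables -I FORWARD -i $WAN_IF -m set ! --match-set $GEO_SET src -d $MAIL_SRV -j DROP"
}

# Replacement: a dedicated chain that first lets conntrack replies and
# MTA-to-MTA delivery on 25 through, then returns for in-country sources, and
# only then logs (rate-limited, for fail2ban/SIEM) and drops everything else,
# i.e. NEW connections from abroad to 465/587, IMAP, POP or any other port.
fixed_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A $CHAIN -p tcp --dport 25 -j RETURN
iptables -A $CHAIN -m set --match-set $GEO_SET src -j RETURN
iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix "geomail-drop: "
iptables -A $CHAIN -j DROP
iptables -C FORWARD -i $WAN_IF -d $MAIL_SRV -j $CHAIN 2>/dev/null || iptables -I FORWARD -i $WAN_IF -d $MAIL_SRV -j $CHAIN
EOF
}

# Dry run by default; "apply" executes each generated command (run as root).
case "${1:-}" in
    apply) fixed_rules | while IFS= read -r cmd; do sh -c "$cmd"; done ;;
    *)     echo "# original rule:"; broken_rule; echo "# replacement:"; fixed_rules ;;
esac
```

The UDP rule from the answer is not needed here because the chain drops every non-country packet that is not a conntrack reply or port-25 delivery, UDP included.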