ISP with Dual NAT

mspivey
Newbie
Joined: 02 February 2005 Location: United States Status: Offline Points: 2
Topic: ISP with Dual NAT
Posted: 02 February 2005 at 12:58pm
Let's try to verify this before I implement it: check the logic of my madness. I own an ISP and have dial-up customers and customers that use my email server as their SMTP outbound server. Simple enough, but I have a firewall running NAT at the border, the dial-up customers are within that NATted environment, and the traffic flows to another firewall running NAT again, which in turn forwards the traffic to my Web and Email servers. Spamfilter and the email application are on the same server. So for email the flow is as such:

WEB email (25)--Firewall 1(NAT)(25)---Firewall 2(NAT)(25)---SPAMfilter(26)----Email

The problem I am running into is that when my external customers want to relay, I would effectively have to know each of their external IP addresses and place them in the Whitelist. This is of course unacceptable, as IP addresses change for external customers. So I am proposing this solution: routing the external IP of my mail server on Firewall 1 from port 25 to port 26 of the NATted mail server IP on Firewall 2, where Spamfilter processes and forwards to port 25 of the same server. That takes care of the inbound mail. I would also take the external IP of another of my servers NOT running SMTP and, on Firewall 1, port redirect that IP's port 25 requests to the NATted mail server IP on Firewall 2. The next step is to have my external customers that use my mail server as their outgoing SMTP server change their outgoing SMTP server IP address to this IP address (the IP of the server NOT running SMTP). This way the customers are logging directly into the SMTP server and bypassing the Spamfilter for relay. As for the dial-up customers, they don't have to change anything, as they route directly to the mail server on port 25. So the new flow would be as such:

external (25)--FW1(26)----(26)FW2(26)---SPAMfilter--Mail Server
and
external (25)--FW1(25)----(25)FW2(25)----Mail Server

Any thoughts?
Access International
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4106
Posted: 02 February 2005 at 5:30pm
mspivey,

Having all your external customers change their email client configuration could be quite a hassle if there are many of them. If you own the ISP, most likely you have multiple internet (external) IP addresses available to you. Have you considered leaving your SMTP server's IP address and port as is, thus avoiding any client changes, and simply configuring SpamFilter to listen for incoming traffic on a new IP address? You would then modify your DNS MX record to point it to the new IP address SpamFilter uses rather than the one assigned to your SMTP server. This will cause all inbound email to be delivered to SpamFilter, without having to modify any configurations on either your SMTP server or your clients.
mspivey
Newbie
Joined: 02 February 2005 Location: United States Status: Offline Points: 2
Posted: 03 February 2005 at 12:34pm
Actually, in the way I have it set up now, the only customers that have to make any changes are those not dialed in to me who have my mail server listed as the outbound SMTP server. They only had to make one change (the IP address of the new redirected port). This solution works great and I don't have to change my MX record. I require authentication on the email server to send email, and Spamfilter only has my local domains listed to receive email. I can send you a PDF outlining this setup if you or anyone else is interested.

Mark
Access International
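The second published address in this design skips SpamFilter entirely, so the only thing standing between it and an open relay is the mail server's own "authenticate before you relay" rule that mspivey mentions. The script below is an added example for this thread, not code from LogSat, SpamFilter or the poster; it probes both endpoints the way an administrator would verify that rule on their own server. Hostnames, ports and the example.org/example.net probe addresses are assumptions to replace with your own; example.net is assumed not to be a domain the server hosts.

```python
"""Relay-policy probe for the two SMTP endpoints described in the thread.

Added example; not LogSat's, SpamFilter's or the poster's code. Host names,
ports and probe addresses are assumptions.

MX endpoint (external:25 -> FW1 -> FW2 -> SpamFilter:26): must refuse mail
for domains it does not host. Submission endpoint (second external IP
redirected straight to the mail server on 25): bypasses the filter, so it
must offer AUTH and still refuse to relay for anyone not authenticated.
"""
import smtplib
import sys

# Constructed probe addresses. example.net is assumed NOT to be hosted here,
# so accepting RCPT TO it without AUTH means the server relays for strangers.
PROBE_SENDER = "probe@example.org"
PROBE_RCPT = "relay-test@example.net"


def parse_ehlo_extensions(ehlo_body: str) -> set[str]:
    """Return the set of ESMTP keywords from an EHLO reply body.

    smtplib hands back the reply as one string: the first line is the
    server's own name, each further line is "KEYWORD [params]".
    """
    keywords = set()
    for line in ehlo_body.splitlines()[1:]:
        parts = line.strip().split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def relay_verdict(auth_offered: bool, rcpt_code: int, submission: bool) -> tuple[bool, str]:
    """Judge one unauthenticated probe.

    submission=True for the filter-bypass endpoint customers use with AUTH,
    submission=False for the MX endpoint fronted by SpamFilter.
    """
    if 200 <= rcpt_code < 300:
        return False, "open relay: unauthenticated RCPT TO a foreign domain was accepted"
    if submission and not auth_offered:
        return False, "relay refused, but AUTH is not offered, so customers cannot submit here either"
    if auth_offered:
        return True, "relay refused without AUTH; AUTH is offered"
    return True, "relay refused; no AUTH (expected for the MX endpoint)"


def probe_endpoint(host: str, port: int, submission: bool, timeout: float = 10.0) -> tuple[bool, str]:
    """Connect, EHLO, then attempt MAIL FROM / RCPT TO without authenticating.

    The transaction is reset before any DATA, so no message is ever sent.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, body = smtp.ehlo()
        if code != 250:
            return False, f"inconclusive: EHLO rejected with {code}"
        exts = parse_ehlo_extensions(body.decode("latin-1"))
        mail_code, _ = smtp.mail(PROBE_SENDER)
        if mail_code != 250:
            smtp.rset()
            return False, f"inconclusive: MAIL FROM refused with {mail_code}"
        rcpt_code, _ = smtp.rcpt(PROBE_RCPT)
        smtp.rset()  # abandon the transaction
        return relay_verdict("AUTH" in exts, rcpt_code, submission)


if __name__ == "__main__":
    # Usage: python relay_probe.py MX_HOST SUBMISSION_HOST  (both listen on 25)
    mx_host, sub_host = sys.argv[1], sys.argv[2]
    for label, host, is_sub in (("MX", mx_host, False), ("submission", sub_host, True)):
        ok, why = probe_endpoint(host, 25, is_sub)
        print(f"{label:10s} {host}: {'PASS' if ok else 'FAIL'} - {why}")
```

Run it from outside your own network (a dial-up address would be NATted behind Firewall 1 and might be treated as local), and rerun it after any firewall rule change: a redirect that accidentally lands external port 25 on the mail server instead of SpamFilter shows up here as the MX endpoint suddenly offering AUTH, and a mail server that loses its relay restriction shows up as "open relay" on the submission endpoint.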
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4106
Posted: 03 February 2005 at 3:49pm
If the number of "not dialed in" customers is so small that you don't have problems having them change their config, then yes, your solution will work just fine!