
This page is part of the EmailServer article.

Alternate Access

It is not uncommon for ISPs to deal with spam and other email annoyances by forcing their users to go through the ISP's own email services.
Most often, they block the SMTP port 25, preventing your roaming or external users or offices from connecting directly to your mail server to deliver their mail.

Another, more devious kind of filtering seems to be common in places like China. The largest provider, China Telecom, seems to have strange ways of limiting (or filtering) access to IMAP and POP services when connecting to servers outside of China.
I'm not sure how and why, but access to these ports would be OK for a while, then would suddenly be blocked while all other traffic would still be available.

To solve these issues I'm discussing here two solutions:

  • opening alternate ports to our SMTP or POP and IMAP services.
  • offering alternative encrypted channels for SMTP or POP and IMAP services.

The first one may be enough to circumvent the restrictions imposed by most ISPs and will work fine as long as their filters only block the usual email ports 25, 110 or 143.
We use IP forwarding (an iptables DNAT rule) to poke a hole in the firewall and redirect any incoming traffic on the alternate ports to the standard ports.

The second also requires that we poke holes in our firewall, but we'll just ask stunnel to listen on other ports as well as the standard SSL ones discussed in the SecureAccess article.

Forwarding traffic from one port to another

So let's implement the first solution.
I'll arbitrarily choose to use ports 725, 710 and 743 for SMTP, POP and IMAP.

As discussed in the Firewall chapter, I use the strong firewall rule script provided by the Linux IP Masquerade HOWTO.

In the FORWARD section of the script, I add the following entries:

echo "     - FWD: Alternate SMTP, POP3 and IMAP ports"
# For each alternate port: accept the forwarded connection from the external
# interface to the internal one, then DNAT it to the standard port on the
# internal mail server ($INTIP1).
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 725 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 725 -j DNAT --to $INTIP1:25
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 710 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 710 -j DNAT --to $INTIP1:110
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 743 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 743 -j DNAT --to $INTIP1:143

Now restart the script (should be saved as /etc/rc.d/rc.firewall) and modify your email client to send and receive its mail using the new ports.

Secure alternate access

Again, we're going to use alternate ports 825, 810 and 843 as our arbitrary secure ports.

First, we poke holes for these ports in our firewall, so just edit /etc/rc.d/rc.firewall and add the following to the OUTPUT section of the script:

echo -e "      - Allowing access to Alternate Secured Email ports"
# Accept inbound connections from anywhere on the external interface to the
# alternate TLS ports; stunnel on this host answers them, so no DNAT is needed.
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 825 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 810 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 843 -j ACCEPT

Restart the script and add the following entries to the stunnel configuration file /etc/stunnel/stunnel.conf discussed in the SecureAccess chapter:

; Alternate TLS ports: stunnel accepts the TLS connection on the alternate
; port and hands the decrypted stream to the plaintext service on localhost.
; The section labels are arbitrary (assumed here, not from the original page).
[imap-alt]
accept  = 843
connect = 143

[pop3-alt]
accept  = 810
connect = 110

[smtp-alt]
accept  = 825
connect = 25

Restart stunnel (service stunnel restart if you installed the init script for it) and modify your email clients to use SSL and the alternative ports.
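Both procedures above (DNAT for the plaintext alternate ports, stunnel for the TLS ones) repeat the same few lines by hand for each of the three ports. The script below is an added example, not code from this wiki page, from the IP Masquerade HOWTO or from stunnel: it keeps the alternate-to-standard port table in one place, generates the rc.firewall lines and the stunnel service sections from it, and checks an iptables-save dump for the expected DNAT rules. The $IPTABLES, $EXTIF, $INTIF, $EXTIP, $INTIP1 and $UNIVERSE names follow the HOWTO script; the stunnel section labels, the sample addresses and the sample dump are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original wiki page: generate the rc.firewall
# lines and stunnel services from one port table, and check an iptables-save
# dump for the DNAT rules. Variable names follow the IP Masquerade HOWTO
# script; the sample dump and addresses below are constructed.

# Alternate port -> standard port, one "alt:std" mapping per line.
PLAIN_MAP="725:25
710:110
743:143"

TLS_MAP="825:25
810:110
843:143"

# Rule pair for a plaintext alternate port: accept it through FORWARD and
# DNAT it to the standard port on the internal mail server. The variable
# names are printed unexpanded so the output can be pasted into rc.firewall.
dnat_rules() {
    alt=${1%%:*}; std=${1##*:}
    printf '$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' "$alt"
    printf '$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport %s -j DNAT --to $INTIP1:%s\n' "$alt" "$std"
}

# INPUT accept for a TLS alternate port that stunnel terminates on the firewall host.
input_rule() {
    alt=${1%%:*}
    printf '$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport %s -j ACCEPT\n' "$alt"
}

# One stunnel (version 4 style) service section; the label is an assumed
# name derived from the standard port.
stunnel_service() {
    alt=${1%%:*}; std=${1##*:}
    case $std in
        25)  name=smtp-alt ;;
        110) name=pop3-alt ;;
        143) name=imap-alt ;;
        *)   name="tcp${std}-alt" ;;
    esac
    printf '[%s]\naccept  = %s\nconnect = %s\n\n' "$name" "$alt" "$std"
}

# Apply a generator to every mapping in a table (word-split on newlines).
emit_dnat_block()    { for m in $1; do dnat_rules "$m"; done; }
emit_input_block()   { for m in $1; do input_rule "$m"; done; }
emit_stunnel_block() { for m in $1; do stunnel_service "$m"; done; }

# Constructed iptables-save nat table, as it would look after the DNAT rules
# were loaded with EXTIP=203.0.113.10 and INTIP1=192.168.1.2 (sample values).
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 725 -j DNAT --to-destination 192.168.1.2:25
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 710 -j DNAT --to-destination 192.168.1.2:110
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 743 -j DNAT --to-destination 192.168.1.2:143
COMMIT'

# Check a nat-table dump (e.g. "$(iptables-save -t nat)") for one DNAT rule
# per mapping. Returns 0 when all are present, 1 otherwise, and names the
# missing ones on stderr.
verify_dnat_dump() {
    dump=$1; map=$2; missing=0
    for m in $map; do
        alt=${m%%:*}; std=${m##*:}
        if ! printf '%s\n' "$dump" | grep -q -- "--dport $alt -j DNAT --to-destination [0-9.]*:$std\$"; then
            echo "missing DNAT rule: $alt -> $std" >&2
            missing=1
        fi
    done
    return $missing
}

# Stand-alone run: print the rc.firewall lines and the stunnel fragment,
# then check the sample dump.
emit_dnat_block "$PLAIN_MAP"
emit_input_block "$TLS_MAP"
emit_stunnel_block "$TLS_MAP"
verify_dnat_dump "$SAMPLE_NAT_DUMP" "$PLAIN_MAP" && echo "all DNAT rules present"
```

After restarting rc.firewall on the gateway, running verify_dnat_dump against the live output of iptables-save -t nat tells you whether the redirects actually loaded before you start changing mail clients; a missing mapping is the usual reason an alternate port "works from inside but not outside". Keeping the port table in one place also means the plaintext DNAT ports and the stunnel accept ports cannot drift apart when you later change them.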

Page last modified on Wednesday 24 May 2006, at 11:07 GMT+8 - Viewed 382 times