Allowing all hosts that can connect to port 26 to be trusted networks.

CRCinAU

Hi all,

So I have a mate that I'm relaying email via my PMG instance. He's on a dynamic IP - which due to DNS updates works fine for sending mail TO his mail server, but having mail sent via PMG port 26 becomes difficult because I can't add a dynamic IP to the list of trusted networks.

Given I have a firewall that *does* understand dynamic IPs etc, how can I allow relay access via any host that can connect to port 26?

I can't seem to add 0.0.0.0/0 or 0.0.0.0/2 and 127.0.0.0/2 as networks to emulate adding 0.0.0.0/0 as a trusted network.
 
> Given I have a firewall that *does* understand dynamic IPs etc, how can I allow relay access via any host that can connect to port 26?

Adapt the postfix config (https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine) to allow all IPs for the listener on port 26.

I'd strongly recommend against adding 0/0 to the trusted networks - as those are added to postfix `mynetworks`, which is allowed on the external port as well - you'd be creating an open relay that way.

I hope this helps!
 
I have a bash script that runs via crontab.

It knows the DDNS hostname(s) that are connecting to port 26.
It keeps track of their IP addresses.
If anything changes,
- it writes to /etc/pmg/mynetworks
- it runs pmgconfig sync to make it active.
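The approach described in the post above can be sketched as follows. This is an added example, not the poster's script: the variable and function names, the placeholder DDNS hostname, the separate static-entries file and the one-CIDR-per-line layout of /etc/pmg/mynetworks are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed/hypothetical: the variable
# and function names, the DDNS hostname, the static-entries file, and the
# one-CIDR-per-line layout of /etc/pmg/mynetworks.
HOSTS="${HOSTS:-relay-client.ddns.example}"   # placeholder name(s), space separated
MYNETWORKS="${MYNETWORKS:-/etc/pmg/mynetworks}"
STATIC_FILE="${STATIC_FILE:-/etc/pmg/mynetworks.static}"  # fixed, hand-kept CIDRs
SYNC_CMD="${SYNC_CMD:-pmgconfig sync}"

# Print the current IPv4 addresses of one hostname, one per line.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Print the wanted file content: static entries, then one /32 per resolved
# address. Fails if a host does not resolve or returns something unexpected,
# so a DNS outage never silently removes (or garbles) an entry.
build_list() (
    if [ -f "$STATIC_FILE" ]; then cat "$STATIC_FILE"; fi
    for h in $HOSTS; do
        ips=$(resolve_host "$h")
        [ -n "$ips" ] || exit 1
        for ip in $ips; do
            case "$ip" in *[!0-9.]*) exit 1 ;; esac   # digits and dots only
            printf '%s/32\n' "$ip"
        done
    done
)

# Rewrite the file and reload PMG only when the content actually changed.
# Returns non-zero, leaving the file untouched, when resolution fails.
sync_mynetworks() {
    tmp=$(mktemp) || return 1
    if ! build_list > "$tmp"; then rm -f "$tmp"; return 1; fi
    if cmp -s "$tmp" "$MYNETWORKS" 2>/dev/null; then rm -f "$tmp"; return 0; fi
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$MYNETWORKS" && rm -f "$tmp" && $SYNC_CMD
}

# Cron entry point (hypothetical install path):
#   */5 * * * * /usr/local/sbin/pmg-ddns-sync --apply
if [ "${1:-}" = "--apply" ]; then sync_mynetworks; fi
```

Relay access then follows whatever the DDNS records resolve to, so the credentials that update those records become part of the relay's access control.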
 
> adapt the postfix config (https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine) to allow all IPs for the listener on port 26.

Had a chance to take a look at this today.

I've done modifications to templates before, so not a huge learning curve here - but on the postfix config side, if I'm understanding it right, I just have to add `-o mynetworks=0.0.0.0/0` to the section for pmg.mail.int_port (which is port 26 in my case) in master.cf.in

Does this seem sane?

The end result after pmgconfig sync is:
Code:
26       inet  n -       -       -       100      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10023
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_client_connection_count_limit=10
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_forbid_bare_newline=no
  -o mynetworks=0.0.0.0/0

That seems sane to me - but it's been a number of years since I've looked at postfix config now...
 
> I've done modifications to templates before, so not a huge learning curve here - but on the postfix config side, if I'm understanding it right, I just have to add `-o mynetworks=0.0.0.0/0` to the section for pmg.mail.int_port (which is port 26 in my case) in master.cf.in

To achieve your goal of letting anyone who has access to port 26 relay mails to anyone - this seems correct (did not test it explicitly).

> Does this seem sane?

In the context of having a separate firewall which restricts access to port 26 in your setup - this can work. Writing this here explicitly, lest someone skims this thread in the future and adds 0.0.0.0/0 to their trusted networks without such external access control :)

I hope this helps!
 
Thanks.

And yes, for the sake of anyone coming across this later on and skim reading, DO NOT do this unless there is a functional access restriction that limits the world from using your system - or it'll make you an open relay to everyone and be a massive abusive target.
 