[c-nsp] SMTP Redirection

Bruce Pinsky bep at whack.org
Fri Jun 30 19:07:12 EDT 2006


Jason Percle wrote:
> Couldn't something like this be done with route maps, similar to the
> interception proxy method with Squid:
> 
> For example:
> 
> The second line in acl 125 will give the mail server direct access to the
> net to prevent a routing loop
> 
> route-map smtp-redirect permit 10
>  match ip address 125
>  set ip next-hop mail.server.ip
> 
> access-list 125 deny   tcp any any neq 25
> access-list 125 deny   tcp host mail.server.ip any
> access-list 125 permit tcp any any
> 
> interface (Outbound interface)
>  ip policy route-map smtp-redirect
> 


I've seen the suggestion of using policy routing in conjunction with NAT to
make it happen.  Basically similar to above except you would need to use
NAT to change the destination to your email server's IP address to spoof
the client into thinking they were talking to the outbound mail server they
have configured.  Where this could break down is if the clients happen to be
using authentication with those servers.  Clearly you would not have the
right credentials to spoof the authentication.

I'm not sure that the above route-map and policy routing configuration will
work since policy routing is done on an inbound basis and not outbound.

In general though, why not just block port 25 and tell folks that if they
want to use their own outbound mail servers they need to do it on port 587?

--
=========
bep

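For reference, here is an added IOS configuration sketch (not posted by either participant in the thread) showing the two points the reply makes: the policy route-map has to sit on the interface the client traffic arrives on, not the upstream interface, and the simpler alternative is to filter TCP/25 from clients and leave submission on TCP/587 alone. Interface names and the 192.0.2.0/24 addresses are placeholders; the destination-NAT rewrite mentioned in the reply is not shown, so on its own option A only steers the packets, it does not make the client believe it reached its configured server.

```cisco
! Added example, not from the original thread. Placeholder layout:
!   GigabitEthernet0/0  = client LAN 192.0.2.0/24, router is 192.0.2.1
!   192.0.2.25          = local mail server on that LAN
!   GigabitEthernet0/1  = upstream link
!
! ---- Option A: policy-route client TCP/25 to the local mail server ----
!
! In a PBR ACL, "permit" means "policy-route this", "deny" means "route
! normally". The mail server's own outbound SMTP is denied here so its
! relayed mail is not handed straight back to it (the loop the original
! poster was guarding against).
ip access-list extended SMTP-INTERCEPT
 deny   tcp host 192.0.2.25 any eq 25
 permit tcp 192.0.2.0 0.0.0.255 any eq 25
!
route-map SMTP-REDIRECT permit 10
 match ip address SMTP-INTERCEPT
 set ip next-hop 192.0.2.25
!
! Policy routing is evaluated on packets received on an interface, so the
! route-map belongs on the client-facing interface, not the upstream one.
interface GigabitEthernet0/0
 description client LAN
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map SMTP-REDIRECT
!
! Without a destination rewrite the mail server still sees packets addressed
! to some other host's IP and will not answer them; that rewrite (and the
! authentication problem it cannot solve) is what the reply cautions about.
!
! ---- Option B: block direct TCP/25 from clients, leave TCP/587 alone ----
!
! Only the local mail server may speak SMTP to the outside; clients that
! want their own outbound server use submission (587), which passes through
! the final "permit ip any any". Logging the denies shows who is still
! trying port 25 so they can be told to switch.
ip access-list extended LAN-OUT
 permit tcp host 192.0.2.25 any eq 25
 deny   tcp any any eq 25 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group LAN-OUT in
```

Option B is the one that actually meets the stated goal with no spoofing involved: authenticated submission to an external server keeps working because it is on 587, and anything still trying 25 directly is visible in the log before it is simply dropped.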