Re (2): [Oberon] SMTP/SSH tunnel

W B Hacker wbh at conducive.org
Sun Mar 25 10:54:50 MEST 2007


peasthope at cablelan.net wrote:
> Bill,

*snip*

> 
> H is my Debian Linux system at home.  It has 
> exim4, a connection to my home LAN and a 
> continuous cable connection to P. 

I don't 'DO' Windows or Linux, but the minute you say 'Exim4' I know the 
configuration *may be* handled very differently from Exim on Unix.

Does the same job - but configuration is structured and managed differently, so 
you need to look at Marc Haber's docs and Exim-Debian specific mailing list 
archives and postings to be sure you are making the appropriate config settings 
in the correct place.

And/or ask Marc. But go forth with accurate and detailed information, i.e. 
hostnames and IPs, not just 'H' and 'W' and 'P'.

Any of us sufficiently smtp-aware to help can find all that out anyway, but we 
resent pulling teeth.

> 
> P belongs to the ISP and is beyond my control.
> 

Given.  But amazed they accept your relay on port 25.

> When W is on the LAN with H, H relays 
> messages to P with no problems.  Apparently 
> W, H and P all use port 25.  SSH is not 
> involved.
> 
> When W is away from the home LAN but can 
> connect to H through the Internet, messages 
> should go from W to H through a SSH tunnel.  
> H should continue to relay messages to P as 
> mentioned above.  The tunnel should be invoked 
> by W.  
>

'H' can have more than one set of interface ports and protocols,
and may need them.

> wh> Best to use 587.
> 
> So /etc/exim4/exim4.conf.template should 
> contain this line?
> tls_on_connect_ports = 587
>

With the added information of the intervening boxen, I am no longer sure you 
even *need* the particular change initially suggested.

It is odd that your ISP is allowing relay via port 25 at all, odder still that 
it fails when you are accessing a box back of the relay host from different 
places but still coming to the ISP from the same 'last mile' box.

> H should continue to allow a local
> connection on port 25 ...
> 
> and this might open the tunnel from W to H?
> 

Pass.  May be unrelated.

> SSH.StartForwarding peter at peasthope.yi.org 25:localhost:587 ~
> 
> This will be the data flow?
> 
> [W:Oberon MUA:25] ==(SMTP in SSH tunnel)==>
>   [587:H:exim:25] ==(SMTP in cable)==> [25:P]
> 

Something like Home (Oberon) opens ssh tunnel on 44444 TO 66666, 587-as-SSL, or 
whatever, at WORK (Exim+Linux).  Oberon will need fixed port numbers at both 
ends, and Exim can 'meet' it there, but probably best to stay OFF 25 and 587 
entirely for that.

How 'weird' the port and protocol assignments are depends on whether Oberon is 
locked to specific ports. You do not want to 'depart' off port 25, for example, 
but rather some port well above 1024.


WORK (Exim+Linux) opens 'conventional' smtp to P (the ISP mailhost)

That last part is a road well-traveled and should need nothing 'weird'.

See Marc's docs and such for configuring Exim to 'submit' traffic to a smart 
host. But you seem to have that part working already.

> Thanks again for all the information,
>              ... Peter E.
> 
> Desktops.OpenDoc  http://carnot.pathology.ubc.ca/
> 

More digging of facts is needed, and my lack of both Oberon AND Linux awareness 
makes me the wrong guy for the rest of that.

The generality (from DOS) is:

Mailer-too-stupid-to-accept-other-than-port-25-as-a-target ==>

port-25-intercepted-on-same-box-and-diverted-to-local-end-of-tunnel ===>

tunnel-departing-on-arbitrary-port-above-1024-to-receptive-port-on-MTA-such-as-465 ====>

With the MTA accepting SSL, at least from the specific local box, on 465 or 
some other chosen port. MTA-onward is 'standard'.

I actually used port 666 for the MSDOS Win-boxen.....

QED.


;-)

Best,

Bill
> --
> Oberon at lists.inf.ethz.ch mailing list for ETH Oberon and related systems
> https://lists.inf.ethz.ch/mailman/listinfo/oberon
> 
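The chain Bill sketches (MUA submits to a local port, the local end of an ssh forward carries it to a non-privileged listening port on the MTA box, the MTA relays onward normally) can be exercised end to end without the real hosts. The script below is an added example, not code from the original thread and not an Exim configuration: a toy receiving MTA stands in for Exim on H, and the client submits to it over loopback exactly as the Oberon MUA would submit to the local end of the tunnel. The local port 2525, the hostnames and the addresses are assumptions; the ssh command in the comment is the standard `-L` local-forward form and is the only piece that touches a real host. On the Exim side the chosen port must appear in `daemon_smtp_ports` (and, if the forward terminates in TLS-on-connect, in `tls_on_connect_ports`).

```python
"""Added example: SMTP submission through the local end of an ssh forward,
with a toy MTA embedded so it runs offline.

Real deployment, run on W (port 2525 and user@H are assumptions):
    ssh -N -L 127.0.0.1:2525:127.0.0.1:587 user@H
The MUA then submits to 127.0.0.1:2525; ssh carries the session to H:587.
"""
import re
import smtplib
import socket
import threading
from email.message import EmailMessage

LOCAL_TUNNEL_PORT = 2525  # assumed local end of the forward; above 1024, off 25/587
ADDR_RE = re.compile(rb"<([^>]*)>")  # angle-bracket path in MAIL FROM / RCPT TO


class ToyMTA(threading.Thread):
    """Accepts one SMTP session on loopback and records the envelope.

    Stands in for Exim on H; port 0 asks the kernel for a free ephemeral
    port so the demo never needs root and never collides with a real MTA.
    """

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.envelope = {"from": None, "to": [], "data": b""}

    def run(self):
        conn, _ = self.sock.accept()
        f = conn.makefile("rb")
        conn.sendall(b"220 h.example.invalid ESMTP toy\r\n")
        while True:
            line = f.readline()
            if not line:
                break
            cmd = line.strip()
            up = cmd.upper()
            if up.startswith(b"EHLO") or up.startswith(b"HELO"):
                conn.sendall(b"250-h.example.invalid\r\n250 8BITMIME\r\n")
            elif up.startswith(b"MAIL FROM:"):
                self.envelope["from"] = ADDR_RE.search(cmd).group(1).decode()
                conn.sendall(b"250 OK\r\n")
            elif up.startswith(b"RCPT TO:"):
                self.envelope["to"].append(ADDR_RE.search(cmd).group(1).decode())
                conn.sendall(b"250 OK\r\n")
            elif up == b"DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                body = []
                while True:
                    dl = f.readline()
                    if dl == b".\r\n" or not dl:
                        break
                    body.append(dl[1:] if dl.startswith(b"..") else dl)  # un-dot-stuff
                self.envelope["data"] = b"".join(body)
                conn.sendall(b"250 queued\r\n")
            elif up == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"500 unrecognised\r\n")
        conn.close()
        self.sock.close()


def submit_via_tunnel(sender, rcpt, subject, body, port=LOCAL_TUNNEL_PORT):
    """What the MUA does: plain SMTP to the loopback port the forward owns."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(body)
    with smtplib.SMTP("127.0.0.1", port, timeout=5) as client:
        client.send_message(msg)  # EHLO, MAIL FROM, RCPT TO, DATA, QUIT
    return msg


def demo():
    """Run one submission against the toy MTA and return what it recorded."""
    mta = ToyMTA()
    mta.start()
    submit_via_tunnel("peter@h.example.invalid", "someone@example.invalid",
                      "tunnel test", "hello from W", port=mta.port)
    mta.join(5)
    return mta.envelope


if __name__ == "__main__":
    print(demo())
```

The toy MTA records only the envelope; in the real chain Exim on H would apply its own relay controls before handing the message to P, so the forward should be bound to 127.0.0.1 on both ends (as in the ssh line above) rather than to all interfaces.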