Gentoo Archives: gentoo-user

From: Daniel Frey <djqfrey@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Mail forwarder on LAN
Date: Mon, 24 Dec 2018 15:29:07
Message-Id: cd20e60e-21c5-cbd5-fe20-b1f9e46d803c@gmail.com
In Reply to: Re: [gentoo-user] Mail forwarder on LAN by Grant Taylor
On 12/23/18 8:21 PM, Grant Taylor wrote:

> Can the phone server in A talk to a system in B?  Or does the magic need
> to happen on a multi-homed host that is in both the Voice VLAN (A) and
> data VLAN (B)?

Yes, I control the router; poking a hole allowing port 25 from the phone
server IP to the mail relay IP is trivial. This would lessen the need
for a multi-homed server - although that is possible too as the
infrastructure is virtualized.

>
>> I've never had to deal with a server in this manner before... needing
>> to go through a different VLAN/VPN. Hence my thought of a mail relay.
>
> I believe the mail relay, particularly if it's multi-homed in both voice
> and data VLANs, is a viable option.
>
>> I was messing with source and destination NAT but because of the site
>> VPN addressing, and the phone server not being in that address
>> range... I'm pretty sure that's why it wasn't working.
>
> Depending where you do it, I would expect that the NAT would work.
>
> Hypothetical scenario:
>
> Voice VLAN = 192.0.2.0/24
> Local Data VLAN = 198.51.100.0/24
> Remote Data VLAN = 203.0.113.0/24
>
> I'm guessing that you need to get voice messages as attachments from the
> VoIP PBX, 192.0.2.123, to the corporate email server, 203.0.113.234. The
> problem is the site-to-site VPN only allows 198.51.100.0/24 and
> 203.0.113.0/24 to communicate.  Meaning that the site-to-site VPN won't
> pass traffic from the VoIP PBX.
>
> Here's an important question:  Does the VoIP PBX have a default gateway
> configured?  Or does it /only/ know about the voice VLAN, 192.0.2.0/24?
> Because if it doesn't have a default gateway, then (what it knows as)
> the mail server will have to be local to the voice subnet.
>
> We already know that the local side of the email solution will have to
> be in the 198.51.100.0/24 subnet to be able to use the VPN.
>
> You could probably fairly easily have a multi-homed host that is in both
> the Voice VLAN, 192.0.2.252, and the Local Data VLAN, 198.51.100.252.
>
> That would allow you to run an MTA on the multi-homed host and forward
> email at the SMTP application layer.
>
> That would also allow you to use NAT to translate the SMTP traffic as it
> passes between the VoIP PBX and the corporate email server.
>
> Let's say that eth0 is in the Voice VLAN, 192.0.2.252, and that eth1 is
> in the Local Data VLAN, 198.51.100.252.
>
> # Traffic from the VoIP PBX to the corporate email server.
> iptables -t nat -A PREROUTING -i eth0 -s $PBXIP -d 192.0.2.252 -p tcp --dport 25 -j DNAT --to-destination 203.0.113.234
> iptables -t nat -A POSTROUTING -o eth1 -s $PBXIP -d 203.0.113.234 -p tcp --dport 25 -j SNAT --to-source 198.51.100.252
>
> # Traffic from the corporate email server to the VoIP PBX.
> iptables -t nat -A PREROUTING -i eth1 -s 203.0.113.234 -d 198.51.100.252 -p tcp --sport 25 -j DNAT --to-destination $PBXIP
> iptables -t nat -A POSTROUTING -o eth0 -s 203.0.113.234 -d $PBXIP -p tcp --sport 25 -j SNAT --to-source 192.0.2.252
>
> That should get quite close to what you need.  That alters both the
> source and destination IP addresses as the traffic passes through the
> multi-homed host, in each direction.
>
> Aside:  I call that "Double NAT" because it NATs two different addresses
> on one device (as two distinct operations).  But the rest of the world
> thinks "Double NAT" is something else.  :-/
>

So it basically comes down to picking a package and then locking it down
so it only forwards mail to that specific IP, and only allows mail to be
received from the phone server.

It would be easier to use the public IP but due to regulations it has to
go over the VPN.

Dan
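The "double NAT" relay Grant sketched, combined with the lock-down Dan describes (only the PBX may send, only the corporate mail server may be the target), as an added example that is not part of the thread. It is a POSIX shell script using the thread's documentation addresses and interface names; the variable names, the `valid_ipv4` check, the FORWARD-chain filter rules and the `APPLY` switch are this example's own assumptions, not anything either poster wrote. By default it only prints the rule set, so it can be reviewed before being applied on the multi-homed host.

```shell
#!/bin/sh
# Added example (not from the thread): emit, and optionally apply, the NAT
# and filter rules for a multi-homed SMTP relay between a voice VLAN and a
# data VLAN that has the site-to-site VPN. Addresses are the thread's
# documentation ranges (assumed); override via the environment.

PBXIP="${PBXIP:-192.0.2.123}"             # VoIP PBX in the voice VLAN
VOICE_IF="${VOICE_IF:-eth0}"              # relay NIC in the voice VLAN
VOICE_ADDR="${VOICE_ADDR:-192.0.2.252}"   # relay address the PBX sends to
DATA_IF="${DATA_IF:-eth1}"                # relay NIC in the local data VLAN
DATA_ADDR="${DATA_ADDR:-198.51.100.252}"  # relay address allowed over the VPN
MAILSERVER="${MAILSERVER:-203.0.113.234}" # corporate mail server across the VPN

# valid_ipv4 ADDR: dotted-quad sanity check so that a typo or an empty
# variable cannot turn "-s $PBXIP" into a rule that matches every source.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nat_rules: the PBX talks to the relay's voice-side address on TCP/25; the
# relay rewrites the destination to the mail server and the source to its
# own VPN-permitted data-side address. Conntrack reverses both translations
# for the replies, so no separate rules are needed for return packets.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $VOICE_IF -s $PBXIP -d $VOICE_ADDR -p tcp --dport 25 -j DNAT --to-destination $MAILSERVER
iptables -t nat -A POSTROUTING -o $DATA_IF -s $PBXIP -d $MAILSERVER -p tcp --dport 25 -j SNAT --to-source $DATA_ADDR
EOF
}

# filter_rules: the lock-down. FORWARD sees packets after DNAT, so the only
# permitted new flow is PBX -> mail server on TCP/25; replies are accepted
# only as part of that established connection; everything else is dropped.
filter_rules() {
    cat <<EOF
iptables -A FORWARD -i $VOICE_IF -o $DATA_IF -s $PBXIP -d $MAILSERVER -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $DATA_IF -o $VOICE_IF -s $MAILSERVER -d $PBXIP -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# rule_count: number of iptables commands the script would run.
rule_count() {
    { nat_rules; filter_rules; } | wc -l | tr -d ' '
}

main() {
    for addr in "$PBXIP" "$VOICE_ADDR" "$DATA_ADDR" "$MAILSERVER"; do
        valid_ipv4 "$addr" || { echo "refusing to continue: bad address '$addr'" >&2; return 1; }
    done
    if [ "${APPLY:-0}" = 1 ]; then
        # Forwarding is off by default on a Linux host; the relay needs it.
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        { nat_rules; filter_rules; } | sh -e
    else
        nat_rules
        filter_rules
    fi
}

main "$@"
```

Run it without arguments to print the five rules; run it as `APPLY=1 ./relay-nat.sh` (name assumed) on the multi-homed host to apply them. The script deliberately omits Grant's second pair of rules for mail-server-to-PBX traffic: with connection tracking the replies on the PBX-initiated connection are un-translated automatically, and the filter rules above would refuse a connection the corporate server initiates, which is the point of the lock-down. This is the NAT variant of the relay; an SMTP-layer relay (a real MTA on the same host, which Dan settles on) would enforce the same two restrictions in the MTA's configuration instead.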