setting up a local outbound mailserver at home for dialup

Stephen P. Schaefer sschaefer at acm.org
Wed Nov 19 01:16:53 EST 2003



Joseph Mack NA3T wrote:
> I have a group of machines at home NAT'ed behind a linux router/dial-up
> box. All machines are on 192.168.1.0/24.
> 
> If I send e-mail from one of these machines I will usually get a refusal
> from the recipient because of a failure in reverse DNS. Presumably DNS
> can't resolve my local internal domain name because it is private.

If you're NATed, then any failure of reverse DNS would be a failure to 
reverse DNS the address to which you are NATed, which is presumably a 
public address, and not a 192.168.1.0/24 address.  I've heard that some 
ISPs use private addresses and then NAT at the central office, but 
you don't say, so I'll presume this is the more usual 
I'm-natting-at-my-house.

> 
> If I use my ISP's outbound mailserver (eg mail.isp.net) as the first
> hop for my mail (eg when using netscape as the mail client), I am asked
> for my username/passwd for the first mail. After that, all mail is
> forwarded without a request for authentication.
> 

Asked for a username and password using what protocol?  POP before SMTP?
Some sort of HTTP transaction?

> I would like to setup mail at home so that the outbound mailserver
> for local machines is my router (192.168.1.1), so that internal machines
> do not have to be re-configured when I'm using a different ISP (I move
> my setup from place to place occasionally and wind up using different
> ISPs).
> 
> I then need to setup the router so that it can handle the authentication
> request from the ISP, without user intervention

This depends on the protocol.  It would be an interesting perl exercise 
to implement a mail server (using copious CPAN help, of course) that, if 
there had been a significant lapse of time (or other indication of loss 
of authentication) would automatically initiate (or accept?) the 
authentication mechanism.  I could be a lot less vague if I knew what 
protocols were involved.

> or it can send directly to
> the recipient. If I went the latter route, would it work if I bound the
> MTA to the dynamic IP on the outside of the router? (Presumably this
> dynamic IP is reverse DNS-able by the recipient). 

There has been talk on the trilug list that many ISPs are now blocking 
SMTP from non-whitelisted addresses, to prevent spam.  That could mean 
your SMTP could be blocked.  This may, indeed, be your primary problem. 
In this case, I believe the prevention is worse than the disease, 
because it means the ISPs become the gatekeepers to our freedom to 
communicate.  Call me "Mad-Eye Moody".

> If binding to the
> dynamic IP works, then presumably the MTA at 192.168.1.1 which is
> forwarding mail from user on the boxes on the NAT'ed network, will
> have to be setup to forward mail to the MTA on the dynamic IP.
> 
> Any thoughts?
> 

Unless I've completely understood, you've got a Linux box with two 
addresses, 192.168.1.1, and, for illustrative purposes, 66.66.66.66.
To send mail out, you will want to listen only to 192.168.1.1.  The MTA 
will see the To: address, do its DNS, and then initiate a connection 
from a random high TCP port at 66.66.66.66 to port 25 of the public IP 
address of the recipient's MTA.  You haven't expressed a need to 
passively receive e-mail from the public internet, which is the case in 
which you would bind your MTA to the public side (an exercise fraught 
with pitfalls).  Instead, I'll assume you're using fetchmail or some 
other mechanism wherein your ISP holds your e-mail.

A Mail Transfer Agent's job is to relay (transfer) mail.  Most do the job 
by default.  If you're using sendmail on a Red Hat distribution, do this:

cd /etc/mail

Find the line in /etc/mail/sendmail.mc that goes

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Add a line that goes

DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.1, Name=MTA')dnl

Run "make sendmail.cf"

Make sure the sendmail daemon is running:

chkconfig --level 2 3 4 5 sendmail on
/etc/init.d/sendmail restart

Make sure DNS is looking up internet answers properly on the Linux 
"router".  Then you can tell all your inside machines to use the Linux 
box as their relay.  This will work, so long as you don't find yourself 
on the wrong side of your recipient's whitelist.

> Thanks Joe
> 
> 

Hope this helps,

     - Stephen
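The sendmail steps in the reply above, as an added example that is not part of the original thread and not sendmail's own tooling: a small POSIX sh script that adds the LAN DAEMON_OPTIONS line to a sendmail.mc only once (so it can be re-run safely), and then checks a listening-socket listing so that port 25 is open on loopback and 192.168.1.1 only, never on the public side that the reply calls "fraught with pitfalls". It assumes a Red Hat-style sendmail.mc that already carries the loopback DAEMON_OPTIONS line quoted above, and socket output in the column layout of `ss -ltn` or `netstat -ltn` (local address:port in the fourth column). The sendmail.mc stand-in and the socket listing are constructed for the demo; 66.66.66.66 is the illustrative public address from the reply.

```sh
#!/bin/sh
# Added example, not part of the original thread. Assumes a Red Hat-style
# /etc/mail/sendmail.mc that already carries the loopback DAEMON_OPTIONS
# line, and a socket listing in "ss -ltn" / "netstat -ltn" column layout
# (local address:port in the fourth column).

# add_lan_listener FILE ADDR
#   Insert "DAEMON_OPTIONS(`Port=smtp,Addr=ADDR, Name=MTA')dnl" directly
#   after the loopback listener line in FILE, once only. Prints "added"
#   the first time and "present" on later runs, so a dial-up "up" script
#   can call it every time without producing duplicate lines.
add_lan_listener() {
    mc="$1"
    addr="$2"
    line="DAEMON_OPTIONS(\`Port=smtp,Addr=${addr}, Name=MTA')dnl"
    if grep -qF "Addr=${addr}," "$mc"; then
        echo present
        return 0
    fi
    awk -v new="$line" '
        { print }
        /^DAEMON_OPTIONS\(`Port=smtp,Addr=127\.0\.0\.1,/ && !done { print new; done = 1 }
        END { if (!done) print new }   # no loopback line: append at the end
    ' "$mc" > "$mc.tmp" && mv "$mc.tmp" "$mc"
    echo added
}

# audit_smtp_listeners "ADDR ADDR ..."  < listing
#   Reads a socket listing on stdin and reports every port-25 listener
#   whose local address is not in the space-separated allowed list.
#   0.0.0.0, * and the public address all count as unexpected.
#   Returns 1 if any was found, 0 otherwise.
audit_smtp_listeners() {
    awk -v allowed=" $1 " '
        $4 ~ /:25$/ {
            addr = $4
            sub(/:[^:]*$/, "", addr)             # strip the ":25"
            if (index(allowed, " " addr " ") == 0) {
                print "unexpected SMTP listener on " addr
                bad = 1
            }
        }
        END { exit bad }
    '
}

demo() {
    f=$(mktemp)
    # constructed stand-in for /etc/mail/sendmail.mc
    printf '%s\n' \
        "DAEMON_OPTIONS(\`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl" \
        "MAILER(smtp)dnl" > "$f"
    add_lan_listener "$f" 192.168.1.1      # added
    add_lan_listener "$f" 192.168.1.1      # present (no duplicate line)
    cat "$f"
    rm -f "$f"

    # constructed listing in "ss -ltn" layout; 66.66.66.66 is the thread's
    # illustrative public address and must not carry an SMTP listener
    if printf '%s\n' \
        "State  Recv-Q Send-Q Local Address:Port Peer Address:Port" \
        "LISTEN 0      128    127.0.0.1:25       0.0.0.0:*" \
        "LISTEN 0      128    192.168.1.1:25     0.0.0.0:*" \
        "LISTEN 0      128    66.66.66.66:25     0.0.0.0:*" \
        "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*" |
        audit_smtp_listeners "127.0.0.1 192.168.1.1"
    then
        echo "SMTP bound to loopback and LAN only"
    else
        echo "fix DAEMON_OPTIONS: sendmail is reachable from the public side"
    fi
}

demo
```

After `make sendmail.cf` and the restart, `ss -ltn | audit_smtp_listeners "127.0.0.1 192.168.1.1"` (or the `netstat -ltn` equivalent) is the check worth keeping: a port-25 listener on the public address, on 0.0.0.0 or on `*` means the relay is reachable from the Internet, which is exactly the binding the reply advises against for an outbound-only setup. IPv6 listeners come out as `[::1]` and similar and are reported unless they are added to the allowed list.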



More information about the ncsa-discussion mailing list