# SMTP relay or proxy



## ahgu (Aug 31, 2015)

I have a machine A that is open to internet and has port 25 open.
And I have another machine B that is on internet but port 25 is blocked.

I want to set up so that machine A receives all the email and forwards the email to machine B, using machine B as storage for all emails, with machine A just a relay/forwarder.
Machine A also acts as outgoing mail server with login/password.

How would I realize that? What software should I use? 

Thank you in advance.
ahgu


----------



## gkontos (Aug 31, 2015)

This is a very complicated setup without a particular reason..... 

If you go with postfix then you will need to declare in machine A that machine B is the final destination. Of course you would need to have port 25 open in machine B for machine A.


----------



## ahgu (Sep 1, 2015)

Can they use a different port when transferring the mail?



gkontos said:


> This is a very complicated setup without a particular reason.....
> 
> If you go with postfix then you will need to declare in machine A that machine B is the final destination. Of course you would need to have port 25 open in machine B for machine A.


----------



## tony33 (Sep 2, 2015)

ahgu said:


> Can they use a different port when transferring the mail?



The answer is yes, if you're going to relay the e-mails. The server exposed to the internet must use common ports. The ports where you forward it to your other servers can be any ports, as long as that server is set up to send the e-mails using another port.


----------



## phoenix (Sep 2, 2015)

gkontos said:


> This is a very complicated setup without a particular reason.....



This is a very common setup, especially if you are doing spam/virus filtering on the gateway SMTP server, or when hosting multiple mail domains.

All incoming and outgoing SMTP traffic is routed through Machine A (Machine A is the MX for all the different domains).  Machine A has transport rules setup to deliver mail to whichever other machines based on domain.

We have a similar setup at work.  The MX record for every domain is smtp.ourdomain.dom, so all incoming mail for anyone@*.ourdomain.dom is delivered to smtp.  All of the domains are listed in mynetworks and relay_domains in our Postfix config, and the transports map lists where to deliver the incoming messages.

And, every Postfix install on every machine in the district has relayhost set to the central SMTP server.

The central SMTP server does all the spam filtering, virus filtering, message blocking, etc, etc, and provides an extra layer of defense to the actual mail servers (none of which are accessible from the Internet).


----------



## gkontos (Sep 3, 2015)

phoenix, what you are describing is the classic method of having an external mail relay in the Internet and more particularly in the DMZ, doing all the anti spam, anti virus work, etc. The OP wants to have both machines exposed in the Internet which is not so common.


----------



## tony33 (Sep 3, 2015)

gkontos said:


> phoenix, what you are describing is the classic method of having an external mail relay in the Internet and more particularly in the DMZ, doing all the anti spam, anti virus work, etc. The OP wants to have both machines exposed in the Internet which is not so common.



Why both? If he does both... he can still do it but the 2 will only connect to each other. If he expects mail to come externally directly to either one then he cannot do it. He must use the standard ports.


----------



## ahgu (Sep 4, 2015)

Machine B is on dynamic IP with port 25 blocked. 
Machine A is open, I can use postfix to relay to machine B using some random port?


----------



## Jeckt (Sep 4, 2015)

I'd highly recommend Postfix as the mail software on both servers. It's flexible, well documented, sane, and has a good security record.

On server B, configure Postfix to listen on a non standard port. Example: 2552.  Configure the firewall (ipfw or pf) to only accept TCP connections from server A on this port.  Because you control both ends, you can also force TLS as a requirement to increase security.  You can set relayhost in main.cf to server A, or you can use transport_maps (which gives you more flexibility - which you may not need).

On server A use transport_maps to forward any mail for your domains to serverB: port####. Server A must be able to know where server B is located, either by a static-ip address, or a static DNS name. Outgoing mail on server A should be a fairly standard setup with authentication for submission (make sure you don't end up with an open relay). Also make sure your reverse DNS (PTR record) matches the server name or you'll have problems.
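
The layout described above written out as configuration, as an added example that is not from the post or from the Postfix project: Machine B listens on 2552 for Machine A only and sends everything out through A's authenticated submission port, while A accepts mail for the domain and hands it to B over mandatory TLS. The names example.com, a.example.com, b.example.com, the address 203.0.113.10 and port 2552 are assumed placeholders.

```conf
# ---- Machine B (port 25 blocked): /etc/postfix/master.cf ----
# Listen on 2552 instead of 25, require TLS, and accept mail only from
# hosts listed in mynetworks (i.e. Machine A); everything else is rejected.
2552      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/relayin
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_mynetworks,reject

# ---- Machine B: /etc/postfix/main.cf ----
# B is the final destination for the domain; only A may talk to it.
mydestination = example.com, $myhostname, localhost
mynetworks = 127.0.0.0/8, 203.0.113.10/32
# Outgoing mail from B goes to A's submission port with a login, because
# B's dynamic address cannot be whitelisted on A. The credentials live in
# /etc/postfix/sasl_passwd as:  [a.example.com]:587 relayuser:secret
relayhost = [a.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

# ---- Machine B: /etc/pf.conf (only A may reach the relay port) ----
pass in quick proto tcp from 203.0.113.10 to any port 2552
block in quick proto tcp to any port 2552

# ---- Machine A (public MX): /etc/postfix/main.cf ----
# Accept mail for the domain without being its final destination, and
# route it with the transport table below.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# Only mynetworks and authenticated clients (B, and users on submission)
# may relay to other destinations; this is what keeps A from being an
# open relay. Unauthenticated clients can only deliver to relay_domains.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
# Mandatory TLS only towards B; a global "encrypt" would break delivery
# to Internet hosts that do not offer STARTTLS.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- Machine A: /etc/postfix/transport (run "postmap" after editing) ----
example.com    smtp:[b.example.com]:2552

# ---- Machine A: /etc/postfix/tls_policy (run "postmap" after editing) ----
[b.example.com]:2552    encrypt
```

Since B's public address changes, b.example.com must be a dynamically updated DNS name as the post says, and the pf rule on B can use A's static address because A's address does not change.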


----------



## tony33 (Sep 5, 2015)

ahgu said:


> Machine B is on dynamic IP with port 25 blocked.
> Machine A is open, I can use postfix to relay to machine B using some random port?



Yes, you can do this.  Machine B won't connect to the internet. It will connect to machine A. You can choose any port. You just need to setup machine A and B to communicate on the same port.

However, machine A needs to be using standard ports. Any machine that gets traffic from the internet needs to use standard ports. It's because all machines on the internet use those standard ports to scan for to connect. You only want this setup if you plan on doing something large. If you do this setup for a small business or doing it for security purposes. You're dead wrong.  There's no security purpose in doing this. It's done only for large volumes of traffic.


----------



## ahgu (Sep 8, 2015)

Can I do this on sendmail? instead of postfix?


----------



## rajl (Sep 8, 2015)

Sounds like you're trying to run your own mail server on a home/residential internet connection (since machine B has a dynamic IP and port 25 is blocked) and relay your emails through an external mail server that does not have port 25 blocked.  If this is the case, let me warn you now that the pain is not worth it.



ahgu said:


> Can I do this on sendmail? instead of postfix?



Yes, although I can't tell you how for Sendmail (because I'm more familiar with Postfix).  You can use any mail transfer agent (MTA) (e.g. Sendmail, Postfix, Exim, _etc_.) to do this (or a mix of MTAs).  Basically, machine A will be configured to transfer mail to machine B on an unblocked port that you specify.  Machine B will relay mail through machine A and will probably need to be communicating on an unblocked port as well.  A quick Google search will tell you how to configure the MTA of your choice to do this.


----------



## tony33 (Sep 9, 2015)

rajl said:


> Sounds like you're trying to run your own mail server on a home/residential internet connection (since machine B has a dynamic IP and port 25 is blocked) and relay your emails through an external mail server that does not have port 25 blocked.  If this is the case, let me warn you now that the pain is not worth it.
> 
> 
> 
> Yes, although I can't tell you how for Sendmail (because I'm more familiar with Postfix).  You can use any mail transfer agent (MTA) (e.g. Sendmail, Postfix, Exim, _etc_.) to do this (or a mix of MTAs).  Basically, machine A will be configured to transfer mail to machine B on an unblocked port that you specify.  Machine B will relay mail through machine A and will probably need to be communicating on an unblocked port as well.  A quick Google search will tell you how to configure the MTA of your choice to do this.



If that is the case he cannot do it. He cannot use a home residential internet connection. Most ISPs filter and block any server traffic. Even in their terms of service agreement... it will state that they don't permit servers to run on their residential lines. You need to contact your ISP and pay for business-grade internet.  Which is way more expensive.  Anyone with a residential package gets such ports blocked. Even if it's not blocked the bandwidth isn't good enough for such things. They will detect it once you clog up their network. They will see the traffic and figure out which customer is doing it. They will then sue your ass for a lot of money.


----------



## rajl (Sep 9, 2015)

tony33 said:


> If that is the case he cannot do it. He cannot use a home residential internet connection. Most ISPs filter and block any server traffic. Even in their terms of service agreement... it will state that they don't permit servers to run on their residential lines. You need to contact your ISP and pay for business-grade internet.  Which is way more expensive.  Anyone with a residential package gets such ports blocked. Even if it's not blocked the bandwidth isn't good enough for such things. They will detect it once you clog up their network. They will see the traffic and figure out which customer is doing it. They will then sue your ass for a lot of money.



This is only partially accurate.  Residential connections have terms of service that state you are not allowed to run a server (and they require you to pay for a business class connection to do so).  If they catch you, they can cut your internet access, terminate your account, charge overage fees, _etc_.  Even if they do catch you, they probably won't care or say a word as long as you're not using enough bandwidth to cause issues with their network or impact other customers.  However, they _*will notice*_ if you clog up their network.  That's when the pain starts.

Technically speaking, the statement that "most ISPs filter and block any server traffic" is false.  ISPs let you run servers all the time -- how many multiplayer PC games require that one of the players "host" the game?  I've always run an externally facing SSH server to allow me remote access to my network when outside the house.  I've also had no problems setting up VPN servers on my residential connections over the years.  Setting up a relay server (local mail server on home network forwarding all mail to an intermediate server) is not uncommon among people first learning how to set up and manage email servers for the sake of curiosity.  However, email servers are finicky beasts that must be appeased on a regular basis with prayers to the gods, blood sacrifices, and ritual incantations (I only half jest).  This is another reason why I warn that there will be pain.

What most ISPs actually do is block access to certain ports and/or restrict access to certain ports.  As an example, ISPs often put in blanket restrictions for port 25.  Specifically they usually block all incoming port 25 traffic and restrict outgoing port 25 traffic to a specific set of IP addresses (_e_._g_. the ISP's own email servers, email servers owned by vetted hosting providers, _etc_.).  This blanket ban on port 25 has two effects: (1) it significantly decreases botnet spam generated by infected computers and (2) it provides an easy way to convince users to upgrade to business class offerings.  However, setting up your email server on a non-standard port will get around this blanket ban.  It won't be able to communicate with the rest of the world, just the relay server on machine A.  But that may be enough for your purposes.


----------



## ahgu (Sep 27, 2015)

Thanks, but how would I configure Machine A (public with 25 open) to relay all incoming emails to Machine B on port 2525? Where do I set in Machine A that says transfer all incoming mails to B using 2525?  I cannot use the .forward setting since it uses port 25.

I am using sendmail.





rajl said:


> This is only partially accurate.  Residential connections have terms of service that state you are not allowed to run a server (and they require you to pay for a business class connection to do so).  If they catch you, they can cut your internet access, terminate your account, charge overage fees, _etc_.  Even if they do catch you, they probably won't care or say a word as long as you're not using enough bandwidth to cause issues with their network or impact other customers.  However, they _*will notice*_ if you clog up their network.  That's when the pain starts.
> 
> Technically speaking, the statement that "most ISPs filter and block any server traffic" is false.  ISPs let you run servers all the time -- how many multiplayer PC games require that one of the players "host" the game?  I've always run an externally facing SSH server to allow me remote access to my network when outside the house.  I've also had no problems setting up VPN servers on my residential connections over the years.  Setting up a relay server (local mail server on home network forwarding all mail to an intermediate server) is not uncommon among people first learning how to set up and manage email servers for the sake of curiosity.  However, email servers are finicky beasts that must be appeased on a regular basis with prayers to the gods, blood sacrifices, and ritual incantations (I only half jest).  This is another reason why I warn that there will be pain.
> 
> What most ISPs actually do is block access to certain ports and/or restrict access to certain ports.  As an example, ISPs often put in blanket restrictions for port 25.  Specifically they usually block all incoming port 25 traffic and restrict outgoing port 25 traffic to a specific set of IP addresses (_e_._g_. the ISP's own email servers, email servers owned by vetted hosting providers, _etc_.).  This blanket ban on port 25 has two effects: (1) it significantly decreases botnet spam generated by infected computers and (2) it provides an easy way to convince users to upgrade to business class offerings.  However, setting up your email server on a non-standard port will get around this blanket ban.  It won't be able to communicate with the rest of the world, just the relay server on machine A.  But that may be enough for your purposes.


----------

