I realize I need to provide better context and information. I’ll do my best.

The mail configuration is like this, and again, this is just something that’s 
already in place and unfortunately it’s not within my control to make a ton of 
changes. I don’t think what I’m asking for is impossible and I understand that 
it looks irregular.

Two MTAs, one is running Ciphermail. The ciphermail host relays mail to the 
“permanent home” MTA where mail gets delivered to users and dovecot runs for 
retrieval of mail. The hosts are internal only hosts. SSH port forwarding is 
being used to basically export port 25 from the Ciphermail host to an 
externally accessible AWS node. I guess the idea is if the instance gets 
compromised, they’re not actually on the real MTA. This, again, is where I’m 
saying “don’t do that” isn’t really in my control and I’d like to just make 
this work without trying to alter the overall design.

What I experience when the port forward is enabled is suddenly “things” out 
there are attempting to just email random addresses at the AWS instance 
hostname.

Logs from Ciphermail (using links because majordomo doesn’t like the number of 
characters I’m pasting):

http://skidrowstudios.com/mta/cmx01-logs.txt

Logs from "dovecot server":

http://skidrowstudios.com/mta/mx1-logs.txt

At this point you can see the mail looping and it continues as such until I 
stop the port forward.

Here are my confs for each MTA. The goal is to basically stop the loop or just 
flat out reject mail being sent to the aws domain pattern.

Ciphermail host:

http://skidrowstudios.com/mta/cmx01.txt

Dovecot host:

http://skidrowstudios.com/mta/mx1.txt

Please let me know what other information is useful and I appreciate the help. 
Thank you!
-jeremy
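The rejection Jeremy asks for, as an added example that is not from the original thread or from the Ciphermail project. It assumes the Ciphermail host runs Postfix and uses a pcre: access table; the file paths and the map name are assumptions. Because the REJECT happens during the SMTP dialogue, the host never accepts the message and so never generates the bounce that feeds the loop.

```conf
# /etc/postfix/main.cf on the Ciphermail host (added example; paths assumed).
# The two check_*_access lookups run before reject_unauth_destination so a
# REJECT from the map is final no matter how relaying is otherwise permitted.
smtpd_recipient_restrictions =
    check_recipient_access pcre:/etc/postfix/aws_access.pcre,
    check_sender_access    pcre:/etc/postfix/aws_access.pcre,
    permit_mynetworks,
    reject_unauth_destination,
    permit

# /etc/postfix/aws_access.pcre (pcre: tables need no postmap, but the
# running smtpd processes only pick up changes after "postfix reload").
# With regexp/pcre access tables Postfix matches the whole address, so the
# pattern anchors on the domain: it hits user@amazonaws.com and any
# subdomain such as probe@ec2-1-2-3-4.compute-1.amazonaws.com, while a
# null sender (<>) on incoming bounces does not match and is left alone.
/@(.*\.)?amazonaws\.com$/  REJECT Mail to or from amazonaws.com hostnames is not accepted here

# Verify the table before reloading (constructed test addresses):
#   postmap -q "probe@ec2-1-2-3-4.compute-1.amazonaws.com" pcre:/etc/postfix/aws_access.pcre
#   -> REJECT Mail to or from amazonaws.com hostnames is not accepted here
#   postmap -q "user@skidrow.la" pcre:/etc/postfix/aws_access.pcre
#   -> (no output: address not matched, mail is handled normally)
```

The rejections then show up in the Postfix log as NOQUEUE: reject lines, which is the place to confirm the loop has stopped instead of watching the queue shrink.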

> On Friday, May 20, 2022 at 8:50 AM, @lbutlr <krem...@kreme.com> wrote:
> On 2022 May 19, at 12:56, Jeremy Hansen <jer...@skidrow.la> wrote:
> > I’m trying to do a ssh port forward of port 25 from my local mta to an aws 
> > node so my mta doesn’t have to be directly on the routable internet.
>
> Why does your mta need port 25 at all if it's not routable?
>
> > I’m seeing an interesting problem due to the fact that aws ip’s are so 
> > heavily probed.
> >
> > When a prober tries sending email to <random user>@<aws predictable 
> > hostname>, the mail tries to bounce back to the recipient’s address. Well 
> > since we’re port forwarding, the address it’s bouncing to is actually 
> > ourselves. Hence the loop and a really big mail queue.
> >
> > So in this scenario, how would I break this chain?
>
> That really depends on your actual setup and what you are actually trying to 
> do. The simplest solution based on what you've said is "connect to the aws 
> server, not to an ssh tunnel."
>
> > I thought sender/recipient address verification would break the loop but 
> > I’m having trouble figuring this out.
>
> What do your logs say?
>
> But mostly, what exactly are you trying to accomplish because I'm having 
> trouble thinking of a reason that you would be doing this.
>
> > I think it may be good enough if I was able to tell postfix to just drop 
> > any mail coming from or destined to amazonaws.com but I’m not sure how to do 
> > this gracefully. Any suggestions on this aside from “don’t do that” :-)
>
> Sometimes "don't do that" is the right answer.
>
>
> --
> It was the sort of grin people use when they stare at your left ear
> and tell you in an urgent tone of voice that they are being spied
> on by secret agents from the next galaxy. It was not a grin to
> inspire confidence. More horrible grins had probably been seen,
> but only on the sort of grinner that is orange with black
> stripes, has a long tail and hangs around in jungles looking for
> victims to grin at.
>
