proxy-helper
proxy-helper for smtp-proxy, part of software.klolik.org
About
smtp-gated is able to run in split mode (on a separate server, other than the NAT router). proxy-helper gives the proxy the information about the source and destination IPs of NAT'ed connections.
Currently, the only supported NAT platform is Linux/netfilter, but smtp-gated itself can run on any supported OS, even without NAT support.
Scenarios
Possible scenarios:
| smtp-gated instance(s) | NAT router(s) | high availability and/or high performance | proxy-helper required | router OS (running proxy-helper) | proxy OS (running smtp-gated) |
| one | no | no | no | - | any with smtp-gated supported NAT framework |
| one | one | no | yes | any supported by proxy-helper | any supported by smtp-gated, NAT support not required |
| one | many | no | yes | | |
| many | one | yes | yes | | |
| many | many | yes | yes | | |
| Using policy routing on any (software or hardware) router combined with smtp-gated running NAT: |
| many | any | yes | no | - | any with smtp-gated supported NAT framework |
For many smtp-gated instances you can set up a pool of HA proxies.
TODO
- support for OSes other than Linux
Bugs
Binding to 0.0.0.0 does not work in versions below 1.0.3.
Since I don't use proxy-helper anymore, version 1.0.3 was not tested and may fail. In this case, please send me the logs produced with --debug 100.
Downloads
Sources are released under the GNU License.
If you use this software, please send me an e-mail with a comment. Thank you.
Latest version:
[2010.09.28] proxy-helper-1.0.3.tar.gz
Older versions:
[2010.02.12] proxy-helper-1.0.2.tar.gz
Security
You need to firewall the UDP port on which proxy-helper is listening. Otherwise, details about your internal networks can be revealed to the outside world.
smtp-gated and proxy-helper do not need to be on public IPs, or even in the same network segment.
Remember that smtp-gated "calls back" to whatever is listening at the same IP as the incoming connection from the NAT router. This is dangerous unless it is correctly firewalled.
Check it twice, or a spammer will put your resources to (bad) use.
Details
How does it work?
- the router receives a connection from 10.1.1.1:10943 (user) to 4.1.1.1:25 (SMTP server)
- the router applies SNAT from 194.0.1.1:20119 (user's public IP) and DNAT to 194.0.22.9:9199 (smtp-gated)
- smtp-gated receives the connection but knows nothing about 4.1.1.1:25, which is why it needs assistance
- smtp-gated prepares the IP:PORT for the lookup: it takes the incoming IP (194.0.1.1) and adds remote_port (default is 114)
- smtp-gated asks 194.0.1.1:114 (proxy-helper) about the connection from 194.0.1.1:20119 to 194.0.22.9:9199
- proxy-helper looks the connection up in the netfilter conntrack table and finds it was from 10.1.1.1:10943 to 4.1.1.1:25
- proxy-helper replies to smtp-gated: the connection was from 10.1.1.1:10943 to 4.1.1.1:25
- smtp-gated uses 10.1.1.1:10943 for logging purposes, and 4.1.1.1:25 as the destination address
- smtp-gated connects to 4.1.1.1:25 and does its usual job
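The lookup described above, as an added worked example. This is not code from proxy-helper or smtp-gated: the page does not document the UDP wire format, so the request and reply here are plain Python tuples, the conntrack lines are constructed in the /proc/net/nf_conntrack layout, and the function names (parse_conntrack, helper_address, lookup_original, resolve) are this example's own. It shows how the post-NAT tuple seen by smtp-gated maps back to the pre-NAT user and real SMTP server, and that a tuple with no conntrack entry yields no answer rather than a guess.

```python
"""Simulation of the proxy-helper lookup (added example, not the project's code)."""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
NatKey = Tuple[Endpoint, Endpoint]

# Constructed sample in /proc/net/nf_conntrack layout. In each TCP line the first
# src/dst pair is the original direction (user -> real SMTP server) and the second
# is the reply direction as seen after DNAT+SNAT (smtp-gated -> router public IP).
CONNTRACK_SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.1 dst=4.1.1.1 sport=10943 dport=25 src=194.0.22.9 dst=194.0.1.1 sport=9199 dport=20119 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.7 dst=4.1.1.1 sport=40001 dport=25 src=194.0.22.9 dst=194.0.1.1 sport=9199 dport=20120 [ASSURED] mark=0 use=1
ipv4     2 udp     17 29 src=10.1.1.1 dst=8.8.8.8 sport=5353 dport=53 src=8.8.8.8 dst=194.0.1.1 sport=53 dport=5353 mark=0 use=1
"""

_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text: str) -> Dict[NatKey, Tuple[Endpoint, Endpoint]]:
    """Map (post-NAT source, post-NAT destination) -> (original source, original destination).

    Only TCP entries are indexed; lines without exactly two tuples are ignored
    rather than guessed at.
    """
    table: Dict[NatKey, Tuple[Endpoint, Endpoint]] = {}
    for line in text.splitlines():
        if " tcp " not in line:
            continue
        pairs = _TUPLE_RE.findall(line)
        if len(pairs) != 2:
            continue
        (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = pairs
        # From smtp-gated's point of view the connection comes from the reply
        # tuple's dst:dport (the SNAT source) and goes to its src:sport (the DNAT target).
        nat_src: Endpoint = (rdst, int(rdport))
        nat_dst: Endpoint = (rsrc, int(rsport))
        table[(nat_src, nat_dst)] = ((osrc, int(osport)), (odst, int(odport)))
    return table


def helper_address(incoming_ip: str, remote_port: int = 114) -> Endpoint:
    """smtp-gated derives the helper's address from the incoming IP plus remote_port."""
    return (incoming_ip, remote_port)


def lookup_original(table: Dict[NatKey, Tuple[Endpoint, Endpoint]],
                    nat_src: Endpoint, nat_dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
    """What proxy-helper answers: the pre-NAT (user, SMTP server) pair, or None if unknown."""
    return table.get((nat_src, nat_dst))


def resolve(conntrack_text: str, incoming: Endpoint, local: Endpoint,
            remote_port: int = 114) -> Optional[dict]:
    """Whole flow: derive the helper address, query the (simulated) helper, and
    return what smtp-gated logs and where it connects. None means the helper had
    no matching entry, so smtp-gated must not guess a destination."""
    helper = helper_address(incoming[0], remote_port)
    answer = lookup_original(parse_conntrack(conntrack_text), incoming, local)
    if answer is None:
        return None
    user, server = answer
    return {"helper": helper, "log_source": user, "connect_to": server}


if __name__ == "__main__":
    # The page's scenario: smtp-gated at 194.0.22.9:9199 sees a connection from 194.0.1.1:20119.
    print(resolve(CONNTRACK_SAMPLE, ("194.0.1.1", 20119), ("194.0.22.9", 9199)))
```

Note that the lookup key is the full four-tuple, not just the source port: the second constructed entry differs from the first only in the SNAT port (20120), which is exactly what distinguishes two users behind the same public IP.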
Example
Set up the scenario described above:
# You may skip the local IP; it defaults to 0.0.0.0 (any IP). Works since 1.0.3.
proxy-helper -p /var/run/proxy-helper.pid
# You can also give proxy-helper a specific local IP; 0.0.0.0 works as well since 1.0.3.
proxy-helper -I 194.0.1.1 -p /var/run/proxy-helper.pid
# Remember to SNAT all connections to smtp-gated through the IP the helper is listening on.
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 194.0.22.9:9199
iptables -t nat -A POSTROUTING -p tcp -d 194.0.22.9 --dport 9199 -j SNAT --to 194.0.1.1
Use the following in smtp-gated.conf:
mode remote-udp
remote_port 114
remote_udp_retries 3
Manuals
All documentation files are distributed in the doc/ subdirectory of the source package.
You can also view the (probably outdated) documentation online:
(c) 2005-2010 Bartłomiej Korupczyński
