The mail provider where I work is an Exchange-only provider, and refuses to have anything to do with anything else. What this means in practice is that non-Exchange clients get almost nothing. In addition to the Exchange ports, they only have the standard ports open: 25, 110, 143, 993 and 995. Note that while they do provide TLS-wrapped ports for IMAP (993) and POP3 (995), they do NOT provide a secure SMTP submission port; mail submission is plain port 25 only.
Before you ask, they do require NTLM authentication, so at least the password is not sent in the clear. NTLM only protects the login exchange, though; it does not encrypt the SMTP session itself, so message content submitted over port 25 still crosses the wire in plaintext.
Our problem came in because most if not all ISPs block outgoing port 25 except to their own mail servers. This is an attempt to block spammers, and actually not a bad idea.
Our mail provider refused to open any other port for SMTP, so those employees who use email clients other than Outlook were out of luck.
So we decided to create our own port forwarder at our data center. My first thought was to build a proper mail relay using Postfix with TLS and SASL. That worked, but it did not solve the problem, because every employee would have had to be added to the relay as well, creating double work. After a little searching, I found this little gem called redir.
This gem was written by Sam Creasey, you can get in touch with him at: sammy_AT_sammy.net
This link takes you to his home page: http://sammy.net/~sammy/
This is a simple TCP redirector which works very well. I installed it on the mail server I had previously created, started it up and voilà, we had a working SMTP relay which simply forwards every connection arriving on port 587 to port 25 at our mail provider.
Note that this does NOT add any encryption; I simply used port 587 because I know it is always open at the ISP level. Since redir passes bytes through untouched, the client still authenticates to the provider with NTLM end to end, but mail content crosses both legs in plaintext. Also keep in mind that any host that can reach port 587 on your external address can reach the provider's port 25 through it, so restrict who may connect to the listener with your firewall.
redir version 2.2.1

usage: redir --lport=<n> --cport=<n> [options]
       redir --inetd --cport=<n>

Options are:
  --lport=<n>                    port to listen on
  --laddr=IP                     address of interface to listen on
  --cport=<n>                    port to connect to
  --caddr=<host>                 remote host to connect to
  --inetd                        run from inetd
  --debug                        output debugging info
  --timeout=<n>                  set timeout to n seconds
  --syslog                       log messages to syslog
  --name=<str>                   tag syslog messages with 'str'
  --connect=<str>                CONNECT string passed to proxy server
  --bind_addr=IP                 bind() outgoing IP to given addr
  --ftp=<type>                   redirect ftp connections where type is either port, pasv, both
  --transproxy                   run in linux's transparent proxy mode
  --bufsize=<octets>             size of the buffer
  --maxbandwidth=<bit-per-sec>   limit the bandwidth
  --random_wait=<millisec>       wait before each packet
  --wait_in_out=<flag>           1 wait for in, 2 out, 3 in&out
And here is the actual command I used. The system is a VM on a private network; I opened up the firewall to forward port 587 on the external address to this VM to make it work.
/usr/local/sbin/redir --lport=587 --laddr=192.168.101.131 --cport=25 --caddr=smtp.hostingprovider.com
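As an added example (not the original post's code and not redir itself), here is a minimal TCP forwarder in Python that does what the redir command above does: bind a local port and splice each accepted connection byte-for-byte to the upstream host. It adds one thing the post's setup leaves to the firewall, a source-IP allowlist, so that the relay is not usable by every host that can reach the listener. The networks in ALLOWED_CLIENTS, the fake upstream server standing in for the provider's port 25, and the client exchange are all constructed for the example.

```python
"""Minimal TCP forwarder in the spirit of redir, plus a source-IP allowlist.
Added example; not the original post's code and not redir itself."""
import ipaddress
import socket
import threading

# Constructed allowlist for the example: only these networks may use the relay.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.101.0/24"),
                   ipaddress.ip_network("127.0.0.0/8")]


def client_allowed(ip, allowed=ALLOWED_CLIENTS):
    """True if the connecting address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    other side sees the close too. No parsing, no TLS: bytes pass untouched."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def splice(client, caddr, cport):
    """Connect to the upstream host and shuffle bytes in both directions."""
    try:
        upstream = socket.create_connection((caddr, cport), timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)  # connect timeout only; idle sessions may live on
    t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    t.start()
    pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


class Forwarder:
    """Listen on laddr:lport and relay accepted connections to caddr:cport."""

    def __init__(self, laddr, lport, caddr, cport, allowed=ALLOWED_CLIENTS):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((laddr, lport))
        self.sock.listen(16)
        self.caddr, self.cport, self.allowed = caddr, cport, allowed
        self.rejected = 0  # connections dropped by the allowlist

    @property
    def lport(self):
        return self.sock.getsockname()[1]

    def serve_forever(self):
        while True:
            client, (ip, _) = self.sock.accept()
            if not client_allowed(ip, self.allowed):
                # Unlisted source: close before a single byte reaches upstream.
                self.rejected += 1
                client.close()
                continue
            threading.Thread(target=splice, args=(client, self.caddr, self.cport),
                             daemon=True).start()

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self


def fake_upstream():
    """Constructed stand-in for the provider's port 25: greets, answers one
    command with 250, then closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 fake.provider ESMTP\r\n")
                conn.recv(1024)
                conn.sendall(b"250 fake.provider\r\n")
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(fwd):
    """Talk SMTP through the forwarder; returns (banner, reply) as text,
    or ("", "") if the relay closed on us because the source was not allowed."""
    with socket.create_connection(("127.0.0.1", fwd.lport), timeout=5) as c:
        banner = c.recv(1024).decode()
        if not banner:
            return "", ""
        c.sendall(b"EHLO client.example\r\n")
        reply = c.recv(1024).decode()
    return banner.strip(), reply.strip()


if __name__ == "__main__":
    upstream_port = fake_upstream()
    fwd = Forwarder("127.0.0.1", 0, "127.0.0.1", upstream_port).start()
    print(relay_roundtrip(fwd))
```

Run stand-alone, the script talks to its own in-process stand-in for the provider; to use it for real, replace the listen address, port and upstream host with your own (the equivalents of --laddr, --lport, --caddr and --cport) and drop fake_upstream. Like redir it adds no encryption: the NTLM login and the mail content go through exactly as the client sent them, which is why the allowlist (or the firewall rule it mirrors) matters.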
The program is also available for download here: Redir (41.3 KiB)