Redirecting SMTP connections

James Gray james at grayonline.id.au
Mon Jun 5 01:10:25 IST 2006


On Mon, 5 Jun 2006 09:35 am, Richard Lynch wrote:
> This may be a little off topic but it is related to the setup of a
> MailScanner gateway.
>
> I have a customer who needs to be able to send and receive encrypted
> messages to some of their clients.  This is a medical center and I'm
> sure some of this is related to HIPAA regulations.  They are doing this
> using server to server encryption (MS Exchange).  I'm uncertain what
> product they are using to provide this functionality but my
> understanding is that the mail will be encrypted between MS Ex servers
> using STARTTLS.  Currently we are filtering all of their internet mail
> using MailScanner on a server with their MX DNS entry pointing to our
> server.
>
> They have asked me to redirect certain connections based on the incoming
> IP address directly to their server which will comply with this
> protocol.  I don't really know how to achieve this.  I think it may be
> possible using the redirect function in iptables.  Basically, I want to
> take incoming connections to our server and, based on the IP address,
> redirect it to their server to handle the encrypted message exchange.
>
> Has anyone ever done anything like this and know how to do it?  I hope
> I've been clear on what I'm trying to do.  Any help is much appreciated.

You mention iptables so I assume this is a Linux box.  You need to create a 
destination NAT (DNAT) rule to rewrite the destination address if the source 
address (and maybe source/destination ports too) match appropriate values.  
Then once the DNAT is created, you need to ADD a rule to the FORWARD chain 
that ALLOWS packets from the original source to the NEW DESTINATION (again, 
possibly matching other connection details).

Depending on the encryption scheme they are using this may break the 
end-to-end security and cause the connection to barf (ipsec springs to mind) 
but TLS should be ok with DNAT - I've done this sort of thing before with 
TLS+DNAT on Linux routers.

Google is your friend.

Cheers,

James
-- 
We are what we pretend to be.
		-- Kurt Vonnegut, Jr.
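The DNAT-plus-FORWARD setup James describes, written out as an added example (this is not part of the list post and not anything from the MailScanner project). It assumes a Linux gateway running iptables with the customer's Exchange server behind it on a LAN interface; all addresses and the interface name are constructed placeholders. The script only generates a rule set in iptables-restore format so it can be reviewed before it is loaded. DNAT rewrites the IP header and leaves the TCP payload alone, which is why the STARTTLS handshake still runs directly between the remote MTA and the Exchange server; an IPsec AH-protected peer would detect the header rewrite and fail, as the reply warns.

```shell
#!/bin/sh
# Added example: emit an iptables rule set that sends SMTP from one named
# peer around the MailScanner gateway to the internal Exchange server.
# Everything below (addresses, interface) is a constructed placeholder.

# Arguments:
#   $1 peer IP      (the client MTA that must talk STARTTLS end to end)
#   $2 gateway IP   (the public address the MX record points at)
#   $3 exchange IP  (the customer's internal Exchange server)
#   $4 LAN interface on the gateway facing the Exchange server
gen_smtp_dnat_rules() {
  peer=$1; gw=$2; exch=$3; lan_if=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Scope tightly: only this peer, only TCP/25, only to the gateway's own
# address. Nothing else bypasses the MailScanner filtering.
-A PREROUTING -s ${peer}/32 -d ${gw}/32 -p tcp --dport 25 -j DNAT --to-destination ${exch}:25
# Needed only when the Exchange server would otherwise route its replies
# via a different gateway (asymmetric routing breaks the conntrack entry).
# Caveat: masquerading hides the peer's real IP from Exchange, so its logs
# and any IP-based connector or TLS policy there see the gateway instead.
-A POSTROUTING -o ${lan_if} -d ${exch}/32 -p tcp --dport 25 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# The rewritten connection, and its replies, must be allowed through FORWARD.
# (FORWARD sees the post-DNAT destination and the pre-reverse-NAT reply source.)
-A FORWARD -s ${peer}/32 -d ${exch}/32 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s ${exch}/32 -d ${peer}/32 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Review the output, then load it without flushing existing tables:
#   sysctl -w net.ipv4.ip_forward=1
#   gen_smtp_dnat_rules 203.0.113.10 198.51.100.5 10.0.0.25 eth1 | iptables-restore -n
gen_smtp_dnat_rules 203.0.113.10 198.51.100.5 10.0.0.25 eth1
```

Two things to check after loading: `cat /proc/sys/net/ipv4/ip_forward` must read 1, and the connection should show up in the conntrack table with the rewritten destination while the Exchange server's SMTP log shows the peer's address (or the gateway's, if the MASQUERADE line was kept). Because these sessions never reach MailScanner, the peer list in the PREROUTING rule is the whole control over what goes unfiltered; keep it to the specific hosts the customer named.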