[afnog] Natting

Peter Nyamukusa peter.nyamukusa at africaonline.co.tz
Fri Oct 17 12:23:52 UTC 2008


Hi SM,

-----Original Message-----
From: SM [mailto:sm at resistor.net] 
Sent: Friday, October 17, 2008 11:50 AM
To: Peter Nyamukusa
Cc: afnog at afnog.org
Subject: RE: [afnog] Natting

>Hi Peter,
>At 22:56 16-10-2008, Peter Nyamukusa wrote:
>>This is very much possible; I have been having this kind of setup for many
>>years, see logs from my firewall filter on one of my customers' mail servers
>>using a private IP behind NAT
>
>I didn't say that the setup was not possible. :-)
>
>>If you don't want to even waste your mail server you can even configure an
>>ACL on your router and thus you have filtered as close to the source as
>>possible
>
>There's a downside when applying such ACLs for mail traffic.
>
>Can you track down which emails were rejected if there are mail 
>delivery issues?
>
>Can you reject SMTP connections on reverse DNS patterns 
>(user.dialup.example.com)?
>
>Can your content filter do header checks correctly?

I am not sure how your email system is set up, but looking at two
scenarios: in the first you have possibly several thousand broadband
customers, and we all know these guys are capable of anything, and you don't
want them sending email directly to or receiving directly from the internet.
Hence you would need to apply an ACL somewhere in your network (my
concept is the closer to the source the better). This will make sure only the
servers you permit can do SMTP in/out, and you don't have to spend every
day removing blacklisted IPs. Thus this is the first level of filtering.

Moving on to the second layer of filtering, for the server IPs that you have
permitted SMTP from the internet and the local exchange point you can then
apply server-level filtering like you were mentioning before, i.e. reverse
DNS, RBLs, header and body checks etc.

You can even go a step further by setting up your spam/virus filtering
box/appliance at your upstream provider, because in most cases over 80% of
email received is junk/spam and thus you save your precious international
bandwidth.

Regards,
Peter
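The two layers described in this post (a border ACL that only lets designated servers speak SMTP, then reverse-DNS checks on the mail server itself), as an added example that is not part of the original thread. The permitted server list, the dynamic-pool PTR patterns and the PTR table are constructed sample values standing in for a real ACL and a real reverse lookup so the code runs offline.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample values, not from the original post.
# First layer: the only hosts the border ACL lets originate SMTP (TCP/25).
PERMITTED_SMTP_SERVERS = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("198.51.100.0/29"),
]

# Second layer: reverse-DNS labels typical of dialup/broadband pools.
DYNAMIC_PTR_PATTERNS = [
    re.compile(r"(^|\.)(dialup|dyn|dynamic|pool|ppp|dsl|cable)(\.|-|\d)", re.I),
]

# Constructed PTR table standing in for a real reverse lookup (offline example).
FAKE_PTR = {
    "192.0.2.10": "mx1.example.net",
    "198.51.100.3": "user-17.dialup.example.com",
    "203.0.113.7": "host7.dyn.example.org",
}


def first_layer_permits(src_ip: str) -> bool:
    """Border ACL: only listed servers may do SMTP in/out."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in PERMITTED_SMTP_SERVERS)


def second_layer_permits(src_ip: str, ptr_lookup=FAKE_PTR.get) -> Tuple[bool, str]:
    """Mail-server check: reject PTRs that look like dynamic/dialup pools.
    Returns (permit, reason) so rejected connections stay traceable in logs."""
    ptr: Optional[str] = ptr_lookup(src_ip)
    if ptr is None:
        return False, "no reverse DNS"
    for pat in DYNAMIC_PTR_PATTERNS:
        if pat.search(ptr):
            return False, f"dynamic-looking PTR {ptr}"
    return True, f"PTR {ptr}"


def smtp_decision(src_ip: str) -> Tuple[bool, str]:
    """Apply the border ACL first (closest to the source), then the server check."""
    if not first_layer_permits(src_ip):
        return False, "blocked by border ACL (not a permitted SMTP server)"
    return second_layer_permits(src_ip)
```

Returning a reason string from each layer is what answers the "can you track down which emails were rejected" question: the ACL layer alone only drops packets, while the server layer can log why.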
