[afnog] SMTP Traffic Redirect

Brian Candler B.Candler at pobox.com
Fri Jun 11 14:54:45 UTC 2010


On Thu, Jun 10, 2010 at 04:40:54PM +0200, Fredy Kuenzler wrote:
> On 10.06.2010 11:12, Christian Muhirwa wrote:
> >However I was wondering if solution #3 (2) would work for me since my
> >SMTP server is not a next-hop to the router, it's three hops away on a
> >different subnet.
> 
> That should not be a problem, as long as the next hop router has a route
> (best path) to the SMTP server.

I think the question was about *transparent* redirection of SMTP (i.e. 
client connects outbound to any address x.x.x.x port 25 on the Internet, and
this gets forced into the local SMTP relay instead)

I can think of three options:

1. Rewrite the destination address of the packets to be the SMTP server's
address (NAT).

2. Plug in another NIC to the SMTP server and connect it to a subnet which
the router is directly connected to (or trunk a VLAN through).

3. Set up a tunnel interface between the router and the SMTP server, e.g.
IP-IP or GRE, and policy-route the traffic down that.

Option 1 is widely implemented by "load balancer" type appliances, but
implementing it on a regular router might be more challenging. You also have
to arrange that the return traffic from the SMTP server to the client goes
back via the same path for de-NATing, which can be tricky.

Setting up an IP-IP tunnel under FreeBSD or Linux is pretty straightforward,
and may be the best option here given that the SMTP server is several hops
away.  Make sure you set a suitably low MTU on the remote endpoint (e.g. 
1480 for ipip / RFC1853) to avoid PMTU discovery problems.

HTH,

Brian.
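As an added example (not part of Brian's message or the rest of the thread), here is what option 3 looks like on Linux: an IP-IP tunnel between the border router and the SMTP relay, outbound TCP/25 policy-routed into it, and the 1480-byte MTU on the tunnel. All addresses, interface names, the mark and the routing-table number are constructed placeholders, and the REDIRECT rule on the relay is the assumed way of handing tunnelled connections to the local MTA.

```shell
#!/bin/sh
# Added example, not from the thread: Linux commands for option 3, an IP-IP
# tunnel between the border router and the SMTP relay with outbound TCP/25
# policy-routed into it. All addresses and interface names are constructed
# placeholders; override them from the environment. DRY_RUN=1 prints the
# commands instead of executing them, so the plan can be reviewed before it
# is run as root on each box.
ROUTER_IP=${ROUTER_IP:-192.0.2.1}         # tunnel endpoint on the router
RELAY_IP=${RELAY_IP:-198.51.100.25}       # SMTP relay, several hops away
CLIENT_NET=${CLIENT_NET:-192.168.10.0/24} # subnet whose port-25 traffic is redirected
LAN_IF=${LAN_IF:-eth1}                    # router interface facing that subnet
TUN_IF=smtp0
ROUTER_TUN=10.255.0.1; RELAY_TUN=10.255.0.2   # inner addresses of the tunnel
TUN_MTU=1480   # 1500 minus the 20-byte outer IPv4 header (RFC 1853)
MARK=25; TABLE=100

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Router side: build the tunnel and steer client TCP/25 down it.
router_side() {
  run ip tunnel add "$TUN_IF" mode ipip local "$ROUTER_IP" remote "$RELAY_IP" ttl 64
  run ip addr add "$ROUTER_TUN/30" dev "$TUN_IF"
  run ip link set "$TUN_IF" mtu "$TUN_MTU" up
  # Mark port-25 traffic from the LAN, except traffic already addressed to the
  # relay itself, which must keep using the normal path.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
      ! -d "$RELAY_IP" -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default via "$RELAY_TUN" dev "$TUN_IF" table "$TABLE"
}

# Relay side: terminate the tunnel, route replies to the clients back through it
# (so the 1480 MTU applies in both directions) and hand every tunnelled TCP/25
# connection, whatever its original destination, to the local MTA.
relay_side() {
  run ip tunnel add "$TUN_IF" mode ipip local "$RELAY_IP" remote "$ROUTER_IP" ttl 64
  run ip addr add "$RELAY_TUN/30" dev "$TUN_IF"
  run ip link set "$TUN_IF" mtu "$TUN_MTU" up
  run ip route add "$CLIENT_NET" via "$ROUTER_TUN" dev "$TUN_IF"
  run iptables -t nat -A PREROUTING -i "$TUN_IF" -p tcp --dport 25 \
      -j REDIRECT --to-ports 25
}

case "${1:-}" in
  router) router_side ;;
  relay)  relay_side ;;
esac
```

Run `DRY_RUN=1 sh script.sh router` and `DRY_RUN=1 sh script.sh relay` to see each side's commands before applying them; the relay's own outbound mail bypasses the tunnel because of the `! -d "$RELAY_IP"` exclusion.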