How to accept email on port 26, using Iptables port redirection
In some countries, or better said, some ISPs have started to block port 25 to prevent PC viruses from emailing copies of themselves to all the contacts in your address book.
This may be fine if you use your ISP's SMTP server to send email, but what happens if you use your office server, or you are on a business trip and stay at a hotel where you cannot send email through your own SMTP server because port 25 is blocked, and you cannot use the ISP's SMTP server because you do not have an account with them?
An approach lots of systems administrators are taking is to use port 26: you configure your email client and your colleagues' email clients to use port 26 instead of 25 to send email.
Here I will show you how to configure your SMTP server to accept email connections on port 26, independent of the server you are using: Postfix, Sendmail or any other.
First you need to open port 26; to do so, insert this line in your firewall configuration.
iptables -A INPUT -p tcp --dport 26 -j ACCEPT
This will enable the server to accept connections on port 26 from all over the world. Next, redirect the connections on port 26 to port 25; this way you do not need to reconfigure your email server to listen on port 26.
iptables -A PREROUTING -t nat -p tcp --dport 26 -j REDIRECT --to-port 25
With these two lines your email server will accept email on port 26.
In the case of one customer of mine, we had configured his email server to also be his firewall; here is how it is configured (only the email part):
# Accept connections on ports 25, 26 and 110
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 26 -j ACCEPT
## Next redirect 26 to 25
iptables -A PREROUTING -t nat -p tcp --dport 26 -j REDIRECT --to-port 25
# Block your own clients from accessing port 25 outside their own network (prevents being banned for sending spam with a virus)
iptables -A FORWARD -p tcp --dport 25 -j LOG # Log the packets; useful to identify the offending machine
# Drop the packets
iptables -A FORWARD -p tcp --dport 25 -j DROP
Add any other rules you think you may need; do not run your server with only these rules, as this could be dangerous.
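The two-line version above and the customer's fuller rule set are both captured in the script below. It is an added example, not a script from the original post, and it assumes iptables is on PATH and that the internal interface is named in LAN_IF (eth1 by default, an assumption). Two things a practitioner would want are included: the FORWARD LOG rule is rate-limited with -m limit so an infected PC cannot fill the disk with log lines, and the script has a dry-run mode (IPTABLES=echo) that prints the rules instead of applying them. One detail worth knowing when you keep the rule set short: the REDIRECT in nat/PREROUTING rewrites the destination port before the filter INPUT chain sees the packet, so the traffic arriving on port 26 matches an INPUT rule for port 25, not 26; the script therefore accepts the real SMTP port in INPUT.

```shell
#!/bin/sh
# Added example (not from the original post): build the mail-related iptables
# rules described above. Set IPTABLES=echo to print the rules instead of
# applying them. LAN_IF is the assumed internal interface name.

IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth1}"   # assumption: internal LAN interface; adjust to taste

# Sanity check for a TCP port argument: digits only, 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit or apply the rules. $1 = alternate public port, $2 = real SMTP port.
mail_rules() {
    alt="$1"; smtp="$2"
    valid_port "$alt" && valid_port "$smtp" || return 2
    # The redirect runs in nat/PREROUTING, before filter/INPUT. After it the
    # packet carries dport $smtp, so INPUT must accept $smtp; an INPUT rule for
    # $alt would never match the redirected connections.
    $IPTABLES -t nat -A PREROUTING -p tcp --dport "$alt" -j REDIRECT --to-ports "$smtp"
    $IPTABLES -A INPUT -p tcp --dport "$smtp" -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
    # LAN clients may use this box as their SMTP server but not an outside one:
    # log (rate-limited, so a spamming PC cannot flood the log) and then drop.
    $IPTABLES -A FORWARD -i "$LAN_IF" -p tcp --dport "$smtp" \
        -m limit --limit 5/min -j LOG --log-prefix "LAN-SMTP-BLOCKED: "
    $IPTABLES -A FORWARD -i "$LAN_IF" -p tcp --dport "$smtp" -j DROP
}

# Dry run: return the rules as text without touching the kernel.
dry_run() {
    ( IPTABLES=echo; mail_rules "$1" "$2" )
}

if [ "${1:-}" = "apply" ]; then
    mail_rules 26 25
    # Verify: the nat rule must be listed and the daemon must listen on 25.
    $IPTABLES -t nat -L PREROUTING -n --line-numbers
    ss -ltn
fi
```

Run it as `sh mailports.sh apply` on the firewall, or `sh mailports.sh` followed by `dry_run 26 25` in a sourced shell to review the rules first. After applying, a connection from outside to port 26 should show up in `iptables -t nat -L PREROUTING -n -v` as a hit on the REDIRECT rule, and the SMTP banner should appear when you connect to port 26 from a host where 25 is blocked.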
For me it wouldn't work
For me it wouldn't work without an OUTPUT rule as well. If you are blocking off connections on 25 you might as well just change the port the server listens on. I had to run my SMTP server on 2 ports at the same time.
I am not blocking
I am not blocking connections to 25, I am blocking connections through the server to port 25. This is because this server is the firewall and the mail server at the same time, so customers are allowed to use it as their SMTP server, but not to use another SMTP server outside the network.
Guillermo Garron
Tremendously useful, thanks!
Really useful stuff, thank
Really useful stuff, thank you. I'm forced to use port 22 for SSH because my ISP was giving a lower priority to traffic when it was on another port, resulting in very latent SSH connections. I learnt a long time back that it's dangerous to leave SSH open on port 22 (because too many bots go sniffing, tying up connections/log space) so it had to be firewalled.
Other users of the machine have dynamic IPs, so it wasn't appropriate to keep changing the IPs in the firewall so I opened a second port only to the ranges they're likely to use and redirected that to 22. Result: Only people on their ISP would be able to sniff at the SSHD (and even then, they'd have to know the higher-number port was open) while my own data isn't slowed down.