
Receive Mail From a Secondary-MX Proxy
I am thinking about how I’ll manage to send and receive mail from the Internet by way of a proxy, with SOCKS for outbound and proxy-protocol for inbound mail, where the proxy is also potentially a backup MX. The idea is that I will run the mailer on a network with a dynamic connection, and use a VPS with a fixed IP for connectivity that’s trustworthy for other MX hosts, which only accepts mail when the ISP connection goes down for a noticeable period. I could even extend the client connection through a VPN, so the ISP is oblivious to how it’s used (the country in question has a very flexible approach to civil liberties).

The doc says Exim recognises a proxy host by IP; does this mean I can’t receive ordinary mail from it as a secondary MX? If not, how do you think I ought to go about this?

What about if I extend this setup so that my mailer machine only makes outbound connections to the proxy host—can I still receive inbound mail, through a forwarded port perhaps? SSH seems like the obvious answer, but then I’d lose sender information, yes? I could use an inner VPN, perhaps. But something that only carries application-layer traffic would be nicer. Exim supports SOCKS, but not the bind method—perhaps that would be useful.

Any thoughts appreciated.

Cheers,
Sabahattin


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: Receive Mail From a Secondary-MX Proxy
On 2021-08-25, Sabahattin Gucukoglu via Exim-users <exim-users@exim.org> wrote:
> I am thinking about how I’ll manage to send and receive mail from the Internet by way of a proxy, with SOCKS for outbound and proxy-protocol for inbound mail, where the proxy is also potentially a backup MX. The idea is that I will run the mailer on a network with a dynamic connection, and use a VPS with a fixed IP for connectivity that’s trustworthy for other MX hosts, which only accepts mail when the ISP connection goes down for a noticeable period. I could even extend the client connection through a VPN, so the ISP is oblivious to how it’s used (the country in question has a very flexible approach to civil liberties).
>
> The doc says Exim recognises a proxy host by IP; does this mean I
> can’t receive ordinary mail from it as a secondary MX? If not, how do
> you think I ought to go about this?

Tell the proxy protocol host to deliver email to its own external IP
address; that will cause it to open a proxy connection to the Exim server.

> What about if I extend this setup so that my mailer machine only makes outbound connections to the proxy host—can I still receive inbound mail, through a forwarded port perhaps? SSH seems like the obvious answer, but then I’d lose sender information, yes? I could use an inner VPN, perhaps. But something that only carries application-layer traffic would be nicer. Exim supports SOCKS, but not the bind method—perhaps that would be useful.

I'm not sure what you mean.

--
Jasen.


Re: Receive Mail From a Secondary-MX Proxy
On 26 Aug 2021, at 12:36, Jasen Betts via Exim-users <exim-users@exim.org> wrote:
> On 2021-08-25, Sabahattin Gucukoglu via Exim-users <exim-users@exim.org> wrote:
>> The doc says Exim recognises a proxy host by IP; does this mean I
>> can’t receive ordinary mail from it as a secondary MX? If not, how do
>> you think I ought to go about this?
>
> Tell the proxy protocol host to deliver email to its own external IP
> address; that will cause it to open a proxy connection to the Exim server.

Of course. Thanks! Presumably I’ll need to do some work to ensure TLS validation succeeds and that Exim doesn’t trip over any loop detection logic, but I’m not sure why I didn’t think of that.

>> What about if I extend this setup so that my mailer machine only makes outbound connections to the proxy host—can I still receive inbound mail, through a forwarded port perhaps? SSH seems like the obvious answer, but then I’d lose sender information, yes? I could use an inner VPN, perhaps. But something that only carries application-layer traffic would be nicer. Exim supports SOCKS, but not the bind method—perhaps that would be useful.
>
> I'm not sure what you mean.

Imagine the dynamic host has no means of listening to a routable address, perhaps because it is behind a CGNAT. Can I arrange it so that I only maintain (presumably health-checked with heartbeats) an outbound connection to the proxy host, but still receive SMTP traffic directed at the proxy host’s publicly-routed address(es), such that I get to keep sender information? I want to do this at the application-layer, if possible, since VPN access for the client is already protecting all of that machine’s traffic. Perhaps SOCKS bind support (connect to a SOCKS server, ask for a listening port) or running the proxy protocol inside another protocol, maybe SSH. Shall have to think some more about that.

Cheers,
Sabahattin
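An added example, not from any post in this thread and not Exim's own code: a small Python model of the proxy-protocol v1 header the VPS would prepend to each relayed SMTP session (including the case from the earlier reply where the VPS delivers its own backup-MX spool to its own external address), and the check the mailer must make before believing it. The trusted proxy address and the sample client addresses are constructed for the example.

```python
import ipaddress

# Constructed for this example: the fixed-IP VPS that fronts the dynamic mailer.
# Only a session arriving from this address may carry a PROXY header. Any other
# peer offering one is refused, otherwise a stranger could forge the client
# address that lands in Received: headers, logs and host-based ACL decisions.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}

def build_proxy_v1(src, dst, sport, dport):
    """Line the VPS writes to the relayed TCP stream ahead of any SMTP bytes."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n"

def parse_proxy_v1(line):
    """Return (client_ip, client_port) from a v1 header, or None for UNKNOWN."""
    if not line.endswith("\r\n") or len(line) > 107:   # v1 lines are CRLF-terminated, max 107 bytes
        raise ValueError("malformed PROXY line")
    parts = line[:-2].split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("not a PROXY line")
    if parts[1] == "UNKNOWN":                            # proxy could not see the client
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported PROXY family or field count")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport

def connecting_client(peer_ip, first_line):
    """Address the mailer should treat as the SMTP client for this session.
    peer_ip is the TCP peer we accepted; first_line is the first line read."""
    peer = ipaddress.ip_address(peer_ip)
    if not first_line.startswith("PROXY "):
        return peer_ip                                   # direct session, nothing to unwrap
    if peer not in TRUSTED_PROXIES:
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    parsed = parse_proxy_v1(first_line)
    # The VPS draining its own spool shows up here with src == its own address,
    # which cleanly distinguishes it from third-party connections it relayed.
    # UNKNOWN falls back to the proxy's address rather than to nothing at all.
    return parsed[0] if parsed else peer_ip
```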



Re: Receive Mail From a Secondary-MX Proxy
On Wed, 25 Aug 2021, Sabahattin Gucukoglu via Exim-users wrote:

> What about if I extend this setup so that my mailer machine only
> makes outbound connections to the proxy host—can I still receive
> inbound mail, through a forwarded port perhaps? SSH seems like the
> obvious answer, but then I’d lose sender information, yes? I could
> use an inner VPN, perhaps. But something that only carries
> application-layer traffic would be nicer. Exim supports SOCKS, but
> not the bind method—perhaps that would be useful.

Sounds as though ETRN might be what you want.
The "real" server connects to the secondary with SMTP, gives the command
"ETRN" and the secondary then sends any waiting email down the connection.

I've never tried this so can't say much about the pitfalls or other details
but it appears to have been designed for dial-up mail servers.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Receive Mail From a Secondary-MX Proxy
On 29 Aug 2021, at 13:50, Andrew C Aitchison <andrew@aitchison.me.uk> wrote:
> On Wed, 25 Aug 2021, Sabahattin Gucukoglu via Exim-users wrote:
>> What about if I extend this setup so that my mailer machine only
>> makes outbound connections to the proxy host—can I still receive
>> inbound mail, through a forwarded port perhaps? SSH seems like the
>> obvious answer, but then I’d lose sender information, yes? I could
>> use an inner VPN, perhaps. But something that only carries
>> application-layer traffic would be nicer. Exim supports SOCKS, but
>> not the bind method—perhaps that would be useful.
>
> Sounds as though ETRN might be what you want.
> The "real" server connects to the secondary with SMTP, gives the command
> "ETRN" and the secondary then sends any waiting email down the connection.
>
> I've never tried this so can't say much about the pitfalls or other details
> but it appears to have been designed for dial-up mail servers.

Unfortunately ETRN is just a “remote queue start”, i.e. triggering a queue run, so the server connects back. The follow-on solution was “Authenticated TURN”, which is the traditional TURN with authentication first, i.e. does as you describe. Exim’s support for ETRN is powerful, and in combination with “batched SMTP” makes it quite possible to put together a solution for intermittent hosts, but I’m looking for a solution that simply makes the client host accessible as a server; the secondary can do a traditional backup MX role when the client isn’t connected or is down, but when it’s up, it should be reachable from the public Internet. It is also preferable that I not store a spool on a public computer, though that’s probably taking paranoia a bit far.

I think running the proxy protocol over SSH should work. I’m also looking at Postfix’s support for this using its “XCLIENT” command.

Cheers,
Sabahattin

