Koozali.org formerly Contribs.org

GeoIP & Smarthost
« on: July 07, 2020, 05:21:47 AM »
Howdy Brainstrust

I have an SME 9.2 box set as a Smarthost for an Exchange server, setup is as follows:

Router - SME (Mail & SSH) in subnet1 - Exchange (in subnet2)

and

Router - (other services) in subnet2

When inspecting the qpsmtpd logs it shows all connections from outside as coming from the client's public IP & not from the IP of the connecting host, log extract follows:

2020-07-07 11:07:01.635627500 9378 Accepted connection 1/40 from xxx.xxx.xxx.xxx / mail.XXX.com.au
2020-07-07 11:07:01.635710500 9378 Connection from mail.XXX.com.au [xxx.xxx.xxx.xxx]
2020-07-07 11:07:02.966050500 9378 (connect) earlytalker: pass, not spontaneous
2020-07-07 11:07:02.966579500 9378 (connect) relay: skip, no match
2020-07-07 11:07:02.994457500 9378 (connect) check_badcountries: GeoIP RemoteIP: xxx.xxx.xxx.xxx
2020-07-07 11:07:02.994458500 9378 (connect) check_badcountries: GeoIP City: Forest Hill
2020-07-07 11:07:02.994471500 9378 (connect) check_badcountries: GeoIP Country: AU
2020-07-07 11:07:03.323622500 9378 (connect) dnsbl: pass
2020-07-07 11:07:03.323817500 9378 220 gateway.XXX.com.au ESMTP
2020-07-07 11:07:04.358277500 9378 dispatching EHLO User
2020-07-07 11:07:04.360043500 9378 (ehlo) helo: pass
2020-07-07 11:07:04.361334500 9378 250-XXX.com.au Hi mail.XXX.com.au [xxx.xxx.xxx.xxx]
2020-07-07 11:07:04.361375500 9378 250-PIPELINING
2020-07-07 11:07:04.361377500 9378 250-8BITMIME
2020-07-07 11:07:04.361394500 9378 250-SIZE 15000000
2020-07-07 11:07:04.361427500 9378 250-STARTTLS
2020-07-07 11:07:04.361455500 9378 250 AUTH PLAIN LOGIN
2020-07-07 11:07:05.886706500 9378 dispatching RSET
2020-07-07 11:07:05.887049500 9378 250 OK
2020-07-07 11:07:07.456318500 9378 dispatching AUTH LOGIN
2020-07-07 11:07:07.457011500 9378 334 VXNlcm5hbWU6
2020-07-07 11:07:09.031236500 9378 334 UGFzc3dvcmQ6
2020-07-07 11:07:10.541857500 9378 (auth-login) auth::auth_cvm_unix_local: fail: authentication failure for: berri@com.au
2020-07-07 11:07:10.542291500 9378 (deny) logging::logterse: ` xxx.xxx.xxx.xxx   mail.XXX.com.au User                    auth::auth_cvm_unix_local       901     auth failure (100)      msg denied before queued
2020-07-07 11:07:10.542438500 9378 535 LOGIN authentication failed for berri@com.au - auth failure (100)
2020-07-07 11:07:12.126060500 9378 dispatching QUIT
2020-07-07 11:07:12.126458500 9378 221 XXX.com.au closing connection. Have a wonderful day.
2020-07-07 11:07:12.126555500 9378 click, disconnecting

Suggestions on what to tweak to get the connecting IP to show instead of the client's public IP?

Cheers

..................

Offline ReetP

Re: GeoIP & Smarthost
« Reply #1 on: July 07, 2020, 10:40:50 AM »
Without providing a better diagram and some example IPs it is hard to guess.

If SME is just a smarthost, why are users connecting? Surely all connections should be to Exchange?

Or have you got some other trickery that you haven't told us? Or mixing your metaphors? :-)

I think you need to take a step back and describe the layout better.

Also, have you fixed this?

Quote
LOGIN authentication failed for berri@com.au
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: GeoIP & Smarthost
« Reply #2 on: July 07, 2020, 05:28:41 PM »
Ok, more info on router:

Router (Public IP), LAN (2 subnets, 10.0.0.x & 172.16.0.x)

10.0.0.x is main LAN with the router on 10.0.0.1.  Within the router I've configured the IP 172.16.0.2  to be routed to SME for SMTP (port forward) on 172.16.0.1, 2nd NIC in SME is on 10.0.0.247 & connected to main LAN.   SME is in public gateway mode.  I've configured 10.0.0.x as a 2nd subnet on the router for the main LAN.

The qpsmtpd extract shows:  Accepted connection 1/40 from xxx.xxx.xxx.xxx / mail.XXX.com.au

Qpsmtpd seems to consider the connection from 172.16.0.2 as coming from the public IP as that is what it's reporting.

Exchange is configured to send & receive email via the SME on 10.0.0.247 & SME is configured to relay to the Exchange server.

Email send & receive work fine.

The lack of correctly reported IP/host means I can't fine tune my antispam or get fail2ban to work fully.

The email address is evidence of a brute force against SMTP, these addresses are nonexistent.
« Last Edit: July 07, 2020, 05:30:47 PM by smeghead »
..................
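The post above says fail2ban cannot work when the log carries the router's address instead of the client's. As an added example (not code from the thread, SME Server, qpsmtpd or fail2ban), here is the per-IP triage a fail2ban filter would have to do, written over constructed log lines whose shape is copied from the qpsmtpd extract above. Timestamps, pids, hostnames, the RFC 5737 addresses and the assumed router addresses in NAT_ADDRESSES are all made up for illustration.

```python
"""Per-IP triage of qpsmtpd SMTP AUTH failures.

Added example for this thread; not code from the thread, SME Server, qpsmtpd
or fail2ban. Line shapes follow the qpsmtpd extract in the thread; the
timestamps, pids, hostnames and RFC 5737 addresses are constructed.
"""
import re
from collections import Counter

# logterse deny line written on an AUTH failure. After the backtick the fields
# are whitespace separated: remote IP, remote host, HELO, plugin, code, message.
_LOGTERSE_AUTH_FAIL = re.compile(
    r"^\S+ \S+ (?P<pid>\d+) \(deny\) logging::logterse: ` "
    r"(?P<ip>\S+)\s+(?P<host>\S+)\s+.*?auth::\S+\s+\d+\s+auth failure"
)
# The 535 reply that follows carries the username the client tried.
_AUTH_535 = re.compile(
    r"^\S+ \S+ (?P<pid>\d+) 535 \S+ authentication failed for (?P<user>\S+)"
)

# Assumed router addresses in this thread's layout: its public side and the
# 172.16.0.2 side facing the SME WAN NIC.
NAT_ADDRESSES = frozenset({"203.0.113.1", "172.16.0.2"})

# Constructed: what the log looks like when the router rewrites the source,
# so every failed AUTH is attributed to the router's public address.
MASKED_SAMPLE = """\
2020-07-07 11:07:01.635627500 9378 Accepted connection 1/40 from 203.0.113.1 / mail.example.com.au
2020-07-07 11:07:10.542291500 9378 (deny) logging::logterse: ` 203.0.113.1 mail.example.com.au User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:07:10.542438500 9378 535 LOGIN authentication failed for berri@example.com.au - auth failure (100)
2020-07-07 11:08:29.220000000 9402 (deny) logging::logterse: ` 203.0.113.1 mail.example.com.au User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:08:29.230000000 9402 535 LOGIN authentication failed for sales@example.com.au - auth failure (100)
2020-07-07 11:09:11.600000000 9417 (deny) logging::logterse: ` 203.0.113.1 mail.example.com.au User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:09:11.610000000 9417 535 LOGIN authentication failed for info@example.com.au - auth failure (100)
"""

# Constructed: the same activity with the real client addresses preserved.
DIRECT_SAMPLE = """\
2020-07-07 11:07:10.542291500 9378 (deny) logging::logterse: ` 198.51.100.7 scanner.example.net User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:07:10.542438500 9378 535 LOGIN authentication failed for berri@example.com.au - auth failure (100)
2020-07-07 11:08:29.220000000 9402 (deny) logging::logterse: ` 198.51.100.7 scanner.example.net User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:08:29.230000000 9402 535 LOGIN authentication failed for sales@example.com.au - auth failure (100)
2020-07-07 11:09:11.600000000 9417 (deny) logging::logterse: ` 198.51.100.7 scanner.example.net User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:09:11.610000000 9417 535 LOGIN authentication failed for info@example.com.au - auth failure (100)
2020-07-07 11:12:40.000000000 9455 (deny) logging::logterse: ` 203.0.113.50 laptop.example.org User auth::auth_cvm_unix_local 901 auth failure (100) msg denied before queued
2020-07-07 11:12:40.010000000 9455 535 LOGIN authentication failed for bob@example.com.au - auth failure (100)
"""


def parse_auth_failures(log_text):
    """Return (ip, host, user) per failed AUTH, in log order.

    The deny line precedes the 535 reply, so a deny is held until the 535 with
    the same pid arrives; a deny with no matching 535 keeps user=None.
    """
    failures = []
    pending = {}  # pid -> index into failures
    for line in log_text.splitlines():
        m = _LOGTERSE_AUTH_FAIL.match(line)
        if m:
            pending[m["pid"]] = len(failures)
            failures.append([m["ip"], m["host"], None])
            continue
        m = _AUTH_535.match(line)
        if m and m["pid"] in pending:
            failures[pending.pop(m["pid"])][2] = m["user"]
    return [tuple(f) for f in failures]


def failures_by_ip(log_text):
    """Count failed AUTHs per address qpsmtpd reported as TCPREMOTEIP."""
    return Counter(ip for ip, _host, _user in parse_auth_failures(log_text))


def nat_masked(counts, nat_addresses=NAT_ADDRESSES):
    """True when every failure is attributed to a router/NAT address: the log
    then carries the router, not the client, and a per-IP ban would either
    block the router (all inbound mail) or block nothing useful."""
    return bool(counts) and set(counts) <= set(nat_addresses)


def ban_candidates(counts, threshold=3, nat_addresses=NAT_ADDRESSES):
    """Addresses at or above the threshold, never a NAT address."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in nat_addresses)


if __name__ == "__main__":
    for name, sample in (("masked", MASKED_SAMPLE), ("direct", DIRECT_SAMPLE)):
        counts = failures_by_ip(sample)
        print(name, dict(counts), "nat_masked=%s" % nat_masked(counts),
              "ban=%s" % ban_candidates(counts))
```

The masked sample reproduces the thread's situation: three failed logins for three different nonexistent users, all attributed to one router address, so there is nothing safe to ban. The direct sample shows what the same scan looks like once the real source survives the port forward: the scanner crosses the threshold and the one-off failure from another address does not.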

Offline ReetP

Re: GeoIP & Smarthost
« Reply #3 on: July 07, 2020, 06:28:33 PM »
Quote
Accepted connection 1/40 from xxx.xxx.xxx.xxx / mail.XXX.com.au

So exactly which machine is this?? Is that xxx.xxx.xxx.xxx an IP on the interwebs or local? Where IS the client's server? What has that IP/domain got to do with anything?

What happens if you ping mail.XXX.com.au from SME? Where is it? Or is this just an irrelevance?

Quote
Qpsmtpd seems to consider the connection from 172.16.0.2 as coming from the public IP as that is what it's reporting.

What is connecting via this IP?

Sorry but it is still not overly clear here. Please, draw a little diagram or something and indicate which way the mail follows and where it is going wrong.

You have it all clear in your head but it is all a bit muddy from here with some bits that are missing.

Re: GeoIP & Smarthost
« Reply #4 on: July 07, 2020, 08:14:01 PM »
.. as already stated the xxx.xxx.xxx.xxx is the public IP of the router on the Internet, I don't know of any other way to state it, it's public NOT private.

The clients server is behind the SME, if you look at my statement:

"10.0.0.x is main LAN with the router on 10.0.0.1.  Within the router I've configured the IP 172.16.0.2  to be routed to SME for SMTP (port forward) on 172.16.0.1, 2nd NIC in SME is on 10.0.0.247 & connected to main LAN.   SME is in public gateway mode.  I've configured 10.0.0.x as a 2nd subnet on the router for the main LAN."

It shows the SME connected to the router on 172.16.0.1 & the local LAN on 10.0.0.247, the Exchange server is on 10.0.0.7.

So Inbound SMTP traffic flows as follows (port 25 on the router is port forwarded to the SME on port 25):

Public IP - 172.16.0.2 - 172.16.0.1 (SME WAN NIC) - 10.0.0.247 (SME LAN NIC) - 10.0.0.7 (Exchange).

If I ping the mail.xxx.com.au host on the SME itself it resolves to the SME LAN IP, namely 10.0.0.247

I've stated email traffic is connecting to the public IP & then routed to an Exchange server via an SME server.

Quote
So exactly which machine is this?? Is that xxx.xxx.xxx.xxx an IP on the interwebs or local? Where IS the client's server? What has that IP/domain got to do with anything?

What happens if you ping mail.XXX.com.au from SME? Where is it? Or is this just an irrelevance?

What is connecting via this IP?

Sorry but it is still not overly clear here. Please, draw a little diagram or something and indicate which way the mail follows and where it is going wrong.

You have it all clear in your head but it is all a bit muddy from here with some bits that are missing.
..................

Offline ReetP

Re: GeoIP & Smarthost
« Reply #5 on: July 08, 2020, 12:56:30 AM »
Quote
.. as already stated the xxx.xxx.xxx.xxx is the public IP of the router on the Internet, I don't know of any other way to state it, it's public NOT private.

Actually no you didn't exactly. Hence the question. Despite what you think we are not asking for the fun of it, but to try and clarify your layout in our OWN heads.

Remember, you have this all in your head, and it all makes perfect sense to you. We do not.

And please remember, you are the one with the problem. We are trying to understand it so we can try and help you, not to wind you up. Forgive us if the questions might seem simple or stupid. That's just the way it is.

Ok. So  xxx.xxx.xxx.xxx  / mail.XXX.com.au is on the WAN side of the router? (Humour me!!)

At a guess it looks like something is going on in your router. SME would appear to be seeing a connection from your router, and not direct from the interwebs/external mail servers themselves. It can only report the connections that it sees AFAIAA.

eg it is seeing a packet that goes:

1.2.3.4 -> x.x.x.x -> 172.16.0.2 -> 172.16.0.1

So it sees a connection from 172.16.0.2, or the WAN IP x.x.x.x

In reality it should see:

1.2.3.4 -> 172.16.0.1

Correct?

So what sort of router is it? is it running some sort of proxy/AV filtering?

If we look at say this:

https://github.com/smtpd/qpsmtpd/blob/master/qpsmtpd-forkserver

Code:
    ::log(LOGINFO,
        "Accepted connection $running/$MAXCONN from $ENV{TCPREMOTEIP} / $ENV{TCPREMOTEHOST}");

So we have "Accepted Connection 1/40 from TCPREMOTEIP / TCPREMOTEHOST"

TCPREMOTEIP comes from $nto_iaddr which is retrieved right at the start of the connection.

Code:
        # get local/remote hostname, port and ip address
        my ($port, $iaddr, $lport, $laddr, $nto_iaddr, $nto_laddr) =
            $qpsmtpd->lrpip($server, $client, $hisaddr);

The point being that this is what SME sees - a connection from the router, not the remote server. Don't know how or why.

Can you also just confirm whether ALL traffic flows via SME, or does just the port 25 traffic go to SME and the rest go direct to the 10.0.0.x network from the router (which is entirely possible with your layout from the looks of the excellent picture!)?

Remember, you do have two routes from the router to SME there.

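The reply above makes the point that qpsmtpd can only log the peer address of the socket it accepted, so the difference between "1.2.3.4 -> 172.16.0.1" and "1.2.3.4 -> x.x.x.x -> 172.16.0.2 -> 172.16.0.1" is entirely down to what the router does to the packet. As an added example (not code from the thread, SME Server, qpsmtpd or any router product), this small NAT model shows the two router behaviours side by side: a plain port forward, which rewrites only the destination and leaves the client's source address intact, and a port forward that also masquerades toward the SME subnet, which overwrites the source with the router's own address. The rule format and the router WAN/sender addresses (RFC 5737) are assumptions for illustration; 172.16.0.1 and 172.16.0.2 follow the layout described in the thread.

```python
"""What qpsmtpd's accept() sees behind the router in this thread.

Added example; not code from the thread, SME Server, qpsmtpd or any router.
A tiny NAT rule engine (an assumption for illustration, not any vendor's
rule format) models two router behaviours: a plain port forward (DNAT only)
and a port forward that also masquerades toward the SME subnet (DNAT + SNAT).
The sender and router WAN addresses are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass, replace
from typing import Optional

ROUTER_WAN = "203.0.113.1"      # assumed public address of the router
ROUTER_DMZ = "172.16.0.2"       # router's address facing the SME WAN NIC
SME_WAN_NIC = "172.16.0.1"
INTERNET_SENDER = "198.51.100.7"  # assumed remote mail server / scanner


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    kind: str                    # "dnat" (port forward) or "snat" (masquerade)
    dst: str                     # destination address to match
    to: str                      # address written into the packet
    dport: Optional[int] = None  # destination port to match, any if None

    def matches(self, pkt):
        return pkt.dst == self.dst and (self.dport is None or pkt.dport == self.dport)


def apply_rules(pkt, rules):
    """Rewrite a packet the way a router does: DNAT before routing, SNAT after.
    SNAT rules therefore match on the already-rewritten destination."""
    for r in rules:
        if r.kind == "dnat" and r.matches(pkt):
            pkt = replace(pkt, dst=r.to)
    for r in rules:
        if r.kind == "snat" and r.matches(pkt):
            pkt = replace(pkt, src=r.to)
    return pkt


def peer_seen_by_sme(pkt, rules):
    """The address qpsmtpd logs as TCPREMOTEIP: the peer of the accepted
    socket, i.e. whatever source the last NAT hop left in the packet."""
    out = apply_rules(pkt, rules)
    if out.dst != SME_WAN_NIC:
        raise ValueError("packet was not forwarded to the SME: %r" % (out,))
    return out.src


PORT_FORWARD_ONLY = [Rule("dnat", dst=ROUTER_WAN, to=SME_WAN_NIC, dport=25)]
PORT_FORWARD_AND_MASQUERADE = PORT_FORWARD_ONLY + [
    Rule("snat", dst=SME_WAN_NIC, to=ROUTER_DMZ),
]


def diagnose(logged_ip, router_addresses=(ROUTER_WAN, ROUTER_DMZ)):
    """Classify a TCPREMOTEIP taken from the qpsmtpd log."""
    if logged_ip in router_addresses:
        return "masked"   # router is source-NATing; the real client is lost
    return "direct"       # logged address is the real client


if __name__ == "__main__":
    inbound = Packet(INTERNET_SENDER, ROUTER_WAN, 25)
    for name, rules in (("port forward only", PORT_FORWARD_ONLY),
                        ("port forward + masquerade", PORT_FORWARD_AND_MASQUERADE)):
        seen = peer_seen_by_sme(inbound, rules)
        print("%-26s SME logs %-14s -> %s" % (name, seen, diagnose(seen)))
```

The practical check the model stands in for is a capture on the SME's WAN NIC while a remote host connects, e.g. `tcpdump -ni eth0 tcp port 25` (substitute the interface that carries 172.16.0.1): if the source address on the wire is already the router's, the rewrite happens on the router and no qpsmtpd or fail2ban setting can recover the original client, so the fix belongs in the router's port-forward (DNAT without masquerade) rather than on the SME.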