[Mailman-Users] Mailman server consuming entire Internet pipe (dual T1)

Mark Sapiro mark at msapiro.net
Thu Nov 25 00:49:32 CET 2010


On 11/24/2010 11:16 AM, Scott Race wrote:
> Thanks for the reply.
> 
> So it sounds like my iptables rule:
> 
> iptables -A INPUT -p tcp --dport 25 -j REJECT
> 
> also blocks outbound mail too.  Is there a preferred way to secure mailman SMTP traffic with iptables?  In our case, we would just need an inbound filter that only accepts mail from a few hosts, I thought this would do it, but mailman wouldn't send mail with rules like this:
> 
> # accept mail from two hosts, drop the rest
> iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j REJECT


I can't really answer that without knowing much more detail about your
Mailman/Barracuda/Postfix configuration, but by default, Mailman
delivers output (all list posts and other messages FROM Mailman) via
SMTP to the MTA listening on localhost port 25 (127.0.0.1:25). If you
reject packets addressed to port 25, Mailman won't be able to
deliver anything. Every message in the out/ queue will result in a
connection refused upon attempted delivery and will be logged in
Mailman's smtp-failure log and put in the retry/ queue to be retried at
intervals of DELIVERY_RETRY_WAIT (default 1 hour) for a total time of
DELIVERY_RETRY_PERIOD (default 5 days).


Accepting port 25 connects from 192.168.1.245 and 192.168.1.246 probably
won't help at all with Mailman's outgoing delivery as those connects
come from localhost (127.0.0.1).

As far as delivery of mail to Mailman is concerned, this mail is queued
by Postfix in Mailman's queues, so it gets to the Barracuda appliance
somehow, which then delivers it to Postfix on some port other than 25, and
Postfix either pipes it to Mailman's mail wrapper based on aliases or
perhaps via some script like postfix_to_mailman.py depending on how
Postfix is configured, and Mailman's mail wrapper queues the message for
Mailman.

If you want to secure all SMTP traffic, I suggest you set up a separate
SMTP listener in Postfix on some unused port and tell Mailman to deliver
to that port by setting SMTPPORT in mm_cfg.py. Then you can block port
25 with iptables or just configure Postfix to not listen on port 25 at all.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
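The ruleset below is an added example for the iptables question in this thread; it is not from the original post, from Mark's reply, or from the Mailman project. It keeps the two relay hosts from the thread (192.168.1.245 and 192.168.1.246) and fixes the ordering problem Mark points out: Mailman's own deliveries to 127.0.0.1:25 traverse the INPUT chain too, so the catch-all REJECT has to be preceded by an ACCEPT for loopback. The loopback interface name "lo", IPv4-only rules, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example for the iptables case discussed above; it is not from the
# original thread or from the Mailman project. It builds an INPUT ruleset
# that accepts SMTP on port 25 only from the relay hosts given on the
# command line while still letting Mailman deliver to the MTA on
# 127.0.0.1:25. Assumptions: IPv4 only, the loopback interface is named
# "lo", and the function names are ours.

# smtp_input_rules HOST...
# Print the rules in the order they must be appended. The loopback ACCEPT
# has to come before the final REJECT: Mailman's own connections to
# 127.0.0.1:25 pass through INPUT like any other inbound packet, which is
# why the original ruleset produced "connection refused" entries in
# Mailman's smtp-failure log.
smtp_input_rules() {
    # Mailman -> local MTA over loopback.
    echo "iptables -A INPUT -i lo -p tcp --dport 25 -j ACCEPT"
    # The permitted relays (e.g. the Barracuda appliance).
    for host in "$@"; do
        echo "iptables -A INPUT -p tcp -s $host --dport 25 -j ACCEPT"
    done
    # Everyone else gets a TCP RST rather than a silent timeout.
    echo "iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# smtp_rules_ok RULESET
# Sanity check before applying: the first rule must be the loopback ACCEPT
# and the last the catch-all REJECT, so nothing blocks local delivery.
smtp_rules_ok() {
    first=$(printf '%s\n' "$1" | head -n 1)
    last=$(printf '%s\n' "$1" | tail -n 1)
    case "$first" in *"-i lo"*"-j ACCEPT") ;; *) return 1 ;; esac
    case "$last" in *"--dport 25 -j REJECT"*) ;; *) return 1 ;; esac
    return 0
}

# Usage (as root): sh smtp-rules.sh apply 192.168.1.245 192.168.1.246
# Without "apply" the rules are only printed for review.
if [ "${1:-}" = "apply" ]; then
    shift
    rules=$(smtp_input_rules "$@")
    smtp_rules_ok "$rules" || { echo "refusing to apply: bad rule order" >&2; exit 1; }
    printf '%s\n' "$rules" | while IFS= read -r rule; do sh -c "$rule"; done
elif [ "$#" -gt 0 ]; then
    smtp_input_rules "$@"
fi
```

If you prefer the second approach Mark describes, the equivalent (assumed, not from the thread) pieces would be a dedicated Postfix listener in master.cf, for instance `127.0.0.1:2525 inet n - n - - smtpd`, paired with `SMTPPORT = 2525` in mm_cfg.py; the port number is arbitrary. Then port 25 can be rejected outright, or Postfix can simply stop listening on it, without touching Mailman's delivery path.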


