several external interfaces-traffic balancing & ebox services (mail)

[pituhdo]

Hello all

I've been using Ebox for several time on version 0.11.101 and recently I have successfully run and configure the mail module, but i have one "little" problem... Let me explain:

My environment:

                  |          |-eth1(ext)->IP1->myexternaldomain.com---------------------> Gateway1
eth0 (int) -|EBOX|
                  |          |-eth2(ext)->IP2 (without a domain)------------------------------>Gateway2

In this environment I have succesfully configured firewall rules, two gateways (Gateway1 & Gateway2) and also load balancing for my internal network to use both external lines. All is working as desired but...

Problem description:

I have configured a mail server on the EBOX box. I have succesfully configured  the DNS to point myexternaldomain.com to point to IP1 and I'm able to get messages sent to my domain. The problem comes when I try to send message from the box to an external domain (for example gmail). It seems when an email must be sent, EBOX select one external interface randomly (load balancing) and send the email over this interface. If EBOX select where the externaldomain.com is binded there is no problem. The problem arrives when EBOX selects eth2 and gmail reject the message with the following message:

<xxxxxxx@gmail.com>: host gmail-smtp-in.l.google.com[74.125.79.114]
    said: 550-5.7.1 [IP2] The IP you're using to send mail is not
    authorized to 550-5.7.1 send email directly to our servers. Please use the
    SMTP relay at your 550-5.7.1 service provider instead. Learn more at
    http://mail.google 550 5.7.1 .com/support/bin/answer.py?answer=10336
    5si126839eyf.38 (in reply to end of DATA command)

Troubleshooting so far:

I have tried to add a multigatewayrule for all the outgoing SNMP traffic (port 25), but it seems this rule doesn't affect the traffic generated on the box itself (feature/bug?)

Also I have figured that on the "Filtering rules for traffic coming out from eBox" firewall rule you could specify a gateway in each rule, but it seems there is no way to achieve it

Also I have been searching in the forums and I have found the following thread: http://forum.ebox-platform.com/index.php?topic=599.0 which seems similar to my problem but in the solution it uses:

pf "-t nat -I POSTROUTING -s IP_OF_SERVER -o OUT_IF -j SNAT --to SOURCE_IP";

but as far as I understand my problem is not related with NAT table.

Any idea would be really appreciated

Thanks you very much in advance.

[javi]

Hi,

I have tried to add a multigatewayrule for all the outgoing SNMP traffic (port 25), but it seems this rule doesn't affect the traffic generated on the box itself (feature/bug?)

It's a feature Seriously though, this is a limitation in our current stable version, but it's already fixed in our repository. IIRC this is fixed as of 1.2-alpha3 which is due in a few days, you can pick eBox as traffic a source to add a multigw rule.


There's a workaround though until you install the upcoming 1.2. You must play with the mangle table, that's the netfilter table that is used to mark  packets to make them come out by a given gateway.

Run this command:

Code: [Select]

sudo iptables -t mangle -A OUTPUT -p tcp --destination-port  25 -j MARK --set-mark 1

Note that mark 1 tells iptables to use the router 1, as you have 2 routers,  maybe you need to use mark 2. It depends on your conf.

[pituhdo]

Hi Javi,

Thanks a lot for your quick and accurate response. It seems the command you mention has done the trick.

Muchísimas gracias

PItu