<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>We’ve configured an e-mail gateway to allow packet users to send to Internet email addresses. But JNOS has no way to control when the gateway is used. We really need a way to control when the smtp gateway is used (and not used).<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Background:<o:p></o:p></p><p class=MsoNormal>JNOS can talk SMTP just fine with other JNOS systems. But it evidently does not adhere to the current protocol very well which makes it problematic when talking with non-JNOS SMTP mailers. For example, I get this message in the log ever time JNOS connects to a current SMTP mailer:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> Dec 5 20:58:31 cpk postfix/smtpd[10138]: improper command pipelining after HELO from w6xsc-4.ampr.org[44.4.50.4]<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Another problem with the JNOS SMTP server is a complete lack of security mechanisms, such as checks, filters, etc. which are part of any typical internet mail gateway. This isn’t a complaint, just a fact.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Scenario:<o:p></o:p></p><p class=MsoNormal>I’d like to allow JNOS to talk directly to any machine in my domain.txt, and any machine with either a 44.x address or an ampr.org domain name. Anything else should go to the smtp gateway for handling. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Problem:<o:p></o:p></p><p class=MsoNormal>The “smtp gateway” command is described in the manual as:<o:p></o:p></p><p class=MsoNormal>Displays or sets the host to be used as a “smart” mail relay. Any mail sent to a host not in the domain.txt file or not found via a nameserver query, will instead be sent to the gateway for forwarding.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The problem with this is that JNOS does a DNS query for any mail destination that is not in domain.txt. We can turn off MX queries (with smtp usemx no) but JNOS still performs an A record query. When it receives the answer, it attempts to connect directly to the remote host. With “smtp usemx yes” it will attempt to connect directly to the MX for the remote host. So there’s no way to control when JNOS uses the smtp gateway. In fact, as long as DNS is configured, and you’re sending to a proper internet email address, JNOS will NEVER use the gateway since it will always get an answer from the nameserver. That’s just not right.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Workaround:<o:p></o:p></p><p class=MsoNormal>I currently have iptables set to disallow SMTP connections on the JNOS-to-Linux tunnel that are from JNOS to anything other than the SMTP gateway. This means that JNOS will try over and over, but will be unsuccessful in contacting the remote host. It will then try to send to the gateway. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>However, this workaround has a problem. Since it relies on a connection failure, it can end up being used unintentionally, such as when the remote system is another JNOS system. If that remote system is down temporarily, JNOS tries and fails to connect, so it ships it to the gateway. The gateway then tries to deliver it via the internet (out to the internet, back in via the UCSD gateway, etc.) which is not allowed on many JNOS systems.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Solution:<o:p></o:p></p><p class=MsoNormal>What we really need is a way to tell JNOS when and when not to use the “smtp gateway”. I think the easiest approach would be to define when JNOS should attempt a direct connect and then let the SMTP gateway handle anything else. It seems that the best approach would be to allow either IP address or domain name nomenclature. Here’s one example:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>smtp direct local # host is in domain.txt<o:p></o:p></p><p class=MsoNormal>smtp direct address 44.0.0.0/8<o:p></o:p></p><p class=MsoNormal>smtp direct domain ampr.org<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Instead of “direct”, something like “nogateway” could be used.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This basically says, if the host is in domain.txt or it has an address of 44.x or it has a domain of ampr.org, then send it direct. Otherwise, use the gateway.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Is this doable?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Michael<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>