Using the LFW as an Unauthenticated Email Relay

The Logical Firewall is capable of accepting and relaying email without authentication however this is disabled by default (to prevent spammers from abusing it).

Because some people have old tools or devices which automatically send email (without authentication) and our campus email relays are now requiring authentication, this page will describe how to setup the LFW as an email relay which does not require authentication. BUT TO PREVENT ABUSE BY SPAMMERS, YOU MUST USE TIGHT FIREWALL RULES TO PREVENT UNAUTHORIZED HOSTS FROM CONNECTING TO YOUR NEW RELAY.

To enable email relaying on the Logical Firewall you must complete two steps:

  1. You must manually add firewall rules to allow connections from only those hosts you want to allow to use the relay. These rules go in the "/usr/local/sbin/tables" file immediately following these lines: and will look something like this: Where SRC_IP1 and SRC_IP2 are the IP addresses of the hosts from which you want to accept email to relay.
    See also Manually Editing Firewall Rules.

  2. You must ensure that there is enough free (ramdisk) space in "/var" to accept at least two copies of a maximum size email. The maximum size email is set by "message_size_limit" in file "/etc/postfix/" and has a default value of 10MB in Gibraltar version 2.3. If you want to do this by increasing ramdisk, see Changing Gibraltar's Ramdisk Size or if you want to reduce the value of "message_size_limit", just edit the file above and then run the command: "/etc/init.d/postfix restart". (It is also possible to add a hard disk for more space in /var/spool but that is more complicated and will not be described here.)

When this is done, those (and only those) hosts listed in the rules should be able to use the firewall's IP (either its public or private IP address) as an SMTP email relay.

Corey Satten
Email -- corey @
Web --
Date -- Mon Jan 28 12:25:29 PST 2008