My current network setup looks somewhat like this:
________ \ / ________ __________ | | / \ | | _________| |___| ADSL- |____\ Internet /____| root | LAN | firewall | | router | / \ | server | |__________| |________| \ / |________| ^ / \ ^ :..............................................: OpenVPN tunnel
My local Internet connection (left-hand side) does not have a fixed IPv4 address, so I used to send outgoing e-mails through my mail-hosting provider, who unfortunately went south last month.
The root-server on the right-hand side, which hosts some virtual machines, has a fixed, global IPv4 address, and since I control the DNS zone file, I decided to have it handle outgoing as well as incoming e-mail traffic.
One of the virtual machines on the root-server hosts a Postfix mail-server, another hosts an Apache web-server.
The easy part was to route incoming traffic to those VMs using iptables on the root-server:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination "IP of Postfix VM" # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination "IP of Apache VM" # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "global IP of root-server"
Now, routing outgoing e-mail traffic from my LAN through the root-server without passing all traffic through the VPN tunnel was a bit more tricky.
First, declare a new routing table for iproute2 on the firewall; let's call it "smtp" and assign it the (arbitrary) number 25:
# echo "25 smtp" >> /etc/iproute2/rt_tables
Next, when the VPN tunnel comes up, add a default route using the new table smtp and force marked packets through that route:
# ip route add default via "root-server IP on VPN" table smtp # ip rule add fwmark 0x01 lookup smtp
(the above two commands could be placed in the OpenVPN "up" script).
Finally, mark outgoing SMTP packets using iptables on the firewall:
# iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x01
Et voilà - SMTP packets originating on the firewall (which queues outgoing e-mails using Postfix) are routed through the VPN tunnel and exit from the root-server (using its global IP address).
With outgoing e-mail traffic originating from a fixed IP address, configuring DKIM and SPF is now possible.