E-mail routing over VPN

I'm sitting at a T-Mobile hotspot, and for the second time in a week it's causing me no end of trouble with e-mail. Apparently, as an "anti-spam" measure, T-Mobile intercepts all SMTP traffic, no matter what server you're trying to use, and shoves it through its own SMTP relay server. Problem is, T-Mobile's SMTP relay server has been on a major spam block list for weeks! So, anything sent through it vanishes into the ether, never to be seen again.

I have a working VPN connection between my laptop (running SoftNet Remote) and my home office (using a Linksys BEFVP41). Works great - I can see all the local systems at home, access the printer there, retrieve files from my servers, everything you'd want.

My mail servers are hosted externally, not on my home office network.

What I'd like to do is route my inbound (POP) & outbound (SMTP) mail over the VPN (POP also because the SMTP servers "authenticate" by seeing a connection to the incoming box first). But I'm having trouble with the configuration ... ROUTE PRINT isn't showing me any sort of gateway or interface associated with the VPN (so, no idea how the VPN is successfully routing traffic but it is!), and any ROUTE ADD attempts I make tell me that "the interface index is wrong or the gateway doesn't lie on the same network as the interface".

How can I specify that I want all traffic to 38.118.142.x to go through my VPN instead of directly over the T-Mobile internet connection?

Thanks!

-- Chris Barnabo, snipped-for-privacy@spagnet.com
"The heck with the Prime Directive, let's destroy something!"

Reply to
Chris Barnabo

Chris Barnabo schrieb:

What kind of VPN software do you use that allows split tunneling in the first place?

Good VPN software routes *all* traffic through the VPN tunnel without you having to configure anything!

Reply to
Martin Bodenstedt

Hello Martin,

I'm using SafeNet's SoftRemote VPN product. It allows you to specify which range of IP addresses should be directed down the VPN path, everything else goes down the direct pipe to the internet provider.

When I was working at IBM the SINE and AT&T MTS remote access products did a similar split, directing only the IBM internal traffic down the VPN path and leaving everything else on the internet path - otherwise the internet traffic simply congested the internal network (in through the VPN, then back out through the SOCKS servers ...)

As it happens, I've resolved the immediate problem by pumping the POP and SMTP traffic through OpenSSH to a server at home, and I may even tear down the VPN entirely in favor of SSH at some point - but I'm still curious how to setup the split tunnel properly.


Reply to
Chris Barnabo

Chris Barnabo schrieb:

How in this case do you prevent malicious software downloaded from the internet from infecting the corporate network through the VPN?

Reply to
Martin Bodenstedt

Bear in mind that I'm a VPN user, not a network engineer ... :-)

I can't speak for SafeNet's capabilities in this regard, but the other products I've used that provide for split tunneling are supposed to block any routing of traffic from the internet pipe to the VPN pipe (and vice-versa). Of course, that only works presuming that the person at the keyboard isn't trying to actively subvert it, but then if they were planning to do that you're already exposed by virtue of them having access to the network at all.

The VPN network would also be exposed to the possibility of malware infection through the connected machine - someone could pick up bad code down the internet path that turns around and tries to connect down the VPN path. But that risk could also exist if the user were solely connected to the VPN - e.g. the user could surf to a site which installs malicious code by going through the VPN and out through that network's proxy servers, etc. A clear case where defense in depth is needed - reliable code on the user workstation to prevent infections, AND reliable mechanisms within the VPN network to defend against problems. Too many folks think that the firewall is going to protect their internal network, only to have it compromised when they plug an infected machine into it from the inside.


Reply to
Chris Barnabo

I think you mean "Inflexible" rather than "Good" here. There are times when sending everything over the vpn is the right thing to do, but in many cases you are trying to access remote system, not use some remote site as your one and only connection.

OpenVPN allows specification of the routing it provides, as an example. It allows multiple offices to connect seamlessly while not pushing outside traffic over the vpn and then out a single WAN pipe to the net in general. At least with Linux I have the ability to put firewall rules in place on each vpn, to provide the level of access needed.

Reply to
Bill Davidsen

If you are doing split-tunnel, normally you can specify how to route things out. If you don't have a route for it, then it defaults to your gateway.

What's the platform you are using?


Reply to
Lourdes Alcantara
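To illustrate the routing decision the last two replies describe (a split-tunnel host sends only the prefixes it has a specific route for down the VPN; everything else falls to the default gateway), here is an added example that is not from any poster in this thread. It parses a constructed ROUTE PRINT-style table, does the longest-prefix lookup a host does, and shows the effect of adding a route for the 38.118.142.0/24 mail hosts; the 10.8.0.0/24 VPN subnet and the 192.168.1.x hotspot addresses are assumptions.

```python
"""Added example: how a split-tunnel host picks the path for a packet.
The route table below is constructed to look like Windows ROUTE PRINT
output; it is not taken from the original poster's machine."""
import ipaddress

# Constructed sample: destination, netmask, gateway, interface, metric.
# 10.8.0.0/24 is an assumed VPN subnet; 192.168.1.x is the hotspot side.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          192.168.1.1   192.168.1.23   20
10.8.0.0         255.255.255.0    10.8.0.1      10.8.0.2       1
192.168.1.0      255.255.255.0    192.168.1.23  192.168.1.23   20
"""

def parse_routes(text):
    """Turn ROUTE PRINT-style lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties; returns (gateway, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)   # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def add_split_tunnel_route(routes, prefix, vpn_gw, vpn_iface, metric=1):
    """Equivalent of ROUTE ADD: send only `prefix` down the VPN path."""
    return routes + [(ipaddress.ip_network(prefix), vpn_gw, vpn_iface, metric)]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("before:", lookup(table, "38.118.142.10"))   # default gateway (hotspot)
    table = add_split_tunnel_route(table, "38.118.142.0/24", "10.8.0.1", "10.8.0.2")
    print("after: ", lookup(table, "38.118.142.10"))   # VPN gateway and interface
    print("web:   ", lookup(table, "93.184.216.34"))   # still goes direct
```

Without the added /24 route the mail hosts match only the 0.0.0.0 entry, which is exactly the "defaults to your gateway" behaviour; after it, only that prefix uses the VPN interface while general web traffic stays on the direct path.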
