Sendmail or MSMTP as Relay Agent - Config Help


radams

Occasional Visitor
I did a good deal of searching the SNB forums and the internet before posting here and found a few things that are close, but nothing that solves my issue.

My setup:
I have a main router for my network, an rt-ac86u; and a second router for my IoT subnet, an rt-ac68u. Both are running the latest version of Merlin FW (386.2_6). I have used the "Block Internet Access" option on my main router to prevent any of the devices on the second router from accessing, well, the internet. This is to prevent any device from calling home. I need to receive alerts via email from the IoT devices as needed.

What I've been able to do:
If I temporarily allow internet access from the main router, my devices can send email alerts directly to my gmail account just fine.

I have successfully tried both Sendmail (the included Busybox version/binary) and MSMTP (installed via Entware) to send test emails with no issues to my gmail account with relative ease - the configs were fairly simple and straight-forward. These test emails were sent from my main router via command line, not from my devices.

My dilemma:
I have no clue how to use either Sendmail or MSMTP (I have no philosophical preference for either) to accept the emails from my devices and forward them to my gmail account. I've pointed the devices to the IP address of the main router - no dice. Any suggestions?

So in a nutshell:
How do I configure either Sendmail or MSMTP (or any other alternative) to simply act as a relay agent? I don't want a full-blown email server, I only want to forward emails from devices inside my network to my gmail account.

PS - I've looked into Nullmailer from untroubled.org and, while it looks like what I need, I'm wary of installing any additional programs onto my router. I tend to follow the Linux philosophy in that each component should do one or two things and do them well.

Thank you!
 
If IoT is on the secondary router and has its own DHCP (subnet) and you need some internet access, it's easier IMO to re-enable internet access and just use a firewall-start script and create rules to block access except to mail servers on the secondary router... these rules block 'calling home' but allow the IoT device to use its own mail send client
Code:
#!/bin/sh
# firewall rules for ipcams/iot switch, allow 2 IoT to mail servers, IoT devices are 10.2.2.20-10.2.2.60 range

MAILIP_PRIMARY=1.2.3.4   # ip address of mail.server.com
MAILIP_SECONDARY=4.5.6.7  # alt ip address of mail.server.com

# first rule in script is last checked against in iptables
iptables -I FORWARD -m iprange --src-range 10.2.2.20-10.2.2.60 -j DROP   # drop everything from IoT that isnt already accepted
iptables -I FORWARD -p tcp --dport 587 -m iprange --src-range 10.2.2.51-10.2.2.52 -d $MAILIP_PRIMARY -j ACCEPT   # accept IoT to mail.server.com IP 1
iptables -I FORWARD -p tcp --dport 587 -m iprange --src-range 10.2.2.51-10.2.2.52 -d $MAILIP_SECONDARY -j ACCEPT   # accept IoT to mail.server.com IP 2
iptables -I FORWARD -m iprange --src-range 10.2.2.20-10.2.2.60 -m state --state ESTABLISHED -j ACCEPT   # allow connections from router 1 subnet to IoT devices (view cameras with phone on home network)

I have another script that dns checks the mail server name to ensure the IPs in this script are up to date (they've never changed in 5+ years)

If the IoT device uses its own DNS lookup server (hard coded 8.8.8.8 maybe?) you will need to either create an ACCEPT rule to allow it access to that DNS server address as well or DNSFilter may work in this case as well forcing all DNS to the router
 
Thank you very much for your response!

The idea is to completely disable direct internet access to/from the IoT subnet. I'm sending all DNS queries on that subnet to the black holes of 0.0.0.0 (primary) and 10.0.90.1 (secondary with no route to the 10.0.90.x network). It's also much easier (and not a security risk) to simply enter the IP address of my primary subnet's router for email alerts, thereby removing the need for DNS resolution.

I'm ashamed to say that I'm not well-versed with IPTables. I've always used Cisco and Fortinet firewalls professionally, so the need to properly learn IPTables was never pressing. Plus, every time I think I *finally* get IPTables, I read one more paragraph and I'm lost all over again. Mental block? Probably.

My cameras try to call out to servers in China on port 443 and I know that most home routers' firewalls, even those with ASUS-Merlin firmware, will not block outgoing HTTPS traffic; will the use of IPTables properly block 443 outgoing? If so, I'll give your solution a whirl while I'm trying to find my "perfect solution".

By the way, it seems the Sendmail implementation in ASUS-Merlin can only be used to send mail that originates from the router itself and cannot act as a mail relay. I did some more research and installed the Entware package "E-mailrelay". This has the ability to act as a simple email proxy but I can't seem to get it to work correctly. I've even tried using my laptop on my main network, just to make sure the problem isn't with my subnet or the cameras. Any thoughts there?

Thanks again for your time and help!
 
No worries, I understand what you're trying to accomplish as I wanted the same thing years ago but quickly learned the solution I recommended is far easier than configuring any kind of relay within your own network.

Most IoT devices I've come across will only allow a FQDN address (myhouse.myrouter.lan) in the mail fields, you can't directly enter an IP, which rules out the ability to send mail from IoT to your router by IP. If you were to use your router's internal FQDN this would require at least some DNS. If you're not familiar with iptables I'm curious how you've black holed the DNS for IoT.

The first iptables rule in the solution I offered will drop ALL traffic from those IoT addresses regardless of destination port (443) or destination address (52.1.1.1 china address) from going out the WAN if setup on router 2, router 1 never even sees the traffic let alone pass it to the internet (China). You could even change -j DROP to -j logdrop if you wanted to log in the router log every time an IoT device was attempting to call home.

iptables is tricky at first but I think you can get the gist pretty quickly, unfortunately the solution I provided with the use of the iptables -m option are some of the more complicated command strings, they could be written more simply but would require writing a rule for every device.

Code:
iptables -I FORWARD -m iprange --src-range 10.2.2.20-10.2.2.60 -j DROP   # drop everything from IoT that isnt already accepted

the above could be written as
iptables -I FORWARD -s 10.2.2.20 -j DROP
iptables -I FORWARD -s 10.2.2.21 -j DROP
etc....

Basically rules 2 and 3 in my solution say, any traffic that is TCP, destined for port 587 (email port), coming from devices .51 and .52, and destined for IP (mail.server.com IP address) you can allow it. If the IoT traffic doesn't match any of that, it hits the drop rule in iptables. The confusing part of scripts and iptables using -I is rules in your script are in reverse order of how iptables checks against them. All traffic is checked against rules one by one till something about the traffic matches.

If I were you, I'd re-enable internet access across the board and then create a firewall-start script on r2 and copy and paste the code above and edit the addresses as needed. If you use a laptop or your phone on router 1 to connect to your IoT devices (remote view cam etc) I'd also disable your firewall on router 2, if you don't need devices on r1 to access devices on r2 you can ignore the last rule. The last rule allows incoming connections from r1 devices to IoT devices back out to r1.

Hope this helps, basically setting up an internal relay is a rabbit hole that will consume a lot of time compared to 5-10 lines of rules that accomplish everything you need.
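The firewall-start approach described in the replies above, written out as an added example (not the poster's script): it keeps the same policy (IoT range may only reach the mail provider on TCP 587, everything else dropped, replies allowed), but resolves the provider's addresses at run time rather than hard-coding them, and puts the rules in a dedicated chain so they read top to bottom and can be re-run safely. The host name smtp.example.com, the address ranges, the chain name and the assumption that BusyBox nslookup and iptables -C are available are all placeholders or assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: firewall-start for the IoT router that
# confines an address range to SMTP submission (TCP 587) toward the mail provider.
# Provider addresses are resolved when the script runs; a user chain keeps the
# rules in reading order and lets the script be re-run on a WAN restart.
IOT_RANGE="10.2.2.20-10.2.2.60"   # whole IoT range (constructed)
MAILERS="10.2.2.51-10.2.2.52"     # devices allowed to send mail (constructed)
MAIL_HOST="smtp.example.com"      # placeholder for the provider's submission host
CHAIN="IOT_EGRESS"                # user chain holding the IoT policy (assumed name)

# Extract IPv4 answers from BusyBox nslookup output. Lines before "Name:" describe
# the resolver, not the answer, so they are skipped; IPv6 answers and the reverse
# names older BusyBox appends after the address are ignored.
parse_nslookup() {
    awk '/^Name:/ { found = 1 }
         found && /^Address/ { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i }' | sort -u
}

resolve_v4() {
    nslookup "$1" 2>/dev/null | parse_nslookup
}

# Print the iptables commands, one per line, in the order they must run.
# $1 is a space-separated list of mail server IPv4 addresses; if it is empty
# (resolution failed) the IoT range is cut off entirely until the next run.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"   # replies to open sessions
    for ip in $1; do
        echo "iptables -A $CHAIN -p tcp --dport 587 -m iprange --src-range $MAILERS -d $ip -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"   # on Asuswrt-Merlin, -j logdrop instead logs call-home attempts
    # add the jump only once even if firewall-start runs repeatedly (needs iptables -C)
    echo "iptables -C FORWARD -m iprange --src-range $IOT_RANGE -j $CHAIN 2>/dev/null || iptables -I FORWARD -m iprange --src-range $IOT_RANGE -j $CHAIN"
}

apply_rules() {
    ips=$(resolve_v4 "$MAIL_HOST" | tr '\n' ' ')
    [ -n "$ips" ] || logger -t firewall-start "cannot resolve $MAIL_HOST; IoT mail stays blocked"
    build_rules "$ips" | sh
}

# Only act when installed as /jffs/scripts/firewall-start; running the file
# under any other name just defines the functions (handy for a dry run).
case "${0##*/}" in
    firewall-start) apply_rules ;;
esac
```

For a dry run on the router, source the file and call `build_rules "$(resolve_v4 "$MAIL_HOST" | tr '\n' ' ')"` to see the exact commands before installing it.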
 