
I'm running my own mail server at home on a dynamic IP. Dynamic IPs are often blacklisted, so I currently send out mails through my provider's relay. I want to change that to sending mail directly, and for that purpose have a vserver somewhere with a fixed IP. The vserver is connected to my local server via openvpn. I would like to use the openvpn tunnel for routing (only) outgoing mail to "the world". All other traffic shall take the normal route.

The vserver (public IP on eth0) runs an openvpn server, IP 10.20.0.1. The mail server (local IP 192.168.168.100) runs the openvpn client, IP 10.20.0.6.

mail server IP routing with openvpn established:

# route
default         192.168.168.1   0.0.0.0         UG    0      0        0 eth0
10.20.0.1       10.9.0.5        255.255.255.255 UGH   0      0        0 tun1
10.20.0.5       *               255.255.255.255 UH    0      0        0 tun1
192.168.168.0   *               255.255.255.0   U     0      0        0 eth0

From my research, I understand that the right way to go should be to mark outgoing mail packets and route them to the vserver. So I tried that on the mail server:

echo 201 mail.out >>/etc/iproute2/rt_tables
ip rule add fwmark 1 table mail.out
iptables -A PREROUTING -t mangle -p tcp --dport 25 -j MARK --set-mark 1
ip route add default via 10.9.0.5 dev tun1 table mail.out

(I will add port 465 later.)

In addition, I have enabled masquerading and IP routing on the vserver.

However, it appears that all outgoing mail traffic is still going out the normal way. Using tcpdump on the vserver, I can't see any trace of outgoing connections to port 25. So connections must still be going direct, outside of the VPN. What have I been missing?



You will need to 'mark' packets in the iptables rule.

Lekensteyn's answer to this question actually covers it exactly, even though the question is different: iptables - Target to route packet to specific interface?
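As an added example, not part of the original thread and going a step beyond the answer above: the rule in the question never matches because locally generated packets do not pass through PREROUTING, so the mark has to be set in the mangle OUTPUT chain instead. The script below reuses the values from the question (tun1, gateway 10.9.0.5, mark 1) plus assumed table id 201 and ports 25 and 465, and prints the commands instead of running them when DRY_RUN=1 so the rule set can be reviewed before applying it as root.

```shell
#!/bin/sh
# Added example: route only outbound SMTP through the VPN tunnel.
# Assumed values (from the question): tunnel interface tun1, tunnel
# gateway 10.9.0.5, fwmark 1; assumed table id 201 and ports 25,465.
TUN_DEV="${TUN_DEV:-tun1}"
TUN_GW="${TUN_GW:-10.9.0.5}"
TABLE=201          # numeric table id; a name in rt_tables is optional
MARK=1
SMTP_PORTS="${SMTP_PORTS:-25,465}"

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

mail_route_setup() {
    # PREROUTING only sees packets arriving on an interface. Packets the
    # mail server itself generates enter the mangle table in OUTPUT, and
    # the kernel re-routes them after the mark is applied, which is what
    # the fwmark rule below relies on.
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
        -j MARK --set-mark "$MARK"
    # Marked packets consult table 201, whose only route points into the tunnel.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$TUN_GW" dev "$TUN_DEV" table "$TABLE"
    # Replies arrive on tun1 from arbitrary Internet addresses; a strict
    # reverse-path filter would drop them, so use loose mode on the tunnel.
    run sysctl -w "net.ipv4.conf.$TUN_DEV.rp_filter=2"
    # The source address (192.168.168.100 on eth0) was chosen before the
    # mark was set, so the vserver must masquerade it and have a route for
    # 192.168.168.0/24 back through the tunnel.
}

# Check on the mail server: a marked lookup should resolve via the tunnel
# (192.0.2.1 is a documentation address, used only as a lookup target).
mail_route_check() {
    ip route get 192.0.2.1 mark "$MARK" 2>/dev/null | grep -q "dev $TUN_DEV"
}
```

With the rules in place, `tcpdump -ni tun1 port 25` on the mail server should show the outbound connections, and the same capture on the vserver's tun interface should confirm they arrive there before being masqueraded out of eth0.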