Koozali.org: home of the SME Server

multiuser POP3 account / excessive POP3 connections

Andy Butcher

multiuser POP3 account / excessive POP3 connections
« on: September 16, 2003, 03:06:27 PM »
Hi,

I'm currently setting up SME server as a local email server for collecting all mail to our domain.

At present I have a Windoze 2K exchange server that I have a POP3 plugin for (called exchangepop3) - the plugin currently logs into our existing ISP's email server using a single multiuser account (all mail for the domain is stored there and the pop3 plugin uses a single password to access all email addressed to @domain.com). It then passes it on to Exchange, which sorts it all and sends it to the relevant user. (I don't trust the Win box to be directly accessible from the net, hence the need for another local email server)

Problem 1 - ideally I'd like the same set up for the SME server so that the Windows pop3 plugin could access a single multiuser account on the SME server. I can't see a way of doing this though, since every account set up in the web config tool is a single user (I can create a group, but if I forward email to this group it then loses details of who the intended recipient was, and so Exchange doesn't know where to send the mail). Hence -

Problem 2 - if I can't set up a single account that allows me to login once for all mail, but retains the final addressee so that Exchange can forward it correctly, then I have to set up a load of individual accounts and log in to each of them. I've tried this with about 15 accounts, but when the pop3 plugin attempts to login to them (I think it tries all of them simultaneously) I get the following:

mail xinetd[886]: Deactivating service pop-3 due to excessive incoming connections.  Restarting in 10 seconds.
mail xinetd[886]: Activating service pop-3

I picked up in an earlier forum topic that over 60 connections can cause this, but I'm only using 15 and it still falls over.

Any ideas how to fix either of these?

Andy
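Added example, not part of the original post: a small Python sketch that scans syslog text for the two xinetd messages quoted above and reports, per service, how often it was suspended and whether it is still suspended. The sample log lines, their timestamps and the function name `summarize_throttling` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on the two xinetd messages
# quoted in the post (timestamps and the sshd line are invented).
SAMPLE_LOG = """\
Sep 16 14:58:01 mail xinetd[886]: Deactivating service pop-3 due to excessive incoming connections.  Restarting in 10 seconds.
Sep 16 14:58:11 mail xinetd[886]: Activating service pop-3
Sep 16 15:00:01 mail xinetd[886]: Deactivating service pop-3 due to excessive incoming connections.  Restarting in 10 seconds.
Sep 16 15:00:11 mail xinetd[886]: Activating service pop-3
Sep 16 15:00:12 mail sshd[1200]: Accepted password for admin
Sep 16 15:02:01 mail xinetd[886]: Deactivating service pop-3 due to excessive incoming connections.  Restarting in 10 seconds.
"""

DEACTIVATED = re.compile(
    r"xinetd\[\d+\]: Deactivating service (\S+) due to excessive incoming "
    r"connections\.\s+Restarting in (\d+) seconds\."
)
ACTIVATED = re.compile(r"xinetd\[\d+\]: Activating service (\S+)")


def summarize_throttling(log_text):
    """Per service: number of suspensions, total announced downtime in
    seconds, and whether the last suspension has no reactivation yet."""
    stats = defaultdict(
        lambda: {"suspensions": 0, "downtime_s": 0, "still_down": False}
    )
    for line in log_text.splitlines():
        m = DEACTIVATED.search(line)
        if m:
            entry = stats[m.group(1)]
            entry["suspensions"] += 1
            entry["downtime_s"] += int(m.group(2))
            entry["still_down"] = True
            continue
        m = ACTIVATED.search(line)
        # Only track reactivations for services we saw being suspended.
        if m and m.group(1) in stats:
            stats[m.group(1)]["still_down"] = False
    return dict(stats)


if __name__ == "__main__":
    for service, s in summarize_throttling(SAMPLE_LOG).items():
        print(service, s)
```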

Kelvin

Re: multiuser POP3 account / excessive POP3 connections
« Reply #1 on: September 17, 2003, 04:19:30 PM »
Hi Andy,

I used to do this with some clients before they got broadband. After they did get broadband, it does not make sense to continue doing this.

In any case, to get around this issue, create one account on the SME server. Install Vincent Filali's Multi-pop add on to your server. Set up through the multipop add on for this account to collect e-mails from the "Domain Mailbox" held by the ISP. This will collect the mails from the ISP and put it into this mailbox no matter who it says it is for.

Then, in Exc$ange, instead of pointing exc$ange to the ISP "Domain Mailbox", point it to the mailbox of the account you just setup on SME in the previous step.

Regards,

Kelvin

Andy Butcher

Re: multiuser POP3 account / excessive POP3 connections
« Reply #2 on: September 17, 2003, 06:12:49 PM »
Hi Kelvin, we've spoken before!

Think I've found the multi-pop add-on you mentioned, but not sure it'll do what I want it to - in order to configure the multipop3 part, it also seems to require that the SME server pop to the ISP's domain mailbox in order to populate the SME mailbox.

What I want to do is ditch the ISP mail service altogether and have the SME server act as the only internet-available SMTP mail server. The SME server would store all email under a domain account rather than an individual one (like our ISP's mail server currently does), and the exc$ange server would login to the SME server under a single login in the same way it currently does to the ISP mail server.

Have I misunderstood the purpose of the add-on, or do you know if there's an add-on that just sets up a domain account on the SME server that is populated by SMTP but accessible using POP3?

Andy

Kelvin

Re: multiuser POP3 account / excessive POP3 connections
« Reply #3 on: September 18, 2003, 02:18:47 AM »
Hi Andy,

>in order to configure the multipop3 part, it also seems to require that the SME
>server pop to the ISP's domain mailbox in order to populate the SME mailbox

No, it's not a mistake. The multipop add-on requires you to set SME to multi-drop mode in order to let SME know that it needs to collect mail using the fetchmail program instead of SMTP or ETRN. However, any and all accounts to collect from can be configured from the add-on's panels. The username and password for mail collection in SME's own multi-drop mail configuration can be set to anything as we are going to ignore it in the add-on's panels.

> What I want to do is ditch the ISP mail service altogether

OK, now this is more interesting. What kind of internet connection have you got ? If you have a static IP address, it is far easier to :-
1. Set SME's mail setting to Standard
2. Make sure SME's domain (or has a virtual domain) is set to the domain of your company
3. Make changes to your domain MX records (usually held by your ISP unless you intend to take it away from him) and point the Primary MX to your IP address.
4. Set SME's Delegate mail server setting to the Exc$ange server's IP address.
5. Get rid of the Exc$ange server's POP3 collection module - greatest source of Exc$ange crashes on some of the sites I've seen.

Don't need any additional add-ons for this then.

>The SME server would store all email under a domain account rather than an
>individual one (like our ISP's mail server currently does)

This is actually not an efficient way to handle mail and should not be used if you can help it. Multidrop mail like these have limitations and problems (search these forums for multidrop and you will come across some of them).

Let me know how you get on.

Cheers,

Kelvin

Andy Butcher

Re: multiuser POP3 account / excessive POP3 connections
« Reply #4 on: September 18, 2003, 03:28:33 PM »
Hi Kelvin,

I have a static IP here, so the first part of what you're suggesting is cool - the problem is this however; my company is located here (the UK) and the US. The real benefit of the SME server for us is that it would be available for webmail and for POP3 access to the Americans over the web, whilst us local UK noddies would simply get our email from the exchange box (much as I hate to admit it, Micro$oft has the whole Exchange-Outlook thing taped in a way that Linux mail services have yet to achieve).

If I reroute email to the exchange box, I'd also have to expose it to port 25 from the DMZ of the firewall (which is where the SME server is) and allow webmail and POP3 access directly to the exchange box from the web.

Andy

Kelvin

Re: multiuser POP3 account / excessive POP3 connections
« Reply #5 on: September 18, 2003, 05:48:26 PM »
Hi Andy,

>I'd also have to expose it to port 25 from the DMZ of the firewall

I can't see how you are going to avoid this whether you use the multidrop method or the delegate mail server method. You'd also need port 110 for POP3 access.

As an alternative, this thread may interest you :-

http://forums.contribs.org/index.php?topic=17942.msg70245#msg70245

Kelvin

Andy Butcher

Re: multiuser POP3 account / excessive POP3 connections
« Reply #6 on: September 18, 2003, 06:54:07 PM »
Hi again Kelvin.

The difference between exchange being directly as opposed to indirectly exposed is that if it is directly available from the net then it is exposed on port 25, 80 (or whatever port I use for webmail), 110 to any incoming threats. If however it sits in the green zone of my firewall and merely POPs to the SME server in the DMZ, then the exchange box is fully protected (the only connection it has to the outside world is outgoing requests such as the POP3 request). Maybe I should point out at this point that my exchange box is also my domain controller, my file server, my print server etc etc...

I am not too worried about having a separate (SME) mail server exposed to the net since it would only collect mail and this mail would be offloaded at fairly short intervals via POP. If it got hacked then I'd merely wipe it and reinstall.

By having SME accessed by POP FROM exchange instead of forwarding TO exchange you get

Smtp mail/hackers --> SME server  <-- exchange

instead of

Smtp mail/hackers --> SME server  --> exchange.

The link is interesting though... Routing webmail out through the SME server would give me at least one safety blanket between the exchange box and the web...

Cheers,

Andy

Kelvin

Re: multiuser POP3 account / excessive POP3 connections
« Reply #7 on: September 19, 2003, 03:05:54 AM »
Hi Andy,

>The difference between exchange being directly as opposed to indirectly
>exposed

I was actually referring to the fact that you need to access the e-mails from your US office as well. Whether you sit Exchange behind SME or in front of it, given the scenarios you have described so far, you still must give external POP access to your exchange server before your external office can collect their e-mails from the exchange server, since all the real mailboxes are there, not on SME. Giving only external POP access to SME will not allow your external office to collect their e-mails.

>Smtp mail/hackers --> SME server --> exchange.

Now, I don't pretend to be an e-mail expert (there are better things to be in life :) ). But as I understand it, under the delegate server scenario, External "hackers" cannot directly access Exchange anyway. When SMTP mail gets delivered to SME, SME does NOT merely pass the SMTP traffic to Exchange to handle. The External SMTP traffic is only between the external source and SME. Once the SMTP transaction is complete, SME actually processes the mails (that is why you are able to put AV software on SME to filter the mails before they get to Exchange -- products like RAV do NOT scan an SMTP stream to detect viruses, it only scans a file given to it by the smtp front end program before giving it back to Qmail). Then QMail initiates an SMTP transaction with Exchange to send the e-mails on to Exchange for final delivery.

Kelvin

Andy Butcher

Re: multiuser POP3 account / excessive POP3 connections
« Reply #8 on: September 19, 2003, 01:10:11 PM »
Hi Kelvin,

Ah - I see what you were getting at!

My bad - I should have explained things more clearly; I wanted to avoid confusion so I never mentioned this bit: we have 2 domains. One is used globally by everyone (UK and US) and the other is a .co.uk domain used solely by us in the UK.

What I wanted to do is have the SME server primary domain as testroniclabs.com (the global domain for all staff) and a virtual domain testronic.co.uk (the UK staff-specific one).

Mail for both domains would then be processed on a user-specific basis - mail for US staff would remain on the SME server and be accessed by webmail and remote POP logins whenever Outlook is run on their pcs (they have no main server), whilst mail for UK staff would be routinely POP'd down (ideally under a single POP account for testronic.co.uk, but individually if necessary) every 2 mins from the SME box by exchange. (yes the UK staff would have no webmail but we can live with that!)

I like what I hear about the SME box actually processing delegated mail - so you're saying that the SME box forwards SMTP mail rather than simply bouncing it to another IP, which means that in that case it'd be necessary to hack the SME box before anyone could gain access to the exchange one?

Andy

Kelvin

Re: multiuser POP3 account / excessive POP3 connections
« Reply #9 on: September 21, 2003, 09:25:53 AM »
Hi Andy,

Sorry, I've been otherwise occupied.

One way to do what you want to do (not necessarily the only way) is this :-

Have your ISP host both domains and have them dropped into their own respective multidrop mailboxes (ie. mailbox1 for testronicslabs.com and mailbox2 for testronic.co.uk)

On your SME server, install Vincent's multipop add-on and set SME to multidrop mode, and then set the username and password for collecting multidrop mail to the username and password for mailbox1 in SME's mail retrieval panel. Make your SME box's main domain name testronicslabs.com. You don't actually need to set a virtual domain for testronic.co.uk but you can if you want to. You will need to create mailboxes for all the required users under the testronicslabs.com domain in the SME server. Create one additional user account to hold the mails for the testronic.co.uk domain, eg. let's call this account ukmail.

In the panel for Vincent's multipop add-on, select to use SME's multidrop (which disables Vincent's multidrop processing but still continues to collect additional pop mailboxes that you define - ties in with the above step). Look for the account we created (ukmail) and create a pop collection entry, with the necessary info to collect from mailbox2 at the ISP.

What this does so far, is to collect and distribute mails for the .com domain in SME. It also collects the mail for the uk domain but does not distribute them, just drops them into the mailbox for account ukmail.

Now, setup Exchange to collect (via the pop3 module) and distribute the mails for the uk domain from the account ukmail on SME.

Setting it up this way means the .com mails are accessible externally from SME but the uk mails are not (if you have not allowed it).

Is this what you are after ? Not elegant, but should work.

Kelvin