Koozali.org: home of the SME Server

AAARRRGGGG!!! boss wont get rid of exchange server

cryblood

AAARRRGGGG!!! boss wont get rid of exchange server
« on: December 09, 1999, 01:04:42 AM »
Hello all,

I finally convinced my boss that we need a firewall on our dedicated ISDN and the e-smith box I set up to do this works great! However, while the boss would admit that any firewall I could come up with with a Linux base would kick the tar out of any NT based firewall he could find, he still insists on being Microsnot boy and won't let me use the e-smith server for our e-mail. In his defence, I think that decision may have come from higher up, but I'm not sure.
 
Anyway, I need to know how to allow the NT box to have a static IP address accessible from the internet, and still be behind the firewall (I think). If I can't come up with a way of doing this he's threatening to AXE my beloved e-smith server for something more costly and much more annoying, so any help you might extend would be greatly appreciated.

btw, we already have a set of valid IPs so getting the IP itself isn't a prob, just getting it seen/sending-receiving through the e-smith is the prob.

Joseph Morrison

RE: AAARRRGGGG!!! boss wont get rid of exchange se
« Reply #1 on: December 09, 1999, 01:32:09 AM »
I'm sorry to hear you have to use an NT mail server, but am delighted to hear our e-smith software referred to as  "beloved" :-)

A good solution to this problem has already been posted by Charlie Brady and Gordon Rowell.

Here are the steps:

1. Log into the e-smith console (Ctrl-Alt-F3, user "root" with the current system password).

2. Edit the file:

/etc/e-smith/templates/var/qmail/control/locals

and delete the two lines from it, leaving it a zero-length file.

3. Edit the file

/etc/e-smith/templates/var/qmail/control/smtproutes

and delete everything that's there, then replace it all with the following single line:

your.domain:[192.168.100.100]

and replace "your.domain" with your actual domain name and 192.168.100.100 with the IP address of your NT mail server.

4. Update the e-smith configuration by executing the following commands:

/sbin/e-smith/config set DomainName your.domain
/sbin/e-smith/config set SMTPSmartHost on
/sbin/e-smith/signal-event manager-misc

again replacing "your.domain" with your actual domain name.

5. Type "logout" and Ctrl-Alt-F1 to return to the main console.

With this configuration, the e-smith box will still be your server and gateway, but incoming mail will be forwarded to your NT box. Therefore you don't need to create individual user accounts on the e-smith box.

Good luck!
- Joe Morrison

Charlie Brady

RE: AAARRRGGGG!!! boss wont get rid of exchange se
« Reply #2 on: December 09, 1999, 01:48:01 AM »
Joseph Morrison wrote:

> I'm sorry to hear you have to use an NT mail server, ..

And Exchange is no fun, from most reports..

> A good solution to this problem has already been posted by
> Charlie Brady and Gordon Rowell.

A few minor amendments...

> Here are the steps:
>
> 1. Log into the e-smith console (Ctrl-Alt-F3, user
> "root" with the current system password).
>
> 2. Edit the file:
>
> /etc/e-smith/templates/var/qmail/control/locals
>
> and delete the two lines from it, leaving it a zero-length file.

I would leave the full e-smith hostname there. It won't stop qmail from relaying domain mail to the Exchange box, but it will ensure that mail to cryblood@e-smith.domain.name can still work if all else fails. The main thing is to make sure that domain.name isn't in locals.

> 3. Edit the file
>
> /etc/e-smith/templates/var/qmail/control/smtproutes
>
> and delete everything that's there, then replace it all with
> the following single line:
>
> your.domain:[192.168.100.100]
>
> and replace "your.domain" with your actual domain
> name and 192.168.100.100 with the IP address of your NT mail
> server.
>
> 4. Update the e-smith configuration by executing the following
> commands:
>
> /sbin/e-smith/config set DomainName your.domain
> /sbin/e-smith/config set SMTPSmartHost on

I was almost going to correct Joe on that, but I see what he is doing.

/sbin/e-smith/config set SMTPSmartHost dummy

would work just as well.

If it was important to you that qmail didn't act as a relay on incoming mail, but SMTP connections were patched straight through to the Exchange server, you could do it by using IP aliasing on eth1, and configure TCP wrappers to either run qmail locally, or make a socket connection to the Exchange server, depending on the destination IP address used. But I'd recommend the solution proposed by Joe first. You can claim to have a real firewall that way.

Charlie
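
A way to confirm the end state that the steps in Reply #1 and the amendment in Reply #2 aim for, as an added example that is not part of the original thread or of e-smith: the forwarded domain absent from locals, and an exact route for it present in smtproutes. The function name check_mail_forwarding and the sample hostname e-smith.your.domain are assumptions; on a real system the rendered control files are passed as arguments (standard qmail keeps them under /var/qmail/control/).

```shell
#!/bin/sh
# Added example, not e-smith code. check_mail_forwarding is a hypothetical helper.
# Usage: check_mail_forwarding DOMAIN LOCALS_FILE SMTPROUTES_FILE
# Prints the relay for DOMAIN on stdout. Exit status:
#   0 forwarding in place, 1 DOMAIN still in locals, 2 no usable route.
check_mail_forwarding() {
    domain=$1; locals=$2; routes=$3

    # qmail delivers locally for every name in locals, so the forwarded
    # domain must not be there. The gateway's own hostname may stay.
    if [ -f "$locals" ] && grep -qixF -e "$domain" "$locals"; then
        echo "FAIL: $domain is in $locals, mail would be delivered locally" >&2
        return 1
    fi

    # smtproutes lines are "domain:relay". Only an exact-match route is
    # considered here; wildcard and subdomain routes are ignored.
    relay=$(awk -v d="$domain" '
        BEGIN { d = tolower(d) }
        tolower(substr($0, 1, length(d) + 1)) == (d ":") {
            print substr($0, length(d) + 2); exit
        }' "$routes" 2>/dev/null)

    # An empty relay tells qmail to fall back to normal MX lookup.
    if [ -z "$relay" ]; then
        echo "FAIL: no route for $domain in $routes" >&2
        return 2
    fi
    echo "$relay"
}

# Constructed sample files mirroring the thread's placeholders.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'e-smith.your.domain\n' > "$dir/locals"
    printf 'your.domain:[192.168.100.100]\n' > "$dir/smtproutes"
    check_mail_forwarding your.domain "$dir/locals" "$dir/smtproutes"
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```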

cryblood

RE: AAARRRGGGG!!! boss wont get rid of exchange se
« Reply #3 on: December 09, 1999, 02:54:54 AM »
Thanx,

I won't know if it works until our shiny new ISP finally gets off their duffs and takes over email from the old ISP, for now, we have to dial in to the old ISP with the NT box for the Exchange to get the email but once the new one comes online we'll use the ISDN connection :-)  As you see, our network is a bit of a kluge, thank god we got rid of the Novell server, I'd hate to see what adding that monstrosity into the mix would do at this point.

Charlie Brady

RE: AAARRRGGGG!!! boss wont get rid of exchange se
« Reply #4 on: December 09, 1999, 03:20:37 AM »
cryblood wrote:

> I won't know if it works until our shiny new ISP finally gets
> off their duffs and takes over email from the old ISP, for
> now, we have to dial in to the old ISP with the NT box for the
> Exchange to get the email but once the new one comes online
> we'll use the ISDN connection :-)

If the Exchange server is collecting mail using POP protocol, then it will be able to do so via the e-smith server using ipmasq (although your password will be going cleartext between it and your old ISP). Or you could configure fetchmail on the e-smith server to collect your mail using POP, and it will then forward it to the Exchange server. Or you could configure e-smith to dial up your old ISP rather than use the ISDN connection (short term). As the Perl adage goes - there's more than one way to do it...

Cheers

Charlie