Koozali.org: home of the SME Server

Using port 2525 for SMTP traffic

pwalter

« on: September 26, 2004, 01:35:21 AM »
I decided to request that my ISP upgrade my dynamic ip address to a static ip address, forking over more money. They complied; and then "enhanced" my service for me by blocking incoming email traffic (port 25). I am trying to figure out how to reconfigure SME 6.0.1 to receive mail on port 2525 instead, but searching the forum has only turned up vague references. Can anyone point me to a thread or a HOWTO?

Thanks,

Peter

meanpenguin
« Reply #1 on: September 26, 2004, 07:25:03 AM »
Sorry to tell you the bad news but it can't be done (without help from the outside).
All the email servers in the world deliver to port 25.

Only way is to use an external email server which will forward you the email on port 2525.

There are some services out there that will do this.

Ed

pwalter

« Reply #2 on: September 26, 2004, 08:28:43 AM »
Ed,

Yes, I understand that some of the work would have to be done from my registrar - they are backup spooling my email anyway. It is the weekend here, and their tech support is closed, so I will not be able to get them to make changes for a couple of days. However, I have gone ahead and made the following changes to my server:
a) downloaded and installed Muzo's sme-6.0-masq-manager-0.1-2.noarch.rpm as detailed in
http://no.longer.valid/mylinks/singlelink.php?cid=123&lid=372

b) opened TCP port 2525 in the installed server manager panel "Firewall Management"
c) copied template fragment /etc/e-smith/templates/etc/services/10standard to the templates-custom tree
d) edited the fragment to change the SMTP port to 2525
e) ran /sbin/e-smith/expand-template /etc/services
f) ran /sbin/e-smith/signal-event email-update
g) ran service smtpfront-qmail restart

I *think* qmail is now listening on port 2525 - at least, I can now *send* mail via that port. But, since I have never done this before, I am not sure that I have covered the bases sufficiently so that when my registrar forwards the port, I can receive mail again. Is there anything else I should be doing?

Peter

cc_skavenger

« Reply #3 on: September 26, 2004, 10:26:23 AM »
pwalter,
I'm confused.
Outbound mail goes out port 25 (smtp).
Incoming mail comes in on port 110 (pop).

Are you trying to change the port to send out mail?

pwalter

« Reply #4 on: September 26, 2004, 11:28:57 AM »
cc_skavenger,

The sequence of events as I have it:
1) my mail server is working fine for incoming mail. Outbound mail is routed by SME through Really Big ISP's mail server because my dynamic IP addresses are RBL'ed.
2) Being tired of pptp connection issues etc. to other servers, I apply for a static ip address so I can try IpSec VPN instead.
3) I get a static address. Incoming mail delivery stops. Outbound mail delivery continues. I call up the Really Big ISP to help diagnose why inbound mail has ceased. They tell me it is because they block port 25 connections to non-commercial static ip addresses, so other mail servers can no longer "talk" to mine. They explain that outbound mail continues because my mail server is routing mail through their mail server; which they have to allow because both commercial and non-commercial customers route through the same outbound server.
4) In desperation for a solution, other than doubling my DSL bill by becoming a commercial customer, I check the FAQ at my registrar. http://support.easydns.com/tutorials/Portforwarding/
It suggests redirecting the port. That is what I am attempting to set up.

AFAIK, port 110 is relevant when a *mail client* connects to a mail server for POP mail - the situation here is mailserver-to-mailserver issues. But I have been wrong before and might be wrong now. Perhaps there is someone out there who understands mail systems better than I do who would be willing to confirm whether I am on the right path or not.

Peter

pwalter

« Reply #5 on: September 26, 2004, 01:30:06 PM »
Well, I finally got it working, and am receiving mail again. However, it appears that there is a simpler way of reconfiguring SME to use an alternate SMTP port - one that does not require so much messing with configuration files. See the thread
http://forums.contribs.org/index.php?topic=5236.0
I am not sure it will work with 6.0.1 - but I will report back if it does or not.

Peter

meanpenguin
« Reply #6 on: September 27, 2004, 07:17:11 PM »
Quote from: "cc_skavenger"
pwalter,
I m confused.  
Outbound mail goes out port 25 (smtp).
Incoming mail comes in on port 110 (pop).

Are you trying to change the port to send out mail?


It's all relative....
It all depends on the point of reference

When a machine out in the internet is delivering mail to you (SME), it connects to your server (SME) on port 25.

When your client (i.e thunderbird or outlook) wants to send email, it delivers by connecting to your mail server (SME) on port 25.

But from the SME's point of view, it is always receiving email.  And it receives on port 25 (SMTP)


Same thing applies to the POP just in reverse...

Thanks,
Edward

meanpenguin
« Reply #7 on: September 27, 2004, 07:21:55 PM »
Quote from: "pwalter"
Well, I finally got it working, and am receiving mail again. However, it appears that there is a simpler way of reconfiguring SME to use an alternate SMTP port - one that does not require so much messing with configuration files. See the thread
http://forums.contribs.org/index.php?topic=5236.0
I am not sure it will work with 6.0.1 - but I will report back if it does or not.

Peter


One thing that the other method will give you is that your port 25 is still functional.

Your method does not allow mail delivery on port 25.
(So if you have thunderbird, and point it to your sme as the smtp server, you will have to specify port 2525).  The SMTP server is not listening on port 25...


Using the method specified in the link, it just redirects all traffic going to port 2525 to 25 so both ports work....

did that make sense....?

But i'm not sure if it's easier....

Ed

pwalter

« Reply #8 on: September 27, 2004, 08:11:17 PM »
Quote

One thing that the other method will give you is that your port 25 is still functional.

Your method does not allow mail delivery on port 25.
(So if you have thunderbird, and point it to your sme as the smtp server, you will have to specify port 2525). The SMTP server is not listening on port 25...

Yes, port 25 is no longer functional. I have reconfigured my mail client to send on port 2525 instead. However, I am concerned that the reconfiguration has broken other things - RBL rejection (Knuddi's spamassassin contrib) seems to be broken now, and I have no idea what else. At the same time, Charlie Brady has pointed out http://forums.contribs.org/index.php?topic=5233.msg18479#msg18479 that the redirection using the redir script might compromise security:
Quote
That would likely make external connections appear as though they were connecting from a local network address (127.0.0.1), which will give public access to things which should be local only

If this is true for port 25, I am concerned about inadvertently opening up the mail server to external access, possibly mail relaying. I am not sure what the "best practices" would be here. Can anyone with more technical knowledge comment on this?

meanpenguin
« Reply #9 on: September 28, 2004, 12:22:25 AM »
You may want to go over the developers' mailing list and do a search on mailfront, qmail, ...

SME has a layered approach to email and I believe mailfront is the first in line.  There are "proper" ways to hook into the email chain (allowing spamassassin to work properly).

By changing the services file, that may have broken the chain.  You may be bypassing the mailfront as well and that is a bad thing....

Ed

pwalter

« Reply #10 on: September 28, 2004, 01:11:55 AM »
Quote
You may want to go over the developers' mailing list and do a search on mailfront, qmail, ...

Yes, been there, done that - didn't see anything that might be applicable to my situation, or, more likely, what I saw I didn't understand. From what I see, posting a question to the dev list might, at best, be ignored, and, at worst, I would probably get a flaming reply that it is not a dev question, but a configuration issue. That is why I am posting here. I had hoped that I might get an answer from someone who is knowledgeable about the email chaining in SME 6.0.1, and could advise on the best method to use, keeping mail security in mind. I imagine that others who need to run their mail server on an alternate port would benefit from a HOWTO, which I would write after testing it first. I would much prefer to keep the SMTP port at 25, using the redir script, but I am mindful of creating security holes, too.

pwalter

« Reply #11 on: September 30, 2004, 10:32:04 PM »
A final update ...
Everything seems to be working ok, except that RBL rejection in Jesper Knudsen's spam filter panel no longer works. Jesper (may his paypal account overflow) was kind enough to explain that the RBL rejections no longer occur because my registrar is now *forwarding* my mail to my alternate mail server port, instead of merely informing the mail sender of the ip address of my mail server; therefore, all mail has the "sender ip" of my registrar, and RBL rejection depends upon examining the sender ip. But I can live with that - my registrar has very kindly turned on RBL checking themselves, so my server no longer has to do it anyway. The only downside I can detect to the method I used is that all the mail clients have to be reconfigured to send mail on port 2525, instead of 25 - which may be a hassle in a large installation, but, then, a large installation probably does not have port 25 blocked, anyway.

I hope this helps someone else with a similar problem.

Peter
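The two symptoms Peter reports, Charlie Brady's warning in Reply #8 (external connections look as though they come from 127.0.0.1) and the dead RBL check in Reply #11 (every message arrives with the forwarder's address), have the same cause: a user-space redirector such as redir accepts the client and then opens a brand-new TCP connection to the mail server, so the server only ever sees the redirector's own source address. The Python script below is an added example, not code from this thread, from SME Server or from the redir tool. run_redir and run_smtp_front are hypothetical stand-ins for redir and smtpfront-qmail; TRUSTED_NETS, LOCAL_DOMAINS and the example.org / example.net / spammer.example names are assumptions; everything runs over loopback on ephemeral ports. An outside sender that reaches the front through the stand-in redir connecting to 127.0.0.1 is granted relaying; the same sender connecting directly from a distinct address (127.0.0.2, which Linux treats as local) is refused.

```python
"""Added example (not code from the thread, SME Server or redir): why a user-space
redirector that connects to 127.0.0.1 hides every client behind the loopback address."""
import contextlib
import ipaddress
import socket
import threading

# Assumed SME-style relay policy: the local host and the LAN get RELAYCLIENT.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.0.0/16")]
LOCAL_DOMAINS = {"example.org"}  # assumed: domains this server accepts mail for

def relay_allowed(peer_ip, rcpt_domain):
    """Mail for local domains from anyone; relaying elsewhere only for trusted peers."""
    local = rcpt_domain.lower() in LOCAL_DOMAINS
    return local or any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_NETS)

def run_smtp_front(listener, seen):
    """Hypothetical stand-in for smtpfront-qmail: one session, RCPT judged on the TCP peer."""
    conn, (peer_ip, _) = listener.accept()
    seen["peer"] = peer_ip  # the address a relay rule or RBL check would examine
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mail.example.org ESMTP\r\n")
        for raw in rd:
            line = raw.decode("latin-1").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb == "RCPT":
                allowed = relay_allowed(peer_ip, line.rsplit("@", 1)[-1].rstrip(">"))
                conn.sendall(b"250 ok\r\n" if allowed else b"553 relaying denied\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"250 ok\r\n")

def run_redir(listener, caddr, cport):
    """Hypothetical redir stand-in: a fresh connection to caddr:cport with bytes copied
    both ways, so the backend sees this process's source address, never the client's."""
    client, _ = listener.accept()
    backend = socket.create_connection((caddr, cport))
    def pump(src, dst):
        with contextlib.suppress(OSError):
            while data := src.recv(4096):
                dst.sendall(data)
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)  # pass EOF on to the other side
    t = threading.Thread(target=pump, args=(backend, client))
    t.start()
    pump(client, backend)
    t.join()
    client.close()
    backend.close()

def probe_relay(host, port, source_ip=None):
    """Act as an outside sender asking to relay to a foreign domain; True if accepted."""
    s = socket.socket()
    if source_ip:
        s.bind((source_ip, 0))
    s.connect((host, port))
    accepted = False
    with s, s.makefile("rb") as rd:
        rd.readline()  # 220 banner
        for cmd in (b"HELO spammer.example\r\n", b"MAIL FROM:<x@spammer.example>\r\n",
                    b"RCPT TO:<victim@example.net>\r\n", b"QUIT\r\n"):
            s.sendall(cmd)
            reply = rd.readline()
            if cmd.startswith(b"RCPT"):
                accepted = reply.startswith(b"250")
    return accepted

def _start_front():
    """One smtp-front session on an ephemeral loopback port (no root, no real port 25)."""
    seen, back = {}, socket.create_server(("127.0.0.1", 0))
    t = threading.Thread(target=run_smtp_front, args=(back, seen))
    t.start()
    return seen, back, t

def probe_through_forwarder():
    """client -> redir stand-in connecting to 127.0.0.1 -> smtp front.
    Returns (peer address the front saw, whether relaying was granted)."""
    seen, back, tb = _start_front()
    front = socket.create_server(("127.0.0.1", 0))
    tf = threading.Thread(target=run_redir, args=(front, "127.0.0.1", back.getsockname()[1]))
    tf.start()
    granted = probe_relay("127.0.0.1", front.getsockname()[1])
    for t in (tb, tf):
        t.join()
    back.close()
    front.close()
    return seen["peer"], granted

def probe_direct(source_ip):
    """client -> smtp front directly, so the client's own source address is visible.
    127.0.0.2 can play the outside address on Linux, where all of 127/8 is local."""
    seen, back, tb = _start_front()
    granted = probe_relay("127.0.0.1", back.getsockname()[1], source_ip)
    tb.join()
    back.close()
    return seen["peer"], granted

if __name__ == "__main__":
    print(probe_through_forwarder())  # ('127.0.0.1', True): the outsider may relay
    print(probe_direct("127.0.0.2"))  # ('127.0.0.2', False): the same outsider is refused
```

Run it with python3: the first tuple is ('127.0.0.1', True) because the relay rule saw the loopback address and said yes, and an RBL lookup on that address would be equally meaningless. This is why Trevor's Reply #14 moves --caddr from 127.0.0.1 to the external IP, and why Gordon's kernel-level port forwarding (Reply #21 onward) is the cleaner answer: a redirect done in the kernel rewrites only the destination port and leaves the client's source address intact, so both the relay rule and the RBL check judge the real sender.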

TrevorB
« Reply #12 on: October 02, 2004, 02:49:22 PM »
Peter.

I have been using the redir method for a couple of years now, but the only variation on that post was that I set up a simple script smtp-redir (and similar for www-redir as my isp also blocks port 80) that uses the settings for my $OUTERNET that is called as part of the ip-up and ip-change processes.

<Script (smtp-redir located in /etc/e-smith/events/actions):>
#!/bin/sh

#------------------------------------------------------------
# Hacked script to try to redirect smtp traffic from external
# port 2525 to internal port 25
#------------------------------------------------------------

# description: Configures IP redirection from an external port to an alternate internal port.

    OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
    /usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=127.0.0.1 &

exit 0
</script>

and include symlinks in /etc/e-smith/events/ip-up & ip-change of S88-smtp-redir that point at this script:
ln -s /etc/e-smith/events/actions/smtp-redir /etc/e-smith/events/ip-up/S88-smtp-redir
ln -s /etc/e-smith/events/actions/smtp-redir /etc/e-smith/events/ip-change/S88-smtp-redir

This will start the redirection every time you boot and on a change of ip (if you are assigned a dynamic ip - not necessary for you at the moment, but may be needed in the future or by others).

Trevor B

pwalter

« Reply #13 on: October 02, 2004, 07:44:07 PM »
Trevor B,

Thanks for the instructions - they may become useful to me in the future, for dynamic ip addresses. I assume you have not had any of the security issues Charlie warned about in his post. Your method avoids having to reconfigure the mail clients, and leaves port 25 still functional.

Peter

TrevorB
« Reply #14 on: July 23, 2005, 07:55:39 AM »
A quick update (triggered by an e-mail/post from Charlie Brady  a while ago...)

Please change --caddr=127.0.0.1 to --caddr=$OUTERNET, otherwise your external port 2525 looks like an internal port (with inherent security & relay risks).

The updated script is:
<Script (smtp-redir located in /etc/e-smith/events/actions):>
#!/bin/sh

#------------------------------------------------------------
# Hacked script to try to redirect smtp traffic from external
# port 2525 to internal port 25
#------------------------------------------------------------

# description: Configures IP redirection from an external port to an alternate internal port.

    OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
    /usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=$OUTERNET &

exit 0
</script>

Trevor B

pwalter

« Reply #15 on: July 24, 2005, 03:23:01 AM »
Trevor B,

Thanks for the updated script. I had a small problem with the original script - I use pppoe to connect to my isp, and, whenever the pppoe connection disconnected, it would not restart automatically because the ip-up event is "supervised" - and, since ip-up never really terminated because of the redir program, supervise never recognized that ip-up should be restarted. I fixed that by using "exec" to start redir, but then I ended up with multiple copies of redir running. My bash skills are very poor - I tried to modify the script to detect if redir was already active, and skip starting it if it was, but failed miserably. Can you suggest a method of avoiding this problem?

Peter

TrevorB
« Reply #16 on: July 24, 2005, 04:28:50 AM »
Quote from: "pwalter"
I use pppoe to connect to my isp, and, whenever the pppoe connection disconnected, it would not restart automatically because the ip-up event is "supervised" - and, since ip-up never really terminated because of the redir program, supervise never recognized that ip-up should be restarted. I fixed that by using "exec" to start redir, but then I ended up with multiple copies of redir running. My bash skills are very poor - I tried to modify the script to detect if redir was already active, and skip starting it if it was, but failed miserably. Can you suggest a method of avoiding this problem?

Peter

Peter,

this would obviously happen for me too (but I'm on cable and my IP has only changed twice in the many years I've been with them...).

Would suggest that it is easiest to include all redir bits in one script (I have separate ones for smtp & www) and do a kill of all running redir processes before starting the new ones (but be careful that there aren't any other processes running that will be caught by your script).

I will play with this at some stage (just not right now, some tax stuff to sort this weekend), but you could look at using something like (but don't quote me - I'm doing this from memory & my scripting skills are a little rusty ;)
# kill every running copy of redir; the [/] stops grep matching its own command line
for pid in $(ps -ef | grep '[/]usr/local/bin/redir' | awk '{print $2}')
do
  kill "$pid"
done

Trevor B

pwalter

« Reply #17 on: July 24, 2005, 05:09:43 AM »
Trevor B,

Thanks for the suggestion - I will try it out.
In the meantime, this is what I have been using:
[smtp-redir script in /etc/e-smith/events/actions]
Quote

#!/bin/bash

#------------------------------------------------------------
# Hacked script to try to redirect smtp traffic from external
# port 2525 to internal port 25
#------------------------------------------------------------

# description: Configures IP redirection from an external port
# to an alternate internal port.
# Only start redir if no copy is running already. pidof matches the
# program name of /usr/local/bin/redir, so look for "redir".
ISREDIR=$(pidof redir)
if [ -z "$ISREDIR" ] ; then
   OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
   echo /usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=$OUTERNET
   exec /usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=$OUTERNET
fi
exit 0


But, for reasons I think are unrelated to the script, pppoe would not restart in a timely fashion (my isp connection seems to fail a lot), so I also have a cron job as follows:
Quote

#!/bin/bash
# Restart the supervised pppoe service when its interface (ppp0) has gone away
PPPUP=$(/sbin/ifconfig | grep '^ppp0')
if [ -z "$PPPUP" ]
then
   # svstat prints e.g. "/service/pppoe: up (pid 1234) 56 seconds"; pull out the pid
   PID=$(svstat /service/pppoe)
   PID=${PID%%)*}
   PID=${PID#*pid}
   kill -s 9 $PID
   ADMIN=$(/sbin/e-smith/db configuration get AdminEmail)
   echo "pid $PID killed because ppp0 was not found." | mail -s "Restarted PPPOE" $ADMIN
fi


Klugey, but it works.

Peter

TrevorB
« Reply #18 on: July 24, 2005, 07:01:41 AM »
I took an equally klugey, but different approach.

I called this script restart-redir and symlinked it in rather than the www-redir & smtp-redir ones as I had previously.
ln -s /etc/e-smith/events/actions/restart-redir /etc/e-smith/events/ip-up/S88restart-redir
ln -s /etc/e-smith/events/actions/restart-redir /etc/e-smith/events/ip-change/S88restart-redir

I guess that if I added a configuration item redir which had matching pairs, it would be easy to automate the script (and then I'd need a simple panel and ......:-)

Trevor B

#!/bin/sh

#------------------------------------------------------------
# Hacked script to try to redirect traffic from external
# ports 2525 & 940 to external port 25
# and port 8080  to external port 80
#------------------------------------------------------------

# kill all the existing redir sessions prior to starting the new ones

killall -eq /usr/local/bin/redir

# Configures IP redirection from an external port to an alternate external port.

OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
/usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=$OUTERNET &
/usr/local/bin/redir --lport=940 --laddr=$OUTERNET --cport=25 --caddr=$OUTERNET &
/usr/local/bin/redir --lport=8080 --laddr=$OUTERNET --cport=80 --caddr=$OUTERNET &

exit 0

pwalter

« Reply #19 on: July 24, 2005, 07:14:40 AM »
Trevor B,

Your kluge *is* superior to my kluge - far more extensible. I am going to revise mine to match yours.

Hmmm... I am sure that this is something that would be useful to others, if only (sigh) we could get a FormMagick / rpm guru involved to create a sme-redir rpm and a configuration panel. Are there any SME gurus out there willing to spend an hour or so on doing this? It would be a nice addition to SME 7.x, particularly if it also opened the specified ports without needing the port-opening contrib.

Peter

TrevorB
« Reply #20 on: July 24, 2005, 08:22:58 AM »
Quote from: "pwalter"
Hmmm... I am sure that this is something that would be useful to others, if only (sigh) we could get a FormMagick / rpm guru involved to create a sme-redir rpm and a configuration panel. Are there any SME gurus out there willing to spend an hour or so on doing this? It would be a nice addition to SME 7.x, particularly if it also opened the specified ports without needing the port-opening contrib.

Peter

Don't need a guru, I can build the panel, package, etc.:-P (have done a couple, but am certainly NOT a guru). It is more when, as I'm just a little busy at the moment.

You don't have to use FormMagick, you can use perl, but it should be easier with FormMagick, once you know how....

I have a couple of issues
1. the best way of opening/closing the ports, and
2. the best way to store the port pairs.

Not exactly sure the best way to open the ports and a little worried about closing the ports when you disable a redir, in case it was wrongfully set or an important port. May need a 'Do you want to also close the port?' query on the panel...

I was thinking I might need a separate config database with a line per pair (called redir?):
<name>|status|<enabled|disabled>|External_Port|<external port>|Internal_Port|<internal port>

example:
smtp|status|enabled|External_Port|2525|Internal_Port|25
http|status|enabled|External_Port|8080|Internal_Port|80

Anyway, need the basics first. So off scripting I go and then  panel building....

Trevor B

gordonr
« Reply #21 on: July 24, 2005, 09:05:55 AM »
Quote from: "TrevorB"

I have a couple of issues
1. the best way of opening/closing the ports, and
2. the best way to store the port pairs.


Sorry to come in so late on this thread, but what's wrong with setting up a Port Forward from port 2525 to port 25 via the Port Forwarding panel?

In 6.0/6.5, you need to port forward to your _external_ IP address, which is a challenge for dynamic IP addresses. But in 7.0 you can use "localhost" as the destination and have the dynamic IP change tracked automagically.

Backporting that change to 6.x wouldn't be hard if someone felt like a small challenge. It would seem to be far simpler than duplicating this with redir, a new db, panel, etc.

Am I missing something?

TrevorB
« Reply #22 on: July 24, 2005, 10:09:40 AM »
Quote from: "gordonr"
Sorry to come in so late on this thread, but what's wrong with setting up a Port Forward from port 2525 to port 25 via the Port Forwarding panel?

In 6.0/6.5, you need to port forward to your _external_ IP address, which is a challenge for dynamic IP addresses. But in 7.0 you can use "localhost" as the destination and have the dynamic IP change tracked automagically.

OK, wasn't sure that this would work (but I guess if redir works, then so would using the external IP in port-forwarding).

The dynamic IP thing will be a problem for Peter and those with rapidly changing IP's, but shouldn't worry me.

I'll be running 7.0 as soon as I can - once I get set up properly and help you guys with the testing etc. (my old test box is a P1, so won't work with 7.0... :-( ), and I can easily live with what I have (have been for > 3 years).

Quote from: "gordonr"
Backporting that change to 6.x wouldn't be hard if someone felt like a small challenge. It would seem to be far simpler than duplicating this with redir, a new db, panel, etc.

Am I missing something?

Glad you came by. :-)

No, I don't think you missed anything. I guess we didn't realise that it would be so easy with 7.0 (BTW, won't using localhost expose the mail server for relaying etc.?).

I'll finish off the script (using my redir db to prime the ports) as I've almost finished the script and it is easy to update the db (/sbin/e-smith/db redir setprop smtp status enabled, etc), but not do a panel or package.

Thanks Gordon
Trevor B

gordonr
« Reply #23 on: July 24, 2005, 02:21:27 PM »
Quote from: "TrevorB"

OK, wasn't sure that this would work (but I guess if redir works, then so would using the external IP in port-forwarding).


Yep. And port forwarding will be more efficient - the data doesn't have to come down to a user space process.

Quote from: "TrevorB"

The dynamic IP thing will be a problem for Peter and those with rapidly changing IP's, but shouldn't worry me.


The changes in 7.0alpha handle dynamic IPs correctly. I haven't tried it, but the 7.0 version of e-smith-portforwarding may well work on 6.x

Quote from: "TrevorB"

I'll be running 7.0 as soon as I can - once I get set up properly and help you guys with the testing etc. (my old test box is a P1, so won't work with 7.0... :-( ), and I can easily live with what I have (have been for > 3 years).


Sorry, there comes a time...you can get a very powerful box with mirrored drives for around AUD$900 these days.

Quote from: "TrevorB"

No, I don't think you missed anything. I guess we didn't realise that it would be so easy with 7.0


We aim to please :-)

Quote from: "TrevorB"

(BTW, won't using localhost expose the mail server for relaying etc.?).


No. "localhost" is just used as a database token and expanded to the current external IP when we adjust the firewall. If you enter any of $ExternalIP, $InternalIP, localhost or 127.0.0.1 into the panel, we store it as "localhost" and fix it up on the fly.

Quote from: "TrevorB"

I'll finish off the script (using my redir db to prime the ports) as I've almost finished the script and it is easy to update the db (/sbin/e-smith/db redir setprop smtp status enabled, etc), but not do a panel or package.


I think it would be more valuable to try the later e-smith-portforwarding on 6.x and fix any breakage. That way you know that the changes will be catered for during an upgrade to 7.0 and we wouldn't need redir at all.

pwalter

« Reply #24 on: July 24, 2005, 06:30:37 PM »
Trevor, Gordon,

Thanks for the discussion. For myself, the news of portforwarding improvements have finally tipped the balance, and I now have a good reason to try out SME 7.0 - my system has always been near the "bleeding edge" anyway.

I did have a brief look at extracting the rpms from the SME 7.0 Alpha 26 distro and applying them to my 6.0.1 system - but it seems that the time would be better spent investigating what I need to change on my system to accommodate 7.0, since I will be moving my production system to 7.0 (after Alpha 3,272) anyway :-D

TrevorB
« Reply #25 on: July 25, 2005, 01:53:54 AM »
Quote from: "gordonr"
Sorry, there comes a time...you can get a very powerful box with mirrored drives for around AUD$900 these days.

Yeah, I know, but I just recycled the kids PC's (very cheaply - thanks MSY), so I need to be cautious around 'she who must be obeyed'. I'll have to look at finding a box to put the working bits from the kids discards in.

Quote from: "gordonr"
I think it would be more valuable to try the later e-smith-portforwarding on 6.x and fix any breakage. That way you know that the changes will be catered for during an upgrade to 7.0 and we wouldn't need redir at all.

Effort redirected. I can do this on the old P1 :-)

Trevor B