Topic: Mail forwarding through SME to MS Exchange

[dc121401]

I'm having difficulty trying to get email forwarding through SME to MS Exchange Server - hoping someone can assist.

I've read through the SME 7.0 manual and configured the delegate mail server entry to point to the Exchange Server. The SME box is currently on the LAN with a Cisco box providing Internet firewall, but plan to move SME so that it passes all Internet network traffic as transparent Squid proxy.  SME is configured as server/gateway, with two NICs.  Currently everything is connected on local LAN.  No local mail on SME box is required or configured.

I redirected Cisco to point incoming port 25 from Exchange box to SME but can't seem to get any mail through and can't seem to find any clues about debugging where the mail is getting stuck.  Bit of a newbie on this, sorry.

All of the FAQs I've read seem to gloss over this feature of SME, but I dearly want to do some spam filtering. Any suggestions or links would be gratefully received.

Daz

[Mjohnson]

I am wondering why you have the SME box set up as a Gateway/Server given your network description.  Have you tried Server Only?  I would think that would work well given your network setup.

[CharlieBrady]

I redirected Cisco to point incoming port 25 from Exchange box to SME but can't seem to get any mail through and can't seem to find any clues about debugging where the mail is getting stuck.

You'll get more useful help if you define "can't seem to get any mail through". You should describe exactly what you have done, and what you see happening or not happening.

[Mjohnson]

The reason I was suggesting the Server Only mode, if I am understanding your network configuration, is that you may have set up a mail delivery loop which does not end up destinated to the Exchange Server.  Depending on how your Server/Gateway is configured, if the gateway NIC is connected to the internet directly then you have no way of reaching the Exchange Server via port 25.  

Changing to the Server Only mode will result in a tidy setup whereby the SME server passes the mail directly to the Exchange Server via the LAN, all set up on the same IP subnet.

I have an SME server setup exactly as I suggest.  The servers whole purpose is to screen the inbound email and it works flawlessly in that role.

[dc121401]

The reason I was suggesting the Server Only mode, if I am understanding your network configuration, is that you may have set up a mail delivery loop which does not end up destinated to the Exchange Server.  Depending on how your Server/Gateway is configured, if the gateway NIC is connected to the internet directly then you have no way of reaching the Exchange Server via port 25.  

Hi MJohnson,

Thanks for the suggestion. I did consider Server only configuration however my intention is to install the SME box as a transparent squid proxy and route all internet connections through SME to the second NIC.  This is why I installed Gateway/Server mode.  I have a temporary second internet connection which is proving the proxy server part.

I wanted to confirm that the mail filtering operates before I start reconfiguring the primary internet connection to sit on the "other" side of the SME box. I naively thought that simply redirecting port 25 of the external internet connection from MS Exchange to the SME box (on local LAN), and then configuring SME to send mail to a delegate server (MS Exchange) also on the local LAN would work. I would have thought that the SME didn't care which NIC the incoming mail connection was on.

This is all new territory to me so I was looking for some sort of brief or FAQ about this sort of configuration. I'm normally OK at working through such problems but have no idea where to start in this case.  I can't see where I would be getting a "mail delivery loop" - could you elaborate a littl e please?

Daz

[dc121401]

You'll get more useful help if you define "can't seem to get any mail through". You should describe exactly what you have done, and what you see happening or not happening.

Hi CharlieBrady,

My apologies..

The current "working" configuration has a Cisco network appliance providing a firewalled connection to the internet. The Cisco forwards internet port 25 to a MS Exchange server on the local LAN.  This has been working well for a long time but is getting overwhelmed with spam.

I have installed SME in Server/Gateway mode, with two NICs, intending to [eventually] place it into the path between the outside world and the local LAN. However, since the network is functioning and - as you can imagine - heavily used, I wanted to test the mail filtering before I did a mjaor network reconfiguration.

So the SME box is connected to the local LAN with a temporary external internet connection on the WAN port. This allowed me to confirm squid proxy operation. This is not the IP address where our mail is directed to. The SME box is virtually an "out of the box" installation, with the local LAN and WAN NICs configured and most of the other features left untouched aside from disabling SMTP proxy and configuring a delegate mail server. I am not familiar with SME other than via the web admin pages.

To test filtering, I simply changed the Cisco to point port 25 from the MS Exchange to SME (all on the local LAN) and tried sending mail through from an external source. Result: No mail received at MS Exchange. If I reconfigure Cisco back to MS Exchange and send another mail message, it comes through MS Exchange.  I don't know where to look in the SME box to determine if it is receiving and/or filtering mail. I'm assuming it is not getting past this point.  Would it be rejecting the SMTP connection on the local LAN? I can connect via telnet to port 25 on the local LAN so I thought this would work.

I've looked through the forums and the manual but it isn't clear how this mechanism works or is configured.  Many people say they are happy with the results, so I'm assuming I've done something fundamentally wrong.

Any assistance or suggestions would be gratefully received.

Daz

[JonB]

You have been given the answer. Change the server to Server only. You can change it back to Server/Gateway at a later stage.

You have external SMTP connections coming in on the local/internal interface. These will be processed by the SMTP proxy, which is enabled by default, and try and be delivered by the external interface which is not connected to anything.

Jon

[dc121401]

You have been given the answer. Change the server to Server only. You can change it back to Server/Gateway at a later stage.

You have external SMTP connections coming in on the local/internal interface. These will be processed by the SMTP proxy, which is enabled by default, and try and be delivered by the external interface which is not connected to anything.

Jon

Hi Jon,

I was hoping to avoid changing the configuration, however as you suggest I will look at temporarily changing the server to Server only and see what happens then.  The problem remains that I am none the wiser about tracing the mail path inside the SME server.

I am a little confused by what you are suggesting as I have disabled the SMTP proxy, so I wouldn't have expected to get an SMTP connection on the local LAN port in this instance.

Daz

[dmay]

The problem remains that I am none the wiser about tracing the mail path inside the SME server.

You may view mail activity by entering this command:

Code: [Select]

# tail -f /var/log/qpsmtpd/current | tai64nlocal

Darrell

[dc121401]

You may view mail activity by entering this command:

Code: [Select]

# tail -f /var/log/qpsmtpd/current | tai64nlocal

Hi Darrell,

Thanks very much for the pointer.. That has helped heaps.  I am now able to see what is happening when I try to connect through the WAN port to the SMTP service and why it is failing.

When I try to connect from an external IP address to the LAN port on the box, I can see that the connection is not being made. Therefore I assume it is being dropped by iptable filtering as it is an external source on the local LAN. I'd like to open port 25 on the local LAN globally rather than just the local subnet... guess I need to look at the iptables config.

Daz

[dmay]

You stated earlier:

So the SME box is connected to the local LAN with a temporary external internet connection on the WAN port.

IIUC, to activate mail on your server/gateway test scenario why don't you simply change your DNS MX record to use the temporary external IP address of your SME box.

Darrell

[dc121401]

You stated earlier:

So the SME box is connected to the local LAN with a temporary external internet connection on the WAN port.

IIUC, to activate mail on your server/gateway test scenario why don't you simply change your DNS MX record to use the temporary external IP address of your SME box.

Darrell

Hi Darrell,

You are absolutely correct. I did consider doing this but thought it would be *easier* to simply change the routing on the local network. This way I can quickly change the mail back should there be problems without any MX TTL issues.

I really need to understand how eth0 (local LAN) is handling messages from outside the local subnet and where it would be dropping them.  I've tried adding some logging rules but can't seem to generate any log entries for eth0.

Daz

[MSmith]

You are *hugely* overthinking this.  The answer has been given to you:  server-only mode for now, reconfigure later when your needs change.  

If you want to have fun tracing the mail flow in an unsupported configuration (server-gateway when SME's not the actual gateway) then go ahead, but I can assure you from personal experience that server-only will work just fine.  This is a common setup for me now as I still am responsible for keeping a couple of Exchange 5.5 boxes operating and the only way i can keep them from grinding to a halt under the spam load is to preprocess the incoming SMTP stream with SME.  

In server-only mode.

[dc121401]

OK..   Thanks everyone for the feedback.

I accept the recommendation to use server only mode, and configured another computer to operate in this mode. In this way I can continue to test some of the internet connectivity issues and still get spam filtering.

It has also been very informative because I can see the CPU load it places on the server to filter out spam and it looks like I need to upgrade the box before deploying.

Thanks to all for your help.

Daz