Koozali.org: home of the SME Server

SMTP for known external IP

Offline Tillebeck

SMTP for known external IP
« on: April 09, 2008, 02:36:01 PM »
Hi
I am having some headaches trying to make a SME webserver handle outgoing mail (smtp) from a remote network with a single known IP.

Something like:
Code:
User_cannotSend (192.168.1.6, cannot send email, but really wants to)
  |
LocalRouter1 (Public IP: 77.66.55.10, local IP: 192.168.1.1)
  |
  |
Internet ---- User_toReceiveEmail with email bob@gmail.com
  |
  |
LocalRouter2 (Public IP: 130.129.128.10, local IP 192.168.2.1 and 192.168.3.1)
  |  \   
  |   \
  |   smeserver.mydomain.com (192.168.3.3, sme 7.3)
  |
  | 192.168.2.4 (can send email)
  User_local (localuser@mydomain.com)

This is the setup:
Sender: User_cannot_send and user_local, each placed on their own network
Receiver: bob@gmail.com (not a domain on my SME server)
smtp-server: smeserver.mydomain.com

Result:
User_remote cannot send email. Cannot even connect using port 25 to IP 130.129.128.10
User_local can send emails to anyone using port 25 to local IP 192.168.3.3

How...
can I allow any user behind the remote router (77.66.55.10) to send emails through my SME-server (accessed through the public IP 130.129.128.10)? All users just want to type in an smtp-server and send emails without authentication?

Bonus question:
If I am running SpamAssassin already, will the outgoing mail also be filtered?

BR. Anders

Offline brianr

Re: SMTP for known external IP
« Reply #1 on: April 09, 2008, 03:30:04 PM »
For a start you are trying to open up port 25 on the SMEserver to unauthenticated users?  This is very silly.  The spammers will be on you in seconds, and will load up your server with millions of spam for sending out.  You are creating an "open relay".  I kid you not, I have had to empty a server of millions of emails due to port 25 being open.

In order to use a remote SMEServer for sending emails, you must use the secure SMTP mode and all incoming email will need to be authenticated with a user and password on the SMEServer.

You'll need to forward the SSMTP port from the router to the server, and the sender's email program will need to be configured to use the SSMTP and also authenticate.  You'll also have to configure the SMEserver using server-manager to be able to receive the SSMTP sent email.

I hope that helps
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Offline mercyh

Re: SMTP for known external IP
« Reply #2 on: April 09, 2008, 03:43:01 PM »
I would suggest that you use the LocalRouter1 site's ISP's SMTP server for those users to send mail. You can still set up External POPS access for them to receive their mail through the SME.

If your reason for sending the mail through SME is related to the Bonus Question, you are not going to achieve what you want anyway.

Offline CharlieBrady

Re: SMTP for known external IP
« Reply #3 on: April 09, 2008, 05:43:18 PM »
Quote
I would suggest that you use the LocalRouter1 site's ISP's SMTP server for those users to send mail.

I endorse that recommendation.

Offline Tillebeck

Re: SMTP for known external IP
« Reply #4 on: April 10, 2008, 01:10:38 AM »
I agree too...

But the problem is that the ISP's smtp for LAN1 is timing out quite frequently and then I get support tickets from 125 users located on LAN1. So I need some way to make sending mails more reliable for the 125 users on LAN1.

I can set up a local SME server on LAN1 and let it act as "buffer" SMTP-server and let it send out all mails through the ISP's SMTP-server. The SME-server will then handle any timeouts and just send the mails whenever the ISP's SMTP-server is up and running.
 - this will cost me one old box plus some support now and then.

But since I already have a SMTP-server on another LAN in a great environment I hoped I could use that instead. And then send all mails for both networks out through LAN2's ISP's SMTP-server since that is up and running 99,9%

Is it still considered an Open Relay if port 25 traffic only is accepted from local LAN plus a few trusted IPs?

I cannot set up distinct authentication for each user. In best case I can create one that will be shared among them all. I guess that is not much better than nothing...

Will you still recommend a new local SME-server to act as buffer SMTP-server until it can send mails to LAN1's ISP's SMTP-server? Or can it somehow send it to LAN2's ISP's SMTP-server through the SME-server located on LAN2?

Hope it makes sense.
Thanks for the advice until now

BR. Anders
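
Added example (not written by any poster in this thread and not SME Server's own code): a small Python model of the relay decision being discussed, showing how local delivery, authenticated relay, relay from a trusted address and an open relay differ. The /24 masks, the relay list and the 203.0.113.50 client are assumptions built around the addresses in the first post.

```python
import ipaddress

# Assumptions for illustration: the /24 masks and this relay list are not in the thread.
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_NETS = ["192.168.2.0/24", "192.168.3.0/24", "77.66.55.10/32"]


def relay_decision(client_ip, rcpt, authenticated, trusted_nets=TRUSTED_NETS):
    """Return (accepted, reason) for one RCPT TO address."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"        # mail for a hosted domain is not relaying
    if authenticated:
        return True, "authenticated relay"   # tied to an account that can be disabled
    ip = ipaddress.ip_address(client_ip)
    for net in trusted_nets:
        if ip in ipaddress.ip_network(net):
            return True, f"trusted network {net}"
    return False, "relaying denied"


def audit_trusted_nets(trusted_nets):
    """List relay-list entries that deserve a second look."""
    findings = []
    for net in map(ipaddress.ip_network, trusted_nets):
        if net.prefixlen == 0:
            findings.append(f"open relay: {net} lets any host relay")
        elif not net.is_private:
            findings.append(f"public address trusted without auth: {net}")
    return findings


if __name__ == "__main__":
    # Constructed sample sessions: (client IP, recipient, authenticated?)
    samples = [
        ("192.168.2.4", "bob@gmail.com", False),            # User_local
        ("77.66.55.10", "bob@gmail.com", False),            # anyone behind LocalRouter1
        ("203.0.113.50", "bob@gmail.com", False),           # unknown Internet host
        ("203.0.113.50", "bob@gmail.com", True),            # same host after SMTP AUTH
        ("203.0.113.50", "localuser@mydomain.com", False),  # inbound mail
    ]
    for sample in samples:
        print(sample, "->", relay_decision(*sample))
    print(audit_trusted_nets(TRUSTED_NETS))
```

A relay list limited to known addresses is not an open relay, but the audit still flags 77.66.55.10/32 because that one NAT address stands for every machine behind the remote router, and none of them has to authenticate.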

Offline CharlieBrady

Re: SMTP for known external IP
« Reply #5 on: April 10, 2008, 04:28:08 AM »
Quote
But the problem is that the ISP's smtp for LAN1 is timing out quite frequently and then I get support tickets from 125 users located on LAN1. So I need some way to make sending mails more reliable for the 125 users on LAN1.

Move to a better ISP.

Offline raem

Re: SMTP for known external IP
« Reply #6 on: April 10, 2008, 07:10:40 AM »
Tillebeck

I'm not sure if this applies to physically remote networks, but you could add the remote network to the main sme server's trusted network in the Local networks panel, and then remote users will effectively have local access to the main sme server's smtp server. Doing that will allow access to more than just the smtp server though.
...

Offline brianr

Re: SMTP for known external IP
« Reply #7 on: April 10, 2008, 11:13:44 AM »
Quote
Tillebeck

I'm not sure if this applies to physically remote networks, but you could add the remote network to the main sme server's trusted network in the Local networks panel, and then remote users will effectively have local access to the main sme server's smtp server. Doing that will allow access to more than just the smtp server though.

It also depends upon the LAN1 internet connection being on a fixed IP address.

Quote
Will you still recommend a new local SME-server to act as buffer SMTP-server until it can send mails to LAN1's ISP's SMTP-server? Or can it somehow send it to LAN2's ISP's SMTP-server through the SME-server located on LAN2?

If you have an SMEServer on LAN1 it can act as an SMTP email sender without using the ISP mailserver.  Still need a fixed IP though. This is the best solution IMO.
Brian j Read

Offline CharlieBrady

Re: SMTP for known external IP
« Reply #8 on: April 10, 2008, 03:18:55 PM »
Quote
I'm not sure if this applies to physically remote networks, ...

It doesn't.

Offline mercyh

Re: SMTP for known external IP
« Reply #9 on: April 10, 2008, 03:35:30 PM »
from Tillebeck post #5
Quote
I cannot set up distinct authentication for each user. In best case I can create one that will be shared among them all. I guess that is not much better than nothing...

But you already have if they are a user on the SME and receive their mail from it.

Or do you not host User_CannotSend's email domain on that server??

Offline raem

Re: SMTP for known external IP
« Reply #10 on: April 11, 2008, 05:28:19 AM »
Tillebeck

Quote
How...
can I allow any user behind the remote router (77.66.55.10) to send emails through my SME-server (accessed through the public IP 130.129.128.10)? All users just want to type in an smtp-server and send emails without authentication?

Your remote users could establish a VPN connection and then they effectively have "local" access to the smtp server for mail.

Otherwise...

If you thought to use VPN, then you need to set them up as users on sme, so in that case you might as well just enable ssmtp access in server manager and configure email clients appropriately.
...

Offline Tillebeck

Re: SMTP for known external IP
« Reply #11 on: November 07, 2008, 07:54:54 PM »
Thanks for all your input.

As answer to mercyh:
yep, you are right. I host none of the domains that people are using as sender emails. So the SME server may not be the right product to use for this single job at all.

To RayMitchell and CharlieBrady
Good idea with adding the network. I had already tried that with no success. So I guess CharlieBrady is right

Status:
I see that I try to use the SME server in a way that it is not intended to be used. I therefore no longer try to use a single SMTP-server as open relay even though it should be restricted to certain IPs only but only as SMTP-server on local LAN.

My question is now:
If I set up a SME on a LAN any person (also non-sme users on the LAN) can send emails through the SME. Is there any way to scan these mails for SPAM and have the SPAM removed? Basically the same service as the ISP should have provided.
 - If it is possible is it then only for users created on the SME server or also for other people just using the local SMTP-server?

As I understand it this is not possible with SME, but since most ISPs can do it there must be some software that can handle SPAM filtering on outgoing emails. If not SME do you know any other software?

BR. Anders

P.S.
It is not an option to shift ISP

Offline Tillebeck

Re: SMTP for known external IP
« Reply #12 on: November 10, 2008, 01:55:30 PM »
It seems that this one can do the trick:
http://www.barracudanetworks.com/ns/products/spam_overview.php

Maybe it is better to use the SME server for what it was intended for and use another product for the rest.

BR. Anders