Koozali.org: home of the SME Server

Incoming smtp port 25 blocked...how to use mail-hop service safely?

Offline bhamail

First, a big Thank You for all the great work on SME!

I have SME 7.4 and can send outgoing email via my ISP's mail server just fine. (via "E-mail settings" -> "Address of Internet provider's mail server").

My ISP has blocked incoming port 25.
I'm currently using a mail-hop service from dyndns to send incoming email to my dyndns domain on a non-standard port (i.e. 2525). For this to work, I have also set up port forwarding on my SME server from the non-standard port to the standard port on "localhost" (2525->25).

I'm worried about the documentation warnings that doing this port forwarding is bypassing some SME email safety/spam checks.
How can I "safely" allow incoming smtp email via a non-standard port on SME (in conjunction with mail-hop)? Do I need to actually change the SME smtp port (in a template?) or is there some way to make the "email safety/spam checks" apply with the above forwarding?

I've read the various comments about finding a different ISP, and fully agree, but this is not an option in my area.

Thanks,
Dan

Offline mmccarn

Re: Incoming smtp port 25 blocked...how to use mail-hop service safely?
« Reply #1 on: January 25, 2009, 05:22:41 PM »
If the comment in the PortRedirect HowTo is correct, your incoming email will be getting handled as though from a local computer using the  /var/service/qpsmtpd/config/peers/local config file instead of the file normally used for incoming external emails (/var/service/qpsmtpd/config/peers/0)

Running diff -u ... on the two qpsmtpd config files shows the differences:
Code:
+# 10check_earlytalker disabled for local connections
+# 12count_unrecognized_commands disabled for local connections
...
+# 16require_resolvable_fromhost disabled for local connections
+# check_basicheaders disabled by custom template fragment
+# 20rhsbl disabled for local connections
+# 22dnsbl disabled for local connections

You can find out if these plugins are getting used on your incoming email by examining /var/log/qpsmtpd/current, but to get output from each plugin you must first set the qpsmtpd LogLevel to 8:
Code:
config setprop qpsmtpd LogLevel 8
signal-event email-update
Now send yourself a test message (or just wait a bit if your mail server is always busy), so there will be some new log data generated, then run
Code:
grep "check_basicheaders\|rhsbl\|dnsbl\|resolvable_fromhost" current | grep -v logterse | less
If you see any output, the note on the wiki page is inaccurate, and SME is smart enough to know that the email coming from your ISP relay service *does* come from the external network.

Note: Be sure to set your LogLevel back to 6 when you're done checking:
Code:
config setprop qpsmtpd LogLevel 6
signal-event email-update

You may want to set up one or more of the methods for tracking your email server statistics outlined in Email_Statistics so you can keep track of your server going forward.

If you find that the howto is correct and that these plugins are not being invoked, you may need to create some custom templates for the 'local' config file; here is an example of how to copy one plugin config from the '0' config file to the 'local' config file: http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.  You can use a similar method to copy the appropriate template fragments for the plugins you want to be active, but you may get odd behavior when attempting to relay email from your LAN clients through your SME server when you're done.

Hope this helps!

Offline CharlieBrady

Re: Incoming smtp port 25 blocked...how to use mail-hop service safely?
« Reply #2 on: January 25, 2009, 07:54:55 PM »
If the comment in the PortRedirect HowTo is correct, your incoming email will be getting handled as though from a local computer using the  /var/service/qpsmtpd/config/peers/local config file instead of the file normally used for incoming external emails (/var/service/qpsmtpd/config/peers/0)

The comment is incorrect. Whoever made that comment didn't verify its correctness by testing first.

The downside of using a mail-hop service is that all your mail will arrive at your server from the mail-hop server, not direct from Romania, Korea, China, etc., wherever the spam trojans are sending it. So you will lose one piece of information which helps qpsmtpd/spamassassin to detect spam.

Offline bhamail

Re: Incoming smtp port 25 blocked...how to use mail-hop service safely?
« Reply #3 on: January 25, 2009, 09:06:35 PM »
Thanks for the replies!

The good news is after following the suggested log changes and sending a test email from an external email account, I can see lots of checks for blacklists etc. Excellent. I may post a comment to the comment on PortRedirect that notes the loss of sender location info...but first:

I have sme7admin set up to warn me about the number of "outgoing" emails above a threshold (in my case, very low: 10) in the last 5 minutes.
Every now and then, I get a warning email about a ton of "outgoing" emails (from 100's and even over 1000 now and then). I have not yet been flagged as a spammer, so I'm guessing (and hoping) that these "outgoing" emails are not really being sent, but is there some way I can be sure?

When I get one of these sme7admin warnings, I've tried to quickly review the email logs to determine if tons of outgoing emails were really sent, but I'm not sure where to look and what to look for. Any suggestions?

Thanks again,
Dan
« Last Edit: January 25, 2009, 09:44:09 PM by bhamail »

Offline chris burnat

Re: Incoming smtp port 25 blocked...how to use mail-hop service safely?
« Reply #4 on: February 20, 2009, 09:15:02 AM »
but I'm not sure where to look and what to look for. Any suggestions?

Look into qmail/current. Let's say user joe@joe.com sends an email to zena@abc.biz.au.
You will see the following log entry for outgoing mail, including results - delivery is successful or not, and response from zena's mail server. In the example below, joe's mail was delivered and accepted:

2009-02-20 18:17:22.207740500 new msg 10030489
2009-02-20 18:17:22.207746500 info msg 10030489: bytes 3552 from <joe@joe.com> qp 10214 uid 453
2009-02-20 18:17:22.223898500 starting delivery 146: msg 10030489 to remote zena@abc.biz.au
2009-02-20 18:17:22.223904500 status: local 0/10 remote 1/20
2009-02-20 18:17:27.688630500 delivery 146: success: 162.125.34.69_accepted_message./Remote_host_said:_250_ok_1235114247_qp_17065/
2009-02-20 18:17:27.688636500 status: local 0/10 remote 0/20
2009-02-20 18:17:27.688639500 end msg 10030489
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.
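
Added example (not part of the post above and not SME Server's own code): a shell function that reads qmail log lines in the format shown in that post and reports, per 5-minute window and sender, how many remote deliveries were actually attempted and how they ended. The names remote_delivery_summary and sample_log are hypothetical, the msg 10030490 lines are constructed, and the result words success, failure and deferral are the standard qmail-send ones.

```shell
# Added example: per 5-minute window and sender, count attempted remote deliveries.
remote_delivery_summary() {
    awk '
    # "info msg <id>: bytes <n> from <sender> ...": remember the sender
    $3 == "info" && $4 == "msg" {
        id = $5; sub(/:$/, "", id); sender[id] = $9
    }
    # "starting delivery <n>: msg <id> to remote <rcpt>": one outbound attempt
    $3 == "starting" && $4 == "delivery" && $9 == "remote" {
        d = $5; sub(/:$/, "", d)
        split($2, t, ":")
        bucket = $1 " " t[1] ":" sprintf("%02d", t[2] - t[2] % 5)
        from = ($7 in sender) ? sender[$7] : "<unknown>"
        key[d] = bucket " " from
        started[key[d]]++
    }
    # "delivery <n>: success|failure|deferral: ...": outcome of that attempt
    $3 == "delivery" {
        d = $4; sub(/:$/, "", d)
        if (d in key) {
            result = $5; sub(/:$/, "", result)
            outcome[key[d], result]++
            delete key[d]
        }
    }
    END {
        for (k in started)
            printf "%s started=%d success=%d failure=%d deferral=%d\n", k, started[k],
                outcome[k, "success"], outcome[k, "failure"], outcome[k, "deferral"]
    }' | sort
}

# First three lines and the 146 result are from the post; msg 10030490 is constructed.
sample_log() {
    cat <<'EOF'
2009-02-20 18:17:22.207746500 info msg 10030489: bytes 3552 from <joe@joe.com> qp 10214 uid 453
2009-02-20 18:17:22.223898500 starting delivery 146: msg 10030489 to remote zena@abc.biz.au
2009-02-20 18:17:27.688630500 delivery 146: success: 162.125.34.69_accepted_message./Remote_host_said:_250_ok_1235114247_qp_17065/
2009-02-20 18:21:03.000000500 info msg 10030490: bytes 812 from <app@example.test> qp 10300 uid 453
2009-02-20 18:21:03.100000500 starting delivery 147: msg 10030490 to local dan@example.test
2009-02-20 18:21:03.200000500 starting delivery 148: msg 10030490 to remote a@example.org
2009-02-20 18:21:03.300000500 starting delivery 149: msg 10030490 to remote b@example.org
2009-02-20 18:21:04.000000500 delivery 147: success: did_1+0+0/
2009-02-20 18:21:05.000000500 delivery 148: deferral: Constructed_sample_deferral_text/
2009-02-20 18:21:06.000000500 delivery 149: failure: Constructed_sample_failure_text/
EOF
}

sample_log | remote_delivery_summary
```

Local deliveries are ignored, so a window with no `started=` line means qmail made no remote delivery attempts in that period. If the log carries raw TAI64N timestamps, convert them first with `tai64nlocal` before piping the lines into the function.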

Offline bhamail

Re: Incoming smtp port 25 blocked...how to use mail-hop service safely?
« Reply #5 on: February 23, 2009, 04:47:53 AM »
Thanks Chris. I'll keep an eye on that log.

Dan