Topic: Stopping external email receipt for SME 7.4

[mistere]

I have a SME 7.4 system that is using a dyndns domain.  I'm receiving only spam because all legitimate email is retrieved via fetchmail.  I need to shut down the receipt/relay of email for all external users but still allow LAN users to send mail.  I tried this without success:

config setprop smtpd access private
config setprop smtpd AllowHosts 10.1.1.0/24
signal-event email-update
signal-event remoteaccess-update

(I did not reboot figuring that was un-necessary.)
Is this the correct approach?
If not, what do I need to do to stop the direct receipt of email from the WAN?

Thanks,
Mistere (AKA: Eric)

[mistere]

I'm not sure but it appears I may have answered my own question.

The emails have stopped although they kept arriving for as much as an hour after I made the above referenced changes.  I don't know why that would be but nevertheless it appears to have worked.

[doublecaps]

I've been trying to reduce spam on our server so I used this comand to limit connection from our upward mail server (a paid sotre and forward service). Now I need to revert this change because it is causing me some issues with remote users.

How do I "delete" the AllowHost entry in the smtps configuration?
Alternatively, how do I do AllowHost= any  ?

Thanks

[janet]

doublecaps

Please learn about the db command and it's usage.
At a command prompt type
db
and you will see the syntax required.
Also read the Howtos as there are couple of good articles there re db commands.
On sme 7.x you can ignore the /sbin/e-smith part as it's not needed.
Also note that
config xxxx yyyy
is a shortcut for
db configuration xxxx yyyy
(Only applicable for the configuration database in /home/e-smith/db)
All other databases need to be specifically referred to in commands eg
db domains xxx yyy
Apply that to many examples shown in the wiki and forums etc, and you should get a good understanding of how the db command works and how to apply and use it.
Keep in mind that deleting an entry does not necessarily mean no value for that entry exists anymore, as default values will usually apply in the absence of a specific db entry. The template code can be reviewed to see what db settings have default values, where no specific db setting exits.
eg
To delete all AllowHosts entries (and allow default values to apply ie in this case allow all) do
config delprop smtpd AllowHosts
signal-event email-update

[janet]

doublecaps

I've been trying to reduce spam on our server so I used this comand to limit connection from our upward mail server (a paid sotre and forward service).

You would do far better to use sme as designed.
Run your own domain based mail server and receive email directly for your domains (or multiple domains if required).

That way spam and virus filtering etc will work much better using the built in features of sme ie spamasaasin, RBL, clamav, executable content filtering, etc.
These need to be applied to mail received directly from the source sender, and will not be particularly effective on forwarded mail etc for various technical reasons.

With todays relatively cheap & fast broadband connections there is generally no technical reason not to run your own mail server.

[CharlieBrady]

I tried this without success:

config setprop smtpd access private
...
signal-event email-update

If that did not stop SMTP arriving on your WAN connection then you should open a bug reporting, providing full details.

[doublecaps]

Keep in mind that deleting an entry does not necessarily mean no value for that entry exits anymore, as default values will usually apply in the absence of a specific db entry. The template code can be reviewed to see what db settings have default values, where no specific db setting exits.
eg

where do I verify what the default and current  value are.
I deleted the entry with the command you suggested and signaled an update but there is no change. It still only receives from that IP address.

[doublecaps]

I found this in the DB Variables Configuration page http://wiki.contribs.org/DB_Variables_Configuration#smtpd

AllowHosts  --src ..... --jump ACCEPT  Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is enabled and public. 

does 0.0.0.0 mean Any address in this case?

Code: [Select]

config delprop key prop
/etc/e-smith/events/actions/initialize-default-databasesIf I run the initizlize-default-databases, will that reset ALL databases to default? I just need to reset 1 of them.
Any suggestions?

[johnp]

It would be nice to know what this looks like

Code: [Select]

config show smtpd

[cactus]

Code: [Select]

config delprop key prop
/etc/e-smith/events/actions/initialize-default-databasesIf I run the initizlize-default-databases, will that reset ALL databases to default? I just need to reset 1 of them.
Any suggestions?

AFAIK it will not reset at all. It is meant to convert existing data to a new format when needed and to add new default values. I don't existing removed ones will be re-added.

You can however restore a complete database to it's default settings using this (taken from: http://wiki.contribs.org/Adding_Software#Restoring_Default_Yum_Repositories ):

Code: [Select]

cd /home/e-smith/db/
mv database database.po
/etc/e-smith/events/actions/initialize-default-databases


[janet]

cactus

Code: [Select]

cd /home/e-smith/db/
mv database database.po
/etc/e-smith/events/actions/initialize-default-databases


I think that should be followed by

Code: [Select]

signal-event post-upgrade; signal-event reboot

[janet]

doublecaps

does 0.0.0.0 mean Any address in this case?

Yes

Please show us the output of
config show smtpd
and
config show ssmtpd

[doublecaps]

I think I might have solved it. I reentered the comands to delete the entry, send the update and ran a couple of tests.

Code: [Select]

smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

ssmtpd=service
    Authentication=enabled
    Instances=10
    TCPPort=465
    access=public
    status=enabled

I did notice though that there is another pre-existing issue.
Remote PCs can only send emails to my domain, but can't send to other domains. This is because relaying is blocked.

      Subject:   TEST
      Sent:   8/11/2009 9:31 PM

The following recipient(s) cannot be reached:

      'davide.picone@gmail.com' on 8/11/2009 9:31 PM
            550 Relaying denied (#5.7.1)

I don't want to enable relaying for obvious reasons. So I'm looking for alternatives.

I should be able to address the issue with authentication but I need some clarification before i make the change.
Is it possible to configure authentication for the Public interface only?
Is it possible to enable authentication but not force it?
In other words, check if a client can authenticate, if it can't allow it to connect it anyways. This would allow me to move in the right directions without needed to reconfigure 150 PCs at once.

[janet]

doublecaps

Remote PCs can only send emails to my domain, but can't send to other domains. This is because relaying is blocked.

Usually remote PC's would/should be configured to send via their remote ISP's smtp server, rather than sending via your sme servers smtp server.

If you do wish to send via your sme servers smtp server, then you WILL need to authenticate, because as you say, relaying is not allowed by default.

You enable external authentication in server manager Email panel
ie Allow SSMTP
and configure your email clients appropriately

See also the Email FAQ
to force everyone on LAN to use authentication, this prevents virus infections from being able to send email via your server even if they infect PC's on the LAN

http://wiki.contribs.org/SME_Server:Documentation:FAQ#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network
and here
http://wiki.contribs.org/SME_Server:Documentation:FAQ#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients


Note that Remote unauthenticated access to your smtp server is not permitted.
It's either no access or secure authenticated access.

The simple answer initially is just to reconfigure remote email clients to send via the local ISP's smtp server.

[CharlieBrady]

Note that Remote unauthenticated access to your smtp server is not permitted.
It's either no access or secure authenticated access.

No, remote unauthenticated access to smtp server is the usual way for mail to be delivered. Relay is not permitted unless the client authenticates, and the client should authenticate over  an ssmtp (encrypted) connection, not smtp.