Koozali.org: home of the SME Server

Removing Email Function - Best Practice

Offline grattman

Removing Email Function - Best Practice
« on: October 29, 2009, 07:07:06 PM »
Hey all,

I am looking to all of you for advice on what the best way to disable/turnoff/remove the email function from SME 7.4 would be. We are a school and the SAU we are under now handles email for all schools. I have kept email going and forwarding for four months, and I believe it is finally time to pull the plug.

Anxiously awaiting an answer,
Grattman

Offline arne

Re: Removing Email Function - Best Practice
« Reply #1 on: October 29, 2009, 10:17:03 PM »
I don't think you can turn off or disable or remove the mail server as it is a necessary part of the complete system.

What I actually use to do myself in such a situation, where I want a service that has to be there "invisible" and inaccessible from the outside, is to "lock it in" via the firewall. But firewall hacks can be "hot stuff" on the SME forum.

Question to administrators/moderators: Could this be an OK way to do it, if a "mailserver firewall lock-off method" could be found for the mail ports that is OK and according to the documentation? Could/should there be other or better ways to do it?

(I have done it like this myself, for some years, but I don't know if it is considered to be a "best practice".)

.. Don't know if this was the wrong answer and if someone else will send the right one ..

.. By the way .. I have checked the DB config variables for the qmail, and technically, it looks like it can be turned off .. but I would not expect this to be a wise thing to do .. ??
« Last Edit: October 29, 2009, 11:09:10 PM by arne »

Offline arne

Re: Removing Email Function - Best Practice
« Reply #2 on: October 30, 2009, 05:35:32 PM »
I think the question is a bit tricky as there is no best practice for this.

But I think what can be done is to let the mail server run like before and only block the port 25 traffic from the LAN/WAN and into the server via a firewall modification. I tried different ways to find a solution that would be as "standard sme server" as possible.

DB commands did not work for this purpose, so I made a template fragment for blocking of this traffic:

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/32BlockMail

And then inside this new template fragment file I edit it like this:

iptables -A INPUT -p tcp --dport 25 -j DROP

signal-event remoteaccess-update

/etc/init.d/masq restart

If things should not work like expected it should be just to delete the custom template, and then restart the firewall.

I have only tested at SME 8.0 B4, but hopefully it works the same way.

If moderators/developers disagree, please leave a few words.

Please be advised that this solution is not fully tested. Please also leave a few words if it is tested and if it works OK.

By the way, the Horde web mail should still be working like normal, but the mail server should not be able to receive mail from LAN/WAN.



« Last Edit: October 30, 2009, 05:46:03 PM by arne »
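
A check for the rule in the post above, added here as an example and not part of the original post: `iptables -A` appends to the end of the chain and the first matching rule wins, so whether the DROP takes effect depends on what sits ahead of it in INPUT. The function name and both rule sets are constructed for illustration.

```shell
# Added example. Reads iptables-save output on stdin and prints the target
# of the first filter/INPUT rule matching new TCP connections to PORT, or
# the chain policy if none does. Assumption: only rules built from -p,
# -m tcp, --dport and -j are judged; rules with other conditions are
# skipped, and a jump to a user chain is printed as the chain name.
first_verdict() {
    awk -v port="$1" '
        /^\*/ { table = $1; next }
        table != "*filter" { next }
        $1 == ":INPUT" { policy = $2; next }
        $1 == "-A" && $2 == "INPUT" && !found {
            proto = ""; dport = ""; target = ""; ok = 1
            for (i = 3; i <= NF; i += 2) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if (!($i == "-m" && $(i + 1) == "tcp")) ok = 0
            }
            if (ok && (proto == "" || proto == "tcp") &&
                (dport == "" || dport == port)) { found = 1; verdict = target }
        }
        END { print (found ? verdict : policy) }
    '
}

# Constructed sample: port 25 already accepted, DROP appended with -A.
sample_appended() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
COMMIT
EOF
}

# Constructed sample: the DROP sits ahead of the ACCEPT.
sample_drop_first() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
EOF
}

echo "DROP appended after ACCEPT: $(sample_appended | first_verdict 25)"
echo "DROP listed first:          $(sample_drop_first | first_verdict 25)"
```

On the server itself the input would come from `iptables-save | first_verdict 25`.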

Offline janet

Re: Removing Email Function - Best Practice
« Reply #3 on: October 30, 2009, 10:09:29 PM »
grattman

If you disable the mail functionality of sme server, then you will not receive system messages that are emailed to you.

You could set access to mail services to private using existing db commands
To see current settings do
config show qmail
config show qpsmtpd

Then do something like
config setprop qpsmtpd access private
signal-event email-update
(Please check/confirm the above as I'm away from any sme server to check)
Just changing qpsmtpd should be enough to stop external use of the mail system
Also disable webmail in server manager
See the db command Howtos for further info

To disable the mail system set status to disabled, but that will stop system email messages also, which is not a good idea personally.

Note to Arne, the db commands do change firewall rules, so it is more consistent to use db commands where a command already exists rather than creating specific firewall rule custom templates to do the same thing.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline CharlieBrady

Re: Removing Email Function - Best Practice
« Reply #4 on: October 30, 2009, 11:16:15 PM »
Quote
I have kept email going and forwarding for four months, and I believe it is finally time to pull the plug.

Why, what problems is it causing?

Offline arne

Re: Removing Email Function - Best Practice
« Reply #5 on: October 30, 2009, 11:41:33 PM »
mary -> I agree with you that the db command will be more consistent, but I could not make it work on a server-only installation. That's the reason that I tried the template fragment method, as an alternative method, for the server-only installation.
« Last Edit: October 31, 2009, 01:38:51 AM by arne »

Offline janet

Re: Removing Email Function - Best Practice
« Reply #6 on: November 02, 2009, 04:09:58 PM »
arne

Quote
I could not make it (the db command) work on a server-only installation. That's the reason that I tried the template fragment method...

If that's truly the case (on an unmodified sme server) then you should report a bug.
Mail system db commands should still work in server only mode as the mail system is fully functional in that mode.

Offline arne

Re: Removing Email Function - Best Practice
« Reply #7 on: November 03, 2009, 01:09:55 AM »
I have to admit that I tested on an 8 b4 and not on SME 7.4.

.. and what I thought when the db/private statement did not work was something like: Aha, "private" is something that will work for a gateway and make the server "private accessible" from lan and not from wan/internet. This was my conclusion, and I might well be wrong. Yes, the server was unmodified, except that I "installed" and took away some "firewall template fragments" in the customized directory.

If I was wrong about the "private mode" I will try to look into it. (And test a bit more on a fresh 7.4.)

.. Hmm .. the documentation almost repeats those things that were my belief (Or maybe not ??):
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Open_Ports_in_Private_Server.2FGateway_Mode
« Last Edit: November 03, 2009, 01:13:22 AM by arne »

Offline janet

Re: Removing Email Function - Best Practice
« Reply #8 on: November 03, 2009, 01:34:32 AM »
arne

Quote
.....If I was wrong about the "private mode"......

In your last post you referred to server only mode.
Now I see you are referring to Private server mode.
Private server and server only modes are quite different things, so please be careful with your statements.

Of course in private server mode ALL ports and services are closed to incoming Internet access, which will of course impair mail system functionality.

By the way, as soon as you add or modify (custom) templates you do have a "modified" system, which by definition is no longer "unmodified", so again please be careful with your statements.