Koozali.org: home of the SME Server

[SOLVED] Newbie questions for creating a server-only mail server

Michail Pappas
I have started setting up SME 8 in order to replace my FreeBSD box. Details:
* SME is configured in server-only mode
* Only service provided to users will be mail (via POP-3 for local users, via webmail for WAN users). Hence no need for ibays, FTP access, VPNs, squid etc

Apologies in advance for the number of questions:

1) I have disabled the squid service, since I do not need it. Any harm from doing so, especially regarding how spamassassin/clamav/yum updates are fetched?

2) Can I safely disable the smb and nmd services, without any strange side-effects (wondering here whether there might be some internal SME thingie that calls for these services to be always active)?

3) On the same train of thought, can I disable the non-admin/nonwebmail apache virtual server used for ibays etc? If so, how?

4) Possible bug (please let me know in order to open a case in bugtracker). Disabling IMAP from server-manager but having webmail enabled, makes webmail login impossible.

5) Initial configuration for SME was made with an English locale. Can I change it to Greek (for example) and if so, how?

6) config show yum allows for the automatic installation of updates. Does this mean that signal-event post-upgrade will be automatically executed as part of the process?

7) Can I disable the automatic generation of pseudonyms for each user created?

Thanks in advance for all info provided.

EDIT: A couple more:

8) I've got a list of user e-mails. Is there any contrib that would allow importing them as CSV files? Or is there some command to create a user?

9) The system has a FQDN of system.some.where. However, I want it to receive and send mails for the domain system.an.other.domain. Am I correct in assuming that mail sent to either user@system.some.where or user@system.an.other.domain will reach the same mailbox? Is there some specific setting I should make so that mails originating from my SME box are from the system.an.other.domain domain?

10) Finally, there is a fetchmail contrib around. Can it be used to import massively stuff from my existing email account mailboxes via POP-3?
« Last Edit: July 17, 2012, 09:54:19 AM by reqman »

mmccarn
Re: Newbie questions for creating a server-only mail server
« Reply #1 on: July 13, 2012, 05:05:06 PM »
I would recommend that you restrict access to the unwanted services rather than disabling them.

There is an "AllowHosts" value for services that can be used for example to allow access only from 127.0.0.1 - effectively blocking access to each service at the firewall level.

If you do decide to disable a service, be sure to do so "the SME way" using db settings, and not by uninstalling or editing linux config files directly.


Some specific answers:
1) I don't see the advantage, but I also don't see any obvious problems
2) see 1
3) I'm pretty sure webmail is included in the "non-admin" httpd.conf, so if you disable that you'll disable webmail.
4) Webmail login requires IMAP. Restricting IMAP access to localhost using 'AllowHosts' should be sufficient.
5) perhaps config setprop sysconfig Language el, but you may also need to set it manually in /etc/sysconfig/i18n.  If you do set it manually, execute signal-event post-upgrade; signal-event reboot to make sure the change survives.  If it doesn't there's a db setting somewhere that controls the setting.
6) I don't know; I keep "auto update install" turned off.
7) I've never found an easy way to do this.  If the default pseudonyms cause problems, I recommend creating usernames using a code of some sort, then adding the desired email address as a manual pseudonym.

Adding users manually: Lazy Admin Tools is what I would use.  It hasn't been updated in a while, but works fine as long as you don't try to create pseudonyms that contain "@" (pseudonyms containing "@" were invalid in SME 6, but became allowed in SME 7).

9) Yes, all users receive email addressed to any/all defined domains.

10) Probably. I use "imapsync" when moving emails to a new server, as it allows me to sync everything, test the new server, then re-sync to get the latest message status (read/reply/deleted) - server downtime is only the time required for the second/final "sync", and not the full amount of time required to transfer the emails.

Welcome to SME.

Michail Pappas
« Reply #2 on: July 13, 2012, 09:29:19 PM »
Thanks for the valuable input!

Quote
I would recommend that you restrict access to the unwanted services rather than disabling them.
The reasoning is that the server will be lighter.

Quote
9. Yes, all users receive email addressed to any/all defined domains.
When sending mail, where does the mail seem to be originating from? That is, from which domain, in case multiple domains have been configured on sme?

Quote
Welcome to SME.
Thanks :)

CharlieBrady
« Reply #3 on: July 13, 2012, 10:31:36 PM »
Quote
When sending mail, where does the mail seem to be originating from?

Define "seem to be originating from"?

The From: header is controlled by the email client program, not by the server. So if user is using Thunderbird, Outlook, etc, it is whatever they configured there. If it is webmail, then I believe there is a dropdown where you can choose which domain (I don't use webmail, so I'm not familiar with that).

If you mean the hostname used in the "EHLO" phase of SMTP, then it will be the primary domain, although you can set it to anything else using a configuration db entry.

If you mean the reverse DNS of the IP address used when connecting to outside mail servers, then that will depend on whatever your ISP has configured in their DNS servers.

mmccarn
« Reply #4 on: July 13, 2012, 11:39:29 PM »
The people using POP3 will be sending "from" the "from" address configured in the email client.

The people using webmail will be sending "from" the primary domain unless they go into the horde options and set a different "from" address.
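The two replies above separate three things a receiving server sees when mail leaves the SME box: the EHLO name (set by the server, the primary domain by default), the envelope sender and the From: header (both set by whatever the user's client was configured with). The script below is an added example, not code from the thread or from SME Server, that pulls those three identities out of a constructed SMTP session and message and flags the cases an admin would want to notice: a From: or envelope domain the server does not serve, or a From: header that does not match the envelope sender, which is the mismatch remote filters compare. The session, message and the set of local domains (the two from question 9) are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: what a remote server would see when the SME box relays
# a message out.  The EHLO name is the server's; everything else came from the
# user's client.  Not taken from the thread.
SAMPLE_SESSION = [
    "EHLO system.some.where",
    "MAIL FROM:<joe@system.an.other.domain>",
    "RCPT TO:<someone@example.net>",
    "DATA",
]
# Constructed sample message; the From: header is whatever the client had set.
SAMPLE_MESSAGE = (
    "From: Joe <joe@system.some.where>\n"
    "To: someone@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# The two domains from question 9, assumed to be the ones the box serves.
LOCAL_DOMAINS = {"system.some.where", "system.an.other.domain"}

_EHLO = re.compile(r"^(?:EHLO|HELO)\s+(\S+)", re.I)
_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.I)


def domain_of(address):
    """Lower-cased domain part of an address ('' when there is none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def identities(session_lines, raw_message):
    """Pull out the three sender identities the replies distinguish:
    the EHLO name, the envelope sender (MAIL FROM) and the From: header."""
    ehlo = envelope = ""
    for line in session_lines:
        m = _EHLO.match(line)
        if m:
            ehlo = m.group(1)
        m = _MAIL_FROM.match(line)
        if m:
            envelope = m.group(1)
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    return {"ehlo": ehlo, "envelope_from": envelope, "header_from": header_from}


def alignment_findings(ids, local_domains):
    """Report identities a mail admin would not expect from a local user."""
    env_dom = domain_of(ids["envelope_from"])
    hdr_dom = domain_of(ids["header_from"])
    findings = []
    if ids["ehlo"].lower() not in local_domains:
        findings.append("EHLO name %r is not one of the served domains" % ids["ehlo"])
    if env_dom not in local_domains:
        findings.append("envelope sender domain %r is not served here" % env_dom)
    if hdr_dom not in local_domains:
        findings.append("From: header domain %r is not served here" % hdr_dom)
    if hdr_dom != env_dom:
        findings.append("From: header domain %r differs from envelope sender domain %r"
                        % (hdr_dom, env_dom))
    return findings


if __name__ == "__main__":
    ids = identities(SAMPLE_SESSION, SAMPLE_MESSAGE)
    print(ids)
    for f in alignment_findings(ids, LOCAL_DOMAINS):
        print("finding:", f)
```

On the constructed sample the only finding is the header/envelope mismatch: both domains reach the same mailbox inbound, as mmccarn confirmed, but outbound they are two distinct identities and a client can pick either one.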

Michail Pappas
« Reply #5 on: July 14, 2012, 05:18:41 PM »
:blush: My apologies, I don't know what kind of fog had cluttered my mind when I was writing that question... :)

moo2
« Reply #6 on: July 15, 2012, 12:13:34 PM »
Hi,

I have a question too, when using sme in server only mode and using it as a mail server which is reachable from the internet too.

As I understand, the SME Firewall is down while using "server only" mode. Is it possible to get more security? For example using fail2ban (block ip addresses after x failed login attempts) to avoid brute force attacks which could try to get the password?

Just to feel safer :)

Stefano
« Reply #7 on: July 15, 2012, 01:47:10 PM »
In server-only mode you need a firewall between the WAN and SME, so every policy should be done on it.

janet
« Reply #8 on: July 15, 2012, 08:10:26 PM »
moo2

Quote
....the SME Firewall is down while using "server only" mode. Is it possible to get more security?

If you use a properly & correctly configured firewall then all should be well
The firewall in sme server can be enabled/tweaked as you wish/desire. There have been extensive discussions about this in the forums.
Any time you digress from standard configurations, you take on the onus of responsibility to ensure everything is done correctly & securely.

Quote
For example using fail2ban (block ip addresses after x failed login attempts) to avoid brute force attacks which could try to get the password?

SME server is very robust & security is taken very seriously by the developers and there are many "behind the scenes features" that are protecting you, if you understand & use sme server correctly.

If you wish to use additional layers of security, then perhaps a "better" approach would be to reconfigure your sme server in server & gateway mode, and use the static IP option to create a dmz.
It is covered in the manual and has been discussed various times in the forums, so do a search.

As far as "brute force attacks" go, you are much better off to only use secure login methods that will resist brute force attacks, e.g. for ssh only use Public/Private keys & do not allow password-only login. This will be a far better security model than allowing password login & then monitoring IPs and banning them.
For server manager access, simply do not enable external access, not even for specific IP's. Configure remote administration to use ssh/Putty to create a secure tunnel to port 443, then login via browser to localhost. That way it is impossible for external users to access server manager without first establishing a secure ssh login, which itself is only accessible to users having the PPKey setup.

For email, use only secure IMAP, configured in server manager.
If users want access to ibays etc, then setup VPN access for them, or use ssh access (WinSCP etc) via PPKey and jail the users to a specified ibay using the remoteuseraccess contrib.
Avoid insecure ftp, just do not allow users to have that sort of access.
...And so on for whatever access you require, generally speaking use secure methods that do not rely upon passwords only, so no amount of password cracking attempts will ever be successful.
And of course, have long & secure passwords for user accounts, a minimum of 7 characters long (the longer the better), using upper & lower case, numerals & special characters, and not "plain English" words or phrases or common items e.g. birthdays, phone numbers etc.

Another area that will have far more security implications than the core sme server is installed applications, particularly php contribs/apps. These must be kept up to date with the latest bug fixes etc, to avoid security loopholes etc. There can also occasionally be issues where a security "issue" in one app utilises a security issue in a component installed on sme server. Neither on its own would allow a security breach, but when combined a clever hacker can bring down your server. It is indeed rare, but has happened in the past. The moral of the story is to keep your sme server operating system fully updated at all times, and subscribe to mailing lists for any installed apps, and keep them updated as soon as you receive notification that updates & bug fixes are available.

Following these protocols will be a far more effective way to stop hacking than say using fail2ban. I'm not saying not to use it, but just saying make sure you have firstly addressed other more "likely to be vulnerable" aspects of server usage.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
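The ssh advice in the post above (keys only, no password path left open) is easy to state and easy to get wrong, because sshd takes the first value it reads for a directive, ignores the rest, and applies its own defaults for anything left out. The script below is an added example, not from the thread or from SME Server, that resolves the effective global values from an sshd_config text and lists what still allows a password login. Both config texts are constructed samples, and the DEFAULTS table assumes the OpenSSH 5.x defaults of the CentOS 5 generation that SME 8 is built on; check the sshd_config(5) man page for your own version.

```python
import re

# Constructed sample: a mostly default sshd_config that still accepts passwords.
WEAK_CONFIG = """\
# sshd_config (constructed sample, not from an SME box)
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the key-only posture the post recommends.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Values sshd applies when a directive is absent.  Assumed to be the OpenSSH
# 5.x defaults (CentOS 5 / SME 8 era); adjust for the version you run.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}

# PermitRootLogin values under which root cannot log in with a password.
ROOT_KEY_ONLY = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def effective_settings(text):
    """Resolve the global value of each tracked directive.

    sshd keeps the first value it reads for a keyword and ignores later
    repeats, and everything after a Match line applies only to matching
    sessions, so the scan stops at the first Match block."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def audit(text):
    """Return findings; an empty list means no password login path is left."""
    s = effective_settings(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication=%s: password logins are accepted"
                        % s["passwordauthentication"])
    if s["challengeresponseauthentication"] != "no":
        # With PAM, keyboard-interactive can still prompt for the account password
        # even when PasswordAuthentication is off.
        findings.append("ChallengeResponseAuthentication=%s: keyboard-interactive can still take a password"
                        % s["challengeresponseauthentication"])
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication=%s: key logins are disabled"
                        % s["pubkeyauthentication"])
    if s["permitrootlogin"] not in ROOT_KEY_ONLY:
        findings.append("PermitRootLogin=%s: root can log in directly with a password"
                        % s["permitrootlogin"])
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Note that the `Match User backup` block in the weak sample turning passwords off for one user does nothing for the global posture; the audit reports the first global value, which is what every other login is governed by.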

janet
« Reply #9 on: July 15, 2012, 08:32:32 PM »
reqman

Quote
9) the system has a FQDN of system.some.where. ....... Am I correct in assuming that mail sent to either user@system.some.where or user@system.an.other.domain will reach the same mailbox?

Yes, but you can override/control this behaviour.
Carefully consider usernames and pseudonyms first.
Then you can specify in the pseudonyms panel that mail for a specified user@domain1 goes to a certain user2 and mail for a user@domain2 goes to user2
So you do not create a user account for joe, but create user accounts for joe1 & joe2, then in the pseudonyms panel specify that joe@domain1 goes to joe2 and joe@domain2 goes to joe3
It is detailed in the pseudonym section of the manual, and again in the FAQ at http://wiki.contribs.org/SME_Server:Documentation:FAQ#User_accounts


Quote
10) Finally, there is a fetchmail contrib around. Can it be used to import massively stuff from my existing email account mailboxes via POP-3?

You can also setup an IMAP account in the same email client that has the POP3 account setup.
Then manually drag or move messages from the POP folders to the IMAP folders. It's slower, but the method you use really depends on how many messages you have to move.

Michail Pappas
« Reply #10 on: July 17, 2012, 09:53:51 AM »
Thanks again for all your informational responses! This community rocks!

Please close the ticket, I'll gladly change this to "Solved".

Michail Pappas
« Reply #11 on: July 17, 2012, 10:48:36 AM »
Quote
Adding users manually: Lazy Admin Tools is what I would use.  It hasn't been updated in a while, but works fine as long as you don't try to create pseudonyms that contain "@" (pseudonyms containing "@" were invalid in SME 6, but became allowed in SME 7).
Some extra thanks here, this is what I was looking for. Piece of cake using lat-users to create 200 users in no time.

Again, THANK YOU!
« Last Edit: July 17, 2012, 10:58:08 AM by reqman »

Michail Pappas
« Reply #12 on: July 17, 2012, 12:11:45 PM »
Quote
7) I've never found an easy way to do this.  If the default pseudonyms cause problems, I recommend creating usernames using a code of some sort, then adding the desired email address as a manual pseudonym.
As an added bonus of using lat-users, no pseudonyms are created! Just what I was looking for \o/

Michail Pappas
« Reply #13 on: July 20, 2012, 12:46:03 PM »
Quote
5) perhaps config setprop sysconfig Language el, but you may also need to set it manually in /etc/sysconfig/i18n.  If you do set it manually, execute signal-event post-upgrade; signal-event reboot to make sure the change survives.  If it doesn't there's a db setting somewhere that controls the setting.
Tried only the first: config setprop sysconfig Language el_GR followed by signal-event post-upgrade; signal-event reboot. Result: ldap-bootstrap now fails at startup:
Code:
Jul 20 13:23:29 mail esmith::event[3128]: Running event handler: /etc/e-smith/events/bootstrap-ldap-save/S80ldap-update
Jul 20 13:23:33 mail esmith::event[3128]: IO::Socket::INET: connect: Connection refused at /var/service/ldap/ldif-fix line 400.
Jul 20 13:23:33 mail esmith::event[3128]: S80ldap-update=action|Event|bootstrap-ldap-save|Action|S80ldap-update|Start|1342779809 548745|End|1342779813 554770|Elapsed|4.006025|Status|28416

I modified i18n to change also en_US to el_GR. This time no such error was generated.

Most likely it is nothing to worry about, but (a) I thought I should report this anyway and (b) I am not sure which other db setting I should change to make sure that i18n gets properly updated...

It's a bit interesting that this is an ISO-8859-7 environment and not a UTF-8 one. Should I test with a el_GR.utf8 setting as well?
« Last Edit: July 20, 2012, 12:48:12 PM by reqman »
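The third log line in the post is the esmith::event summary for the action, and its `Status|28416` field is what tells you the handler failed rather than just ran slowly. The script below is an added example, not code from the thread or from SME Server, that parses those summary lines and decodes the status. It assumes the Status field is the wait status Perl's system() returns, so the exit code is `status >> 8`: 28416 decodes to 111, which on Linux is errno ECONNREFUSED, the same error the preceding "Connection refused" line reports (a Perl script that dies with errno set exits with that errno). The sample log is the three lines from the post plus one constructed success line so both outcomes appear.

```python
import errno
import re

# The three lines quoted in the post, plus one constructed success line
# (S90constructed) so that both outcomes appear in the sample.
SAMPLE_LOG = """\
Jul 20 13:23:29 mail esmith::event[3128]: Running event handler: /etc/e-smith/events/bootstrap-ldap-save/S80ldap-update
Jul 20 13:23:33 mail esmith::event[3128]: IO::Socket::INET: connect: Connection refused at /var/service/ldap/ldif-fix line 400.
Jul 20 13:23:33 mail esmith::event[3128]: S80ldap-update=action|Event|bootstrap-ldap-save|Action|S80ldap-update|Start|1342779809 548745|End|1342779813 554770|Elapsed|4.006025|Status|28416
Jul 20 13:23:33 mail esmith::event[3128]: S90constructed=action|Event|bootstrap-ldap-save|Action|S90constructed|Start|1342779813 600000|End|1342779813 700000|Elapsed|0.100000|Status|0
"""

# Summary line shape: "<action>=action|key|value|key|value|..."
_SUMMARY = re.compile(r"esmith::event\[(?P<pid>\d+)\]: (?P<action>[^=\s]+)=action\|(?P<fields>.*)$")


def decode_wait_status(status):
    """Split a wait status (assumption: what the Status field holds, as
    returned by Perl's system()) into exit code and terminating signal."""
    return {"exit_code": status >> 8, "signal": status & 0x7F}


def parse_summary(line):
    """Return a record for an action summary line, or None for any other line."""
    m = _SUMMARY.search(line)
    if not m:
        return None
    parts = m.group("fields").split("|")
    fields = dict(zip(parts[0::2], parts[1::2]))   # Event, Action, Start, End, Elapsed, Status
    status = int(fields.get("Status", "0"))
    rec = {
        "pid": int(m.group("pid")),
        "event": fields.get("Event"),
        "action": fields.get("Action", m.group("action")),
        "elapsed": float(fields.get("Elapsed", "0")),
        "status": status,
        "failed": status != 0,
    }
    rec.update(decode_wait_status(status))
    # A Perl script that dies with errno set exits with that errno, so the exit
    # code often names the underlying error.  errno numbers differ between
    # operating systems, so treat the name as a hint only.
    rec["errno_name"] = errno.errorcode.get(rec["exit_code"])
    return rec


def parse_event_log(text):
    """All action summary records in a chunk of log text, in order."""
    return [r for r in (parse_summary(l) for l in text.splitlines()) if r]


def failed_actions(text):
    """Names of the actions whose handler returned a non-zero status."""
    return [r["action"] for r in parse_event_log(text) if r["failed"]]


if __name__ == "__main__":
    for rec in parse_event_log(SAMPLE_LOG):
        verdict = "FAILED" if rec["failed"] else "ok"
        print("%s/%s %s exit=%d signal=%d elapsed=%.3fs %s" % (
            rec["event"], rec["action"], verdict, rec["exit_code"],
            rec["signal"], rec["elapsed"], rec["errno_name"] or ""))
```

Run over the sample, the S80ldap-update record comes out as FAILED with exit code 111 and the constructed S90 line as ok; the same filter over /var/log/messages after a reboot is a quick way to see whether the failure CharlieBrady attributes to event timing recurs.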

CharlieBrady
« Reply #14 on: July 20, 2012, 02:29:32 PM »
Quote
Most likely it is nothing to worry about, but (a) thought I should report this anyways ...

You should report that, but you should report it via the bug tracker. That's likely a timing problem in relation to the ldap-bootstrap-save event and ldap startup. Perhaps something to do with bug 6231.