Koozali.org: home of the SME Server

Exchange server behind SME 9.1

Offline bosco555

Exchange server behind SME 9.1
« on: January 22, 2016, 12:04:59 PM »
Hi All,

I have this setup Router > SME > Exchange 2010. 

On the router, ports 110 and 25 are re-directed to the sme server.

I have set up sme as a smarthost in exchange, created a user which will authenticate to send email out (send connector). However, external mail gets the error: Remote host said: 552 spam score exceeded threshold (#5.6.1).
Spam filtering is custom tag 4 reject 10.
qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

Also tried to set smtp proxy to enabled/disabled, and it makes no difference.

Sending email out through the sme server works fine. Sorry guys, I have been at this the whole day and searched, but I'm stuck.

thanks to all




Offline Stefano

Re: Exchange server behind SME 9.1
« Reply #1 on: January 22, 2016, 12:25:35 PM »
IIUC, mail sent from exchange via SME is rejected because of SPAM score?

if so, you'd see why in SME's log (qpsmtpd and sqpsmtpd ones, I guess)

Offline Stefano

Re: Exchange server behind SME 9.1
« Reply #2 on: January 22, 2016, 12:26:09 PM »
BTW, any other related info, including log excerpts, will help us to help you

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #3 on: January 22, 2016, 12:41:25 PM »
/var/log/qpsmtpd/current:
@4000000056a208c6277b0c4c 22619 Accepted connection 0/40 from 202.89.166.159 / 202-89-166-159.static.dsl.amnet.net.au
@4000000056a208c6277b6a0c 22619 Connection from 202-89-166-159.static.dsl.amnet.net.au [202.89.166.159]
@4000000056a208c62783ab54 22619 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a208c627918634 22619 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a208c627d545f4 22619 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a208c72800f974 22619 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
@4000000056a208c7281fc82c 22619 220 ccanda1.ccanda.com.au ESMTP
@4000000056a208c729e27efc 22619 dispatching HELO compulogics.com.au
@4000000056a208c729ebf4dc 22619 250 ccanda.com.au Hi 202-89-166-159.static.dsl.amnet.net.au [202.89.166.159]; I am so happy to meet you.
@4000000056a208c72ba62be4 22619 dispatching MAIL FROM:<gianni@compulogics.com.au>
@4000000056a208c72ba7878c 22619 full from_parameter: FROM:<gianni@compulogics.com.au>
@4000000056a208c72c1919c4 22619 getting mail from <gianni@compulogics.com.au>
@4000000056a208c72c195074 22619 250 <gianni@compulogics.com.au>, sender OK - how exciting to get mail from you!
@4000000056a208c72ddebe94 22619 dispatching RCPT TO:<administrator@ccanda.com.au>
@4000000056a208c8022677ec 22619 dnsbl plugin (rcpt): Whitelisthelo not found
@4000000056a208c80226e164 22619 dnsbl plugin (rcpt): Whitelistsender not found
@4000000056a208c802c7bd14 22619 250 <administrator@ccanda.com.au>, recipient ok
@4000000056a208c8046c4d24 22619 dispatching DATA
@4000000056a208c8046de74c 22619 354 go ahead
@4000000056a208c806b3995c 22619 spooling message to disk
@4000000056a208ca00261fc4 22619 spamassassin plugin (data_post): check_spam: Yes, hits=100.0, required=5.0, tests=HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,TVD_RCVD_IP,USER_IN_BLACKLIST
@4000000056a208ca0029a234 22619 logging::logterse plugin (deny): ` 202.89.166.159       202-89-166-159.static.dsl.amnet.net.au  compulogics.com.au      <gianni@compulogics.com.au>     <administrator@ccanda.com.au>   spamassassin    901    spam score exceeded threshold (#5.6.1)   Yes, hits=100.0 required=5.0_
@4000000056a208ca002a80dc 22619 552 spam score exceeded threshold (#5.6.1)
@4000000056a208ca01d58544 22619 dispatching QUIT
@4000000056a208ca01d6aa3c 22619 221 ccanda.com.au closing connection. Have a wonderful day.
@4000000056a208ca01d6cd64 22619 click, disconnecting
@4000000056a208ca2788fab4 2304 cleaning up after 22619

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #4 on: January 22, 2016, 12:43:43 PM »
sqpsmtpd:

@4000000056a17ec73b60b0f4 2132 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a17ec73b806a0c 2132 Listening on 0.0.0.0:465
@4000000056a17ec73b82081c 2132 Running as user qpsmtpd, group qpsmtpd
@4000000056a17ec73b820c04 2132 Initializing spool_dir
@4000000056a17ec73b86cec4 2132 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a17ec73b87d094 2132 size_threshold set to 0
@4000000056a18061230bbbac 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a18061247be5ac 2216 Listening on 0.0.0.0:465
@4000000056a18061247be994 2216 Running as user qpsmtpd, group qpsmtpd
@4000000056a18061247be994 2216 Initializing spool_dir
@4000000056a18061247be994 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a18061247bed7c 2216 size_threshold set to 0
@4000000056a182131a02979c 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a182131a029b84 2216 Initializing spool_dir
@4000000056a182131a029b84 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a182131a029f6c 2216 size_threshold set to 0
@4000000056a183652b6761ac 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a183652b676594 2216 Initializing spool_dir
@4000000056a183652b676594 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a183652b67697c 2216 size_threshold set to 0
@4000000056a207a72c53fbfc 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a207a72c6d19ac 2216 Initializing spool_dir
@4000000056a207a72c6d1d94 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a207a72c6d1d94 2216 size_threshold set to 0
@4000000056a2087f16a8319c 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a2087f16a83584 2216 Initializing spool_dir
@4000000056a2087f16a83584 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a2087f16a8396c 2216 size_threshold set to 0
@4000000056a2089518a570cc 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a2089518a574b4 2216 Initializing spool_dir
@4000000056a2089518a574b4 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a2089518a574b4 2216 size_threshold set to 0
@4000000056a2097226ab77ac 2216 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@4000000056a2097226ab7b94 2216 Initializing spool_dir
@4000000056a2097226ab7b94 2216 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
@4000000056a2097226ab7b94 2216 size_threshold set to 0

Offline Stefano

Re: Exchange server behind SME 9.1
« Reply #5 on: January 22, 2016, 01:00:20 PM »
Quote

@4000000056a208ca00261fc4 22619 spamassassin plugin (data_post): check_spam: Yes, hits=100.0, required=5.0, tests=HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,TVD_RCVD_IP,USER_IN_BLACKLIST
@4000000056a208ca0029a234 22619 logging::logterse plugin (deny): ` 202.89.166.159       202-89-166-159.static.dsl.amnet.net.au  compulogics.com.au      <gianni@compulogics.com.au>     <administrator@ccanda.com.au>   spamassassin    901    spam score exceeded threshold (#5.6.1)   Yes, hits=100.0 required=5.0_

if the info in these lines is relevant to your case (ip, domain, mail address), you have the answer

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #6 on: January 22, 2016, 01:05:18 PM »
Yeah, but how can that be? That's my own domain and I'm definitely not blacklisted. I have even white-listed my whole domain on the server in question...
That's what got me stumped...

Offline Stefano

Re: Exchange server behind SME 9.1
« Reply #7 on: January 22, 2016, 05:12:53 PM »
are you using smeserver-wbl contrib?

if so, check with
Code: [Select]
db wbl show


Offline CharlieBrady

Re: Exchange server behind SME 9.1
« Reply #8 on: January 22, 2016, 09:11:56 PM »
Quote
I have setup sme as a smarthost in exchange, created a user which will authenticate to send email out (send connector).

I don't see any authentication happening in the log snippets you showed. Maybe that's because it is using port 25, not port 465. You want to see encryption (either port 25 and starttls, or port 465) and then authentication. I think you need to keep tweaking exchange.
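
The check described in Reply #8 (look for encryption, then authentication, in the rejected session) can be run mechanically over the log. This is an added example, not code from the thread or from SME Server; the sample lines are constructed in the format of Reply #3, and PID 30001, its addresses, and the assumption that STARTTLS and AUTH are logged as `dispatching` lines like the other SMTP commands are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the qpsmtpd log format shown in Reply #3.
# PID 22619 mirrors the rejected session; PID 30001 is hypothetical and
# assumes STARTTLS/AUTH are logged as "dispatching" lines like HELO is.
SAMPLE = """\
@4000000056a208c729e27efc 22619 dispatching HELO compulogics.com.au
@4000000056a208c72ba62be4 22619 dispatching MAIL FROM:<gianni@compulogics.com.au>
@4000000056a208ca00261fc4 22619 spamassassin plugin (data_post): check_spam: Yes, hits=100.0, required=5.0, tests=HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,TVD_RCVD_IP,USER_IN_BLACKLIST
@4000000056a208ca002a80dc 22619 552 spam score exceeded threshold (#5.6.1)
@4000000056a20a0000000000 30001 dispatching EHLO exchange.example.test
@4000000056a20a0100000000 30001 dispatching STARTTLS
@4000000056a20a0200000000 30001 dispatching AUTH LOGIN
@4000000056a20a0300000000 30001 dispatching MAIL FROM:<user@example.test>
"""

LINE = re.compile(r"^@[0-9a-f]{24}\s+(\d+)\s+(.*)$")  # TAI64N stamp, PID, message

def summarize(log_text):
    """Group lines by PID (one qpsmtpd child per connection)."""
    sessions = defaultdict(lambda: {"starttls": False, "auth": False,
                                    "sa_tests": [], "reject": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip wrapped or foreign lines
        s, msg = sessions[int(m.group(1))], m.group(2)
        if msg.startswith("dispatching STARTTLS"):
            s["starttls"] = True
        elif msg.startswith("dispatching AUTH"):
            s["auth"] = True
        elif "check_spam:" in msg:
            t = re.search(r"tests=(\S+)", msg)
            s["sa_tests"] = t.group(1).split(",") if t else []
        elif re.match(r"5\d\d ", msg):
            s["reject"] = msg  # final SMTP rejection sent to the client
    return dict(sessions)

def unauthenticated_rejects(sessions):
    """PIDs rejected with a 5xx reply in a session that never issued AUTH."""
    return sorted(p for p, s in sessions.items() if s["reject"] and not s["auth"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for pid in unauthenticated_rejects(result):
        s = result[pid]
        print(pid, "no AUTH, STARTTLS:", s["starttls"], "|", s["reject"],
              "| SpamAssassin tests:", ",".join(s["sa_tests"]))
```

A session flagged here was scored as ordinary inbound mail, so the SpamAssassin test list (here including USER_IN_BLACKLIST) shows which rule drove the rejection.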

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #9 on: January 23, 2016, 01:25:09 AM »
Hi all, no this is a straight clean install of sme. I have created the same users that are on exchange and created just another user that will authenticate. This last user is on both sme and the exchange box.

I will go to the client on monday and check on exchange as well, will report back. Once this is working I'd like to do a write up so that others can benefit. The setup is a viable and cost-effective way of curbing spam on exchange based systems.
Thanks to all will let you know on monday!

Offline janet

Re: Exchange server behind SME 9.1
« Reply #10 on: January 24, 2016, 02:40:20 AM »
bosco555

Quote
I have created the same users that are on exchange and created just another user that will authenticate. This last user is on both sme and the exchange box.

Quoting from one of the threads below:
Q)   We created accounts for each user on the SME box and then set their email to forward to the exchange server.
A)    You don't even need to do that with SME 7.1

Maybe these old posts are useful reading.
Gordon Rowell did some clever coding to "integrate" SME & Exchange where you use the Delegate Mail server function.

http://forums.contribs.org/index.php/topic,28488.msg118443.html#msg118443
http://forums.contribs.org/index.php/topic,35532.msg155693.html#msg155693
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #11 on: January 24, 2016, 02:59:54 AM »
Hi Janet,

Thanks for the reply. I read those posts and they didn't help much. I created another user for the simple reason that this user won't have an account on any PCs on the LAN so as to avoid exposure to the www. From experience, most of the spam is actually self-inflicted by users visiting unsavory websites.

Will go there tomorrow.. I have been trying to do all this remotely after hours in order to minimize downtime for the users, but it's better being there in person. Will report back and as mentioned I'd like to do a small write-up for everyone's benefit (once this is working, that is)..
Thanks again
gb

Offline janet

Re: Exchange server behind SME 9.1
« Reply #12 on: January 24, 2016, 03:49:30 AM »
bosco555

Did you Delegate the Mail server role in sme server to the Exchange server?
Did you enter the sme server as the outgoing smtp mail server in Exchange?
From Gordon's comments you should not have to enter the users in sme server.

My point is that maybe you have not configured sme & Exchange appropriately, to use sme as a mail gateway, spam & virus filter in front of an Exchange server.

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #13 on: January 24, 2016, 05:03:32 AM »
Hi Janet,

All that was done, sme to forward email to exchange, ports 110 and 25 redirected to sme. In exchange, the send connector needs to be configured to send email through a smart host (sme) and authentication needs to be used there. This part works perfectly.

I think the issue is with the receive connector and possibly existing anti-spam measure on exchange possibly?? I'll have to check. I know for a fact that my domain is not blacklisted in any way, so I should be able to send email to the client's domain with no issues. Tomorrow is the day of reckoning...the gunfight at the OK corral...

Offline Stefano

Re: Exchange server behind SME 9.1
« Reply #14 on: January 24, 2016, 10:43:16 AM »
please give us as much detail as possible about your setup, including IP addresses and hostnames, thank you

Offline p-jones

Re: Exchange server behind SME 9.1
« Reply #15 on: January 24, 2016, 08:05:53 PM »

Following these instructions http://wiki.contribs.org/Email#Deliver_ALL_email_to_a_single_internal_or_external_mail_server I achieved what you are trying to do very easily.

Prevented an enormous amount of SPAM and rubbish from reaching the exchange server. Certainly did not need to re-create each user in SME.

HTH
Peter

 
...

Offline bosco555

Re: Exchange server behind SME 9.1
« Reply #16 on: January 24, 2016, 11:30:58 PM »
Certainly, Stefano!! Will do ASAP!!