Koozali.org: home of the SME Server

Problem with local networks on SME 9

Offline tomeratch

  • **
  • 24
  • +0/-0
Problem with local networks on SME 9
« on: April 14, 2017, 08:26:59 PM »
Hi there, I just got an SME 9 server and was trying to prevent relay from and to it, and found 0.0.0.0 in local networks. When I removed the 0.0.0.0 from the local networks, the server stopped sending mail. The queue got filled but it does not send mail, so I re-added 0.0.0.0 to local networks and the server started working again. Is there a way to make the server work without 0.0.0.0 in local networks? Any help will be appreciated, for I am new to SME. Thanks in advance.
I also got this error message:
Quote
2017/04/14 03:26:01| ERROR: '0.0.0.0/0' needs to be replaced by the term 'all'.
2017/04/14 03:26:01| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2017/04/14 03:26:01| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '::/0'
2017/04/14 03:26:01| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2017/04/14 03:26:01| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localsrc'
2017/04/14 03:26:01| ERROR: '0.0.0.0/0' needs to be replaced by the term 'all'.
2017/04/14 03:26:01| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2017/04/14 03:26:01| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '::/0'
2017/04/14 03:26:01| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2017/04/14 03:26:01| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localdst'
« Last Edit: April 15, 2017, 12:39:43 PM by tomeratch »

Offline Jean-Philippe Pialasse

  • *
  • 2,912
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Problem with local networks on SME 9
« Reply #1 on: April 15, 2017, 05:20:26 PM »

Offline tomeratch

Re: Problem with local networks on SME 9
« Reply #2 on: April 15, 2017, 05:42:33 PM »
Thank you Jean. The thing is, I do want some servers to relay, but not from all IP addresses in the world (0.0.0.0). I have my own list of servers in "local networks" and I really think 0.0.0.0 should not be there, but I got the server as is. The strange thing is that when I remove the 0.0.0.0 from local networks, no mail is sent.
I do appreciate the link and I think it is useful if you want to enable or disable relay from the local network, but that includes all of the local network.
I also want that error message I posted to go away.
Thank you in advance

Offline Jean-Philippe Pialasse

Re: Problem with local networks on SME 9
« Reply #3 on: April 15, 2017, 07:31:16 PM »
What makes you think your server is an open relay?

Where exactly did you find 0.0.0.0? There is no 0.0.0.0 on a default SME Server installation in the networks db. So this makes me ask: what is the history of your server, and what is installed on it? Help us to help you.

What file did you try to alter, on what daemon?

Have you checked the global configuration of the whole SME Server instead of focusing on an individual element?

Your server, with its default configuration, is not an open relay for the world; it is configured to refuse anything coming out of the LAN that is not for its own users or is not sent by an authenticated user.

For incoming mail, see the smtpd daemon we use: https://wiki.contribs.org/Email#qpsmtpd
It has two configurations:
local : for LAN users and localhost
0 : for outside networks

Code: [Select]
ll /var/service/qpsmtpd/config/peers/

Offline tomeratch

Re: Problem with local networks on SME 9
« Reply #4 on: April 15, 2017, 08:10:52 PM »
Thank you for your fast reply Jean. I used qmHandle to see why I have 14000 mails in the queue and found that someone is using the server to send spam all over. I also got blacklisted by some major RBLs.
So I took a closer look at how this happened and found that he could do so using an SMTP connection to my server without any credentials. I managed to block this by choosing, in server-manager under "e-mail settings / change email reception settings / SMTP authentication", to allow SSMTP only instead of SMTP and SSMTP. The spammer was stopped, but some of my own servers also cannot send mail using the SME server, for they only work with SMTP and not SSMTP.
I found the 0.0.0.0/0.0.0.0 in the local networks of the server, so it made sense that anyone can connect to the SMTP. I would like to remove this IP entry from local networks, but when I do the server refuses to send mail.
I know it's not a default setting, but someone added this IP range to local networks, most likely the person handling this server before me. Any ideas? Thank you so much in advance.
Quote
Networking Parameters
Server Mode   serveronly
Local IP address / subnet mask   10.0.0.15/255.255.0.0
Gateway   10.0.0.1
Additional local networks   0.0.0.0/0.0.0.0 via 10.0.0.1
10.0.0.0/255.255.0.0
82.80.213.0/255.255.255.0 via 10.0.0.1
91.202.169.0/255.255.255.0 via 10.0.0.1
10.10.100.0/255.255.255.0 via 10.0.0.1
10.20.30.0/255.255.255.0 via 10.0.0.1
« Last Edit: April 15, 2017, 08:47:33 PM by tomeratch »

Offline Jean-Philippe Pialasse

Re: Problem with local networks on SME 9
« Reply #5 on: April 15, 2017, 08:45:19 PM »
What is on the 10.0.0.1 IP?

The additional network 0.0.0.0/0.0.0.0 should indeed be removed. Why was it added in the first place?

Some of my previous questions remain unanswered, so I will ask them in a different way: what do the two following commands return from a terminal (please copy and paste)?

Code: [Select]
/sbin/e-smith/audittools/templates

Code: [Select]
/sbin/e-smith/audittools/newrpms

Offline tomeratch

Re: Problem with local networks on SME 9
« Reply #6 on: April 15, 2017, 08:59:36 PM »
10.0.0.1 is our firewall and gateway.
I do not know why 0.0.0.0 was added. The person before me did that, and now I want to remove it, but once I do the server won't send mail without it. Probably the person before me added it to solve the problem of not sending mail.
Quote
/sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/17check_basicheaders: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/17check_basicheaders: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/17check_basicheaders: MANUALLY_ADDED, OVERRIDE
and
Quote
/sbin/e-smith/audittools/newrpms
Loaded plugins: fastestmirror, smeserver
Loading mirror speeds from cached hostfile
 * base: mirrors.daskal.co.il
 * smeaddons: mirror.canada.pialasse.com
 * smeos: mirror.canada.pialasse.com
 * smeupdates: mirror.canada.pialasse.com
 * updates: mirrors.daskal.co.il
Extra Packages
smeserver-qmHandle.noarch              1.4-6.el6.sme                @smecontribs
smeserver-vacation.noarch              1.1-25.el6.sme               @smecontribs
« Last Edit: April 15, 2017, 09:04:58 PM by tomeratch »

Offline Jean-Philippe Pialasse

Re: Problem with local networks on SME 9
« Reply #7 on: April 15, 2017, 09:53:47 PM »
OK, your SME does not seem to have a lot of alterations from the base.

Additional local networks   
0.0.0.0/0.0.0.0 via 10.0.0.1                         => this is totally insecure. SHOULD BE REMOVED.
82.80.213.0/255.255.255.0 via 10.0.0.1         => this is insecure as you are allowing relay and local access  from the internet to 65534 hosts ! SHOULD BE REMOVED
91.202.169.0/255.255.255.0 via 10.0.0.1       => this is insecure as you are allowing relay and local access from the internet to 65534 hosts ! SHOULD BE REMOVED

10.0.0.0/255.255.0.0                                  => means you consider as local network : 10.0.0.1 to 10.0.255.254
10.10.100.0/255.255.255.0 via 10.0.0.1         => this is another local LAN , and you consider also as LAN for SME : 10.10.100.1 to 10.10.100.255
10.20.30.0/255.255.255.0 via 10.0.0.1           => this is another local LAN , and you consider also as LAN for SME : 10.20.30.1 to 10.20.30.255


Do you really need to have 131068 internet IPs considered and trusted as local (in other words, do you control all of them)? Why would you do that?
You would say that if you already considered the whole world as local, this is not a major consideration anymore! ;)

For now, I would remove those 3 networks. It is a major security concern to have them here.
I would then consider who is having problems connecting to your server to send mail, or having problems accessing it in any way they should, and either establish a VPN or give them a login and password to connect to deliver email.

Your problem delivering email is another issue.
How is your server configured to deliver email?
- Are you handling this locally for your users, or do you have another remote email server?
- For remote emails, do you deliver them directly, or are you using your ISP's SMTP server or another one?
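
An added example, not part of the thread and not SME Server's own code: a Python check that classifies each "Additional local networks" entry from the output quoted earlier as catch-all, public, or RFC 1918 private, so entries that extend relay trust beyond the LAN stand out. The function names are assumptions made for this illustration.

```python
import ipaddress

# RFC 1918 ranges: the only blocks expected in a LAN-only "local networks" list.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Entries as shown in the server-manager output quoted earlier in the thread.
LOCAL_NETWORKS = """\
0.0.0.0/0.0.0.0 via 10.0.0.1
10.0.0.0/255.255.0.0
82.80.213.0/255.255.255.0 via 10.0.0.1
91.202.169.0/255.255.255.0 via 10.0.0.1
10.10.100.0/255.255.255.0 via 10.0.0.1
10.20.30.0/255.255.255.0 via 10.0.0.1
"""

def classify(entry):
    """Return (network, verdict) for one 'net/mask [via router]' entry."""
    spec = entry.split()[0]                      # drop the optional 'via <router>'
    net = ipaddress.ip_network(spec, strict=False)
    if net.prefixlen == 0:
        verdict = "catch-all"                    # trusts every address as local
    elif any(net.subnet_of(p) for p in RFC1918):
        verdict = "private"
    else:
        verdict = "public"                       # internet range trusted as LAN
    return net, verdict

def audit(text):
    """Classify every non-empty line; return (cidr, verdict, address_count)."""
    results = []
    for line in text.splitlines():
        if line.strip():
            net, verdict = classify(line)
            results.append((str(net), verdict, net.num_addresses))
    return results

def to_remove(text):
    """Networks that grant local (relay) trust to non-private address space."""
    return [net for net, verdict, _ in audit(text) if verdict != "private"]

if __name__ == "__main__":
    for net, verdict, size in audit(LOCAL_NETWORKS):
        flag = "ok" if verdict == "private" else "REVIEW"
        print(f"{net:<18} {verdict:<10} {size:>11} addresses  {flag}")
```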

Online Stefano

  • *
  • 10,894
  • +3/-0
Re: Problem with local networks on SME 9
« Reply #8 on: April 15, 2017, 09:57:14 PM »
I'd remove the network and reconfigure the server, either from server-manager or from the CLI via
Code: [Select]
signal-event post-upgrade; signal-event reboot

Offline tomeratch

Re: Problem with local networks on SME 9
« Reply #9 on: April 15, 2017, 10:11:41 PM »
Thank you so much. I do not need any of the IP addresses that are WAN addresses, so I do want to remove them. I only want to add internal IP addresses such as 10.10.100 and so on to local networks.
My server is sending mail by itself; no other SMTP is used to deliver mail.
I really want to remove those addresses, but once I remove 0.0.0.0 the server just keeps filling the queue and no mail is sent. All other addresses can be removed as well and all is fine, the server still works like a charm. So how can I find out why the server cannot send any mail when 0.0.0.0 is removed?
I inherited this server and I love it and learn new things every day. The guy before me was doing all sorts of experiments; I guess some addresses were added by him to prevent using certificates (it was an SME 7.6 a few weeks ago).
So to solve the problem when I remove the 0.0.0.0 entry, what command can I use to see why mail is stuck in the queue? I truly appreciate your help.

Offline Jean-Philippe Pialasse

Re: Problem with local networks on SME 9
« Reply #10 on: April 15, 2017, 10:21:09 PM »
As Stefano indicated,

remove the three networks and then issue:

Code: [Select]
signal-event post-upgrade; signal-event reboot
Then check the qmail logs after rebooting:
Code: [Select]
tail -f /var/log/qmail/current | tai64nlocal
(Ctrl+C to stop watching)

The only reason I see that would stop delivery of remote email (if, from what you write, I should understand that local mails are delivered fine but not remote mails) would be a routing issue with a configuration to give these mails to another server. And this is mostly the log that will say what is going on.

Offline tomeratch

Re: Problem with local networks on SME 9
« Reply #11 on: April 15, 2017, 10:44:38 PM »
Jean and Stefano, you guys are the best. I removed all junk addresses including 0.0.0.0 and ran the 2 commands, and the server is working like a boss. I did try a reboot before I posted here but the problem persisted; the post-upgrade did the magic. I am truly thankful to you guys.
I love this server and you guys do a great job.
Thanks a million
Tom

Offline Jean-Philippe Pialasse

Re: Problem with local networks on SME 9
« Reply #12 on: April 15, 2017, 10:55:34 PM »
Tom,
great to hear!
This is the power of having a templated configuration with the important configuration in a separate database: the server is more robust, and with a few commands and not a lot of knowledge, you can get your server back to its initial stable state.