Koozali.org: home of the SME Server

Mail filter External

GadoF
Mail filter External
« on: April 01, 2023, 01:48:39 AM »
Dear Community, I hope you can share some info on how I can forward all outbound email traffic to a set of public IPs/subnets, which is my external email filter. Is this done on the firewall, or can I set this on the Koozali server via the CLI? At the same time, can I also do this for inbound email, where I will only allow a specific set of public IPs/subnets?
« Last Edit: April 01, 2023, 01:50:46 AM by GadoF »

mmccarn
Re: Mail filter External
« Reply #1 on: April 01, 2023, 03:04:18 PM »
From server-manager:

- Configuration -> E-mail -> Change e-mail delivery settings
--> SMTP Server

From terminal (maybe - I'm just reading back what I entered in server-manager...)

First, display the current values in case something goes wrong...
Code:
config show SMTPSmartHost
config show smtp-auth-proxy

...then set the values you want to use. 
* Replace the fields enclosed in <>
* The password is stored in plain text.
Code:
config set SMTPSmartHost <smtpserver>:<port>
config set smtp-auth-proxy service Debug disabled Passwd <your-relay-account-password> Userid <your-relay-account> status enabled
signal-event email-update

Related settings (if your SME server is in "server-gateway" mode)
- The SME will block all outbound SMTP traffic from LAN clients that is not relayed through the SME itself if you enable the SMTP Proxy (Security -> Proxy status ->  SMTP proxy status)

- You can create firewall rules to block incoming traffic
--> incoming smtp traffic can be restricted by setting 'AllowHosts' for qpsmtpd
  config setprop qpsmtpd AllowHosts <IP1>,<IP2>,<IPRange/xx>

- Creating rules to block outgoing traffic is trickier - there is a section of the firewall wiki page about this, but the content may be out of date:
https://wiki.koozali.org/Firewall#Block_outgoing_IPs_or_mac_addresses

If your SME is in server-only mode you could configure the SMTP traffic restrictions in the network firewall...

GadoF
Re: Mail filter External
« Reply #2 on: April 01, 2023, 09:17:53 PM »
Thanks for the response. My external mail filter has several IPs/subnets; how can I set this for the outbound email?


ReetP
Re: Mail filter External
« Reply #3 on: April 02, 2023, 11:28:45 AM »
> Thanks for the response. My external mail filter has several IPs/subnets; how can I set this for the outbound email?

Currently you can't.

It would probably take a lot of development work to do some sort of round robin.

Pick one IP and go with it.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse
Re: Mail filter External
« Reply #4 on: April 02, 2023, 04:31:09 PM »
There are 2 ways of sending emails to an external service.

It all depends on whether you still have your user reading emails on your server or on the external service.

Usually such relaying and filtering service offers you a DNS name to use rather than having a list of IPs to contact.

For incoming emails, as said by mmccarn, you can set as many subnets or single IPs as you want, separated by a comma.

If you do so for incoming emails, your users will have to use the implicit TLS service (sqpsmtpd on port 465) to send their mail, as a roadwarrior might not be on the subnet you declared to be able to use port 25 with explicit TLS submission.
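
Added example (not part of any post in this thread, and not SME Server code): a dry-run check of a planned `AllowHosts` value that reports malformed entries, filter addresses the list fails to cover, and clients that would fall outside it and so need port 465 as described in reply #4. It assumes entries are IPv4 addresses or CIDR ranges in the `<IP1>,<IP2>,<IPRange/xx>` form shown above; the function names and all addresses are constructed for illustration, and nothing here touches the server.

```python
import ipaddress

def parse_allow_hosts(value):
    """Split a comma-separated allow list into networks plus rejected entries."""
    networks, rejected = [], []
    for raw in value.split(","):
        entry = raw.strip()
        try:
            # strict=True refuses ranges with host bits set (203.0.113.5/24),
            # a common typo that leaves the intended range ambiguous.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return networks, rejected

def is_allowed(source_ip, networks):
    """True if source_ip falls inside any network on the allow list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def review(allow_hosts, filter_sources, other_clients):
    """Report what a planned allow list would do before it is applied."""
    networks, rejected = parse_allow_hosts(allow_hosts)
    return {
        "rejected_entries": [entry for entry, _ in rejected],
        # Filter addresses missing from the list would not be accepted on port 25.
        "filter_not_covered": [ip for ip in filter_sources
                               if not is_allowed(ip, networks)],
        # Clients outside the list: per reply #4 they must submit on port 465.
        "clients_needing_465": [ip for ip in other_clients
                                if not is_allowed(ip, networks)],
    }

if __name__ == "__main__":
    # Constructed sample values taken from the RFC 5737 documentation ranges.
    report = review(
        "198.51.100.10,198.51.100.11,203.0.113.0/28",
        filter_sources=["198.51.100.10", "203.0.113.7", "203.0.113.20"],
        other_clients=["192.0.2.45"],
    )
    for key, values in report.items():
        print(f"{key}: {values}")
```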

ReetP
Re: Mail filter External
« Reply #5 on: April 02, 2023, 05:29:00 PM »
> Usually such relaying and filtering service offers you a DNS name to use rather than having a list of IPs to contact.

Yes that occurred to me some time later!!