Topic: Where might I kickstart the email and SMTP?

[Robert Harlow]

Sirs

Is it something to do with qmail or something? Not entirely certain where to start... ;~/  

Have a test box (v5.6) in server-only mode behind an external hardware firewall (DHCP). Static IP on rural wireless broadband and the DNS for a previously parked up domain now done; the webserver test pages show up when browsing via a separate dialup connection. SME successfully 'dials home'. Though I only found it a moment ago, PINE chucked out a test email to another of my email accounts elsewhere.

What's next!? I'm aiming to use my own SMTP server here... Nothing terribly fancy at all but don't know where to kickstart the thing (and my education for that matter).

best wishes, Robert

[Andrew Hodgson]

Hi,

What you need to do now is to get an mx record created to point to your server:

yourdomain.com. in mx 10 mail.yourdomain.com.
mail.yourdomain.com. in a 123.456.789.123

Where the 123.456.789.123 is your ip address.

Also make sure that all the users have accounts on the server.

This is all I did and it worked fine.

If it is likely your server will be off-line for periods, you may also want to invest in a back up mx provider (www.microtech.co.gg, www.no-ip.com, www.mailkeep.net etc), and then you need to set up the E-smith server to use etrn to retrieve mail from these servers if the system has been off-line (note there is an issue with ETRN and www.mailkeep.net at the moment).

Hope this helps,
Andrew.

[Robert Harlow]

Andrew

Thank you for trying;~/ ...but I don't 'think' I'm any further forward:-(

The domain Registrar was asked to point the DNS and the mail to my Static IP, I believe it was so done. I assume this included the 'mx record' of which you spoke. BTW I can browse to the webserver's pages and I have also sent test emails out (from PINE somehow) to another of my email accounts on a box elsewhere.

In all this bulk of equipment I am the only 'user'.   ...intra security is light but external security is supposed to be as heavy as feasibly possible.


Forgive me but can I get the (primary) email server functionality up first? I will certainly arrange any necessary secondary/backups afterwards:-)

ETRN(?)... that term came up during the setup. The helpnotes inferred that it was not used in a permanent connection - such as the one here (rural wireless broadband 2.4GHz WiFi using 2Mbit/s shared pipe).

I've not installed an email/SMTP server before this one and was looking for the setup stuff to allocate accounts' usernames/passwords - the sort of guff I have always had to wait for from ISPs etc etc.

My other boxes will run the various email accounts. Currently using Forté Agent under W2kPro-SP2. Later this under WINE in SuSE or maybe natively from the SME box, if I can get my head round the learning curve(s) quickly enough;~/

Perceive my initial two main issues to be...
1)   getting the SME stuff safely across the external firewall (Watchguard SoHo) - which ports to manually open up?
2)   what application(s) to start to setup/amend email functionality?

Seem to be wandering about in the dark somewhat. Feel that I should be looking at something called qmail but don't know what will kickstart it off or get me into it. I've found a site that may help me understand what I have to do next...
http://www.pagefault.org/download/RPMS/noarch/
...in fact the contents may turn out to be the very thing I need.

best wishes, Robert

[Bill Talcott]

Robert Harlow wrote:
>
> The domain Registrar was asked to point the DNS and the mail
> to my Static IP, I believe it was so done. I assume this
> included the 'mx record' of which you spoke. BTW I can browse
> to the webserver's pages and I have also sent test emails out
> (from PINE somehow) to another of my email accounts on a box
> elsewhere.

You don't want the registrar to point to your SME for DNS. The SME provides DNS for the LAN only. You need to use a service like ZoneEdit for hosting DNS. You do want the DNS entries (including MX) to point to your SME, so that entering the domain name ends up at the SME.

> Forgive me but can I get the (primary) email server
> functionality up first? I will certainly arrange any
> necessary secondary/backups afterwards:-)

It is by default. Private Server-Gateway mode may disable external access to SMTP though, I'm not sure. I'm not sure about Server Only mode either. But with the pagefault.org addon, you can allow secure, authenticated access from anywhere, so it doesn't really matter.

> ETRN(?)... that term came up during the setup. The helpnotes
> inferred that it was not used in a permanent connection -
> such as the one here (rural wireless broadband 2.4GHz WiFi
> using 2Mbit/s shared pipe).

Correct. ETRN is one of the methods used for collecting mail stored on another server. You're trying to have your own server handle your domain's mail, so this is irrelevant.

> I've not installed an email/SMTP server before this one and
> was looking for the setup stuff to allocate accounts'
> usernames/passwords - the sort of guff I have always had to
> wait for from ISPs etc etc.

Just go into the Server Manager and add users. That's all.

> My other boxes will run the various email accounts. Currently
> using Forté Agent under W2kPro-SP2. Later this under WINE in
> SuSE or maybe natively from the SME box, if I can get my head
> round the learning curve(s) quickly enough;~/

Run the accounts? Do you mean clients? SME uses standard SMTP, POP3, and IMAP. Any email client will work.

> Perceive my initial two main issues to be...
> 1)   getting the SME stuff safely across the external
> firewall (Watchguard SoHo) - which ports to manually open up?

25/465 for regular/secure SMTP, 110/995 for regular/secure POP, 143/993 for regular/secure IMAP.

> 2)   what application(s) to start to setup/amend email
> functionality?

Everything can be configured from Server Manager. There's really nothing to do, other than add users and specify whether or not you want to allow external access to check mail.

[Robert Harlow]

Bill

What a good post - my thanks.

<>
I may very well be using the wrong terms. My previously parked domain is now pointing to my Static IP, itself allocated as my wireless broadband address. A hardware firewall, using a custom session, opens up all the ports you so helpfully identified, only to the (Trusted network's) IP for the SME.

Browsing to the SME's webserver page does work. I'm not up to speed with MX records (or CNames for that matter) but I specified to the Registrar that I expected my SMTP engine (on the SME) to be called and asked for this to be accordingly setup. My assumption has been that he has done this and that my difficulties are currently of my own making.


<>
The addons are now done (I reckon). Believe they are, or will be, of great use. However they weren't quite what I expected. From this and your other advice I think I now getting a better idea of what is amiss.

I have been expecting to find and use something like the control panel(s) I get from the various ISPs to run their ISP POP3 email accounts.

Similarly my (LAN) username was just something I used here to logon to W2kPro-SP2 and, via Samba, to allocated areas on the SME's file library database drive nest (previously it's normal task).

The ISPs' (POP3) usernames and passwords were quite different, I always used strong passwords. My (LAN) username's password is not strong. That darned thing has to be used all the time to reboot/logon to Windows and so it's necessarily a tad lightweight for my sanity. It's now apparent that my (LAN) username etc is now the SME's POP3 username and with it that lightweight (easily remembered) password:-( Yes?

Not particularly happy generating further (LAN) usernames just to resolve the POP3 username's security, it just gets too complicated in day-to-day use. So I am experimenting with the various 'secure' options...  Although I have to say I haven't yet got my own SMTP email engine specifically running with my usual client (Forté Agent) - just with the blindly used PINE stuff;~/ Much to do and learn.

Thank you for strongly pointing out that everything necessary should be possible just using the server-manager interface, that has been very helpful. I hope to crack the case presently and will then return to update this forum thread:-)

best wishes, Robert

[Bill Talcott]

Robert Harlow wrote:
>
> Bill
>
> <> DNS... etc>>
> I may very well be using the wrong terms. My previously
> parked domain is now pointing to my Static IP, itself
> allocated as my wireless broadband address. A hardware
> firewall, using a custom session, opens up all the ports you
> so helpfully identified, only to the (Trusted network's) IP
> for the SME.
>
> Browsing to the SME's webserver page does work. I'm not up to
> speed with MX records (or CNames for that matter) but I
> specified to the Registrar that I expected my SMTP engine (on
> the SME) to be called and asked for
> this to be accordingly setup. My assumption has been that he
> has done this and that my difficulties are currently of my
> own making.

The registrar points your domain to a DNS server(s). This server has the information for converting your domain name into the proper IPs. It sounds like you have this set up properly, with the registrar pointing to your DNS servers, and the DNS servers having the information pointing your domain at your SME. You may want to set up a free account at ZoneEdit.com to play around with DNS. You can enter your domain and mess with the settings, so long as you don't tell the registrar to change to ZoneEdit's DNS servers. Basically you have a few types of DNS entries. An "A" record simply converts a name to an IP. An "MX" record defines the default mail server for the domain.

> <> SMTP though, I'm not sure. I'm not sure about Server Only
> mode either. But with the pagefault.org addon, you can allow
> secure, authenticated access from anywhere, so it doesn't
> really matter.>>
> The addons are now done (I reckon). Believe they are, or will
> be, of great use. However they weren't quite what I expected.
> From this and your other advice I think I now getting a
> better idea of what is amiss.

You cannot access the SMTP server from outside the LAN. There's no authentication built-in, so anybody and everybody would be able to send mail from your server. This is an open relay. Do a Google search on that, and you'll find a bunch of angry people. =) The addons add an authentication layer. You have to login with a valid username and password, then you are granted access to SMTP, even from outside the LAN. They also add SSL email abilities, so that your password isn't sent over the internet in plaintext.

> I have been expecting to find and use something like the
> control panel(s) I get from the various ISPs to run their ISP
> POP3 email accounts.

I'm not quite sure what you mean by this. There is really no "running" to a POP3 account. The mailserver receives the message, and puts it in the user's mailbox. The client connects and downloads the message from the server to the client. If you use IMAP instead, all your mail is stored on the server, and you can access all your folders via Webmail.

> Similarly my (LAN) username was just something I used here to
> logon to W2kPro-SP2 and, via Samba, to allocated areas on the
> SME's file library database drive nest (previously it's
> normal task).
>
> The ISPs' (POP3) usernames and passwords were quite
> different, I always used strong passwords. My (LAN)
> username's password is not strong. That darned thing has to
> be used all the time to reboot/logon to Windows and so it's
> necessarily a tad lightweight for my sanity. It's now
> apparent that my (LAN) username etc is now the SME's POP3
> username and with it that lightweight (easily remembered)
> password:-( Yes?
>
> Not particularly happy generating further (LAN) usernames
> just to resolve the POP3 username's security, it just gets
> too complicated in day-to-day use. So I am experimenting with
> the various 'secure' options...  Although I have to say I
> haven't yet got my own SMTP email engine specifically running
> with my usual client (Forté Agent) - just with the blindly
> used PINE stuff;~/ Much to do and learn.

Don't think of it as LAN and email and etc. accounts. Each user has an SME account. This account includes LAN, email, etc. They're all part of one account. If you're just using the SME for simple file sharing and internet/email stuff, you may be able to make things simpler. You might be able to have all the PCs use one account to logon for network stuff, then also give each user their own account to be used for email. I have a "Machine Account" set up here to allow the shared PCs to access the Samba stuff.

Regarding your strong POP3 password... If you're using standard POP3 as opposed to POP3-over-SSL, your password is being sent across the internet in plaintext. While it's not just going to be a point-and-click operation to steal your password, it's also in no way secure.

[Robert Harlow]

Bill

<>
•   Thank you for the clarification on the DNS setup, I will do those things later when all the echoes associated with this particular project have died down:~/


<< Don't think of it as LAN and email and etc. accounts. Each user has an SME account. This account includes LAN, email, etc. They're all part of one account.>>
•   Got it:~) Have already implemented something like your Machine Account trick to keep the Samba stuff happy.


<>
•   Your point is taken - in spades.


<< You cannot access the SMTP server from outside the LAN. There's no authentication built-in, so anybody and everybody would be able to send mail from your server. This is an open relay. Do a Google search on that, and you'll find a bunch of angry people. =) The addons add an authentication layer. You have to login with a valid username and password, then you are granted access to SMTP, even from outside the LAN. They also add SSL email abilities, so that your password isn't sent over the internet in plaintext.>>
•   It's this area that I haven't yet got right. Simplistically put, anything to do with this area fails (here), seemingly no matter what I try. I've put almost everything I can lay my hands on to 'Public' but I still see packet discards in the hardware firewall's logs. Similarly on the hardware firewall I've opened up all the named ports in question. Almost seems like a darned open door:~| I should be able to do all this stuff within the LAN and not via the internet...


<>
•   Even with all the wonderful looking addons, I still cannot get some of those things to work, though they have all installed correctly (I believe). I think it points to with some issue or setting I have yet to identify and surmount.
•   For instance Darrell May's *servermonitor* can't be persuaded to play ball. Most importantly (for me), all of Damien Curtain's *secure email* stuff doesn't yet hit the G-spot though I've gone through and installed the whole bunch.
•   Whereas Night Spirit's *system monitor* and *user access shell* stuff all play ball nicely. I would have tried the *IMP* stuff but one of the necessary download files (horde) was stuck on their server with a forbidden file access flag. I've emailed but yet to have a response.

                      *   *   *   *   *

Last night the firewall's logs showed a 15second run of 'allowed' packets from an entity in 210.0.178.56 that used a variety of ports including the secure flavours... and I'm wondering just what the hell all that is about:-( It's not as though the damn firewall ever allows MY packets to come in, they always get the discard treatment! So I'm guessing here, but maybe I've been probed? SME mail logs show only a few test emails of mine going to and fro. My assumption is that this is not something I can ignore.

                      *   *   *   *   *

Project not panning out at all well.
Though I'd put my education a lot further up the learning curve.
Successes...
• domain can now have a presence on the internet
• SME webserver page(s) can be browsed to
• SME email SMTP sends - only from server itself (PINE)
• SME user account receives email - can only read it on server (PINE)
• a number of SME addons
Failures...
• any use of SMTP engine from own intranet (Forté or Mozilla)
• any use of SMTP engine from internet (not even insecurely)
• access to SME user account from own intranet (Forté or Mozilla)
• a number of SME addons - particularly the 'secure' kind

                      *   *   *   *   *

My trepidation over the complexities of firewalls proved to be nearly right, though I did think I ought to have been able to get it all working. I earlier though it would be a good idea to have only one firewall resident - the external firewall. However I haven't been successful in converting SME's server-only requirements into the hardware firewall's operations, I think that's only too obvious.

Think it might now be best to purchase additional NICs (to double up the single NICs) and setup both SMEs in the full server-firewall-gateway mode. This will allow SME and the myriad of addons to work natively doing what they do best. The bit about me then not being able to mess things up can be quietly murmured:~/ The hardware firewall has a DMZ setting which, I understand, sets up an open but otherwise isolated path to a designated IP subsisting in the IP range allocated to the Trusted Network. Each SME, as appropriate, can then be setup to run natively in the DMZ.

Given last night's security question mark I'll wipe the test SME's drives.

best wishes, Robert

[Bill Talcott]

I'm not sure about exactly how SME works in server-only mode. A lot of stuff seems to be designed with an internal and external interface in mind. That may be causing some problems but I have no firsthand experience.

I'm not sure whether it requires anything special as far as interfaces go, but it does work via both internal and external interfaces. One quick thing. It does require a CVM RPM from a linked site. Did you follow the link and get that file as well? It's the base authentication package which allows for all of the login stuff.

"...but I still see packet discards in the hardware firewall's logs."
Perhaps the problem is with the firewall then, and not the SME itself?

Sorry I can't offer any really specific help. I do know that a lot of problems come from trying to forward the right stuff from an upline router to the SME. Perhaps try without the firewall in between if you can? Make sure that the SME is working properly, then work on getting the traffic to it...

[Robert Harlow]

<>
•   I was wondering that too. It's settled, will order some more NICs!


<>
•   That would've been the...  cvm-0.11-1.i386.rpm
Yes, it was buried a few layers down and it -was- installed.


<>
•   No way:~|  You missed the paragraph above - about the night's firewall log? Somehow I just don't believe that 210.0.178.56 -really-is- the Hongkong government's schools management test site... Now I understand more how all this runs I am a little astounded at how many *weird* packet requests are stopped by the firewall. Hopefully it's -all- of the nutty or downright nasty site probes:-| No, last night was a good reminder, firewall always stays up. Preferably with fewer open ports than I reluctantly ran last night. I -must- resolve this issue properly...


Will purchase more NICs and testrun SME in its full designed mode and not in this (cutdown) server-only mode. Meanwhile maybe I can get on with planning the upgrade of the [production] server from 5.5 to 5.6.

best wishes, Robert

[Bill Talcott]

Robert Harlow wrote:
>
> <>
> •   No way:~|  You missed the paragraph above - about the
> night's firewall log? Somehow I just don't believe that
> 210.0.178.56 -really-is- the Hongkong government's schools
> management test site... Now I understand more how all this
> runs I am a little astounded at how many *weird* packet
> requests are stopped by the firewall. Hopefully it's -all- of
> the nutty or downright nasty site probes:-| No, last night
> was a good reminder, firewall always stays up. Preferably
> with fewer open ports than I reluctantly ran last night. I
> -must- resolve this issue properly...

I meant in server-gateway mode. I'm not even saying to leave it up like that. I'm just saying to try it without the firewall in between. If it works perfectly without the hardware firewall in place, and nothing works behind the firewall, you've just narrowed down your problem a lot. It's a lot harder to find a culprit when you've got multiple variables... Also, SME does have a firewall built-in. By default, it will not accept any incoming connections except to the running services (HTTP, HTTPS, POP, IMAP, SMTP, etc.) when in server-gateway mode.

If you're not hooking up the external interface to the internet, you may have problems with internet access in server-gateway mode. I can't help you much with this stuff, as ours is a fairly standard cable modem --- external/internal --- LAN setup. http://edocs.mitel.com/6000_SME_Server/smeserveruserguide/English/operationmode.html doesn't say much, other than private S-G basically just shuts off external access to the mail and web servers (like for home use) and server-only seems to be just the LAN half of a server-gateway install, with no protection of its own. And there's still the issue of how well addons handle the different modes too. You're right in that you should be able to access all the stuff from the LAN.

What are you using to route traffic from the internet to the SME?

[Robert Harlow]

<>
•   Not possible. Have only one NIC per box throughout the site.
The test box is particularly twitchy, it just doesn't -do- modern NICs(!?) and I have run out of -old- NICs. Will have to sit tight until the new ones arrive ('overnight' from Komplett but I doubt I've made the pick today).


<>
•   Before it used to be a 3com OfficeLAN ISDN router. As of this month this was swapped out for the rural wireless broadband kit (smartBridges). The client, as they call the router, is an AirBridge SB2100. We've a 2Mbit/s (2.4GHz) wireless pipe that's shared around the rural communities - no limits - no imposed contentions. No ISP in fact. The company running the service are just simply *bandwidth providers* and not an archetypal ISP. Hence my need to have a go at running up my SMTP server;~/ Website stuff isn't a problem, I've been doing that for years.
•   Originally I planned to have just the comprehensive hardware firewall doing the biz - between the last port on the unmanaged switch and the (whatever) router. Later I'll have a good stab at amending that using the new NICs.

                 *   *   *   *   *

A thought. One of the addons talked about the last SME beta and a required dependency etc but insisted that a --nodep switch could be used... Well, maybe something is amiss there and disabling the switch has left me without any appropriate warning(s) and maybe this difficulty. Only a thought, I expect they had it covered when the --nodep assertion was made. I still am betting that -not- using the SME in its conventional/designed mode is probably at the root of the trouble. That and my level of inexpertise:-)

best wishes, Robert

[Robert Harlow]

Another thought...
http://sme.nightspirit.nl/e-smith-imp/horde-2.2.1-1es.noarch.rpm
...plainly says that it's designed for server and gateway SMEs. Nothing about being suited or suitable for a server-only SME...  Just a thought really as its all the 'secure' elements of the email stuff that has been giving me such grief. Food for thought. OTOH maybe I need more practise;~/ (And, yes, I did use the v5.6 alternatives)

best wishes, Robert

[Robert Harlow]

What transpired then...
• a further NIC installed between SME & LAN (unmanaged switch)
• SME5.5 server-only *clean installed* into 5.6 server-gateway
• external firewall (Fireguard SoHo) reconfigured:-
   - to protect LAN & W2kPro-SP2 workstations
   - with a custom service - opens selected TCP ports
      (80, 443, 25, 465, 110, 995, 143, 993)
      through to the SME server-gateway's IP
• SME calls home and it serves some webpages OK
• SME's Lynx calls up GRC/ShieldsUP test - all is OK
• installed various SME addons - including securemail...
   and the darned stuff still won't oblige my Winboxes
   in private SSL modes (ie across the LAN); never
   even gets to the (secure) prompt:-(

Damien Curtain's Secure Email addon:
POP3 IMAP webserver - none of them play ball across the LAN

Darrell May's Server Status addon:
• SME's Lynx can run through this OK - all the server lines are
  reported as being *Running* except FTP & Telnet (agreed)
• can't replicate similar functionality across LAN with Winboxes
  using IE5.5 (128bit encryption) & Mozilla 1.3b (W2kPro-SP2)

Night Spirit's System Monitor addon:
• works across the LAN OK.

SME5.6's own server-manager:
• works across the LAN OK

The external firewall's logs show discarded packets for the secure ports appropriate to the SME's IP. It's maddening. All those TCP ports (listed above) have been opened specifically with a custom-service - appropriately (apparently) through to the SME's IP.

It's late, long day, tomorrow I'll try booting a W2kPro-SP2 box with Knoppix and see what I can kickstart with that. Also have SuSE8.0 on another Winbox so I can give it a go across the LAN with KDE's Konqueror & a Linux iteration of Mozilla too;~/ I'll need a Life soon - should be easier than this:-|

Whatever I've tried never seems to make it across the LAN - particularly anything imbued with *secure* functionality. Haven't even bothered trying to get anything SMTPing out using a dual NIC server-gateway flavour of SME (as opposed to the previous abortive attempts using a single NIC, external firewall, server-only flavour of SME5.5).

Does any of this ring a bell with anyone!?

best wishes, Robert

[Robert Harlow]

Knoppix was really interesting. What a brilliant idea and in such a very workable implementation. However it was no more able to use the email engine on the SME over the LAN than anything I had tried on the Winboxes.

Tried a few more SME addons with similar implementation success but still nothing on the email functionality.

Just cannot get the stuff to work over the LAN - using the given domain name as indicated by the readme notes. So I've now hot-wired it;~/, by instead, plugging in the actual (non-routable) internal numeric IP. Now at least webmail *works* across the LAN! That's all I need it to do. The Winboxes can use (SSL) webmail to get out - using the SMTP engine of the SME, similarly the other way around. I'm not proud, it doesn't have to be by the textbook - just work. Great.

Along the way I have stumbled a good way up the learning curve:-))

best wishes, Robert

[Robert Harlow]

In conclusion: I was on a hiding to nothing. The external firewall configuration of this system has completed stumped all my efforts.

I took the external firewall (Watchguard SoHo) out completely, reconfigured SME appropriately to take up the strain along with the other bits of the LAN. Just about everything suddenly clicked into place and started performing just as things should've done from the outset;~/ Well, I guess the external firewall just *did its job* rather too well.

WebMail started working properly (via the domain name and not hot-wired using the non-routing IP 192.168.xxx.yyy) and it even started kicking out *New Email Rxd* popups, which it hadn't been doing up to now. Forté Agent is now able to work its magic on the POP3 boxes. Surfing around the internet is quicker and lookup latency has speeded up noticeably without the external firewall (presumably not so much stateful packet checking loss). I don't do games per se but checking the wireless broadband's gateway's IP now sees pings at around 0 to 2msec whereas before it was always around 5msec to 10msec.

Still haven't resolved which SME addon has so very recently inappropriately messed up my bootsector, resulting in an unexpected fatal halt in all reboots at *LI *  So far the rescue floppy resolves the issue but I don't want this hanging over me. So, it looks like a complete burn and reload tomorrow:-|

I've now kickstarted the email and settings... as per thread title.

best wishes, Robert