Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: demonx on June 02, 2007, 05:00:57 PM
-
I recently switched from a proprietary mail server to SME 7.1. I've had several problems since then with the security defaults in SME. Our mail client is Thunderbird. I have about 100 users on the server. The server is used for email only and is not configured as a gateway. I have configured pop3 and imap to accept public connections. I didn't find any instructions for doing the same with smtp. Now when my users at remote sites send an email it refuses to let them send to anyone on an external domain. Internal mail works fine. External mail gives them an error saying that's not a valid email address. I know the SME developers intended that the secure connection be used, however it is an option with commercial server products. How can I make SME work like the commercial server and stop the requirement for the secure connections? This issue has become serious enough to make me consider switching back to the commercial server software. I seem to remember the secure connections being an option in earlier versions.
-
The SME developers are doing their best to protect people from themselves. Don't forget that smtp conversations are unencrypted, so if you do use smtp-auth from remote sites your usernames and passwords can be snooped by any intervening system, or by anyone who can poison your DNS...
Here are some ideas:
* If your remote sites are using fixed IPs you can probably circumvent the SME firewall rules by adding the apparent IP of each remote site as a local network in server-manager:Security:Local_networks.
* It looks (from examining /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local) as though you can enable smtp auth by:
    config setprop smtpd Authentication enabled
    signal-event email-update
* Your remote sites could be configured to use their own ISPs' SMTP servers for outbound email.
* You could put a SME at each location and create VPN tunnels (oh boy!)
* You could implement pop-before-smtp authentication (again exposing your usernames and passwords to the world...), but you'd have to learn way more about qpsmtpd and SME templates to make this work...
* You could customize /var/service/qpsmtpd/config/relayclients to allow relaying for your remote offices. Slightly better than just adding the remote office IPs to your 'Local Networks', but more difficult as you'll have to create a custom template to make the changes 'stick'.
I'm sure I can think of more ideas if you don't like these or if they don't work.
WARNING: I seem to throw out lots of ideas that don't pan out -- take these as pointers rather than step-by-step instructions...
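The reply above warns that SMTP AUTH on an unencrypted session exposes usernames and passwords to anyone on the path. The script below is an added example for this thread, not code from the thread or from the SME Server project, and it does not touch SME's qpsmtpd configuration. It parses an EHLO reply and classifies what a client would be exposed to: no AUTH at all (relay decided by client IP, as with 'Local networks' or relayclients), PLAIN/LOGIN offered in the clear, or AUTH offered only after STARTTLS. The function names (parse_ehlo, analyze_features, analyze_ehlo, probe_smtp) and the three sample EHLO transcripts are assumed/constructed for illustration; probe_smtp runs the same check live against a server you administer.

```python
"""Check whether an SMTP server would accept logins in the clear.

Added example for this thread; not SME Server code. The function names
and the sample EHLO transcripts below are assumed/constructed.
"""
import smtplib
from typing import Dict, List

# Constructed EHLO transcripts (not captured from any real server).
# RFC 5321 multi-line reply format: "250-" continues, "250 " is the last line.
EHLO_AUTH_IN_CLEAR = """250-mail.example.test Hello client
250-PIPELINING
250-SIZE 20000000
250 AUTH PLAIN LOGIN
"""

EHLO_STARTTLS_BEFORE_AUTH = """250-mail.example.test Hello client
250-PIPELINING
250 STARTTLS
"""

EHLO_NO_AUTH = """250-mail.example.test Hello client
250 PIPELINING
"""


def parse_ehlo(transcript: str) -> Dict[str, List[str]]:
    """Map EHLO keywords to parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}.

    The first reply line is the greeting and carries no extension."""
    features: Dict[str, List[str]] = {}
    lines = [ln for ln in transcript.splitlines() if ln.strip()]
    for line in lines[1:]:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, *params = body.split()
        features[keyword.upper()] = [p.upper() for p in params]
    return features


def analyze_features(features: Dict[str, List[str]], tls_active: bool = False) -> dict:
    """Classify credential exposure from a parsed feature map.

    tls_active=True means STARTTLS has already been negotiated, so any
    AUTH offered now travels inside TLS."""
    auth_mechs = features.get("AUTH", [])
    clear_mechs = [m for m in auth_mechs if m in ("PLAIN", "LOGIN")]
    if not auth_mechs:
        # No SMTP AUTH: relay decisions rest on the client's IP (local
        # networks / relayclients lists), so there is no password to leak.
        risk = "no-auth"
    elif tls_active:
        risk = "auth-over-tls"
    elif clear_mechs:
        # PLAIN/LOGIN on a cleartext session: any intervening system can
        # read the username and password. This is the snooping risk the
        # reply warns about.
        risk = "plaintext-credentials"
    else:
        # Only challenge-response mechanisms (e.g. CRAM-MD5): the password
        # is not sent verbatim, but the exchange still allows offline guessing.
        risk = "challenge-response-only"
    return {
        "offers_starttls": "STARTTLS" in features,
        "auth_mechanisms": auth_mechs,
        "clear_mechanisms": clear_mechs,
        "risk": risk,
    }


def analyze_ehlo(transcript: str, tls_active: bool = False) -> dict:
    """Raw EHLO transcript -> classification."""
    return analyze_features(parse_ehlo(transcript), tls_active)


def probe_smtp(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a server you administer: what is offered before
    and after STARTTLS. Only EHLO/STARTTLS are sent; nothing authenticates."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib keeps extensions lower-cased with a parameter string.
        before = analyze_features(
            {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()})
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
            after = analyze_features(
                {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()},
                tls_active=True)
    return {"before_starttls": before, "after_starttls": after}


if __name__ == "__main__":
    for name, sample in [("auth in clear", EHLO_AUTH_IN_CLEAR),
                         ("starttls first", EHLO_STARTTLS_BEFORE_AUTH),
                         ("no auth", EHLO_NO_AUTH)]:
        print(f"{name:15s} -> {analyze_ehlo(sample)['risk']}")
```

Run probe_smtp("mail.example.test", 25) against your own server: a before_starttls result of "plaintext-credentials" is the situation the reply describes (remote users' passwords readable in transit), while "no-auth" before and "auth-over-tls" after STARTTLS is the state where remote sites can authenticate without exposing credentials.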
-
That was just what I needed. If I sounded like I was saying anything bad about the developers I apologize. I've been using SME since version 601 as file/print servers in all 10 of my offices and absolutely love it. I've had Windows admins express admiration for my use of open source saying they wish they could do that. This is my first time trying it as a mail server and I appreciate your efforts. I'm aware that passwords are transmitted in plain text but then again they are on most mail servers. I like having the option and again I thank you for your reply. :D