Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: gippsweb on October 10, 2007, 05:33:05 AM
-
Is it possible to filter outgoing mail from SME for non-domain/workgroup pc's?
Scenario: Small PC repair shop plugs PC into network to check for problems. Moments later ISP rings complaining about spam emanating from PC shop's ADSL connection.
EDIT: I did a search, but didn't locate anything appropriate.
PS I'm using SME7.2 in gateway mode
-
gippsweb
>...spam emanating from PC shop's ADSL connection.
Do you have the smtp proxy enabled on your sme server ?
With the smtp proxy enabled, then the email client must be configured to use your mail server. If not configured, then mail should not be able to get sent, so don't configure the client PC's being repaired to use your mail server.
If you don't have the smtp proxy enabled, then rogue viruses on workstations can create their own software smtp server, or use an external smtp server to send spam etc. So it's better (safer) to enable the sme smtp proxy to protect against this scenario ie the virus won't know what smtp server to use.
-
Damn that was a quick reply Ray.
I should have mentioned that the SMTP proxy is on. (I figured it only worked on incoming mail as it figured anything on the LAN would be "safe")
We don't change any mail settings on clients PC's.
I have mail to unknown users set to reject (no good in this case as the mail is just passing through)
Virus scanning and Spam filtering on (Spam Filtering set fairly aggressively)
POP3 server access is set to private and public as we have a couple of remote users.
-
gippsweb
> .... SMTP proxy is on. (I figured it only worked on incoming mail as it figured anything on the LAN would be "safe")
> We don't change any mail settings on clients PC's.
The smtp proxy forces local users to send mail via the sme server smtp mail server, to my understanding it has nothing to do with incoming mail.
So you surmise that the phone call from your ISP suggests the spam is coming from the recently connected customer's PC under test. So how then is the mail getting from the PC to your sme server's mail server if you do not configure the client PCs to use your mail server ?
Did you check the qpsmtpd log files to see where the spam was really coming from ?
If spam email is being sent directly from the PC (not via your sme server), then the smtp proxy must be disabled.
-
Going by the qpsmtpd log, it's the recently connected pc causing the spam.
There has "never" been any need for us to change mail settings on a customers pc to connect to our SME pc.
The smtp proxy must be working as qpsmtpd is passing and logging the mail. SME appears to be virus scanning outgoing mail but not spam filtering.
Spam filtering on incoming mail definitely works as it blocks more than 60% of incoming mail.
SMTP proxy is definitely enabled. I've even disabled and reenabled it just to be sure.
-
gippsweb
> There has "never" been any need for us to change mail settings on a customers pc to connect to our SME pc.
Exactly how is the customer's PC configured then to send email to your sme server's mail server ?
Surely you must need to have mail.yourdomain.com as the smtp & POP/IMAP servers setup in their email client, or are you talking about some other eg webmail system ?
-
After re-reading that it doesn't sound right does it :?
The customer's PC would be configured to send via their own ISP.
Although this bug must be using its own smtp engine as no email programs are open/running on it.
As SME thinks PCs on the LAN are safe (if that's the right way to look at it) is the machine relaying through it? Or am I just way too tired and looking at it all wrong.
-
gippsweb
> Although this bug must be using its own smtp engine as no email programs are open/running on it.
That's typically what happens, and it can only connect to the outside world if your smtp proxy is disabled.
Are you sure we are referring to the same setting.
What output do these commands show ?
config show SMTPSmartHost
config show smtpd
-
config show SMTPSmartHost shows our ISP's mail server
config show smtpd
smtpd=service
Authentication=disabled
Instances=40
InstancesPerIP=5
MaximumDateOffset=0
PatternsScan=enabled
Proxy=enabled
TCPPort=25
TCPProxyPort=25
VirusScan=enabled
access=public
status=enabled
tnef2mime=enabled
-
You could enable smtp authentication for internal users: http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.
Or you could block outgoing traffic from unauthorized computers using http://bugs.contribs.org/show_bug.cgi?id=2977
I'd recommend something like this:
Internet
   |
Router----DMZ->SME----Work_PCs
   |
Client_PCs
Then make a rule on 'Router' that blocks everything except 80 & 443 from every system except the SME... This solution will prevent "sick" client computers from pushing windows viruses onto your office computers...
-
What's the difference between smtpd and qpsmtpd?
I added smtp authentication for internal users as per the wiki and did a config show smtpd, it still shows Authentication=disabled
I did a config setprop smtpd Authentication enabled
was this correct or should I have left it disabled?
Anyway having followed the wiki for setting authentication didn't stop the spam flowing outwards, I am about to try again since changing the other setting.
-
gippsweb
I would have thought the more important task was to virus scan the errant PC and remove the virus that is sending the mail, before reconnecting to the Internet.
-
You are dead right Ray, and that is what will happen.
The issue is that this pc didn't come in for this and although it only ran for 10 minutes, I got caught unawares. I want to stop this unfortunate event from accidentally happening again. Hence trying to find a way to stop it.
-
gippsweb
Try this
http://forums.contribs.org/index.php?topic=37821.0
You will need to do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update
(note the "." at the end of the 3rd line)
Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication
Then do
config setprop qpsmtpd Authentication enabled
signal-event email-update
Then
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update
In all your email clients,
change outgoing smtp port to 465 and select SSL and
enable Authentication against the outgoing mail server
-
gippsweb
> I did a config setprop smtpd Authentication enabled
> was this correct or should I have left it disabled?
Wrong key, it should have been qpsmtpd. Leave it disabled, so do
config setprop smtpd Authentication disabled
signal-event email-update
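Added example (not part of the original thread or of SME Server itself): a shell check that reads the text printed by `config show qpsmtpd` and `config show smtpd` and reports whether Authentication sits under the qpsmtpd key, as the reply above advises, rather than under smtpd. The function names and both sample dumps are constructed for illustration, modelled on the output posted in this thread.

```sh
#!/bin/sh
# Added example: report which db key carries Authentication (smtpd vs qpsmtpd).
# On a server: { config show qpsmtpd; config show smtpd; } | audit_mail_auth

# get_prop KEY PROP: print PROP's value from the block that starts "KEY=service".
get_prop() {
    awk -v key="$1" -v prop="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # tolerate indentation
        /^[A-Za-z0-9_-]+=service$/ { cur = substr($0, 1, index($0, "=") - 1); next }
        cur == key {
            i = index($0, "=")
            if (i > 0 && substr($0, 1, i - 1) == prop) { print substr($0, i + 1); exit }
        }'
}

# audit_mail_auth: read both blocks on stdin, print findings, return 1 if any FAIL.
audit_mail_auth() {
    input=$(cat)
    q_auth=$(printf '%s\n' "$input" | get_prop qpsmtpd Authentication)
    s_auth=$(printf '%s\n' "$input" | get_prop smtpd Authentication)
    proxy=$(printf '%s\n' "$input" | get_prop smtpd Proxy)
    rc=0
    if [ "$proxy" != "enabled" ]; then
        echo "FAIL smtpd Proxy=${proxy:-unset}: LAN hosts are not forced through the SME mail server"
        rc=1
    fi
    if [ "$q_auth" != "enabled" ]; then
        echo "FAIL qpsmtpd Authentication=${q_auth:-unset}: use 'config setprop qpsmtpd Authentication enabled'"
        rc=1
    fi
    if [ "$s_auth" = "enabled" ]; then
        echo "FAIL smtpd Authentication=enabled: wrong key per the reply above, set it back to disabled"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK qpsmtpd Authentication=enabled, smtpd Proxy=enabled"
    return "$rc"
}

# Constructed sample: the working state shown in the thread, abbreviated.
SAMPLE_GOOD='qpsmtpd=service
    Authentication=enabled
    access=public
    status=enabled
smtpd=service
    Authentication=disabled
    Proxy=enabled
    status=enabled'

# Constructed sample: Authentication was set on the smtpd key by mistake.
SAMPLE_WRONG_KEY='qpsmtpd=service
    access=public
    status=enabled
smtpd=service
    Authentication=enabled
    Proxy=enabled
    status=enabled'

printf '%s\n' "$SAMPLE_GOOD" | audit_mail_auth || :
printf '%s\n' "$SAMPLE_WRONG_KEY" | audit_mail_auth || :
```

The check only covers the db properties; whether the `relayclients` custom template from the procedure above is in place has to be confirmed separately.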
-
gippsweb
Please let us know if the procedures suggested do in fact stop the spam coming from that PC when you reconnect it (without having cleaned it as yet, of course).
-
That looks like it may have worked Ray :-P The daily report shows 3246 email and 3246 blocked due to non conformance.
It appears we have had a win.
Thank you both Ray and mmcarn for your advice. Now to formatting this customer's PC and reinstalling the OS, there is just no cleaning this one.....
-
Sorry to resurrect an old post... but the instructions on the link did not work for me with 7.3 and latest updates (as of today).
I had to do the following, it didn't work otherwise:
config setprop smtpd Authentication enabled
signal-event email-update
http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.
Can anyone enlighten me on what upcoming trouble I have set myself up for?
p.s. Outlook 2007 sucks hard!
> gippsweb
> Wrong key, it should have been qpsmtpd. Leave it disabled, so do
> config setprop smtpd Authentication disabled
> signal-event email-update
-
config setprop qpsmtpd Authentication enabled
signal-event email-update
should be the key to locking down your network internally.
not the one you tried, as that is the same mistake I made just as you have pointed out in your post...
-
Ok, but I did the command with qpsmtpd, it didn't work. I even did the post command and rebooted. It wasn't until after I set smtpd enabled that it worked on the local lan.
Is the instruction on the wiki incorrect? Should it say smtpd instead of qpsmtpd?
If not, why did setting the property for smtpd work when qpsmtpd did not?
Thanks for that super quick response!
-
What is it you are attempting to do?
In my case we do a lot of PC repairs and needed to stop unsolicited mail from any internal PC that wasn't authenticated from leaving the network. (It was upsetting my ISP)..
-
All I need to do is overcome the stupid Outlook 2007 smtp auth errors inside the lan.
I have roadwarriors that need to have one setting, smtpauth, regardless of whether they are inside the lan or out. Outlook03 and down work fine, Outlook07 fails. The fixes all over the internet, including this board, say turn off smtpauth on the client, but that won't work for me, because I can't expect my clients to go into the mail account properties and turn on and off the smtpauth on their email account whenever they come in and out of the lan.
Thanks.
-
On mine with auth turned on I can use the secure settings both in and outside my lan.
The only issue I have is on the first check when outlook starts it pops up a message about the security certificate not being correct, but that is because it's a self signed cert for my use only.
I could get a cert for it but its not really needed in my situation.
-
I don't get that. Of course, I am not using ssl for smtp yet, I don't want to do it until the server is in place for a bit and I have the kinks worked out, then I will get a cert and enable ssl.
-
If you have done a
config setprop qpsmtpd Authentication enabled
signal-event email-update
then all internal mail will have to pass through the sme mail server. ie; someone who has a home account with their own provider setup behind the sme box on a pc or laptop will not be able to send mail out of the internal network.
If this is not what you want then leave it disabled.
Road warriors will only be able to connect using ports 465 and 995 with SSL and should be able to do the same internally. If you have set them up using standard type mail settings using ports 25 and 110 they won't be able to connect when on the road..
-
jptechnical
From
http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.
It says implementing those changes will then cause your system to follow the setting of config::qpsmtpd::Authentication
which is the part that says (in this thread) re a db setting
config setprop qpsmtpd Authentication enabled
signal-event email-update
Are you sure you followed the instructions carefully & accurately ?
Please check what you did again.
Have you also disabled smtp relay for unauthenticated local users ?
See
http://wiki.contribs.org/Email#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients
The whole idea of forcing smtp authentication for local (or external users) is to have secure access to your email system. You need to disable local smtp relay for unauthenticated users ie so users can only use the authenticated connection method.
I suggest/guess that you have not setup your user authentication correctly in the email clients.
From a system where this has been setup & is working:
config show qpsmtpd
qpsmtpd=service
Authentication=enabled
Bcc=disabled
BccMode=cc
BccUser=maillog
DNSBL=disabled
LogLevel=6
MaxScannerSize=25000000
RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
RHSBL=disabled
RequireResolvableFromHost=no
SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
access=public
qplogsumm=disabled
status=enabled
config show smtpd
smtpd=service
Authentication=disabled
Instances=40
InstancesPerIP=5
MaximumDateOffset=0
PatternsScan=enabled
Proxy=enabled
TCPPort=25
TCPProxyPort=25
VirusScan=disabled
access=public
status=enabled
tnef2mime=enabled
-
I broke the forum :shock:
I only want to add smtpauth inside the lan, I don't want to disable unauth relay (have a couple old copier/printers that scan to email and do not do smtpauth).
That said, the only difference in your config and my own is the addition of smtpd auth enabled. And it presently works. If I disable smtpd auth, it stops working (outlook 2007 throws up authentication error). I don't think it makes me an open relay, I redirected my port25 to this box, and then setup a remote client to send through it, it got relay denied without smtpauth, but then relayed fine with smtpauth back on in the client. *** edit, I redirected the port again and ran the abuse.net relay test, all pass, no relay ***
Since it is now doing exactly what I want it to do, why didn't the instructions to turn on smtp auth work? And, what harm will there be in having smtpd auth enabled in addition to qpsmtpd auth enabled? (Looking at your config and mine, the only difference was smtpd auth enabled and public instead of private)
-
jptechnical
> If I disable smtpd auth, it stops working (outlook 2007 throws up authentication error)
As I understand it, all incoming & outgoing mail transactions are handled by qpsmtpd, so I'm not sure why you need to play around with smtpd settings. It suggests something is wrong elsewhere. What does the error message from Outlook exactly say ?
Have you setup your email client correctly to authenticate ?
ie
Configure your email clients to use smtps with authentication:
- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server
Did you enable secure smtp in server manager Email panel ?
> I only want to add smtpauth inside the lan, I don't want to disable unauth relay
OK that's fair enough, it just means both methods will work locally.
Here is the output from another system which does not have smtp authentication enabled.
Note there is no Authentication entry under the qpsmtpd key
config show qpsmtpd
qpsmtpd=service
Bcc=disabled
BccMode=cc
BccUser=maillog
DNSBL=enabled
Instances=5
LogLevel=8
MaxScannerSize=55000000
RBLList=zen.spamhaus.org:whois.rfc-ignorant.org
RHSBL=disabled
RequireResolvableFromHost=yes
SBLList=dsn.rfc-ignorant.org
access=public
qplogsumm=disabled
status=enabled
config show smtpd
smtpd=service
Authentication=disabled
Instances=10
InstancesPerIP=2
MaximumDateOffset=0
PatternsScan=enabled
Proxy=enabled
TCPPort=25
TCPProxyPort=25
VirusScan=enabled
access=public
disclaimer=disabled
status=enabled
tnef2mime=enabled
You really should disable that smtpd entry ie do
config setprop smtpd Authentication disabled
signal-event email-update
-
I copied and pasted the commands for making a new dir and copying the template, didn't forget the period at the end... but I am still cutting my teeth on sme, so I was going completely on trust. I didn't follow the next step of disabling relay because I didn't understand what it was doing or whether or not I could un-do it.
Here you go. Now that smtpd auth is disabled, I get this error on outlook 2007 with smtpauth in the account config, but NOT in outlook 2003 with the same settings.
On the outlook07 with smtpauth turned on in the account settings, I get this error:
http://www.google.com/search?q=0x800ccc80
http://forums.contribs.org/index.php?topic=38580.0 - no followup
http://forums.contribs.org/index.php?topic=39677.0 - this was a patch in January, but the updates were after April... this got missed in the updates... never made it out of test? Besides, smeserver-qpsmtpd-1.2.1-53.el4.sme.noarch.rpm is listed as the patch, but yum info shows this is the version of qpsmtpd (would have saved 15mins of figuring out how to find that package if qpsmtpd had a -v argument! I gotta learn my way around this.)
Name : smeserver-qpsmtpd
Arch : noarch
Version: 1.2.1
Release: 54.el4.sme
This is on 2 new computers, xpsp2 with no AV on it yet, so there is no chance it is AV related.
On outlook03 with the EXACT same config, it goes through with no issue.
The MINUTE I enable auth in smtpd the error goes away in 07 and the email is delivered... exactly as expected.
Perhaps this is a bug? Maybe something needs to be updated since Outlook07. In any case, the instructions for turning on smtpauth in qpsmtpd do not work with Outlook07. Again... I hate Outlook07!
settings with smtpdauth off
[root@sme ~]# config setprop smtpd Authentication disabled
[root@sme ~]# signal-event email-update
[root@sme ~]# config show qpsmtpd
qpsmtpd=service
Authentication=enabled
Bcc=disabled
BccMode=cc
BccUser=maillog
DNSBL=disabled
LogLevel=6
MaxScannerSize=25000000
RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
RHSBL=disabled
RequireResolvableFromHost=no
SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
access=public
qplogsumm=disabled
status=enabled
[root@sme ~]# config show smtpd
smtpd=service
Authentication=disabled
Instances=40
InstancesPerIP=5
MaximumDateOffset=0
PatternsScan=enabled
Proxy=enabled
TCPPort=25
TCPProxyPort=25
VirusScan=enabled
access=public
status=enabled
tnef2mime=enabled
settings with smtpdauth on
[root@sme ~]# config setprop smtpd Authentication enabled
[root@sme ~]# signal-event email-update
[root@sme ~]# config show qpsmtpd
qpsmtpd=service
Authentication=enabled
Bcc=disabled
BccMode=cc
BccUser=maillog
DNSBL=disabled
LogLevel=6
MaxScannerSize=25000000
RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
RHSBL=disabled
RequireResolvableFromHost=no
SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
access=public
qplogsumm=disabled
status=enabled
[root@sme ~]# config show smtpd
smtpd=service
Authentication=enabled
Instances=40
InstancesPerIP=5
MaximumDateOffset=0
PatternsScan=enabled
Proxy=enabled
TCPPort=25
TCPProxyPort=25
VirusScan=enabled
access=public
status=enabled
tnef2mime=enabled
[root@sme ~]#
ooh, I like the scrolling text boxes for code, saves so much page!
-
Just for grins, I did it again:
[root@sme ~]# mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
[root@sme ~]# cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
[root@sme local]# cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
cp: overwrite `./05auth_cvm_unix_local'? y
[root@sme local]# signal-event email-update
[root@sme local]# config setprop smtpd Authentication disabled
[root@sme local]# signal-event email-update
[root@sme local]# config show qpsmtpd
qpsmtpd=service
Authentication=enabled
Bcc=disabled
BccMode=cc
BccUser=maillog
DNSBL=disabled
LogLevel=6
MaxScannerSize=25000000
RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
RHSBL=disabled
RequireResolvableFromHost=no
SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
access=public
qplogsumm=disabled
status=enabled
[root@sme local]# config show smtpd
smtpd=service
Authentication=disabled
Instances=40
InstancesPerIP=5
MaximumDateOffset=0
PatternsScan=enabled
Proxy=enabled
TCPPort=25
TCPProxyPort=25
VirusScan=enabled
access=public
status=enabled
tnef2mime=enabled
I verified that this is for both relayed messages and messages for local delivery. Again, same result, even after going through the same steps again.
-
jptechnical
I don't have Outlook 2007 so I cannot test it.
This bug seems (amongst other things) to suggest setting problems in Outlook 2007
see post 13 & 14 for example
http://bugs.contribs.org/show_bug.cgi?id=2631
If you think the bug still exists despite supposed fixes having been released, then you should either add to the existing bug report or create a new bug (if you think your issue is different).
Bug reports here in the forums will not get the issue fixed, if there is an issue.
-
gippsweb & jptechnical
> The only issue I have is on the first check when outlook starts it pops up a message about the security certificate not being correct, but that is because it's a self signed cert for my use only.
The self signed certificate should work quite OK. Make sure it is installed in your browser(s) (IE), and also access your mail server using
servername.yourdomain.com
rather than
mail.yourdomain.com
ie to match what is on the self signed certificate
Same thing with accessing https websites
ie use
https://servername.yourdomain.com/webmail
or whatever (this must of course be configured to resolve in external DNS eg you need to set the wildcard for *.domain.com)
-
*** edit Never mind on that, I will find the howto and instructions when I need it and am ready, don't need to further hijack this thread ***
How can I regenerate a self-signed cert then? The internal domain is mydomain.corp, but the addon-domain for email is mydomain.com. I can change the external domain entry to sme.mydomain.com, but not the internal domain and workgroup.
-
jptechnical
> How can I regenerate a self-signed cert then?
signal-event post-upgrade
signal-event reboot
But why do you need to regenerate it ?
The domain referred in the self signed certificate is the main or primary domain name given to the server when you first set it up using the admin console eg mydomain.com.
The servername is the name you first gave the server when it was initially setup.
You will see these displayed at the top of the server manager screen.
The Windows Domain and workgroup name have nothing to do with it.
-
Hi, has anyone done this successfully? I did follow it, but now my webpage is gone and server-manager is gone; all I get is "The connection was reset". All I want is to have my LAN email authenticated. :(
Help please.. but access to other sites is OK.
-
Yep, have had it successfully filtering our workshop since my original post here.
I don't understand how you could have lost all your http unless you have mistyped one of the instructions.
It works quite well here & regularly stops 10-20k mails from infected PCs
-
Thanks, is there a copy of the how-to where I can follow it clearly? I have not slept yet :shock:
-
nefkho
> is there a copy of the how-to where I can follow it clearly? I have not slept yet
Please read available information already provided in this thread and in the FAQ.
http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network
http://wiki.contribs.org/Email#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients
-
thanks,
i got it working now... :)
gippsweb, how do you know the number of dropped/blocked emails sent by the infected PCs?
thanks,