Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: JoshuaR on July 26, 2008, 01:55:54 PM

Title: Private Server and Gateway mode enable email
Post by: JoshuaR on July 26, 2008, 01:55:54 PM
Hi,
Currently I have my server set up in Private server and gateway mode to keep it pretty well locked down, however, I'd like to set up the server to provide email services.  Is there a simple way to enable this?  I assume it'd have to do something like forwarding external ports...but I'm really not 100% sure how to go about this. 

As always, any help is appreciated.  :)
Title: Re: Private Server and Gateway mode enable email
Post by: zatnikatel on July 26, 2008, 02:51:46 PM
Yes, you are correct: you need to port forward 110 and 25 to the SME server, and 443 if you want to use web mail as well.
Port 110 is POP3.
Port 25 is SMTP.
Port 443 is HTTPS.
As to telling you how to do it on your modem, each modem router is different.
Title: Re: Private Server and Gateway mode enable email
Post by: JoshuaR on July 26, 2008, 03:55:41 PM
Thanks for the reply.
Quote
as to telling you how to do it on your modem each modem router is different

My modem is in bridge mode, not acting as a router...so don't think this would apply?
Title: Re: Private Server and Gateway mode enable email
Post by: zatnikatel on July 26, 2008, 07:56:21 PM
So SME is doing the PPPoE then? If that is true, just switch to server and gateway mode and set up the email in the server-manager, or just set up the email settings in server-manager. Are you using one or 2 NICs? If SME is doing the PPPoE there is no need to worry about port forwarding; just follow the manual in the wiki to set up email in SME.
Title: Re: Private Server and Gateway mode enable email
Post by: JoshuaR on July 27, 2008, 08:53:00 AM
Well, yeah, I could change it to server and gateway mode...but the idea was that I wanted to keep the server locked down on services except email...I don't really want to open it up to server and gateway mode...  :sad:
Title: Re: Private Server and Gateway mode enable email
Post by: janet on July 27, 2008, 11:11:12 AM
JoshuaR

Private server and gateway mode closes ALL external services, so you cannot run an email server in that mode.

The easiest way is to just enable server and gateway mode, and if you really must, disable any unwanted services.
Mind you, sme is very safe in server & gateway mode, so don't worry about opening a few ports.

You can see what's enabled with

config show
or config show |more
Title: Re: Private Server and Gateway mode enable email
Post by: arne on July 27, 2008, 12:10:43 PM
I also only open one port at a time, as required, but I do it differently. I use a virtual Smoothwall firewall/gateway installation in front of a virtual SME server running on CentOS 5.3 / VMware Server. In this way I generally also restrict server functions to approved source IPs.

I haven't tested this for a while, but I would guess it will also work to set up the server in private server and gateway mode, and from that rather restrictive basic configuration open up one port at a time, as required.

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual:Section4

See note about: Creating firewall pinholes for your application

Please correct me anyone if I should be wrong on this assumption.
Title: Re: Private Server and Gateway mode enable email
Post by: zatnikatel on July 27, 2008, 12:59:21 PM
That would be too much of a pain doing it that way; you would also have to start up services as well to go along with it. You are better off setting the SME server into server and gateway mode. I have been using SME since version 6 in that mode for email and such, and I have never been hacked, not once, as the admin passwords I use are Japanese names with numbers before/after them. I have even left SSH open to the outside world and never been hacked, so don't worry, SME is very secure, but using good passwords is always a good idea.
Title: Re: Private Server and Gateway mode enable email
Post by: arne on July 27, 2008, 01:18:34 PM
No, I think it will work the other way. You just apply one single command line, and then everything will be maintained automatically, start up of service, firewall etc. It should be easy to try and test out if this is the case or not.
Title: Re: Private Server and Gateway mode enable email
Post by: JoshuaR on July 28, 2008, 12:56:18 AM
Quote
you are better off setting the SME server in to server and gateway mode
I'll keep that as an option, but I'd rather it as a last resort...

Quote
No, I think it will work the other way. You just apply one single command line, and then everything will be maintained automatically, start up of service, firewall etc.
What command would that be?  :?:


If anyone could point me in the direction of where/what I should be looking at, then I can probably figure out the rest...  :|
Title: Re: Private Server and Gateway mode enable email
Post by: janet on July 28, 2008, 01:55:13 AM
JoshuaR

Quote
If anyone could point me in the direction of where/what I should be looking at...

You have already been told a perfectly good answer, but you choose to ignore it.

Private server and gateway mode closes ALL external services, so you cannot run an email server in that mode.

The easiest way is to just enable server and gateway mode, and if you really must, disable any unwanted services that are running (which will close associated ports).
Mind you, sme is very safe in server & gateway mode, so you don't need to worry about opening a few ports.

You can see what's enabled with

config show
or config show |more

If you see what is enabled (that you don't wish to be enabled), then it should be easy to disable those services using a db command
eg
to disable web server
config setprop httpd-e-smith status disabled
reboot

Mind you this will disable server manager too.

Instead, for the web server (so that server manager still works locally) you could use
config setprop httpd-e-smith access private
signal-event post-upgrade
reboot

and so on

If you are going to ask for advice, please be prepared to accept it.
This method will give the same end result, but with less work ie you don't need to work out which and how many services you need to enable & allow public access in order to get email running etc.

Title: Re: Private Server and Gateway mode enable email
Post by: JoshuaR on July 28, 2008, 07:48:06 AM
Quote
You have already been told a perfectly good answer, but you choose to ignore it.
...easy now...  all I meant was did anyone have any ideas where I should be looking at to do this without putting SME in server and gateway mode.

And as I said, I am willing to accept this solution, but as a last resort--I'd like to find another way.

Quote
The easiest way is to just enable server and gateway mode, and if you really must, disable any unwanted services that are running (
The only reason I don't want to do it like this is that it seems like it would be better to close everything and only open the services that I want, rather than running all services and figuring out which to disable.

Quote
If you are going to ask for advice, please be prepared to accept it.
naturally, when I ask for advice, what I want is advice.  I really do appreciate people taking the time to answer, but please don't post like I'm being a jerk for not taking what you say...if there is no easy way to do what I am trying, then I guess I'll have to take some time and figure out a way--I simply thought that someone else might have known an easy way.

And, as always, I do appreciate your replies, your time, and your advice  ;)
Title: Re: Private Server and Gateway mode enable email
Post by: janet on July 28, 2008, 08:10:59 AM
JoshuaR

Quote
..but please don't post like I'm being a jerk for not taking what you say...

I never said you were a jerk, that's your conclusion. I did say you don't seem to be taking the advice you asked for (because you seem to disagree with it), as you keep asking the same question despite being given an answer.


Quote
...if there is no easy way to do what I am trying...

You have been told an easy way, and I believe the easiest way.
There are numerous services to enable to get the email server running and ensure that appropriate ports are open for external access, when starting with a private server gateway configuration.

There are less services to disable and less ports to open if you start with a default server gateway configuration.

Keep in mind that the server manager panel allows you to enable or disable functionality, and appropriate ports are automatically opened in the firewall only if they are required. So in gateway server mode, by default not all ports are open anyway, they only get opened if you enable the functionality.

So if the function (ie service) is not enabled, then additional ports will also not be opened.
The ports that are open, will ultimately depend on what you enable, either using a server gateway or a private server gateway configuration.
I believe you will have less work to do starting with a server gateway config.
By using the command mentioned earlier you can see which services are enabled or disabled, and then issue appropriate db commands to disable those you don't want running and don't want to be publicly accessible (and in the process automatically close any associated ports).

Title: Re: Private Server and Gateway mode enable email
Post by: zatnikatel on July 28, 2008, 09:40:45 AM
To explain the easy way, and not going into too much detail: server only mode means it is a file and printer server only; when you change it over to server and gateway it does the whole lot.
The way SME works, you could not do it with a command line; it is the way the templates system works.
And if you want to make sure it is locked down, edit the masq and lock out the ports you don't want, or make up your own iptables firewall script to deny the ports you don't want open and add the script to the /etc/rc.d/rc.local file; that is like the autoexec.bat file in Windows.

The way you want to do it may be possible, but I would not know how to do it, and as I said, the way SME works, if it was possible there would be way too much work.
You are using Smoothwall; why not just forward only the ports needed to SME, say just 110, 25 and 443 if you want imap.

If I was you I would not bother; set it up in server and gateway mode. SME is very secure, just remember to use strong passwords and you will be fine. Over the many years I have used SME I have never been hacked once, nor have any of my clients, so there is nothing to be worried about.
Title: Re: Private Server and Gateway mode enable email
Post by: arne on July 28, 2008, 03:14:37 PM
The SME server is actually built to give the perfect answer to what JoshuaR asks for, using its automated functions.

You can decide exactly which services and functions shall be available to the internet using a few shell based functions that are a part of the SME server.

When I tested these things I used the standard gateway server as the starting point, and then I closed down external access as required.

What I have not tested is to use the private gateway server as the starting point and then to open up for services as required. I guess it will work too.

I send the link describing how to do this via shell based SME configuration tools once more:

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual:Section4

See note about: Creating firewall pinholes for your application


Someone claimed above that this method will only work for the firewall. This is incorrect. It will take care of all problems related to the service and it is a part of the SME server automated configuration tools, even though it is text based.

To apply a new firewall via /etc/rc.d/rc.local is generally a bad idea. The reason for this is that the SME server automated firewall configuration tool will try to override the firewall you try to apply yourself. If one chooses this method, there will be a lot of things to take into consideration.

JoshuaR actually only asks for something that can be taken care of via standard SME server text based configuration tools.

Question: Is the link I supplied really the right one or did I find the info about how to set the text based parameters somewhere else .. ?
(At least I am 100 % sure I have been using a text based SME configuration tool that can make individual services available for internet or LAN.)

Here is something more as well about how to set DBs:

http://wiki.contribs.org/SME_Server:Documentation:FAQ#DB_Settings

The point is that these commands will not only work on new services, but I think you can also use them to set up individual settings for each of the services that are built into the SME server. Takes a while to learn to use.


As mentioned by mary above:

config show

or config show |more

This will show the configuration status, and from there it should be possible to apply changes to the different parameters. I have not tried this (with the private gateway as the starting point), but I would guess it should work to start with a private gateway, and then just open for external access for a few services.

Title: Re: Private Server and Gateway mode enable email
Post by: zatnikatel on July 28, 2008, 11:21:36 PM
The rc.local will work because it is the last thing that is started; the SME masq is started before the rc.local file. But it was just an idea to try.
But you are correct, he wants to do it the SME way.

I have used the rc.local for iptables black hole settings.
Title: Re: Private Server and Gateway mode enable email
Post by: JoshuaR on July 29, 2008, 08:46:49 AM
Quote
See note about: Creating firewall pinholes for your application
I'm at work so I haven't had a chance to look at that in depth...but from a cursory glance it seems to be what I'm looking for.  :smile:

I'll have a look into it and post back later on how it goes.

Thanks for the responses everyone.    :-D
Title: Re: Private Server and Gateway mode enable email
Post by: janet on July 29, 2008, 10:26:01 AM
JoshuaR

You do not need to manually poke holes in the firewall by playing with masq.
Issuing the correct commands to enable mail services for public access, will also open the firewall ports required.

Here is an example of one command you will likely need to run (coming from private server gateway mode)

config setprop qpsmtpd access public
signal-event post-upgrade
reboot

You need to check what else will need changing with
config show |more
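
Added example, not part of the thread and not SME Server's own tooling: a small shell filter for the `config show` review described in the post above, listing the enabled services and picking out those set to public access. It assumes `config show` prints each entry as `name=type` followed by indented `prop=value` lines; the sample input is constructed and the function names are hypothetical.

```shell
# Constructed sample, in the layout `config show` is assumed to print:
# "name=type" at column 0, then indented "prop=value" lines.
sample_config_show() {
cat <<'EOF'
DomainName=example.com
httpd-e-smith=service
    TCPPort=80
    access=private
    status=enabled
qpsmtpd=service
    TCPPort=25
    access=public
    status=enabled
sshd=service
    TCPPort=22
    access=public
    status=disabled
EOF
}

# Reads `config show` output on stdin; prints "name access port"
# for every entry of type "service" whose status is "enabled".
list_enabled_services() {
    awk '
        function emit() {
            if (type == "service" && p["status"] == "enabled")
                print name, (p["access"] != "" ? p["access"] : "unset"), (p["TCPPort"] != "" ? p["TCPPort"] : "-")
        }
        /^[^ \t]/ {                      # new entry: report the previous one
            emit(); split("", p)
            i = index($0, "="); name = substr($0, 1, i - 1); type = substr($0, i + 1)
            next
        }
        /^[ \t]+[^=]+=/ {                # indented property of the current entry
            line = $0; sub(/^[ \t]+/, "", line)
            i = index(line, "="); p[substr(line, 1, i - 1)] = substr(line, i + 1)
        }
        END { emit() }
    '
}

# Names of enabled services whose access property is "public".
list_public_services() {
    list_enabled_services | awk '$2 == "public" { print $1 }'
}

sample_config_show | list_enabled_services
```

On the server itself the input would come from `config show | list_public_services` instead of the sample.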
Title: Re: Private Server and Gateway mode enable email
Post by: zatnikatel on July 29, 2008, 11:23:42 AM
Sorry mary,
I am a bit old school with Linux, back with the old ipchains then iptables. I started off with Red Hat 4, I think it was, so sometimes I forget about the DB commands that SME server has and do it the old way. So I love the CLI; I only use a GUI for, say, games on Linux and writing up documents.