Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: mistere on May 04, 2009, 04:21:30 PM

Title: Stopping external email receipt for SME 7.4
Post by: mistere on May 04, 2009, 04:21:30 PM
I have a SME 7.4 system that is using a dyndns domain.  I'm receiving only spam because all legitimate email is retrieved via fetchmail.  I need to shut down the receipt/relay of email for all external users but still allow LAN users to send mail.  I tried this without success:

config setprop smtpd access private
config setprop smtpd AllowHosts 10.1.1.0/24
signal-event email-update
signal-event remoteaccess-update

(I did not reboot figuring that was unnecessary.)
Is this the correct approach?
If not, what do I need to do to stop the direct receipt of email from the WAN?

Thanks,
Mistere (AKA: Eric)

Title: Re: Stopping external email receipt for SME 7.4
Post by: mistere on May 04, 2009, 09:09:05 PM
I'm not sure but it appears I may have answered my own question.

The emails have stopped although they kept arriving for as much as an hour after I made the above referenced changes.  I don't know why that would be but nevertheless it appears to have worked.
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 06, 2009, 01:03:53 AM
I've been trying to reduce spam on our server so I used this command to limit connection from our upward mail server (a paid store and forward service). Now I need to revert this change because it is causing me some issues with remote users.

How do I "delete" the AllowHost entry in the smtps configuration?
Alternatively, how do I do AllowHost= any  ?

Thanks
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 06, 2009, 03:12:40 AM
doublecaps

Please learn about the db command and its usage.
At a command prompt type
db
and you will see the syntax required.
Also read the Howtos as there are a couple of good articles there re db commands.
On sme 7.x you can ignore the /sbin/e-smith part as it's not needed.
Also note that
config xxxx yyyy
is a shortcut for
db configuration xxxx yyyy
(Only applicable for the configuration database in /home/e-smith/db)
All other databases need to be specifically referred to in commands eg
db domains xxx yyy
Apply that to many examples shown in the wiki and forums etc, and you should get a good understanding of how the db command works and how to apply and use it.
Keep in mind that deleting an entry does not necessarily mean no value for that entry exists anymore, as default values will usually apply in the absence of a specific db entry. The template code can be reviewed to see what db settings have default values, where no specific db setting exists.
eg
To delete all AllowHosts entries (and allow default values to apply ie in this case allow all) do
config delprop smtpd AllowHosts
signal-event email-update
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 06, 2009, 06:26:21 AM
doublecaps

Quote
I've been trying to reduce spam on our server so I used this command to limit connection from our upward mail server (a paid store and forward service).

You would do far better to use sme as designed.
Run your own domain based mail server and receive email directly for your domains (or multiple domains if required).

That way spam and virus filtering etc will work much better using the built in features of sme ie spamassassin, RBL, clamav, executable content filtering, etc.
These need to be applied to mail received directly from the source sender, and will not be particularly effective on forwarded mail etc for various technical reasons.

With today's relatively cheap & fast broadband connections there is generally no technical reason not to run your own mail server.
Title: Re: Stopping external email receipt for SME 7.4
Post by: CharlieBrady on August 07, 2009, 06:49:53 PM
Quote
I tried this without success:

config setprop smtpd access private
...
signal-event email-update

If that did not stop SMTP arriving on your WAN connection then you should open a bug report, providing full details.
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 12, 2009, 12:09:53 AM
Quote
Keep in mind that deleting an entry does not necessarily mean no value for that entry exists anymore, as default values will usually apply in the absence of a specific db entry. The template code can be reviewed to see what db settings have default values, where no specific db setting exists.
eg

Where do I verify what the default and current values are?
I deleted the entry with the command you suggested and signaled an update but there is no change. It still only receives from that IP address.
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 12, 2009, 12:31:57 AM
I found this in the DB Variables Configuration page http://wiki.contribs.org/DB_Variables_Configuration#smtpd

AllowHosts  --src ..... --jump ACCEPT  Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is enabled and public. 

does 0.0.0.0 mean Any address in this case?


Code:
config delprop key prop
/etc/e-smith/events/actions/initialize-default-databases
If I run the initialize-default-databases, will that reset ALL databases to default? I just need to reset 1 of them.
Any suggestions?

Title: Re: Stopping external email receipt for SME 7.4
Post by: johnp on August 12, 2009, 02:21:33 AM
It would be nice to know what this looks like

Code:
config show smtpd
Title: Re: Stopping external email receipt for SME 7.4
Post by: cactus on August 12, 2009, 08:06:18 AM
Quote
Code:
config delprop key prop
/etc/e-smith/events/actions/initialize-default-databases
If I run the initialize-default-databases, will that reset ALL databases to default? I just need to reset 1 of them.
Any suggestions?

AFAIK it will not reset at all. It is meant to convert existing data to a new format when needed and to add new default values. I don't think existing removed ones will be re-added.

You can however restore a complete database to its default settings using this (taken from: http://wiki.contribs.org/Adding_Software#Restoring_Default_Yum_Repositories ):
Code:
cd /home/e-smith/db/
mv database database.po
/etc/e-smith/events/actions/initialize-default-databases
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 12, 2009, 01:11:29 PM
cactus

Quote
Code:
cd /home/e-smith/db/
mv database database.po
/etc/e-smith/events/actions/initialize-default-databases

I think that should be followed by
Code:
signal-event post-upgrade; signal-event reboot
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 12, 2009, 01:14:42 PM
doublecaps

Quote
does 0.0.0.0 mean Any address in this case?

Yes

Please show us the output of
config show smtpd
and
config show ssmtpd
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 12, 2009, 04:46:44 PM
I think I might have solved it. I reentered the commands to delete the entry, sent the update and ran a couple of tests.

Code:
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

ssmtpd=service
    Authentication=enabled
    Instances=10
    TCPPort=465
    access=public
    status=enabled

I did notice though that there is another pre-existing issue.
Remote PCs can only send emails to my domain, but can't send to other domains. This is because relaying is blocked.
Quote
      Subject:   TEST
      Sent:   8/11/2009 9:31 PM

The following recipient(s) cannot be reached:

      'davide.picone@gmail.com' on 8/11/2009 9:31 PM
            550 Relaying denied (#5.7.1)
I don't want to enable relaying for obvious reasons. So I'm looking for alternatives.

I should be able to address the issue with authentication but I need some clarification before I make the change.
Is it possible to configure authentication for the Public interface only?
Is it possible to enable authentication but not force it?
In other words, check if a client can authenticate; if it can't, allow it to connect anyway. This would allow me to move in the right direction without needing to reconfigure 150 PCs at once.
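
Added example (not part of any post in this thread): a small Python audit of `config show` output like the listing above, applying the default quoted from the wiki earlier in the thread (no `AllowHosts` on an enabled, public service means `0.0.0.0/0`). The sample text is constructed; the function names and the assumption that multiple `AllowHosts` entries are comma-separated are this example's own.

```python
import ipaddress

# Constructed sample in the format of the `config show smtpd` / `config show ssmtpd`
# output posted in the thread (properties trimmed to the ones the audit reads).
SAMPLE = """\
smtpd=service
    Authentication=disabled
    TCPPort=25
    access=public
    status=enabled

ssmtpd=service
    Authentication=enabled
    TCPPort=465
    access=public
    status=enabled
"""


def parse_config_show(text):
    """Parse `key=type` records followed by indented `prop=value` lines."""
    records, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        name, sep, value = raw.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"property before any record: {raw!r}")
            records[current][name] = value
        else:
            current = name
            records[current] = {"type": value}
    return records


def wan_sources(props):
    """External networks allowed to connect, per the wiki line quoted in the thread."""
    if props.get("status") != "enabled" or props.get("access") != "public":
        return []  # disabled, or private: nothing accepted from the WAN
    hosts = props.get("AllowHosts", "0.0.0.0/0")  # default when enabled and public
    # Assumption: several entries are separated by commas.
    return [ipaddress.ip_network(h.strip(), strict=False)
            for h in hosts.split(",") if h.strip()]


def audit(text):
    """Summarise WAN exposure and remote relay policy for each service record."""
    report = {}
    for name, props in parse_config_show(text).items():
        if props.get("type") != "service":
            continue
        nets = wan_sources(props)
        auth = props.get("Authentication") == "enabled"
        relay = ("authenticated only" if auth else "denied") if nets else "unreachable"
        report[name] = {
            "port": int(props["TCPPort"]) if "TCPPort" in props else None,
            "wan_sources": [str(n) for n in nets],
            "open_to_any": any(n.prefixlen == 0 for n in nets),
            # Per the thread: relay to other domains needs an authenticated client.
            "remote_relay": relay,
        }
    return report


if __name__ == "__main__":
    for service, finding in audit(SAMPLE).items():
        print(service, finding)
```

A leftover `AllowHosts` entry shows up as a narrow `wan_sources` list with `open_to_any` false, which matches the "only receives from that IP address" symptom described earlier in the thread.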

Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 12, 2009, 05:30:55 PM
doublecaps

Quote
Remote PCs can only send emails to my domain, but can't send to other domains. This is because relaying is blocked.

Usually remote PCs would/should be configured to send via their remote ISP's smtp server, rather than sending via your sme server's smtp server.

If you do wish to send via your sme server's smtp server, then you WILL need to authenticate, because as you say, relaying is not allowed by default.

You enable external authentication in server manager Email panel
ie Allow SSMTP
and configure your email clients appropriately

See also the Email FAQ
to force everyone on LAN to use authentication, this prevents virus infections from being able to send email via your server even if they infect PC's on the LAN

http://wiki.contribs.org/SME_Server:Documentation:FAQ#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network
and here
http://wiki.contribs.org/SME_Server:Documentation:FAQ#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients


Note that Remote unauthenticated access to your smtp server is not permitted.
It's either no access or secure authenticated access.

The simple answer initially is just to reconfigure remote email clients to send via the local ISP's smtp server.
Title: Re: Stopping external email receipt for SME 7.4
Post by: CharlieBrady on August 12, 2009, 05:40:28 PM
Quote
Note that Remote unauthenticated access to your smtp server is not permitted.
It's either no access or secure authenticated access.

No, remote unauthenticated access to smtp server is the usual way for mail to be delivered. Relay is not permitted unless the client authenticates, and the client should authenticate over an ssmtp (encrypted) connection, not smtp.
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 13, 2009, 06:28:12 AM
Charlie

Thank you for the "correction".
I should have more accurately said:

Note that Remote unauthenticated relay via your smtp server is not permitted.
It's either no access or secure (ssmtp) authenticated access.
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 13, 2009, 09:02:56 PM
If you noticed the configuration I noted in the previous post, Authentication for ssmtp is enabled while for smtp it's disabled.

Can I assume you use smtp and ssmtp independently ?

If I change one of the remote PCs to use ssmtp, would it work without changing any other config?
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 14, 2009, 12:42:02 AM
doublecaps

Quote
Can I assume you use smtp and ssmtp independently ?

Yes

Quote
If I change one of the remote PCs to use ssmtp, would it work without changing any other config?

Yes, it should do as long as ssmtp is enabled in server manager as previously advised.
ie the email client settings are (depending on your email client)
Outgoing Mail Server
tick the box for My Server Requires Authentication
Note - Do not tick the box for Logon using secure password authentication

Also you will need to change the ports
ie for IMAP
Outgoing Mail (SMTP) port 465
Also tick the box for This server requires a secure connection (SSL)
Incoming mail (IMAP) port 993
Also tick the box for This server requires a secure connection (SSL)

Note that you will only be able to relay messages via your sme server if you do use ssmtp (ie send messages to other domains via your smtp server).

Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 18, 2009, 04:17:50 PM
SSMTPS is already enabled, so I changed my client and I'm able to connect, send, receive. However I'm still not able to relay to other domains.
Code:
ssmtpd=service
    Authentication=enabled
    Instances=10
    TCPPort=465
    access=public
    status=enabled

smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

Your message did not reach some or all of the intended recipients.

      Subject:   TEST
      Sent:   8/11/2009 9:31 PM

The following recipient(s) cannot be reached:

      'davide.picone@gmail.com' on 8/11/2009 9:31 PM
            550 Relaying denied (#5.7.1)
Any suggestions?
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 18, 2009, 06:29:50 PM
doublecaps

Try logging in to the sme webmail, from the same remote location and send to the same recipient
What is the outcome ?

What is the hostname for smtp server in the remote email client ?
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 26, 2009, 07:32:45 PM
Mary,

I tried what you suggested. Webmail can relay without problems while outlook client can't relay.

Any suggestions?
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 26, 2009, 09:21:08 PM
doublecaps

So it's not a problem with the server sending mail.

What are the settings in your remote email clients for Outgoing and Incoming mail servers ?
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 27, 2009, 04:21:20 AM
doublecaps

Is your remote email client really configured to authenticate, and is using the correct ports and correct servers ?
Please check all settings in this post
http://forums.contribs.org/index.php/topic,43999.msg214781.html#msg214781
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 27, 2009, 04:23:03 PM
Yes I believe it's configured correctly, but just to review:

Outlook 2007
Outgoing connection:
   My Server Requires Authentication - Checked
   Log in to incoming mail server before sending mail - Checked
   Require Secure Password Authentication (SPA):  NOT CHECKED
Advanced:
   POP3 Port: 995
   This Server requires an encrypted connection (SSL) - Checked
   Outgoing server (SMTP): 465
   Use the following type of encryption: SSL

Title: Re: Stopping external email receipt for SME 7.4
Post by: johnp on August 27, 2009, 04:54:42 PM
Is this the only account set up in Outlook?
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 27, 2009, 09:49:06 PM
There are multiple accounts set up in Outlook but I always use the default one.
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 28, 2009, 05:24:19 AM
doublecaps

You did not answer:
What are the settings in your remote email clients for Outgoing and Incoming mail servers  ?
ie for the default account at least, which I assume is the one people are using to send from.
Title: Re: Stopping external email receipt for SME 7.4
Post by: johnp on August 28, 2009, 06:57:25 AM
Thanks Mary, for sure it's hard to find the problem when you get half answers to your questions.

Have you tried another email client like Thunderbird with a single account(sme only)? I don't think your sme server is the one giving the 550 error, but I could be wrong.

Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 28, 2009, 01:42:46 PM
I'm not sure what other information you need, the only thing I didn't include are user/password and server address.
This is what I posted earlier
Quote
Yes I believe it's configured correctly, but just to review:

Outlook 2007
Outgoing connection:
   My Server Requires Authentication - Checked
   Log in to incoming mail server before sending mail - Checked
   Require Secure Password Authentication (SPA):  NOT CHECKED
Advanced:
   POP3 Port: 995
   This Server requires an encrypted connection (SSL) - Checked
   Outgoing server (SMTP): 465
   Use the following type of encryption: SSL



I haven't tried with another client. I'll have to download one and try it over the weekend.
I checked the header for the relay message, but it was empty. The from field has no address simply "System Administrator"
Which server log would contain the activity we're trying to diagnose (qpsmtp, qmail) ?
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on August 28, 2009, 01:54:54 PM
doublecaps

Quote
....and server address

Well that's what I am asking for, ie for both incoming and outgoing servers.


Quote
Which server log would contain the activity we're trying to diagnose (qpsmtp, qmail) ?

I'd expect sqpsmtp, if you are truly connecting via ssmtp, but I suspect that may not be the case, so look at qpsmtp too. qmail is also involved in the mail processing chain.
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on August 28, 2009, 05:21:22 PM
the server address is set to mail.wendcopr.com both incoming and outgoing
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on September 05, 2009, 04:53:12 AM
I tried it with Thunderbird and it worked OK.
I was able to relay to other domains.

So I'm back to square one. It appears it's configured correctly but I can't relay using Outlook 2007. Any other suggestions?
Title: Re: Stopping external email receipt for SME 7.4
Post by: CharlieBrady on September 05, 2009, 05:12:17 AM
Quote
I tried it with Thunderbird and it worked OK.
I was able to relay to other domains.

So I'm back to square one. It appears it's configured correctly but I can't relay using Outlook 2007. Any other suggestions?

Use Thunderbird. Don't use Outlook 2007.
Title: Re: Stopping external email receipt for SME 7.4
Post by: johnp on September 05, 2009, 05:34:26 AM
Is your Outlook default your sme server? I think it's not and that is the problem. JMHO
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on September 05, 2009, 06:00:10 AM
doublecaps

Quote
It appears it's configured correctly but I can't relay using Outlook 2007. Any other suggestions?

It seems to be NOT configured correctly, as it's not working.
I suggest you experiment with different settings as you may be misinterpreting something or in fact have something inappropriately set.
Try setting up a totally new account in Outlook.
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on September 05, 2009, 06:06:41 AM
doublecaps

Quote
Any other suggestions?

I have an older version of Outlook which works OK, but the newer version may be different.

Maybe you have something wrong and we'll only detect it if you provide us with ALL settings rather than saying you have it set correctly (which it seems not to be).

In Outlook, Tools, Accounts,
select the default account and click Properties.
Then click on each tabbed page, and review the settings.
Tell us what every setting is set to on every tab page.
Title: Re: Stopping external email receipt for SME 7.4
Post by: doublecaps on September 09, 2009, 05:48:04 PM
How about I just post the images.


(http://lh3.ggpht.com/_4bzxnqYhmcE/SqfH8LrnBMI/AAAAAAAABCk/VtWdNvHyc14/s800/Outlook2.jpg)

(http://lh6.ggpht.com/_4bzxnqYhmcE/SqfH8mJMZFI/AAAAAAAABCo/pcuDK-kVeh8/s800/Outlook1.jpg)

(http://lh5.ggpht.com/_4bzxnqYhmcE/SqfH89jiROI/AAAAAAAABCs/K2KthU6uZ8A/s800/Outlook3.jpg)

(http://lh6.ggpht.com/_4bzxnqYhmcE/SqfH9H26sTI/AAAAAAAABCw/8XfgFZRCuA4/s800/Outlook4.jpg)
Title: Re: Stopping external email receipt for SME 7.4
Post by: CharlieBrady on September 09, 2009, 06:01:41 PM
You have checked "Requires Authentication" but appear not to have provided a username/password.
Title: Re: Stopping external email receipt for SME 7.4
Post by: janet on September 09, 2009, 06:53:47 PM
doublecaps

I agree with Charlie, in addition you need to (typically) put a check next to
Use same settings as my incoming mail server
Title: Re: Stopping external email receipt for SME 7.4
Post by: mercyh on September 09, 2009, 06:58:47 PM
If you check use same settings as my incoming mail server it will provide the user name and password (if the password is saved) as is provided for the POP/Imap server.