Koozali.org: home of the SME Server

Contribs.org Forums => Koozali SME Server 10.x => Topic started by: GadoF on April 01, 2023, 01:48:39 AM

Title: Mail filter External
Post by: GadoF on April 01, 2023, 01:48:39 AM
Dear Community, I hope you can shed some light on how I can forward all outbound email traffic to a set of public IPs/subnets, which is my external email filter. Is this done on the firewall, or can I set this on the Koozali server via CLI? At the same time, can I also do this for inbound email, so that I only allow a specific set of public IPs/subnets?
Title: Re: Mail filter External
Post by: mmccarn on April 01, 2023, 03:04:18 PM
From server-manager:

- Configuration -> E-mail -> Change e-mail delivery settings
--> SMTP Server

From terminal (maybe - I'm just reading back what I entered in server-manager...)

First, display the current values in case something goes wrong...
Code:
  config show SMTPSmartHost
  config show smtp-auth-proxy

...then set the values you want to use. 
* Replace the fields enclosed in <>
* The password is stored in plain text.
Code:
  config set SMTPSmartHost <smtpserver>:<port>
  config set smtp-auth-proxy service Debug disabled Passwd <your-relay-account-password> Userid <your-relay-account> status enabled
  signal-event email-update

Related settings (if your SME server is in "server-gateway" mode)
- The SME will block all outbound SMTP traffic from LAN clients that is not relayed through the SME itself if you enable the SMTP Proxy (Security -> Proxy status ->  SMTP proxy status)

- You can create firewall rules to block incoming traffic
--> incoming SMTP traffic can be restricted by setting 'AllowHosts' for qpsmtpd
  config setprop qpsmtpd AllowHosts <IP1>,<IP2>,<IPRange/xx>

- Creating rules to block outgoing traffic is trickier - there is a section of the firewall wiki page about this, but the content may be out of date:
https://wiki.koozali.org/Firewall#Block_outgoing_IPs_or_mac_addresses

If your SME is in server-only mode you could configure the SMTP traffic restrictions in the network firewall...
Title: Re: Mail filter External
Post by: GadoF on April 01, 2023, 09:17:53 PM
Thanks for the response. My external mail filter has several IPs/subnets; how can I set this for the outbound email?
Title: Re: Mail filter External
Post by: ReetP on April 02, 2023, 11:28:45 AM
Thanks for the response. My external mail filter has several IPs/subnets; how can I set this for the outbound email?

Currently you can't.

It would probably take a lot of development work to do some sort of round robin.

Pick one IP and go with it.
Title: Re: Mail filter External
Post by: Jean-Philippe Pialasse on April 02, 2023, 04:31:09 PM
There are 2 ways of sending emails to an external service.

It all depends on whether you still have your users reading emails on your server or on the external service.

Usually such relaying and filtering services offer you a DNS name to use rather than having a list of IPs to contact.

For incoming emails, as said by mmccarn, you can set as many subnets or single IPs as you want, separated by a comma.

If you do so for incoming emails, your users will have to use the implicit TLS service (sqpsmtpd on port 465) to send their mail, as a road warrior might not be on the subnet you declared to be able to use port 25 with explicit TLS submission.
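The AllowHosts list described by mmccarn and Jean-Philippe above is a comma-separated string handed straight to `config setprop`, so a typo (a stray space after a comma, an octet above 255, a /33 prefix) is only discovered when qpsmtpd starts rejecting or accepting the wrong peers. The script below is an added example, not code from the thread or from SME Server: it validates the list before applying it, keeps a copy of the current qpsmtpd settings so the change can be reverted, and falls back to a dry run when the SME `config` tool is not on the machine. It assumes the list only contains IPv4 addresses and IPv4 CIDR ranges, and that `signal-event email-update` (the event the thread uses after the smart host change) is the right event to fire after the qpsmtpd change as well.

```shell
#!/bin/sh
# Added example (not from the thread or the SME Server project): validate a
# qpsmtpd AllowHosts list before running `config setprop` with it.
# Assumption: only IPv4 addresses and IPv4 CIDR ranges belong in the list.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr                          # split on the dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1   # keep the numeric test below in range
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is an IPv4 CIDR range such as 198.51.100.0/24.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    net=${1%/*}
    bits=${1#*/}
    is_ipv4 "$net" || return 1
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#bits} -le 2 ] && [ "$bits" -le 32 ]
}

# Return 0 if $1 is a well-formed AllowHosts value: one or more entries,
# comma-separated, no spaces, no empty entries, each an IPv4 address or CIDR.
validate_allowhosts() {
    list=$1
    [ -n "$list" ] || return 1
    case "$list" in
        ,*|*,|*,,*|*' '*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=,
    set -- $list                          # split on the commas
    IFS=$oldifs
    for entry in "$@"; do
        is_ipv4 "$entry" || is_cidr "$entry" || return 1
    done
    return 0
}

# Validate, back up the current qpsmtpd record, then apply with the commands
# from the thread. Without the SME `config` tool present this is a dry run.
apply_allowhosts() {
    list=$1
    if ! validate_allowhosts "$list"; then
        echo "refusing to apply malformed AllowHosts list: '$list'" >&2
        return 1
    fi
    if command -v config >/dev/null 2>&1; then
        backup="${TMPDIR:-/tmp}/qpsmtpd.config.$(date +%Y%m%d%H%M%S)"
        config show qpsmtpd > "$backup"   # same form as `config show` in the thread
        echo "previous qpsmtpd settings saved to $backup"
        config setprop qpsmtpd AllowHosts "$list"
        signal-event email-update         # assumed: same event as for the smart host
    else
        echo "dry run: config setprop qpsmtpd AllowHosts $list"
        echo "dry run: signal-event email-update"
    fi
}

# Constructed sample: two documentation addresses and one documentation range.
# apply_allowhosts "203.0.113.10,203.0.113.11,198.51.100.0/24"
```

Run it as root on the SME box once the list validates; if the change locks out a peer you did not expect, the saved `config show qpsmtpd` output holds the previous AllowHosts value to restore with `config setprop`. Road-warrior clients, as Jean-Philippe notes, still need to submit on port 465 rather than port 25 after this change.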
Title: Re: Mail filter External
Post by: ReetP on April 02, 2023, 05:29:00 PM
Usually such relaying and filtering services offer you a DNS name to use rather than having a list of IPs to contact.

Yes that occurred to me some time later!!