Koozali.org: home of the SME Server

Secure SMTP with authentication

EnglishRob

Secure SMTP with authentication
« on: February 22, 2006, 12:18:38 PM »
Hi folks,

My server is currently running SME Server 6.01 and acting as mail server so I can send and receive e-mails using the webmail when I'm at work.

I'm having a bit of a problem figuring out the SMTP side of things though.  My previous ISP provided me with an SMTP server to use for sending mail.  This worked fine, it would send mail out from the server without any problems.  I've since changed my ISP (to AOL) and although they do provide SMTP, they seem to block any outgoing e-mails that aren't from an aol.com e-mail address.

To get round this problem, I've recently got some basic web hosting with a pop3 e-mail account and smtp.  The problem is, it appears that this SMTP server will only allow me to send connections using SMTP over SSL and I also need to give it a username and password.  This isn't a problem when I'm at home using Thunderbird, but it means that I won't be able to send mail from the webmail side of things.

I was wondering, is there a way of specifying a username and password for the SMTP server?

Rob

christian
Secure SMTP with authentication
« Reply #1 on: February 25, 2006, 05:03:05 PM »
Seeing as no one else has yet responded, I'll give it a try. Mind you I fumble through most of my changes so use this as a starting point.

I had the same problem ages ago and switched to having my server use my ISP's smtp server. I am able to set any from address I want from internal clients or webmail. This should also eliminate those annoying "residential IP address" bounces.

In server manager -> email set the delegate smtp server to your ISP's smtp server. In my case it was "smtp.broadband.rogers.com".

From here you will also have to log in to your ISP's smtp server; I believe the key is the smtp-auth-proxy.

Here is mine with mods to protect my account:

# /sbin/e-smith/db configuration show smtp-auth-proxy
smtp-auth-proxy=service
Passwd=mypassword
Userid=myoutboundaccount@rogers.com
status=enabled

In case you are not familiar with db, leave off params and it will give you the commands. In this case you should enter the following:

/sbin/e-smith/db configuration setprop smtp-auth-proxy Passwd mypassword Userid myISPsuserId status enabled

Be careful, it is case sensitive, and also ensure you set your user id as per your ISP's instructions. It should be the same as what you would do for your email client.

Note, I created a special secondary email account just for outbound email from SME as Rogers (my ISP) seems to get confused if two clients login to the same account.

It's probably a good idea to restart the smtp-auth-proxy service via:

/etc/init.d/smtp-auth-proxy restart

Our more learned friends can correct me from here :-)


-Christian
SME since 2003

EnglishRob

Secure SMTP with authentication
« Reply #2 on: February 26, 2006, 07:04:14 PM »
Are you using SME Server 6.01?

I can't seem to find the smtp-auth-proxy file in /etc/init.d

I also tried using the command /sbin/e-smith/db configuration show smtp-auth-proxy but it doesn't come up with anything.

I also have a Debian server which I have tried setting up to relay mail from the SME Server to my e-mail provider, but I just can't seem to find anything relating to this that works.

Rob

christian
Secure SMTP with authentication
« Reply #3 on: February 26, 2006, 09:16:03 PM »
Nope. I'm on 6.1 (the official Mitel distro) which I think is closer to SME 6.5.

I just did a quick search in the groups and noted that smtp-auth-proxy wasn't in 6.0.1.

While I haven't yet ventured off of the Mitel distros, I suspect an upgrade to 6.5 from 6.0.1 is likely painless as I don't believe the changes are significant to the base. Just check with others. In my case going from 6.0 to 6.1 was completely painless though my server is quite augmented.

Also in another thread they suggested using:
/sbin/e-smith/signal-event email-update

as opposed to my smtp-auth-proxy restart suggestion. I'm sure signal-event is more comprehensive.

I'm off to Holland and the UK tonight so I likely won't be responding for about a week.

-Christian
SME since 2003

CharlieBrady
Re: Secure SMTP with authentication
« Reply #4 on: February 27, 2006, 04:42:40 PM »
Quote from: "EnglishRob"

 The problem is, it appears that this SMTP server will only allow me to send connections using SMTP over SSL and I also need to give it a username and password.  This isn't a problem when I'm at home using Thunderbird, but it means that I won't be able to send mail from the webmail side of things.

I was wondering, is there a way of specifying a username and password for the SMTP server?


SME 6.5 and 7.0 (and Mitel's 6.1) use a proxy to provide authentication support for upstream SMTP relaying, because qmail doesn't include that feature. The proxy, however, doesn't support connections over SSL. I'd suggest you use the Bug Tracker, and open a New Feature Request in the "SME Server Future" section.

EnglishRob

Secure SMTP with authentication
« Reply #5 on: February 27, 2006, 04:56:38 PM »
Thanks,

I'll post a feature request.

Rob

Ness
Secure SMTP with authentication
« Reply #6 on: March 13, 2006, 06:07:33 PM »
Awakening this older thread...

I also use Mitel's official distro.

Using Outlook, I set the Outlook SMTP settings to be my (SME) server's SMTP engine. Mails to AOL accounts eventually bounce after a series of deferrals. qmail/current shows:

2006-03-13 16:41:48.770256500 starting delivery 4551: msg 4218966 to remote mailaccount@aol.com
2006-03-13 16:41:49.076680500 delivery 4551: deferral: Connected_to_205.188.158.121_but_greeting_failed./Remote_host_said:_554-_(RTR:SC)__http://postmaster.info.aol.com/errors/554rtrsc.html/554-_AOL_does_not_accept_e-mail_transactions_from_IP_addresses_which/554-_generate_complaints_or_transmit_unsolicited_bulk_e-mail./554__Connecting_IP:_my.static.ip.address

So, after I contacted PIPEX, (my ISP) they recommended I use their SMTP servers. So I configured my Outlook SMTP settings to point to PIPEX's SMTP engine, with authentication using the correct username and password pair.

AOL emails still fail with an identical error. Doh!

Why does AOL see the email coming from my IP when I thought it should be seen as from my ISP (PIPEX).

There was 'rumour' that I'd need PIPEX to set up Reverse DNS for me, and it seems they did this. I used www.dnsreport.com to lookup my domain and it appears that it is enabled:

PASS
Reverse DNS entries for MX records OK.
The IPs of all of your mail server(s) have reverse DNS (PTR) entries.
The reverse DNS entries are:
MyIPAddressBackwardd.in-addr.arpa MyIPAddressFowards.dsl.pipex.com. [TTL=7200]


Note: Before I moved to PIPEX, I was at BT and had the same/similar problem. It was only overcome when we were able to get BT to contact AOL and they seemed to work it out, but I did nothing here.

Hope anyone can assist?

Chris
Chris Elliott - SME Server user and helper

CharlieBrady
Secure SMTP with authentication
« Reply #7 on: March 13, 2006, 06:16:35 PM »
Quote from: "Ness"

So, after I contacted PIPEX, (my ISP) they recommended I use their SMTP servers. So I configured my Outlook SMTP settings to point to PIPEX's SMTP engine, with authentication using the correct username and password pair.

AOL emails still fail with an identical error. Doh!


The SME server has a transparent proxy - it captures any SMTP connection which is directed elsewhere, then processes and delivers the mail itself, using DNS records to determine where to send it. If you want the mail sent via your ISP, you'll need to configure SME server to use your ISP.

Ness
Secure SMTP with authentication
« Reply #8 on: March 13, 2006, 06:39:54 PM »
Surely not as easy as that Charlie!?

Just did as you suggested and 'seems' ok so far....

So, do I only have to use the username and password for the PIPEX SMTP server when I am using the client to send mails? I see that if I don't use the user/password in the SME server settings, (server-manager > Email) mails do get to their destinations, even with no authorisation.

Is there logic that I'm not understanding, Charlie?

Thanks though!

Chris
Chris Elliott - SME Server user and helper

christian
Secure SMTP with authentication
« Reply #9 on: March 18, 2006, 05:51:08 PM »
Hi Chris,
Strange that it is working. Is email still getting to AOL with this method? If so perhaps your ISP's SMTP server doesn't need Authentication or perhaps your password is null.

Anyway, the method I indicated at the top of this thread should work for you. Perhaps you already did this and that is why it works? Check the DB field and check.

As Charlie says, by default the server will trap anything going through it on the SMTP port and re-issue it. If you have not set the field "Address of Internet provider's mail server" to your ISP's smtp address then the SME is sending the email directly (and AOL should bounce). If you have set it and you need Auth, then you will need the smtp-auth-proxy setting as per the beginning of this thread.

By setting it this way, even webmail will work.
SME since 2003

Ness
Secure SMTP with authentication
« Reply #10 on: March 18, 2006, 09:18:33 PM »
Thx Christian for your note.

Looks like PIPEX don't need auth as (I suspect) they look at my IP and know I'm one of theirs!

So, yes, AOL mail now getting through, which is a bonus.

Chris
Chris Elliott - SME Server user and helper

firedrake55

Secure SMTP with authentication
« Reply #11 on: March 25, 2006, 03:39:59 AM »
I am setting up SME (6.5) for the first time and having trouble with my outgoing email.  I have my smtpsmarthost set to my ISP's SMTP server and my mail was being returned with the message: Connected to 206.46.232.12 but sender was rejected./Remote host said: 550 5.7.1 Authentication Required.  Once I found this post I set up the smtp-auth-proxy with my user id and password, now my mail is returned with the message: Connected to 127.0.0.1 but sender was rejected./Remote host said: 550 5.7.1 Use fully qualified domain name/.  Any ideas?

firedrake55

Secure SMTP with authentication
« Reply #12 on: March 25, 2006, 08:58:03 AM »
I think I figured out what the problem is, but I don't know how to fix it.  It's my understanding that the smtp-auth-proxy captures the output from qmail and adds the auth info to it before sending it to my ISP's smtp server.  The problem seems to be that my ISP requires the use of the EHLO handshake, but qmail is sending a HELO handshake.  I've verified this by telnetting to localhost 26 (the smtp-auth-proxy) and sending emails with the EHLO and HELO handshakes....only the EHLO ones go through.  So, how do I change qmail's handshake method?

christian
Secure SMTP with authentication
« Reply #13 on: March 25, 2006, 11:14:19 PM »
Just to be sure did you set the following?

In server manager -> email set the delegate smtp server to your ISP's smtp server. In my case it was "smtp.broadband.rogers.com"

and restart the service?
SME since 2003

firedrake55

Secure SMTP with authentication
« Reply #14 on: March 26, 2006, 01:31:58 AM »
Yes, I adjusted my server-manager, email settings to point to my ISP.  

These are the exact steps I used:
In server-manager->email, I set my ISP's SMTP server in the delegate server field and saved my settings.
I then logged in as root and set up the smtp-auth-proxy with

./config setprop smtp-auth-proxy Passwd mypassword Userid myuserid status enabled

I've tried both MyUserID and MyUserID@myISPsDomain.net and both seem to work the same way.

When I type ./config show smtp-auth-proxy I get the following:
smtp-auth-proxy=service
Debug=0
Passwd=mypassword
Userid=myuserid
status=enabled

I then restart services using both ./signal-event email-update
and by restarting the mail services in /etc/init.d

I can see that /var/qmail/control/smtproutes contains :localhost 26 just as it should since I am using the auth-proxy now.

So, I believe I have everything setup correctly, but my emails are all returned with the failure notice: Connected to 127.0.0.1 but sender was rejected./Remote host said: 550 5.7.1 Use fully qualified domain name/.

I discovered that if I telnet to localhost 25 and use smtp over telnet to send an email, I get the same result. If I bypass qmail by telnetting to localhost 26 (the smtp-auth-proxy), and use smtp over telnet to send an email, I get the same result if I use the HELO handshake. BUT, if I use the EHLO handshake, the email is delivered correctly.
This would lead me to believe that qmail is sending HELO when my ISP will only accept EHLO.

I want to either make qmail send EHLO, or make the smtp-auth-proxy suppress the HELO that qmail sends.

If anyone has any suggestions on how to do this, they are greatly appreciated.
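
The HELO-versus-EHLO test described in the post above, as an added example that is not part of the original thread: a small Python probe greets a server each way, attempts MAIL FROM, and reports the reply code and whether the AUTH extension was advertised. `MockRelay` is a constructed stand-in that imitates the rejection quoted in the post; `probe`, `run_demo` and the `client.example` names are assumptions made for the example.

```python
import smtplib
import socketserver
import threading

class MockRelay(socketserver.StreamRequestHandler):
    """Constructed relay: accepts MAIL FROM only in a session opened with EHLO."""
    def handle(self):
        self.wfile.write(b"220 mock.example ESMTP\r\n")
        extended = False
        for raw in self.rfile:
            verb = raw.decode("ascii", "replace").strip().upper()
            if verb.startswith("EHLO"):
                extended = True  # extensions such as AUTH are only listed here
                reply = b"250-mock.example\r\n250 AUTH PLAIN LOGIN\r\n"
            elif verb.startswith("HELO"):
                reply = b"250 mock.example\r\n"
            elif verb.startswith("MAIL"):
                reply = (b"250 ok\r\n" if extended else
                         b"550 5.7.1 Use fully qualified domain name\r\n")
            elif verb.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"502 not implemented\r\n"
            self.wfile.write(reply)

def probe(host, port, greeting, name="client.example"):
    """Greet with HELO or EHLO, try MAIL FROM; return (reply_code, auth_offered)."""
    with smtplib.SMTP(host, port, local_hostname=name, timeout=5) as conn:
        if greeting == "EHLO":
            conn.ehlo()
        else:
            conn.helo()
        code, _ = conn.docmd("MAIL", "FROM:<sender@client.example>")
        return code, conn.has_extn("auth")

def run_demo():
    """Run both greetings against the mock relay on an ephemeral local port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockRelay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {g: probe("127.0.0.1", port, g) for g in ("HELO", "EHLO")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Calling `probe("127.0.0.1", 26, "HELO")` on the SME server repeats the telnet test against the smtp-auth-proxy port mentioned in the thread.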