Koozali.org: home of the SME Server

Filter outgoing mail?

Offline raem

  • *
  • 3,972
  • +4/-0
Re: Filter outgoing mail?
« Reply #15 on: October 12, 2007, 02:26:21 PM »
gippsweb

Please let us know if the procedures suggested do in fact stop the spam coming from that PC when you reconnect it (without having cleaned it as yet, of course).
...

Offline gippsweb

  • ****
  • 232
  • +0/-0
    • Wots I.T.?
Re: Filter outgoing mail?
« Reply #16 on: October 14, 2007, 06:07:11 AM »
That looks like it may have worked Ray  :-P The daily report shows 3246 email and 3246 blocked due to non conformance.
It appears we have had a win.
Thank you both Ray an mmcarn for your advice. Now to formatting this customers PC and reinstalling the OS, there is just no cleaning this one.....

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #17 on: September 13, 2008, 02:02:48 AM »
Sorry to resurrect an old post... but the instructions on the link did not work for me with 7.3 and latest updates (as of today).

I had to do the following, it didn't work otherwise:
Code: [Select]
config setprop smtpd Authentication enabled
signal-event email-update

http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.

Can anyone enlighten me on what upcoming trouble I have set myself up for?

p.s. Outlook 2007 sucks hard!



gippsweb

Wrong key, it should have been qpsmtpd. Leave it disabled, so do

config setprop smtpd Authentication disabled
signal-event email-update



Offline gippsweb

  • ****
  • 232
  • +0/-0
    • Wots I.T.?
Re: Filter outgoing mail?
« Reply #18 on: September 13, 2008, 02:19:25 AM »
config setprop qpsmtpd Authentication enabled
signal-event email-update

should be the key to locking down your network internally.
not the one you tried, as that is the same mistake I made just as you have pointed out in your post...

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #19 on: September 13, 2008, 02:23:21 AM »
Ok, but I did the command with qpsmtpd, it didnt work. I even did the post command and rebooted. It wasn't until after I set smtpd enabled that it worked on the local lan.

Is the instruction on the wiki incorrect? Should it say smtpd instead of qpsmtpd?
If not, why did setting the property for smtpd work when qpsmtpd did not?

Thanks for that super quick response!

Offline gippsweb

  • ****
  • 232
  • +0/-0
    • Wots I.T.?
Re: Filter outgoing mail?
« Reply #20 on: September 13, 2008, 02:56:03 AM »
What is it you are attempting to do?
In my case we do a lot of PC repairs and needed to stop unsolicited mail from any internal PC that wasn't authenticated from leaving the network. (It was upsetting my ISP)..

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #21 on: September 13, 2008, 03:00:22 AM »
All I need to do is overcome the stupid Outlook 2007 smtp auth errors inside the lan.

I have roadwarriors that need to have one setting, smtpauth, regardless of whether they are inside the lan or out. Outlook03 and down work fine, Outlook07 fails. The fixes all over the internet, including this board, say turn off smtpauth on the client, but that won't work for me, because I can't expect my clients to go into the mail account properties and turn on and off the smtpauth on their email account whenever they come in and out of the lan.

Thanks.

Offline gippsweb

  • ****
  • 232
  • +0/-0
    • Wots I.T.?
Re: Filter outgoing mail?
« Reply #22 on: September 13, 2008, 03:18:33 AM »
On mine with auth turned on I can use the secure settings both in and outside my lan.
The only issue I have is on the first check when outlook starts it pops up a message about the security certificate not being correct, but that is because its a self signed cert for my use only.
I could get a cert for it but its not really needed in my situation.

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #23 on: September 13, 2008, 03:20:29 AM »
I don't get that. Of course, I am not using ssl for smtp yet, I don't want to do it until the server is in place for a bit and it I have the kinks worked out, then I will get a cert and enable ssl.

Offline gippsweb

  • ****
  • 232
  • +0/-0
    • Wots I.T.?
Re: Filter outgoing mail?
« Reply #24 on: September 13, 2008, 03:26:41 AM »
If you have done a

config setprop qpsmtpd Authentication enabled
signal-event email-update

then all internal mail will have to pass through the sme mail server. ie; someone who has a home account with there own provider setup behind the sme box on a pc or laptop will not be able to sent mail out of the internal network.

If this is not what you want then leave it disabled.

Road warriors will only be able to connect using ports 465 and 995 with SSL and should be able to do the same internally. If you have set them up using standard type mail settings using ports 25 and 110 they won't be able to connect when on the road..

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: Filter outgoing mail?
« Reply #25 on: September 13, 2008, 03:37:16 AM »
jptechnical

From
http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network.

It says implementing those changes will then cause your system to follow the setting of config::qpsmtpd::Authentication

which is the part that says (in this thread) re a db setting
config setprop qpsmtpd Authentication enabled
signal-event email-update

Are you sure you followed the instructions carefully & accurately ?
Please check what you did again.

Have you also disabled smtp relay for unauthenticated local users ?
See
http://wiki.contribs.org/Email#How_do_I_disable_SMTP_relay_for_unauthenticated_LAN_clients

The whole idea of forcing smtp authentication for local (or external users) is to have secure access to your email system. You need to disable local smtp relay for unauthenticated users ie so users can only use the authenticated connection method.

I suggest/guess that you have not setup your user authentication correctly in the email clients.

From a system where this has been setup & is working:
config show qpsmtpd

qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
    RHSBL=disabled
    RequireResolvableFromHost=no
    SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
    access=public
    qplogsumm=disabled
    status=enabled

config show smtpd
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=disabled
    access=public
    status=enabled
    tnef2mime=enabled

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #26 on: September 13, 2008, 04:17:25 AM »
I broke the forum  :shock:

I only want to add smtpauth inside the lan, I don't want to disable unauth relay (have a couple old coper/printers that scan to email and do not do smtpauth).

That said, the only difference in your config and my own is the addition of smtpd auth enabled. And it presently works. If I disable smtpd auth, it stops working (outlook 2007 throws up authentication error). I don't think it makes me an open relay, I redirected my port25 to this box, and then setup a remote client to send through it, it got relay denied without smtpauth, but then relayed fine with smtpauth back on in the client. *** edit, I redirected the port again and ran the abuse.net relay test, all pass, no relay ***

Since it is now doing exactly what I want it to do, why didn't the instructions to turn on smtp auth work? And, what harm will there be in having smtpd auth enabled in addition to qpsmtpd auth enabled? (Looking at your config and mine, the only difference was smtpd auth enabled and public instead of private)
« Last Edit: September 13, 2008, 04:19:42 AM by jptechnical »

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: Filter outgoing mail?
« Reply #27 on: September 13, 2008, 04:40:29 AM »
jptechnical

Quote
If I disable smtpd auth, it stops working (outlook 2007 throws up authentication error)

As I understand it, all incoming & outgoing mail transactions are handled by qpsmtpd, so I'm not sure why you need to play around with smtpd settings. It suggests something is wrong elsewhere. What does the error message from Outlook exactly say ?

Have you setup your email client correctly to authenticate ?
ie
Configure your email clients to use smtps with authentication:
- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server


Did you enable secure smtp in server manager Email panel ?


Quote
I only want to add smtpauth inside the lan, I don't want to disable unauth relay

OK that's fair enough, it just means both methods will work locally.

Here is the output from another system which does not have smtp authentication enabled.
Note there is no Authentication entry under the qpsmtpd key

config show qpsmtpd

qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    Instances=5
    LogLevel=8
    MaxScannerSize=55000000
    RBLList=zen.spamhaus.org:whois.rfc-ignorant.org
    RHSBL=disabled
    RequireResolvableFromHost=yes
    SBLList=dsn.rfc-ignorant.org
    access=public
    qplogsumm=disabled
    status=enabled


config show smtpd

smtpd=service
    Authentication=disabled
    Instances=10
    InstancesPerIP=2
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    disclaimer=disabled
    status=enabled
    tnef2mime=enabled


You really should disable that smtpd entry ie do
config setprop smtpd Authentication disabled
signal-event email-update
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #28 on: September 13, 2008, 07:20:26 AM »
I copied and pasted the commands for making a new dir and copying the template, didn't forget the period at the end... but I am still cutting my teeth on sme, so I was going completely on trust. I didn't follow the next step of disabling relay because I didn't understand what it was doing or whether or not I could un-do it.

Here you go. Now that smtpd auth is disabled, I get this error on outlook 2007 with smtpauth in the account config, but NOT in outlook 2003 with the same settings.

On the outlook07 with smtpauth turned on in the account settings, I get this error:
http://www.google.com/search?q=0x800ccc80 
http://forums.contribs.org/index.php?topic=38580.0   - no followup
http://forums.contribs.org/index.php?topic=39677.0   - this was a patch in january, but the updates were after April... this get missed in the updates... never made it out of test? Besides, smeserver-qpsmtpd-1.2.1-53.el4.sme.noarch.rpm is listed as the patch, but yum info shows this is the version of qpsmtpd (would have saved 15mins of figuring out how to find that package if qpsmtpd had a -v argument! I gotta learn my around this.)
Code: [Select]
Name   : smeserver-qpsmtpd
Arch   : noarch
Version: 1.2.1
Release: 54.el4.sme

This is on 2 new computers, xpsp2 with no AV on it yet, so there is no chance it is AV related.

On outlook03 with the EXACT same config, it goes through with no issue.

The MINUTE I enable auth in smtpd the error goes away in 07 and the email is delivered... exactly as expected.

Perhaps this is a bug? Maybe something needs to be updated since Outlook07. In any case, the instructions for turning on smtpauth in pqsmtpd do not work with Outlook07. Again... I hate Outlook07!

settings with smtpdauth off
Code: [Select]
[root@sme ~]# config setprop smtpd Authentication disabled
[root@sme ~]# signal-event email-update
[root@sme ~]# config show qpsmtpd
qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
    RHSBL=disabled
    RequireResolvableFromHost=no
    SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
    access=public
    qplogsumm=disabled
    status=enabled
[root@sme ~]# config show smtpd
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

settings with smtpdauth on
Code: [Select]
[root@sme ~]# config setprop smtpd Authentication enabled
[root@sme ~]# signal-event email-update
[root@sme ~]# config show qpsmtpd
qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
    RHSBL=disabled
    RequireResolvableFromHost=no
    SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
    access=public
    qplogsumm=disabled
    status=enabled
[root@sme ~]# config show smtpd
smtpd=service
    Authentication=enabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled
[root@sme ~]#

ooh, I like the scrolling text boxes for code, saves so much page!

Offline jptechnical

  • **
  • 68
  • +0/-0
Re: Filter outgoing mail?
« Reply #29 on: September 13, 2008, 07:37:28 AM »
Just for grins, I did it again:

Code: [Select]
[root@sme ~]# mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
[root@sme ~]# cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
[root@sme local]# cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
cp: overwrite `./05auth_cvm_unix_local'? y
[root@sme local]# signal-event email-update
[root@sme local]# config setprop smtpd Authentication disabled
[root@sme local]# signal-event email-update
[root@sme local]# config show qpsmtpd
qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:list.dsbl.org:multihop.dsbl.org:psbl.surriel.com:sbl-xbl.spamhaus.org
    RHSBL=disabled
    RequireResolvableFromHost=no
    SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org:blackhole.securitysage.com
    access=public
    qplogsumm=disabled
    status=enabled
[root@sme local]# config show smtpd
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

I verified that this is for both relayed messages and messages for local delivery. Again, same result, even after going through the same steps again.