A question about smtp authentication?


tchen
Posts: 12
Joined: Mon May 15, 2006 6:39 pm


Postby tchen » Mon May 15, 2006 7:30 pm

Hi,

I'm new to Scalix and had some problems setting up my smtp.cfg. The problem is that
the server sometimes rejects emails with the information:

The /etc/log/maillog gave me error:
return to sender: User unknown

Here is my smtp.cfg. My initial purpose was to bring up the SMTP authentication stuff,
so that only authenticated persons can send out email. Can anyone help me with it?
My server is Redhat EL4, and I installed the Scalix commercial version 10.0.1. Thanks.

LISTEN_PORT=10025
LISTEN=myhost.myserver.com:25, myhost.myserver.com:10025,localhost:25,localhost:10025
EXTENSIONS=AUTH,DSN,8BITMIME

RELAY accept 127.0.0.1
RELAY accept .mail
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*
AUTH_MISMATCH Reject LOCAL
AUTH_MISMATCH Header mydomail.com
AUTH_MISMATCH Reject ALL
ANONYMOUS Header myhost.mydomain.com
ANONYMOUS Reject .mydomain.com
ANONYMOUS Accept ALL
AUTH_SUCCESS Accept ALL

Thanks so much!

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon May 15, 2006 8:29 pm

tchen wrote: Here is my smtp.cfg. My initial purpose was to bring up the SMTP authentication stuff, so that only authenticated persons can send out email. Can anyone help me with it?


The default rules achieve what you are after without modification. I suggest making your smtpd.cfg look like:


RELAY accept 127.0.0.1
RELAY accept .mydomain.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*


tchen wrote:
LISTEN=myhost.myserver.com:25, myhost.myserver.com:10025,localhost:25,localhost:10025


You don't want localhost listening on port 25. Port 25 on localhost is by default for sendmail. smtpd hands messages destined for external internet addresses to sendmail for it to deliver.

Regards,
Don

EDIT: You'll have to restart smtpd after making these changes.

omoff -wd 0 smtpd
omon smtpd

tchen
Posts: 12
Joined: Mon May 15, 2006 6:39 pm

Postby tchen » Mon May 15, 2006 9:20 pm

Thanks so much Don,
I got rid of the listening on localhost:25 in my smtp.cfg.
A related concern is about sendmail: does this output of netstat -ntlp |grep 25
look right to you?

tcp 0 0 66.7.252.59:10025 0.0.0.0:* LISTEN 6344/omsmtpd
tcp 0 0 66.7.252.59:25 0.0.0.0:* LISTEN 6344/omsmtpd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5762/sendmail: acce



The reason why I tried to modify the default smtp.cfg is that I didn't find anywhere else
to set up the SMTP authentication stuff. It should be a very normal setup. I just want users
to check the authentication box in their Outlook to send out email. How should I do that?
Using the default allows relaying whether I authenticate or not.

I might have some very stupid understanding of some basic concepts, totally new to this, but I have to set up our company's email server reliably. Thanks again!


ctw

Postby ctw » Wed May 31, 2006 5:46 pm

Tchen,

Did you ever solve your authenticated relay problem? If so can you tell me how?

Scalix Support, this really is a major issue. One of the primary reasons for authenticated smtp access is so that you can restrict relaying to your authenticated user community. If you only use domain or address filters, your remote and mobile users cannot reliably relay their mail. I'm currently playing with the freeware version. This is the only major issue standing between me and an order.

Thanks!
Charlie Watt
Racemi

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed May 31, 2006 5:48 pm

This isn't a problem. You just need to get your remote users to authenticate with the SMTP Relay. There are no changes required to the default smtpd.cfg.

Cheers

Dave

ctw

Postby ctw » Wed May 31, 2006 5:59 pm

Forgive my being slow, but I'm missing something. I've already got all my users authenticating to the smtp relay. But I do not see any way to set up the rules such that I can accept relaying from authenticated users and reject relaying from unauthenticated users.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed May 31, 2006 6:01 pm

The "allow relaying for authenticated users" rule is implicit.

Are you using SWA ? If so, you can't reject non-authenticated users as SWA doesn't authenticate on submission (it can only submit after you've signed on so there is no real need for authentication).

Cheers

Dave

ctw

Postby ctw » Wed May 31, 2006 6:09 pm

Dave, Thanks for the quick response. If I understand things correctly, the "allow relaying for authenticated users" is implicit because there is no way to specify the authentication state in the RELAY rules. This also makes unauthenticated relaying implicit. What I need to set up is pretty simple:

allow local delivery to all
allow relaying to authenticated users
reject all other attempts to relay

This cleanly shuts down any attempt by spammers to relay through our system while allowing my users to freely roam. Any way to achieve this?

Thanks!
Charlie

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed May 31, 2006 6:13 pm


RELAY accept 127.0.0.1
RELAY accept .mydomain.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*


The above default rules provide this already.

The line RELAY accept 127.0.0.1 allows relaying from the localhost address.
The line RELAY accept .mydomain.com will allow relaying from any host in the .mydomain.com domain. It also allows messages to be passed to sendmail (for further processing if required) if the recipient address is in the .mydomain.com domain.
Everything else is prevented from being relayed.

A relay attempt is one where there is no matching address in the Scalix SYSTEM directory and the above rules have not been matched.

As mentioned before, if the user has authenticated, they can relay.

The RECIPIENT rules all defeat common techniques for "piggy-backing" external addresses on local ones.

Cheers

Dave

ctw

Postby ctw » Wed May 31, 2006 6:29 pm

Yes, that's my understanding, and that's the problem. Because the rules are based purely upon subnet and domain information, this will not work for two types of users: 1) remote users from home; 2) mobile users.

A remote user working from home via their DSL line and local service provider may have a variable IP address. Their address might even change subnets day to day. I can't use their IP address to enable relaying because it would be an administrative nightmare. A reverse domain lookup isn't much help either as it will show up as their service provider's domain, not our corporate domain. I don't want to enable forwarding for everyone in the remote service provider's domain, as it would enable all the spammers as well. The problem gets even worse when you have mobile remote users who log in via wireless access wherever they are, say Starbucks or their hotel. Now their apparent domain will change on me as well.

I can handle this easily with our existing email system by authenticating all my users and only permitting authenticated users to relay. The Scalix rules do not appear to support this as there is no way to specify the user's authentication state to the RELAY rules. As it appears to stand now, the only way I can have a remote user reliably relay email is by exclusively using the webmail interface, which is not an attractive solution. Hopefully I am wrong and have just misinterpreted the rules.

Charlie

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed May 31, 2006 6:32 pm

What clients are you going to be using ?

If you are using IMAP/POP3 clients, you connect to the SMTP Relay and authenticate. Then you can relay.

If you are using SWA, you are submitting from the Scalix server, that's inside your domain. You can relay also.

If you are using Outlook with Scalix Connect, you do not use SMTP so you do not have a problem there.

Nobody else will be able to relay.

Is there something fundamental that I've missed ?

Cheers

Dave

sgalahad

Postby sgalahad » Fri Jun 23, 2006 11:16 pm

Hi - I'm having a similar problem.

I have authentication turned on (I think). However, users are getting emails that appear like they have been sent by me, even though I have not.

my smtp.cfg is:

RELAY accept 127.0.0.1
RELAY accept .123.com
RELAY accept 69.x.x.x
RELAY accept .xyz.com
RELAY accept .abc.com
RELAY accept 64.x.x.x
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

The email header looks like this:

Return-Path: <sg@123.com>
Received: from 123.com (wsip-68-14-237-131.ph.ph.cox.net 68.14.237.131)
by mail.123.com (Scalix SMTP Relay 10.0.0.175)
via ESMTP; Fri, 23 Jun 2006 16:46:50 -0400 (EDT)
Date: Fri, 23 Jun 2006 13:38:48 -0700
From: "sg" <sg@123.com>
To: "Sales" <sales@123.com>
Message-ID: <2447.15541151095610.mail.123.com@MHS>
Subject: Delivery reports about your e-mail
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0002_AA18CDAA.DCD0F9A0"

vlaurenz
Posts: 123
Joined: Wed May 31, 2006 3:41 pm

Postby vlaurenz » Mon Jun 26, 2006 3:21 pm

I understand that support feels this config prevents relaying from outside a customer's domain(s), however, the standard config will allow anyone who knows how to spoof email internally very easily. In order to prevent non-authenticated users from relaying from within the domain, I believe the following lines would need to be added at the beginning of smtpd.conf:


AUTH_MISMATCH Log_Reject ALL
ANONYMOUS Log_Reject ALL


I have not made this change yet, as I was hoping for some confirmation from some of you fine folks first.

What do you think?

edit: I think that this could possibly break webmail. Will it?

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Jun 27, 2006 10:33 am

We're actually both half right :-)

We've made the assumption that people inside the domain are to be trusted. In some organisations, that's OK. In others, maybe not.

AUTH_MISMATCH Log_Reject ALL
ANONYMOUS Log_Reject ALL

Those lines are not required to prevent the relaying.

The ANONYMOUS line will reject any connection that has not authenticated. The gotcha that people fall for is thinking that this will solve the problem, but they forget that the SMTP Relay is also there for incoming SMTP connections from outside, and if only authenticated connections are accepted, the rest of the internet will have to authenticate with the SMTP Relay.

AUTH_MISMATCH isn't required in this case. It's really only there if someone correctly authenticates, i.e. uses a valid username and password, but the MAIL FROM doesn't match with any of the known internet addresses for that user.

The solution is to remove the RELAY accept lines for your internal domains so that nobody inside your domain can send a message to an external address via the SMTP Relay. Note that this is only INCOMING connections so outgoing ones will not be affected.

There are a couple of caveats to all of this...
  1. SWA doesn't authenticate with the SMTP Relay. This means you MUST have a RELAY accept line for the IP address (or hostname if you have reverse DNS configured correctly - please say yes) of the SWA server even if it happens to be the same as the Scalix server.
  2. If you have other non-Scalix mail recipients with the same domain name, all bets are off. You must then have the RELAY accept line for that domain otherwise no mail will get through to those users as a relay attempt is defined by the SMTP Relay as any address that does not match with an entry in the SYSTEM address book.


Cheers

Dave

roopesh
Posts: 18
Joined: Fri Jun 16, 2006 10:59 am

Postby roopesh » Mon Aug 28, 2006 7:54 pm

Was there ever a resolution on this issue? I want to be able to let Authenticated users relay email, and reject everyone else's email.

There was also a question about what clients are being used (POP3/IMAP) and then a comment to use the SMTP relay. What does that mean? Was it to say to use an ISP's SMTP Relay instead of Scalix's SMTP Relay?

I have an IMAP client on my mobile phone, and can download my email to my phone without a problem. However, I can't send email out, even when I try to authenticate. I'm guessing it's related to the issue mentioned above. :)

