Received: Header Always Contains 127.0.0.1

[dresdn]

Hi.

I have just a general question that's been driving me up a wall lately. Basically, for some reason, every incoming e-mail message is marked with a Received: header of 127.0.0.1 when using some kind of spam filtering application, (MailScanner and Amavisd-new are the only 2 I've tried so far). In the MailScanner case, I took just a default Scalix install, installed MailScanner, shutdown the Sendmail service, and launched MailScanner (which launches it own sendmail service). In the amavisd-new case, I used the amavisd-milter integration method.

In both cases, all my mail has that header of 127.0.0.1, which looks as if the passing of the mail from the Scalix listener to the filter, and then back to Scalix. Is there a good way that this can be avoided? I'm setting up some whitelisting rules where I want to allow all mail from 127.0.0.1 to be whitelisted across the board, but allowing the rule will allow *everything* to not be scanned, which is a major problem.

One of the main reasons for this is I want to setup a web-based quarantine management system where users can go in and release any quarantined message, hence the whitelist from 127.0.0.1.

I've thought about getting rid of the Scalix listener, but then I can't do SMTP auth, etc., and I think it'll just be more of a pain than it's worth.

Any ideas?

Thanks!

-Mike

[dresdn]

Alright, after doing some more researching with a fresh nights sleep, I found some nice posts which say that I need to make Sendmail the primary listener, and not Scalix, but I lose my SMTP authentication.

This sacrifice is okay to live with, since I actually created a separate port, 2525, for all of our internal users to use to authenticate with (since the majority of ISPs block any traffic on port 25 unless it is to their SMTP servers).

So, according to the posts, I can configure Sendmail to listen on 127.0.0.1 and my External IP, and then just omoff/omon smtpd. My question is, if I do this, will Scalix's omsmtpd still listen on the public port 2525, or will it try to listen on port 25, find a conflict, and then abort everything? Additionally, I can then remove the SMTPFILTER=TRUE line, correct?

Also, what are the *exact* changes I need to make to the sendmail.cf file? I've seen a lot of people ask, but no one has really said, "This is what you need to add/change ..." When I tried making the changes to the sendmail.cf, I just got errors that said:

Remote host said: 550 5.7.1 <mike@domain.com>... Relaying denied

Thanks in advance!

-Mike

[kanderson]

To change the port Scalix's smtp listens on, use the use the LISTEN_PORT= option in smtpd.cfg

If you point your clients at Scalix's SMTP, rather than sendmail, you can force them to use authentication again.

Also, there is a "normal" port for what you're doing. The Submission port, 587 is normally used for this when SMTP on port 25 is being used as you're describing. I believe there's a Tech Doc on how to set up spamassassin & clam. That doc will not completely describe this for you, but it'll be helpful nevertheless.

Kev.

[mito]

This is actually a problem I've had all along and never taken the time to troubleshoot etc. since I didn't really like the ability to loose SMTP authentication. Isn't there any other way to do this than that?

[kanderson]

I don't understand the problem.

Using a submission port allows to to enforce smtp authentication, while still accepting inbound mail from port 25 from the rest of the world.

Kev.

[mito]

I don't understand the problem.

Using a submission port allows to to enforce smtp authentication, while still accepting inbound mail from port 25 from the rest of the world.

I guess it's just a matter of my users etc. This would mean that every computer that is setup to send mail would have to have a specialized setup, which means I'd be getting a lot of phone calls from people having problems with their home PC's not able to check their email etc.

I don't know, I guess it's worth a try on a test system to see how well it works... I just wish there was a way to have it pass on the original data instead of having it be complicated...

Are there any official documents describing how to do all this? All I've ever seen is a step here or there, never a whole "this is what needs to be done". Even if it's not done in a howto type form, just a list of tasks would be great. If it's not there by the time I decide to tackle it I'll put it on the wiki, but I don't know when that will be.

Thanks!

[kanderson]

My advice would be...

Have home users use the webclient. It's fast and it's much more fully featured than a pop/imap solution. In short, it just rocks. You need to allow connections to port 80 for this to work.

For roadwarriors, have them connect via a VPN and use Outlook.

If you're ok with a slight risk, open port 5729 on your firewall. This would also allow home users and roadwarriors to connect with Outlook.

For a detailed doc, I think I already said, check the Knowledgebase, there IS a doc there on setting up Spamassassin. Go to the knowledgebase, and search for spamassassin.

Kev.

[mito]

My advice would be...

Have home users use the webclient. It's fast and it's much more fully featured than a pop/imap solution. In short, it just rocks. You need to allow connections to port 80 for this to work.

For roadwarriors, have them connect via a VPN and use Outlook.

If you're ok with a slight risk, open port 5729 on your firewall. This would also allow home users and roadwarriors to connect with Outlook.

For a detailed doc, I think I already said, check the Knowledgebase, there IS a doc there on setting up Spamassassin. Go to the knowledgebase, and search for spamassassin.

Kev.

Sounds good...

As for the SA doc, I think I started to read it and saw stuff about installing SA and then stopped, as my SA is installed automatically by my MailScanner install. Probably should have finished reading it :)

I'll take a look at it again after all the installation stuff is taken care of etc :)
Thanks again!

[dresdn]

Alright, I think I need to make my question a little clearer because I don't think that the problem is really with Scalix itself, but rather it's with Sendmail communicating to Scalix.

My question is, what exactly do I need to add to my sendmail.mc (or my .cf if you don't know the .mc syntax), in order to get Sendmail to properly relay all incoming mail to Scalix?

Basically, I want sendmail to listen externally, and Scalix to listen internally on some port (ie. the submission port 587 *only*). Let's just pretend that I don't want or need *any* SMTP authentication because all my remote users either a) use SWA or b) use the Outlook Connector.

These are the steps I have executed so far, which causes sendmail to reject all incoming mail (ie. from my Yahoo! account).

1) Modify s/sys/smtpd.cfg by uncommenting SUBMIT=ON and LISTEN=localhost:587
2) Modify /etc/mail/sendmail.cf to have sendmail listen on all interfaces
3) omshut -d0 smtpd
4) restart Sendmail (it's now listening on everything ...)
5) omon smtpd

With this configuration, no matter who/what is sending me mail, the following error is logged:

Code: Select all

sendmail[16078]: l142NAIX016078: ruleset=check_rcpt, arg1=<admin@domain.com>, relay=web55402.mail.re4.yahoo.com [206.190.58.196], reject=550 5.7.1 <admin@domain.com>... Relaying denied


From what I can tell, basically Sendmail is rejecting mail from everything but 127.0.0.1 (hence why MAILTER=TRUE works). I'm not a sendmail guru, but I'm pretty sure this is a sendmail question, but there have been several references made by people saying to "Configure sendmail to be the primary smtp listener" without any instructions.

Thanks!

-Mike

[kanderson]

Run omsendin, and then restart sendmail.

Kev.

[dresdn]

The command didn't do anything because the Scalix lines were already active. Remember, this is from an already working Scalix install.

Code: Select all

]# omsendin
NOTE: /etc/mail/sendmail.cf unchanged.  Scalix lines already active.


Again, I modified the sendmail.cf or the sendmail.mc with just the following patch:

Code: Select all

--- sendmail.mc.orig    2007-02-03 19:21:03.000000000 -0700
+++ sendmail.mc 2007-02-06 22:17:51.000000000 -0700
@@ -109,7 +109,7 @@
 dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
 dnl # address restriction to accept email from the internet or intranet.
 dnl #
-DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
+DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
 dnl #
 dnl # The following causes sendmail to additionally listen to port 587 for
 dnl # mail from MUAs that authenticate. Roaming users who can't reach their


Then I made a new sendmail.cf, restarted sendmail, etc., but it's still not allowing relaying to any domain, and isn't kicking it to Scalix.

Thoughts?

-Mike

[stephan.klein]

Mike, is your problem solved?

I am running the configuration with sendmail as primery mailer succesfull.

What I did:

Ad 1:
Configure Scalix SMTPD to listen on external IP on Port 587. Change webmail-config to connect to Scalix SMTPD, change the SMTP-Port in platform.propertires too to allow mobile client to work.

Ad 2:
Configure sendmail to listen on external IP 25 and localhost 25 and 587 (needed in my configuration to allow clamav to send administrative messages). Clamav and spamassassin are integrated via milter into sendmail.

Ad 3:
Put all my local domains in sendmails local-host-names file to allow fowarding to Scalix.

Restart it all & it should work as expected.

Kind regards
Stephan

[dresdn]

Ad 3:
Put all my local domains in sendmails local-host-names file to allow fowarding to Scalix.

Stephan,

This was *exactly* what I missing!! Adding my domains to this file made Sendmail behave as expected. Looking at this now, this makes complete sense, but, as I've said before on these forums, I am *not* a Sendmail guy, Postfix is where my heart lays ;)

Thanks a ton for pointing this out. I can now to SPF and RBL lookups correctly!!

Regards,
Mike