Permit WWW to send SMTP Messages

Discuss the Scalix Server software

Moderators: ScalixSupport, admin

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Permit WWW to send SMTP Messages

Postby techsharp » Fri Oct 19, 2007 9:19 am

All,

We have a request to permit WWW to send SMTP messages to our mail server.

Our developers have created an application that will go live soon and it asks for the users email address and sends a copy of the materials to that email address. For the first run through the mail will be sent in real time from the web server.

What needs to be done on the mail server to allow this?

Thank you!

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Fri Oct 19, 2007 11:08 am

Looks like I have to do some configuring to the firewall, might not have to do anything on mail server. Will report back if any action on the mail server is needed.

Thanks

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Fri Oct 19, 2007 6:22 pm

Your WWW server for sure will need an MTA, possibly sendmail (or postfix).

If the WWW and the scalix servers are on the same network (i.e. DMZ), it's very easy: just add the IP of the WWW to the smtpd.cfg on the scalix server to allow relay, and set the scalix server as the smarthost in WWW's /etc/mail/sendmail.mc

You may have WWW as its own mail server, i.e., completely unrelated to the scalix server. In that case you may need proper DNS entries, as well as open outbound ports 25/465 on the firewall (no inbound email from the internet). In this case, you can also set the MASQUERADE feature to match the domain of the scalix server.

My recommendation is to use the smarthost option, and don't change anything in the firewall.

Even if the WWW is in a completely different network you can still use either of the options above, but that is not very common.
Jaime

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Thu Nov 01, 2007 1:04 pm

Jaime -

Sorry just getting back to you as the developers are now in testing. After firewall configurations were made internal emails were sent fine, but not external.

WWW is in the same network as the mail server and I just made the changes you have said and will now have the developers try again. Will report back with results.

Thank you!

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Thu Nov 01, 2007 2:11 pm

Update:

After making the changes, it is still denying messages to external users.

here is what is in the maillog:


Nov  1 14:04:08 mars sendmail[9003]: lA1I489d009003: ruleset=check_rcpt, arg1=<Davi@email.com>, relay=www.mailserver.net [xx2.x0.x.xx], reject=550 5.7.1 <Davi@email.com>... Relaying denied. Proper authentication required.
Nov  1 14:04:08 mars sendmail[9003]: lA1I489d009003: from=<email@xxx.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=www..net [xx2.x0.x.xx]


The application is not using sendmail to send the message to the mail server. The web application is making a direct SMTP connection to the mail server.

Here is the smtpd.conf file where I put in WWW


RELAY accept 127.0.0.1
RELAY accept .blueslate.net
RELAY accept WWW (I put the ip instead of WWW)
RELAY Log_Reject ALL


Any other ideas of how to get it working?

Thanks

--------
Update: We created a user on the domain that would be the address to send out the emails and it seems to be authenticating fine. Is there still a way to do it without creating a user on the domain?

adhodgson
Posts: 176
Joined: Thu Mar 02, 2006 8:09 am

Postby adhodgson » Thu Nov 01, 2007 7:22 pm

Hi,

I have a load of web apps at our site delivering direct to Scalix, with the relevant IP address of the server in smtpd.cfg. Did you restart omsmtpd after making the change?

Over recent times I am thinking that it is a good idea to install some MTA on the web server, I find that some of the web applications are very poorly written in respect to SMTP communication, and thus will break when talking to Scalix. The other problem is if the mail server is down, those messages will not get delivered if your app doesn't queue them up (I have a web app that does this in a database, but most just go on as if nothing happened). Therefore, I install Sendmail or Microsoft IIS SMTP server and lock them down, so that the webapps speak to a local SMTP server, which speaks to Scalix. In the future, I may just let the MTAs on the web servers talk to the main mail relay, to lessen the amount of hops.

Andrew.

a.schild
Posts: 224
Joined: Wed Feb 14, 2007 5:10 pm

Postby a.schild » Fri Nov 02, 2007 2:54 am

adhodgson wrote: Hi,
Over recent times I am thinking that it is a good idea to install some MTA on the web server, I


We too have an MTA (postfix) installed on each webserver for years.
It gives fewer troubles and it's more reliable.

André

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Fri Nov 02, 2007 5:12 am

techsharp wrote: After making the changes, it is still denying messages to external users.

If your www apps are talking directly with the host in which the scalix server is installed, for external users it just means that scalix is not even part of the equation. In fact you can even completely remove/disable scalix. That is an obscure part of the whole mechanics of how SMTP/Scalix works that most people don't realize. Scalix does not send emails, sendmail does!

You always, forever and ever need to put all your RELAY entries in /etc/mail/access regardless, because that is what sendmail uses. By the same token, you always, forever and ever need to put all your recognizable email domains in /etc/mail/local-host-names because that is also what sendmail uses.

As soon as a *client* sends an SMTP inquiry to the scalix server (port 25/465), and scalix determines it's not an "internal" scalix user or domain, it passes the ball to sendmail.

Please revise both /etc/mail/access and /etc/mail/local-host-names. Don't forget to type *make* inside /etc/mail after any changes and reload sendmail services.
Jaime

adhodgson
Posts: 176
Joined: Thu Mar 02, 2006 8:09 am

Postby adhodgson » Fri Nov 02, 2007 6:15 am

jaime.pinto wrote: You always, forever and ever need to put all your RELAY entries in /etc/mail/access regardless, because that is what sendmail uses. By the same token, you always, forever and ever need to put all your recognizable email domains in /etc/mail/local-host-names because that is also what sendmail uses.

I do the latter, but have never touched /etc/mail/access. The way I thought it worked was that SMTPD accepts the message, and if it is for a user not on the Scalix server (i.e., the user has relay privileges in smtpd.cfg), it goes through the Scalix router and out to Sendmail. Sendmail only receives messages on localhost, so touching the access file won't do anything. SMTPD does use Sendmail for various checks - i.e., recipient checks if the user is not found in the directory, because the error you get out from SMTPD is the Sendmail error message.

I have found the best way of ensuring everything works is to put all the relevant domains into /etc/mail/local-host-names, then add the domains to smtpd.cfg in the form:

accept relay .domain.com

Then put the subnets that need to relay in the same format. I have found that if the domains are missing from this file, you can sometimes get weird results with recipient verification.

Hope this helps - I am happy to be wrong on this, because there isn't much documentation on the internals, and this of course doesn't cover using AV/AS, where Sendmail plays a bigger part.

Andrew.

a.schild
Posts: 224
Joined: Wed Feb 14, 2007 5:10 pm

Postby a.schild » Fri Nov 02, 2007 6:20 am

adhodgson wrote: I have found the best way of ensuring everything works is to put all the relevant domains into /etc/mail/local-host-names, then add the domains to smtpd.cfg in the form:


This one is somewhat dangerous, because it does the following:

If the reverse lookup of the senders IP resolves into one of the allowed domain names, it will be able to relay via your server.

Of course dialup users usually can't modify the reverse lookup, but there are spammers who can...


http://bugzilla.scalix.com/show_bug.cgi?id=14840


André
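To make the difference between the two kinds of smtpd.cfg rule concrete, here is an added example (not code from the thread or from Scalix) that simulates the relay decision for the rule forms shown above: an address rule matches the connecting IP itself, while a ".domain" rule can only tie the IP to the domain through its reverse (PTR) record, which is controlled by whoever runs the reverse zone for that address. Reverse lookups come from a constructed table, and the IPs and hostnames in it are placeholders.

```python
"""Simulate 'RELAY accept ...' decisions for a connecting client.

Added example, not from the thread. Assumes rules of the form
'RELAY accept <ip-or-cidr>' or 'RELAY accept .domain' and replaces real
reverse DNS with a constructed table."""
import ipaddress

# Constructed PTR table standing in for reverse DNS. The third entry models an
# outside address whose reverse zone the attacker controls; they simply named
# it inside the trusted domain.
PTR = {
    "192.0.2.10": "www.blueslate.net",
    "192.0.2.20": "db.blueslate.net",
    "198.51.100.7": "evil.blueslate.net",   # attacker-controlled reverse zone
    "203.0.113.9": "mail.example.org",
}

def parse_rules(cfg: str):
    """Return (action, pattern) pairs from RELAY lines in smtpd.cfg text."""
    rules = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].upper() == "RELAY":
            rules.append((parts[1].lower(), parts[2]))
    return rules

def may_relay(client_ip: str, cfg: str, ptr=PTR):
    """Return (allowed, reason) for client_ip under the given rules."""
    for action, pattern in parse_rules(cfg):
        if action != "accept":
            continue
        if pattern.startswith("."):
            # Domain rule: the only link from IP to domain is reverse DNS.
            name = ptr.get(client_ip, "")
            if name.endswith(pattern):
                return True, f"domain rule {pattern} matched via PTR {name}"
        else:
            try:  # ip_network() accepts a bare address (/32) or a CIDR block
                if ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False):
                    return True, f"address rule {pattern} matched"
            except ValueError:
                continue
    return False, "550 5.7.1 Relaying denied"

DOMAIN_CFG = "RELAY accept 127.0.0.1\nRELAY accept .blueslate.net\nRELAY Log_Reject ALL\n"
IP_CFG = "RELAY accept 127.0.0.1\nRELAY accept 192.0.2.10\nRELAY Log_Reject ALL\n"

if __name__ == "__main__":
    for ip in PTR:
        print(ip, may_relay(ip, DOMAIN_CFG), may_relay(ip, IP_CFG))
```

With the domain rule the outside address 198.51.100.7 is allowed to relay purely because of its PTR name; with the address rule only the listed web server IP can relay, whatever its reverse record says.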

adhodgson
Posts: 176
Joined: Thu Mar 02, 2006 8:09 am

Postby adhodgson » Fri Nov 02, 2007 6:27 am

a.schild wrote:
adhodgson wrote: I have found the best way of ensuring everything works is to put all the relevant domains into /etc/mail/local-host-names, then add the domains to smtpd.cfg in the form:

This one is somewhat dangerous, because it does the following:

If the reverse lookup of the senders IP resolves into one of the allowed domain names, it will be able to relay via your server.

I realise this. However, I have found that without this one in the smtpd.cfg, I get a 550 Denied due to spam list if the user doesn't exist in Scalix, even if there is a relevant Sendmail user for them. This is possibly because Scalix doesn't want to pass the message to Sendmail if the user doesn't have relay privileges, but that means that if the user isn't found, the relevant MTA will generate a DSN with that strange error message, which causes calls to support. Our Scalix SMTP server is not open to the Internet, primarily for this reason.

Andrew.

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Fri Nov 02, 2007 7:24 am

a.schild wrote: This one is somewhat dangerous, because it does the following:
If the reverse lookup of the senders IP resolves into one of the allowed domain names, it will be able to relay via your server.
Why is this a bug? And why is this dangerous? That's exactly how it should be.

a.schild wrote: Of course dialup users usually can't modify the reverse lookup, but there are spammers who can...

The business of relaying is entirely and *exclusively* dependent on the relaying server and its relationship with the authoritative DNS servers. The client has absolutely no say on this mechanics, or whichever domain it claims to be from. All the relaying server cares about is the legitimate IP the client comes from (spammer or not). Spammers cannot change this previous mechanics on the relaying server unless they hack into your system as a privileged user. This is an issue completely different and unrelated to scalix or sendmail. Let's not get confused.

As a side note, on the bug description it's cited "we have no control over the reverse lookups for external IP ranges." So, why is this a bug? Why should you have any control over the reverse lookups for external IP ranges? Furthermore, why would one include a domain on the relay list if one doesn't want to relay that domain or doesn't trust whoever comes from that domain. Bottom line, this "bug" is bogus!
Jaime

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Fri Nov 02, 2007 9:01 am

jaime.pinto wrote: You always, forever and ever need to put all your RELAY entries in /etc/mail/access regardless, because that is what sendmail uses. By the same token, you always, forever and ever need to put all your recognizable email domains in /etc/mail/local-host-names because that is also what sendmail uses.

As soon as a *client* sends an SMTP inquiry to the scalix server (port 25/465), and scalix determines it's not an "internal" scalix user or domain, it passes the ball to sendmail.

Please revise both /etc/mail/access and /etc/mail/local-host-names. Don't forget to type *make* inside /etc/mail after any changes and reload sendmail services.


I revised both files and did a make and restarted sendmail. I will have them test it to see if it works. I will let you know - thanks a lot for your help - great information.

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Fri Nov 02, 2007 9:12 am

I still got authentication failed when trying to send the mail, however probably some config stuff I still need to change around.

As of now it authenticates as a user so we are fine with that, if it becomes a problem later we can try to figure it out.

Thanks again!

a.schild
Posts: 224
Joined: Wed Feb 14, 2007 5:10 pm

Postby a.schild » Fri Nov 02, 2007 9:38 am

jaime.pinto wrote: As a side note, on the bug description it's cited "we have no control over the reverse lookups for external IP ranges." So, why is this a bug? Why should you have any control over the reverse lookups for external IP ranges? Furthermore, why would one include a domain on the relay list if one doesn't want to relay that domain or doesn't trust whoever comes from that domain. Bottom line, this "bug" is bogus!


According to this thread I "insist" that this can be misused by spammers.

viewtopic.php?t=6277&highlight=14840

Andre
