Mail Gateway

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

pcrock
Posts: 51
Joined: Wed Mar 07, 2007 7:24 am

Mail Gateway

Postby pcrock » Wed Jul 11, 2007 9:45 am

Not really 100% a scalix question, but sort of

I'm trying (possibly in vain) to set a mail gateway up in front of the scalix box (probably postfix)

I've got a couple of issues I'm struggling with. When a new mail comes in to the gateway I'd need it to check the address against the ldap server on my scalix box to confirm it exists, if not bounce it. I can't believe that is that hard, but I cannot for the life of me find any webpages or howtos on how to do this.

I'd also like to be able to do smtp auth on this box to allow a small amount of external users to use this box to send through (via mobile devices) as I'm trying to keep the scalix box as far away from the dirty dirty internet as possible. Again this would need to authenticate against the ldap on scalix and I can't for the life of me see how.

Has anyone done this, or similar to this and if you have do you have a nice little manual on how you did it! :D

Ta

Phill

jmason1182
Posts: 55
Joined: Wed Jul 11, 2007 4:11 pm

Good old LDAP......

Postby jmason1182 » Wed Jul 11, 2007 4:16 pm

First off, good luck.

It took an arm and a leg to get LDAP authentication for sendmail to work.... but most was on the ldap side of course.

Anyway, put this in your sendmail.mc file, then use either m4 or make in /etc/mail to rebuild your sendmail.cf file.

dnl #
dnl # LDAP SUPPORT! OUR ACCOUNTS ARE NOW IN LDAP!
define(confLDAP_DEFAULT_SPEC,`-h ldaphost.mydomain.local -b dc=mydomain,dc=local')dnl
dnl #
dnl #

And yes, that define statement is on 1 line. be sure you replace your ldap hostname in there.
THEN.... you will have to ensure an ldap connection is possible to your ldap server.
THEN.... you rebuild your sendmail.mc on that server, and restart sendmail.
I'm assuming you have already got POSIX account info (UIDs etc.) in LDAP. Otherwise you will have to update the schema to include those for all users.

Again, good luck.

jmason1182
Posts: 55
Joined: Wed Jul 11, 2007 4:11 pm

oops.. forgot to add something....

Postby jmason1182 » Wed Jul 11, 2007 4:20 pm

Oh yeah... one more note.... as I recall we STILL had to add a user account on each system using LDAP auth for sendmail into /etc/passwd. Otherwise sendmail didn't recognize the ACCOUNT..... it would use LDAP for the AUTH... but not for the ACCOUNT.

BUT when we (using windows server 2003 w/ AD) added services for unix (free from Micr0$0ft) we enabled the windows server for NIS, did some basic mapping on the server, and now we don't use ldap for authentication at all. We only use ldap for contact directory etc. Our servers authenticate via NIS, including AUTH, ACCOUNT, PASSWORD, and SESSION.... it is beautiful. Anyway, you may have to add a local account for the ldap auth.

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Re: Mail Gateway

Postby Beaujolais » Wed Jul 11, 2007 11:09 pm

pcrock wrote:Has anyone done this, or similar to this and if you have do you have a nice little manual on how you did it! :D

Check these two articles:
http://www.scalix.com/wiki/index.php?ti ... te_Postfix
http://www.scalix.com/wiki/index.php?ti ... le_domains

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

incomplete guide

Postby hariskhan » Fri Jul 13, 2007 10:20 pm

Hello folks,

To my regret I have experienced that both guides mentioned above are TOTALLY INCOMPLETE for a postfix install from scratch.

To my despair, I have been trying to get scalix+postfix working for the past 10 days without success.

1) It's missing a lot of *_maps keywords that have to be set up for scalix+postfix to work

2) My second issue with this setup is that scalix asks for smtp auth from (local) postfix when postfix sends mail to it

3) saslauth fails. I get a naming violation (64) from scalix (ldap). I checked user/pass with imap, pop3, they work, but saslauthd is unable to. I need a guide to complete working saslauthd for scalix.


I also have some questions;

From this ( http://www.scalix.com/wiki/index.php?ti ... te_Postfix ) url I have an install minus amavis and clamav.

1) I have 5 IPs set on my box, e.g.:

lo has 127.0.0.1
eth0 has 10.1.1.1
eth1 has 203.154.24.32
eth1:0 has 203.154.24.33
eth1:1 has 203.154.24.34
eth1:2 has 203.154.24.35
eth1:1 has 203.154.24.36

a) On which interfaces should postfix listen? I mean to say, what should be in mynetworks?
b) On which interfaces should scalix listen?

2) Is there a scalix+postfix guide if the postfix installation is done from scratch?

Looking at this ( http://www.postfix.org/STANDARD_CONFIGU ... l#firewall ) url, what else do we need to do to setup scalix+postfix?

3) How can we disable scalix's smtp auth for postfix, so postfix can send mail without any restrictions?

3) In case scalix's smtp auth for postfix is not removable, what user/pass do I need to setup in postfix so it can successfully delivery mail to scalix?

4) Is scalix's community edition similar to its enterprise edition in features, functionalities, configuration, other aspects? I downloaded it to my home test server to try to find out a possible solution as soon as I can.

Please be descriptive or detailed where possible.

I have been working in the dark for the past 10 days and need to get this complete within the next 3 days.

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

Re: Mail Gateway

Postby hariskhan » Sun Jul 15, 2007 3:57 pm

Beaujolais wrote:
pcrock wrote:Has anyone done this, or similar to this and if you have do you have a nice little manual on how you did it! :D

Check these two articles:
http://www.scalix.com/wiki/index.php?ti ... te_Postfix
http://www.scalix.com/wiki/index.php?ti ... le_domains



What's frustrating about the above articles is that scalix+postfix does NOT work as they so conveniently point that it does.

For example;

In my /var/opt/scalix/xx/s/sys/smtpd.cfg I have;

#SUBMIT=ON
#LMTP=ON

and at the end of the file I have

LISTEN=FQDN:10025

What makes no sense is, when I restart scalix's smtpd it's still listening on port 25 rather than the port I TOLD it to listen on. What the heck is going on?


tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 21702/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 21702/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 21702/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 21702/omsmtpd SMTP
tcp 0 0 10.x.xxx.xx:25 0.0.0.0:* LISTEN 21702/omsmtpd SMTP

Neither of the above two tutorials tells you that LMTP=ON has to be uncommented for scalix's smtpd to actually listen on FQDN:10025

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

We need a complete, tested out stepwise tutorial

Postby hariskhan » Sun Jul 15, 2007 4:00 pm

We need a complete! setup tutorial for scalix + postfix, which assumes postfix is not yet installed. Install and configure postfix from SCRATCH to the last! bit

At least test it on RH EL or Debian or FreeBSD and be sure that it's working before posting a tutorial

http://www.scalix.com/wiki/index.php?title=HowTos/Complete_Postfix


This tutorial fails to mention one has to make transport_maps and many more maps in postfix's config to get it working

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

Postby hariskhan » Sun Jul 15, 2007 4:05 pm

I don't understand why scalix people don't have a reliable document/tutorial on scalix/postfix out for the latest version of their commercial software

I don't understand why scalix recommends sendmail. It's buggy and the security holes make your system an inviting target for attacks


Need help! guys

Please post a reliable install and configure script for scalix + postfix which assumes postfix is not installed and not configured. In other words a complete postfix configuration guide from start to the end.

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Re: Mail Gateway

Postby Beaujolais » Mon Jul 16, 2007 12:01 am

hariskhan wrote:For example;

In my /var/opt/scalix/xx/s/sys/smtpd.cfg I have;

#SUBMIT=ON
#LMTP=ON

and at the end of the file I have

LISTEN=FQDN:10025

What makes no sense is, when I restart scalix's smtpd its still listening on port 25 rather than the port I TOLD it to listen on. What the heck is going on?


Both of the articles are complete, but both under certain assumptions:
The first article "I'll go through these examples for RedHat/Fedora, and I've tested everything on Debian as well. If you use SuSE, well, I'm sorry."

The second article: "This setup has been tested on openSUSE 10.2 running Scalix 11.1"

So if you have another setup some tweaks may be required.
Furthermore you need to read it carefully, for example you seem to have missed this part "...while replacing $FQDN with your server's fully qualified domain name."
LMTP does not have to be uncommented. You also should make sure that nothing else is already listening on 10025 (because on SUSE for example 10025 is taken by content filter.)

Suggest you read it more carefully and redo all steps.

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

Re: Mail Gateway

Postby hariskhan » Mon Jul 16, 2007 2:33 am

I did read it carefully and many times. My OS is Red Hat Enterprise Linux ES release 4 (Nahant Update 3).

Furthermore you need to read it carefully, for example you seem to have missed this part "...while replacing $FQDN with your server's fully qualified domain name."


I did change FQDN with the fully qualified domain name of my server, just didn't show it here. Did you expect me to reveal it?

LMTP does not have to be uncommented. You also should make sure that nothing else is already listening on 10025 (because on SUSE for example 10025 is taken by content filter.)


No content filter installed yet. I hope to get scalix+postfix up and running smoothly before I do that.

I tried 3 things.

First, I did as the tutorial said, I didn't uncomment SUBMIT or LMTP and just put LISTEN=FQDN:10025 at the end of /var/opt/xx/s/sys/smtpd.cfg. (NOTE: I did replace FQDN with the value -> host2.fusionradioservers.net) and restarted omsmtpd. It did not! listen on that port on restart. In fact nothing is listening on that ip:port. netstat -nplt confirms it.

The result is the following;

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 15014/omslapd
tcp 0 0 xxx.xxx.xx.xxx:5733 0.0.0.0:* LISTEN 2285/postmaster
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 22474/master
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 28355/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 28355/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 28355/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 28355/omsmtpd SMTP
tcp 0 0 xx.x.xxx.xx:25 0.0.0.0:* LISTEN 28355/omsmtpd SMTP
tcp 0 0 xxx.xxx.xx.xxx:25 0.0.0.0:* LISTEN 22474/master

When I send mail in, I get;

This is the error I get;

Jul 16 01:11:55 host2 postfix/smtp[28586]: connect to host2.fusionradioservers.net[208.101.27.254]: Connection refused (port 10025)
Jul 16 01:11:56 host2 postfix/smtp[28586]: B0196200165: to=<testaccount@fusionchicago.net>, relay=none, delay=1, status=deferred (connect to host2.fusionradioservers.net[208.101.27.254]: Connection refused)

Secondly, I tried the same setup with SUBMIT uncommented. Result? omsmtpd was listening on host2.fusionradioservers.net:10025. But it was omsmtpd SUBMIT, not omsmtpd SMTP. Result? When mail comes in, I get the following error;

Jul 15 15:41:51 host2 postfix/qmgr[22478]: 9E677200165: from=<hariskhan@gmail.com>, size=2123, nrcpt=1 (queue active)
Jul 15 15:41:51 host2 postfix/smtp[22741]: 9E677200165: to=<testaccount@fusionchicago.net>, relay=host2.fusionradioservers.net[208.101.27.254], delay=1, status=bounced (host host2.fusionradioservers.net[208.101.27.254] said: 530 Authentication required (in reply to MAIL FROM command))
Jul 15 15:41:51 host2 postfix/cleanup[22738]: 5D3AD20016F: message-id=<20070715204151.5D3AD20016F@host2.fusionradioservers.net>
Jul 15 15:41:51 host2 postfix/qmgr[22478]: 5D3AD20016F: from=<>, size=4099, nrcpt=1 (queue active)
Jul 15 15:41:51 host2 postfix/qmgr[22478]: 9E677200165: removed
Jul 15 15:41:51 host2 postfix/smtp[22741]: 5D3AD20016F: to=<hariskhan@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.133.114], delay=0, status=sent (250 2.0.0 OK 1184532111 d38si31664447and)
Jul 15 15:41:51 host2 postfix/qmgr[22478]: 5D3AD20016F: removed

which means I have 2 basic issues.

1) omsmtpd doesn't listen on the ip:port (as I configured it), but listens on port 25 on all IPs of the box (I have 5 IPs on this box)

2) saslauth fails against scalix's ldap. I get a naming error (64)

Is there any log for omsmtpd I can debug omsmtpd's actions from?

I have searched the internet for the last 10 days and haven't found a clue to these issues. I could have finished this within 2 hours if omsmtpd would function as it was configured to and saslauth worked against ldap.


My current /var/opt/scalix/xx/s/sys/smtpd.cfg;
=========================================

###############################################################################
# SMTP Relay Configuration
# ########################
#
# For details please see Scalix Overview - Security
#
###############################################################################

###############################################################################
# Relay Configuration
# ###################
#
# EXTENSIONS These extensions will be advertised by the EHLO reply
# DOMAIN_NAME Local host FQDN
# LOCAL_NAMES Local aliases of DOMAIN_NAME
# MAX_HOP_COUNT If the number of Received: header lines in a message sent to
# the relay exceed this number then the message will be
# rejected by the relay. The default value is zero and any
# non-positive value is interpreted as infinity. The default
# value means that no loop detection is done by the relay,
# any loop detection will only be done by sendmail.
# GREETING This is the text after the 220 on the connection
# greeting line some tokens can be used:
# %F - FQDN, %P - protocol, %N program name,
# %V - version, %D date
# LISTEN Comma separated host:port to listen to eg.
# LISTEN=mail.example.com:25,10.100.100.1:smtp
#
###############################################################################


EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
#SUBMIT=ON
#LMTP=ON


###############################################################################
# Catch-all recipients
# ####################
#
# Catch-all recipients are for catching email sent to unknown users, instead
# of non-delivering the email. More than one CATCH line can be used.
#
# CATCH PATTERN RECIPIENT
#
# PATTERN can be:
# user* - any unknown address starting with user
# @domain.com - any unknown address in domain.com
# user*@domain.com - any unknown user starting with user in domain.com
# RECIPIENT
# this is the recipient email address to redirect the email to. It can
# be local or remote, but is subject to any relay rules if remote.
#
# Authentication and Anti-Spamming Measures
# #########################################
#
# Each line is of the form:
# EVENT ACTION PATTERN PATTERN...
# When an event happens the SMTP Relay checks for a matching event/pattern
# sequentially in this file. When it finds the first match, it takes the
# action specified.
#
# ######
# EVENTS
# ######
#
# AUTH_SUCCESS An attempt is made to submit a
# successfully authenticated message.
#
# AUTH_MISMATCH An attempt is made to submit a
# successfully authenticated message but
# the originator name does not match
# the authenticated name.
#
# ANONYMOUS An attempt is made to submit a message
# sent without authentication or after
# failed authentication.
#
# SUBMIT An attempt is made to submit a message from
# the host specified in pattern
#
# RELAY An attempt is made to relay a message through the SMTP Relay
#
# ORIGINATOR An attempt is made to submit a message from a user whose
# email address matches pattern
#
# RECIPIENT An attempt is made to submit a message to a user whose
# email address matches pattern
#
# #######
# ACTIONS
# #######
#
# Accept The message is unconditionally accepted and processed
# normally.
#
# Defer The message is deferred with a 400 code
#
# Discard The message is accepted but then discarded
#
# Header The message is accepted, but an extra header is inserted.
#
# Reject The message is rejected with a 500 code
#
# If Log_ added to the start of an action, then the action is also recorded
# in the SMTP Relay log file.
#
# ########
# PATTERNS
# ########
#
# Hostname Patterns
# - an IP address, eg 123.234.132.231
# - an IP subnet and mask, eg 123.234.200.0/255.255.240.0
# - a hostname, eg bert.loc.co.uk
# - the end of a domain, eg .spammer.net
# - the start of a domain, 123.234.
# - the keyword ALL matches all hosts
# - the keyword LOCAL matches all hosts that do not contain a .
#
# Email Patterns - used by ORIGINATOR and RECIPIENT
# - *@*.spam.net
#
# DNSBL Patterns - These can be used by the SUBMIT EVENT to use DNS black
# list systems (See http://en.wikipedia.org/wiki/DNSBL )
# - DNSBL,host,reply eg DNSBL,bl.spamcop.net,ALL
#
###############################################################################

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .hosts2.fusionradioservers.net
RELAY accept .fusionchicago.net
RELAY accept .purepulsemedia.com
RELAY accept .fusionradiochicago.com
RELAY accept .fusionfmchicago.com
ANONYMOUS accept .fusionradioservers.net .hosts2.fusionradioservers.net
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587

# Reject all anonymous connections
ANONYMOUS Log_Reject ALL



# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
#LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix
LISTEN=host2.fusionradioservers.net:10025

===================================================================

With the above configuration, scalix's smtpd does not listen on host2.fusionradioservers.net:10025 . I can't figure out why. I don't know if omsmtpd keeps logs.

Thirdly, I tried with LMTP on with host2.fusionradioservers.net:10025 at the end of said omsmtpd config file. It started an omsmtpd LMTP process but I could see why it was not working.

Now I am running it with submit on, so it'll at least listen on host2.fusionradioservers.net:10025.


One more question that I have is, I tried running omsmtpd on 127.0.0.1:10025 rather than host2.fusionradioservers.net:10025, but it wouldn't start. For this I changed the config line in master.cf so it wouldn't conflict. My tests show it wouldn't start on an IP:port which wasn't assigned to a real NIC. I wanted to run scalix's smtpd on localhost and postfix on the WAN ports, so scalix's smtpd would be shielded from the internet and postfix would be in front on WAN to work as mail gateway, accepting/rejecting mail, filtering it, scanning it for spam, viruses. All my efforts on this have so far proved in vain.

Beaujolais wrote:
Both of the articles are complete, but both under certain assumtions:
The first article "I'll go through these examples for RedHat/Fedora, and I've tested everything on Debian as well. If you use SuSE, well, I'm sorry."

The second article: "This setup has been tested on openSUSE 10.2 running Scalix 11.1"

So if you have another setup some tweaks may be required.

Suggest you read it more carefully and redo all steps.


For e.g. with the above setup, we need relay_recipient_maps in postfix. I couldn't find it mentioned in the tutorial?

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Postby Beaujolais » Mon Jul 16, 2007 9:44 am

You have to add LISTEN=host2.fusionradioservers.net:10025 to the SMTP section (the first section) and then restart scalix.
Add it just before EXTENSIONS=AUTH,DSN,8BITMIME

You've added it to LMTP section, that's why it is not working.
Last edited by Beaujolais on Mon Jul 16, 2007 10:40 am, edited 1 time in total.

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

Postby hariskhan » Mon Jul 16, 2007 9:51 am

Please clarify on;

Add id just before EXTENSIONS=AUTH,DSN,8BITMIME

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Postby Beaujolais » Mon Jul 16, 2007 9:58 am

Add id just before line
EXTENSIONS=AUTH,DSN,8BITMIME
...that's somewhere around line 30.

hariskhan
Posts: 12
Joined: Fri Jul 13, 2007 9:57 pm

What's ID?

Postby hariskhan » Mon Jul 16, 2007 10:37 am

What I don't understand is what is meant by 'id'.

What does it signify?

What are its possible values?

Do I just have to write the word 'id' there? I have a feeling that is not the case

Beaujolais
Posts: 94
Joined: Sun Sep 03, 2006 2:47 pm
Location: Burlington, Ontario

Postby Beaujolais » Mon Jul 16, 2007 10:41 am

Oops, that was a typo, I've fixed it. Id -> it ;)

The point is, you've added LISTEN to the wrong section of the config file, add it to the top, not bottom of the file.
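The misplaced LISTEN that Beaujolais points out (and the port clash warned about earlier in the thread) can be caught before restarting Scalix, which matters because a LISTEN that never takes effect leaves omsmtpd on port 25 on every address, exactly the exposure the gateway was meant to remove. This is an added example, not Scalix code or anything posted in this thread: a small Python checker that splits smtpd.cfg into its implicit SMTP group and the [SUBMIT]/[LMTP] groups, flags a LISTEN that sits in a group whose ON switch is still commented out, and compares the configured port against netstat -nplt output. The file layout is inferred from the config posted above; the sample config, the hostname mail.example.net and the netstat lines are constructed.

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^(\w+)=(.*)$")
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")

# Constructed sample with the layout from the thread: LISTEN sits at the
# bottom, inside the [LMTP] group, while LMTP=ON at the top is commented out.
SAMPLE_CFG = """\
EXTENSIONS=AUTH,DSN,8BITMIME
#SUBMIT=ON
#LMTP=ON
RELAY Log_Reject ALL
[SUBMIT]
ANONYMOUS Log_Reject ALL
[LMTP]
LISTEN=mail.example.net:10025
"""

# Constructed `netstat -nplt` lines: Postfix's master already holds 127.0.0.1:10025.
SAMPLE_NETSTAT = """\
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 22474/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 22474/master
"""

def parse_smtpd_cfg(text):
    """Group smtpd.cfg lines: everything before the first [NAME] header is the SMTP group."""
    sections = {"SMTP": {"settings": {}, "rules": []}}
    current = "SMTP"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        m = SECTION_RE.match(line)
        if m:                              # [SUBMIT] / [LMTP] start a new group
            current = m.group(1).upper()
            sections.setdefault(current, {"settings": {}, "rules": []})
            continue
        m = KV_RE.match(line)
        if m:                              # KEY=VALUE setting
            sections[current]["settings"][m.group(1).upper()] = m.group(2).strip()
        else:                              # EVENT ACTION PATTERN... rule
            sections[current]["rules"].append(line.split())
    return sections

def check_listeners(sections):
    """Return LISTEN placement problems; an empty list means the layout is sane."""
    problems = []
    top = sections["SMTP"]["settings"]
    if "LISTEN" not in top:
        problems.append("no LISTEN in the SMTP group: omsmtpd keeps its default, port 25")
    for name in ("SUBMIT", "LMTP"):
        listen = sections.get(name, {}).get("settings", {}).get("LISTEN")
        if listen and top.get(name, "").upper() != "ON":
            problems.append(f"[{name}] sets LISTEN={listen} but {name}=ON is not enabled, so that listener never starts")
    return problems

def port_conflicts(listen_value, netstat_text):
    """Flag netstat sockets held by a program other than omsmtpd on a port from LISTEN=host:port[,host:port]."""
    wanted = {spec.rsplit(":", 1)[1] for spec in listen_value.split(",") if ":" in spec}
    return [f"port {m.group(2)} already bound on {m.group(1)} by {m.group(3)}"
            for m in map(NETSTAT_RE.match, netstat_text.splitlines())
            if m and m.group(2) in wanted and "omsmtpd" not in m.group(3)]
```

Run check_listeners(parse_smtpd_cfg(open("/var/opt/scalix/xx/s/sys/smtpd.cfg").read())) against the real file and port_conflicts with the output of netstat -nplt before restarting Scalix.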

