I want to say thanks to John, Michael, and, yes, even Darrell May for their help on this problem. The solution -- as John and Michael and a few others suspected -- was in the IP address range the PIX was doling out to VPN 'guests'. We have it resolved now and the esmith server is going to be a great tool for us. I like the security of the box, I just needed laptop 'road warriors' to be able to send email without a lot of configuration worries.
On a personal note, I was not offended by Darrell's answer. I would like to sometime in the near future start a 'FreeForAll' mailing list somewhere that IT people can use to post questions to regardless of subject matter -- as long as they relate to IT at all. We all have to 'touch' so many different areas -- hardware, software, programming, databases, networking, etc, that we need each other to find direction. Having said that, Darrell was correct in his response and I will refrain from posting off topic in the future.

Thanks,
Chris G.

-----Original Message-----
From: John Powell [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 10:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [e-smith-devinfo] VPN / Email Question

> sounds to me like your E-smith server (which version are you running?)
> treats the sender's IP address as an external address and therefore doesn't
> allow relaying. I don't know these Cisco devices but maybe you want to try
> to add the IP address range that the Cisco assigns for the clients to your
> "Local Networks" in the e-smith-manager?
> Just an idea.

Chris,

Michael's answer is dead-on. I know EXACTLY the scenario you describe (I have exactly that combo of gear running here). Yes, the e-smith server sees those addresses as external and blocks relaying.

Michael's suggestion is good and should work. This is probably best if you only want the remote folks to email and not have access to anything inside your e-smith box internal network. The downside to this is any box in your DMZ (outside the e-smith box, but inside the PIX) will be able to admin (and possibly hack/crack) your e-smith box as it will be "trusted". This may seem OK, but if someone cracks one of those boxes, now they are in a position to attack your fairly unprotected e-smith box.

A variation of the above, that is more selective and secure, is to configure Qmail only (not all services) to treat that network as local and accept relay mail from your DMZ.
This requires modifying the qmail control file's templates. Not for the squeamish, but not hard if you are good at Linux (and knowledge worth knowing if you plan on really understanding your e-smith system).

Another option is to have your users use PPTP directly to the e-smith box. I can send you the PIX config for that if you want. That is what I do here at my company and it works well. We pretty much require it as my remote users need to get into lots of boxes inside our internal network.

Hope that helps,
JP
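The qmail-only option from the reply above, sketched as an added example that is not part of the original thread or of e-smith's own templates. It assumes relay permission is granted the way stock qmail behind tcpserver does it, with tcprules-style entries that set RELAYCLIENT; the address ranges are documentation placeholders, and the matcher covers only plain IPv4 prefix rules.

```python
import ipaddress

# Constructed sample rules in tcprules source syntax. 192.0.2.0/24 is a
# placeholder for the pool the PIX hands to VPN clients; it is not from the thread.
RULES = '''\
# loopback and the VPN pool may relay; everyone else may only deliver locally
127.:allow,RELAYCLIENT=""
192.0.2.:allow,RELAYCLIENT=""
:allow
'''

def parse_rules(text):
    """Parse 'prefix:action,VAR="value"' lines into {prefix: (action, env)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, rest = line.partition(":")
        action, *env_items = rest.split(",")
        env = {}
        for item in env_items:
            name, _, value = item.partition("=")
            env[name] = value[1:-1]  # drop the surrounding quote characters
        rules[prefix] = (action, env)
    return rules

def lookup(rules, ip):
    """Most specific match wins: full address, then a.b.c., a.b., a., then ''."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no rule matched: treated here as a plain allow

def may_relay(rules, ip):
    """qmail-smtpd skips its rcpthosts check only when RELAYCLIENT is set."""
    action, env = lookup(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # 198.51.100.7 stands in for another DMZ host, 203.0.113.9 for the Internet.
    for client in ("192.0.2.45", "198.51.100.7", "203.0.113.9"):
        print(client, "relay" if may_relay(rules, client) else "local delivery only")
```

Because the rule only affects the SMTP listener, a DMZ host outside the pool gains neither relay rights nor the broader trust that a "Local Networks" entry would give it.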
