A firewall will not help because I need traveling users to be able to connect to Imail (authenticated users) so port 25 needs to be open in the firewall for access to Imail.

Our MX records point to our Imgates. Legit mail servers send mail to those servers. If now a spammer in China configures his Linux server to send mail directly to Imail (mail.netwood.net) he will now bypass our mail gateways and Imail will happily receive and process all that mail because it arrives on port 25. Therefore port 25 needs to be blocked for ALL mail except for trusted IPs (our IMGates) and authenticated users (our traveling users).

This is exactly how it works if we spend the time to convert all users to use port 587. My problem with this is that why should we have to pay the money in salaries and time to configure ALL our users' email programs when Ipswitch has all the functions already to accomplish this on port 25? They are already doing it on port 587.

Why can't there be a checkbox in SMTP security which enables "Enable strict authentication on port 25"? This way we don't have to do ANY changes whatsoever to any users for any legit mail that they want to send and receive.

Jonas Fornander - System Administrator
Netwood Communications,LLC - www.netwood.net
Find out why we're better - 310-442-1530

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Barker
> Sent: Monday, July 11, 2005 8:35 AM
> To: [email protected]
> Subject: RE: [IMail Forum] Need help with configuring anti-spam
>
> If you are trying what I think you are trying (correct me if I'm wrong - All inbound email is to come from the IMgate machine, which is on the "permit" list of IPs), this sounds like a job for a firewall, not for IMail.
>
> IMail expects to deliver anything bound to a local account without authentication, on port 25. That is "how email works". If you are seeing spam come through IMail by dint of IMail listening on port 25 vs. IMail being on your MX record, then your firewall can easily stop that in its tracks.
>
> Or am I too reading your original post wrong?<g>
>
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jonas Fornander
> Sent: Monday, July 11, 2005 11:05 AM
> To: [email protected]
> Subject: RE: [IMail Forum] Need help with configuring anti-spam
>
> I have RTFM.
> Please read my post.
> It has nothing to do with who can send out mail.
>
> I don't want Imail to receive mail to ANY users if that mail is NOT sent from a trusted IP or authenticated.
>
> There is no way of doing this AFAIK unless we switch all users to use port 587 and block access to port 25 to Imail from the Internet.
>
> Jonas Fornander - System Administrator
> Netwood Communications,LLC - www.netwood.net
> Find out why we're better - 310-442-1530
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
> > Sent: Monday, July 11, 2005 5:50 AM
> > To: [email protected]
> > Subject: RE: [IMail Forum] Need help with configuring anti-spam
> >
> > "Imail should only accept mail from trusted IP addresses and authenticated users on port 25"
> >
> > No checkbox necessary. If you have "relay for addresses" (as you stated you did) then you ALREADY REQUIRE authentication except for the IP addresses listed. RTFM.
> >
> > "Would it work if I change the alternate authentication port 587 to 25 in the registry?"
> >
> > For what purpose? SMTP AUTH ALREADY WORKS ON PORT 25!!! It always has. Port 587 is there specifically for those clients that can't connect on port 25 due to their ISP's blocking that port outbound.
> >
> > Here's the thing, in your original post, you described your setup as this: relay for addresses (good), port 587 enabled (good), but then you thought you needed control access, but you didn't. Just relay for addresses and port 587 will get you EXACTLY what you want.
> > No one will be able to send any mail, no matter what port they use, unless they authenticate (port 25 OR port 587), or unless they are in your trusted IP range (port 25 only).
> >
> > Once again, please RTFM.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonas Fornander
> > > Sent: Sunday, July 10, 2005 11:28 PM
> > > To: [email protected]
> > > Subject: RE: [IMail Forum] Need help with configuring anti-spam
> > >
> > > It would but it doesn't change the fact (for me) that it's a workaround.
> > >
> > > Why should we have to go through all this work to move every single user to port 587 when all that is needed is a checkbox in Imail that says "Enable strict authentication on port 25"? IOW, Imail should only accept mail from trusted IP addresses and authenticated users on port 25 when this checkbox is selected. How hard would it be for Ipswitch to implement this? I bet you can whip this out in an afternoon. You already have all the ingredients. In this scenario we don't have to do a single change to any users and no-one will be able to spew spam directly to Imail. There would also be no need for SPF since those senders would neither authenticate nor send from a trusted IP.
> > >
> > > Would it work if I change the alternate authentication port 587 to 25 in the registry? What would happen?
> > >
> > > Jonas Fornander - System Administrator
> > > Netwood Communications,LLC - www.netwood.net
> > > Find out why we're better - 310-442-1530
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Shanbrom
> > > > Sent: Sunday, July 10, 2005 3:28 PM
> > > > To: [email protected]
> > > > Subject: Re: [IMail Forum] Need help with configuring anti-spam
> > > >
> > > > Since at this time there is only one ACL for the SMTP service this is your problem.... my setup would be like this for this scenario:
> > > >
> > > > Router with IMGate in the DMZ
> > > > IMail server on internal network
> > > > IMail relays for internal network and requires auth on port 587
> > > > Outbound mail to gateway (IMGate machine)
> > > >
> > > > FW Rules:
> > > > all external port 25 traffic to DMZ
> > > > no external port 25 to internal
> > > > Port 587 allowed to IMail
> > > > Your users are given port 587 (set to require auth) for their outgoing mail
> > > >
> > > > I believe this will accomplish what you are wanting
> > > >
> > > > Eric S
> > > >
> > > > Jonas Fornander wrote:
> > > >
> > > > >I thought I understood how to configure Imail with port 587 but now I'm more confused than ever. I hope someone can un-confuse me.
> > > > >This is our setup:
> > > > >
> > > > >Our MX records point to Imgate
> > > > >
> > > > >Our hosting, DSL and dialup users have mail.netwood.net as their outgoing server which is Imail. This server is configured to "Relay for addresses" and our IP blocks are listed.
> > > > >
> > > > >Our Imail is running 8.20 and port 587 is enabled and working. If I change my own account to use port 587 it works if I enable "My outgoing server requires authentication".
> > > > >
> > > > >So everything is working as it should, sooooo now what?
> > > > >
> > > > >I thought that I would be able to go to SMTP Security -> Control Access and deny access for all IP addresses EXCEPT for our trusted IP blocks. Then users on non-trusted IP addresses would be able to send out mail using port 587 if they were authenticated. However if I deny access to a non-trusted IP in SMTP Security -> Control Access then they can't send out mail on port 587 either, even if they authenticate. :-(
> > > > >
> > > > >What am I missing?
> > > > >
> > > > >How can I make our users - on trusted IP addresses - be able to use mail.netwood.net to send out mail and our users - on non-trusted IP addresses - to send out mail on port 587 (with authentication) and ALL other mail, sent directly to the Imail server should be rejected?
> > > > >
> > > > >Jonas Fornander - System Administrator
> > > > >Netwood Communications,LLC - www.netwood.net
> > > > >Find out why we're better - 310-442-1530
> > > >
> > > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> > > >
> > > > --
> > > > No virus found in this incoming message.
> > > > Checked by AVG Anti-Virus.
> > > > Version: 7.0.323 / Virus Database: 267.8.11/45 - Release Date: 7/9/2005
> > >
> > > --
> > > No virus found in this outgoing message.
> > > Checked by AVG Anti-Virus.
> > > Version: 7.0.323 / Virus Database: 267.8.11/45 - Release Date: 7/9/2005
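
The thread turns on the difference between restricting relaying and restricting acceptance of mail for local mailboxes. The sketch below is an added example, not part of the original messages and not IMail code: it models the port-25 behaviour the replies describe next to the "strict authentication on port 25" policy being requested, and lists the sessions the two treat differently. The addresses, domain and function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed values (documentation ranges), not Netwood's real configuration.
GATEWAYS = [ipaddress.ip_network("192.0.2.10/32")]         # stands in for the IMGate hosts
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # "Relay for addresses" blocks
LOCAL_DOMAINS = {"example.net"}                            # domains hosted on the mail server

@dataclass
class Session:
    client_ip: str
    port: int            # 25 or 587
    authenticated: bool  # SMTP AUTH succeeded
    rcpt: str            # envelope recipient

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def is_local(rcpt):
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def relay_for_addresses(s):
    """Model of the behaviour described in the thread (assumption, simplified)."""
    if s.port == 587:
        return s.authenticated               # submission port always demands AUTH
    if is_local(s.rcpt):
        return True                          # local delivery: source is never checked
    return s.authenticated or in_nets(s.client_ip, CUSTOMER_NETS)

def strict_port_25(s):
    """Model of the requested checkbox: port 25 needs a trusted IP or AUTH."""
    if s.port == 587:
        return s.authenticated
    return s.authenticated or in_nets(s.client_ip, GATEWAYS + CUSTOMER_NETS)

def gateway_bypass(sessions):
    """Sessions accepted under relay control that the strict policy would refuse."""
    return [s for s in sessions if relay_for_addresses(s) and not strict_port_25(s)]

SAMPLE = [  # constructed sessions
    Session("192.0.2.10", 25, False, "user@example.net"),       # filtered mail from IMGate
    Session("203.0.113.77", 25, False, "user@example.net"),     # direct to IMail, skips the MX
    Session("203.0.113.50", 25, True, "friend@example.org"),    # traveling user with AUTH
    Session("198.51.100.20", 25, False, "friend@example.org"),  # customer on a trusted block
    Session("203.0.113.77", 25, False, "other@example.org"),    # unauthenticated relay attempt
]

if __name__ == "__main__":
    for s in gateway_bypass(SAMPLE):
        print("accepted today, refused by strict mode:", s)
```

Only the direct-to-server delivery for a local mailbox differs between the two policies; relaying is already refused in both, which is why the replies about "relay for addresses" do not address the original complaint.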
