Putting a firewall between IMGate and Imail which does a port forwarding from 25 to 587 is probably the solution at this time.
Jonas Fornander - System Administrator
Netwood Communications,LLC - www.netwood.net
Find out why we're better - 310-442-1530

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Barker
> Sent: Monday, July 11, 2005 11:53 AM
> To: [email protected]
> Subject: RE: [IMail Forum] Need help with configuring anti-spam
>
> That's an interesting configuration. If you have a firewall, the answer is
> simple. Set up IMail for 587 normally. Portmap inbound (unless from IMgate)
> 25 to 587.
>
> So, legitimate inbound, honoring the MX record, will hit IMGate. A spammer
> in China will hit IMail on 587, and fail. IMgate can hit IMail's port 25
> because it's inside the firewall (or routed "correctly" by the firewall).
>
> What firewall are you using? We may be able to help you with the rules.
>
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Jonas Fornander
> Sent: Monday, July 11, 2005 2:43 PM
> To: [email protected]
> Subject: RE: [IMail Forum] Need help with configuring anti-spam
>
> A firewall will not help because I need traveling users to be able to
> connect to Imail (authenticated users) so port 25 needs to be open in
> the firewall for access to Imail.
>
> Our MX records point to our Imgates. Legit mail servers send mail to
> those servers. If now a spammer in China configures his Linux server
> to send mail directly to Imail (mail.netwood.net) he will now bypass
> our mail gateways and Imail will happily receive and process all that
> mail because it arrives on port 25.
>
> Therefore port 25 needs to be blocked for ALL mail except for trusted
> IP's (our IMGates) and authenticated users (our traveling users).
>
> This is exactly how it works if we spend the time to convert all users
> to use port 587.
>
> My problem with this is that why should we have to pay the money in
> salaries and time to configure ALL our users' email programs when
> Ipswitch has all the functions already to accomplish this on port 25?
> They are already doing it on port 587. Why can't there be a checkbox
> in SMTP security which enables "Enable strict authentication on port
> 25"? This way we don't have to do ANY changes whatsoever to any
> users for any legit mail that they want to send and receive.
>
> Jonas Fornander - System Administrator
> Netwood Communications,LLC - www.netwood.net
> Find out why we're better - 310-442-1530
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Barker
> > Sent: Monday, July 11, 2005 8:35 AM
> > To: [email protected]
> > Subject: RE: [IMail Forum] Need help with configuring anti-spam
> >
> > If you are trying what I think you are trying (correct me if I'm wrong - All
> > inbound email is to come from the IMgate machine, which is on the "permit"
> > list of IPs), this sounds like a job for a firewall, not for IMail.
> >
> > IMail expects to deliver anything bound to a local account without
> > authentication, on port 25. That is "how email works". If you are seeing
> > spam come through IMail by dint of IMail listening on port 25 vs. IMail
> > being on your MX record, then your firewall can easily stop that in its
> > tracks.
> >
> > Or am I too reading your original post wrong?<g>
> >
> > Dan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > Jonas Fornander
> > Sent: Monday, July 11, 2005 11:05 AM
> > To: [email protected]
> > Subject: RE: [IMail Forum] Need help with configuring anti-spam
> >
> > I have RTFM.
> > Please read my post.
> > It has nothing to do with who can send out mail.
> >
> > I don't want Imail to receive mail to ANY users if that mail is NOT
> > sent from a trusted IP or authenticated.
> >
> > There is no way of doing this AFAIK unless we switch all users to use
> > port 587 and block access to port 25 to Imail from the Internet.
> >
> > Jonas Fornander - System Administrator
> > Netwood Communications,LLC - www.netwood.net
> > Find out why we're better - 310-442-1530
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
> > > Sent: Monday, July 11, 2005 5:50 AM
> > > To: [email protected]
> > > Subject: RE: [IMail Forum] Need help with configuring anti-spam
> > >
> > > "Imail should only accept mail from trusted IP addresses and
> > > authenticated users on port 25"
> > >
> > > No checkbox necessary. If you have "relay for addresses" (as you stated
> > > you did) then you ALREADY REQUIRE authentication except for the IP
> > > addresses listed. RTFM.
> > >
> > > "Would it work if I change the alternate authentication port 587 to 25
> > > in the registry?"
> > >
> > > For what purpose? SMTP AUTH ALREADY WORKS ON PORT 25!!! It always has.
> > > Port 587 is there specifically for those clients that can't connect on
> > > port 25 due to their ISP's blocking that port outbound.
> > >
> > > Here's the thing, in your original post, you described your setup as
> > > this: relay for addresses (good), port 587 enabled (good), but then you
> > > thought you needed control access, but you didn't. Just relay for
> > > addresses and port 587 will get you EXACTLY what you want. No one will
> > > be able to send any mail, no matter what port they use, unless they
> > > authenticate (port 25 OR port 587), or unless they are in your trusted
> > > IP range (port 25 only).
> > >
> > > Once again, please RTFM.
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Jonas Fornander
> > > > Sent: Sunday, July 10, 2005 11:28 PM
> > > > To: [email protected]
> > > > Subject: RE: [IMail Forum] Need help with configuring anti-spam
> > > >
> > > > It would but it doesn't change the fact (for me) that it's a
> > > > workaround.
> > > >
> > > > Why should we have to go through all this work to move every
> > > > single user to port 587 when all that is needed is a checkbox
> > > > in Imail that says "Enable strict authentication on port 25".
> > > > IOW, Imail should only accept mail from trusted IP addresses
> > > > and authenticated users on port 25 when this checkbox is selected.
> > > > How hard would it be for Ipswitch to implement this? I bet you can
> > > > whip this out in an afternoon. You already have all the ingredients.
> > > > In this scenario we don't have to do a single change to any users and
> > > > no-one will be able to spew spam directly to Imail. There
> > > > would also be no need to SPF since those senders would neither
> > > > authenticate nor send from a trusted IP.
> > > >
> > > > Would it work if I change the alternate authentication port
> > > > 587 to 25 in the registry? What would happen?
> > > >
> > > > Jonas Fornander - System Administrator
> > > > Netwood Communications,LLC - www.netwood.net
> > > > Find out why we're better - 310-442-1530
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Eric
> > > > > Shanbrom
> > > > > Sent: Sunday, July 10, 2005 3:28 PM
> > > > > To: [email protected]
> > > > > Subject: Re: [IMail Forum] Need help with configuring anti-spam
> > > > >
> > > > > Since at this time there is only one ACL for the SMTP service this is
> > > > > your problem....
> > > > > my setup would be like this for this scenario:
> > > > >
> > > > > Router with IMGate in the DMZ
> > > > > IMail server on internal network
> > > > > IMail relays for internal network and requires auth on port 587
> > > > > Outbound mail to gateway (IMGate machine)
> > > > >
> > > > > FW Rules:
> > > > > all external port 25 traffic to DMZ
> > > > > no external port 25 to internal
> > > > > Port 587 allowed to IMail
> > > > > Your users are given port 587 (set to require auth) for their outgoing
> > > > > mail
> > > > >
> > > > > I believe this will accomplish what you are wanting
> > > > >
> > > > > Eric S
> > > > >
> > > > > Jonas Fornander wrote:
> > > > >
> > > > > >I thought I understood how to configure Imail with port 587 but now
> > > > > >I'm more confused than ever. I hope someone can un-confuse me.
> > > > > >This is our setup:
> > > > > >
> > > > > >Our MX records point to Imgate
> > > > > >
> > > > > >Our hosting, DSL and dialup users have mail.netwood.net as their
> > > > > >outgoing server which is Imail. This server is configured to "Relay
> > > > > >for addresses" and our IP blocks are listed.
> > > > > >
> > > > > >Our Imail is running 8.20 and port 587 is enabled and working. If I
> > > > > >change my own account to use port 587 it works if I enable "My
> > > > > >outgoing server requires authentication".
> > > > > >
> > > > > >So everything is working as it should, sooooo now what?
> > > > > >
> > > > > >I thought that I would be able to go to SMTP Security -> Control
> > > > > >Access and deny access for all IP addresses EXCEPT for our trusted IP
> > > > > >blocks. Then users on non-trusted IP addresses would be able to send
> > > > > >out mail using port 587 if they were authenticated.
> > > > > >However if I deny
> > > > > >access to a non-trusted IP in SMTP Security -> Control Access then
> > > > > >they can't send out mail on port 587 either, even if they
> > > > > >authenticate. :-(
> > > > > >
> > > > > >What am I missing?
> > > > > >
> > > > > >How can I make our users - on trusted IP addresses - being able to
> > > > > >use mail.netwood.net to send out mail and our users - on non-trusted
> > > > > >IP addresses - to send out mail on port 587 (with authentication) and
> > > > > >ALL other mail, sent directly to the Imail server should be rejected?
> > > > > >
> > > > > >Jonas Fornander - System Administrator
> > > > > >Netwood Communications,LLC - www.netwood.net
> > > > > >Find out why we're better - 310-442-1530
> > > > >
> > > > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > > > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> > > > >
> > > > > --
> > > > > No virus found in this incoming message.
> > > > > Checked by AVG Anti-Virus.
> > > > > Version: 7.0.323 / Virus Database: 267.8.11/45 - Release Date: 7/9/2005
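
Added example, not part of the original thread and not IMail or IMGate code: a small Python model of the admission rules the messages above describe (port 25 and 587 behaviour, and the firewall portmap of inbound 25 to 587), run over constructed connections. The IP ranges, the names and the `exempt` parameter are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges), not taken from the thread.
IMGATE = ip_network("192.0.2.10/32")      # gateway the MX records point to
TRUSTED = ip_network("198.51.100.0/24")   # block listed under "relay for addresses"

@dataclass(frozen=True)
class Conn:
    src: str          # client IP address
    port: int         # port the client dials: 25 or 587
    auth: bool        # client performs SMTP AUTH
    local_rcpt: bool  # recipient is a local mailbox, so no relay is needed

def imail_accepts(c: Conn) -> bool:
    """Mail server as the thread describes it: 587 requires AUTH; 25 delivers
    to local mailboxes without AUTH and relays for listed IPs or AUTH."""
    if c.port == 587:
        return c.auth
    return c.local_rcpt or c.auth or ip_address(c.src) in TRUSTED

def admitted(c: Conn, portmap: bool = False, exempt=(IMGATE,)) -> bool:
    """portmap=True models a firewall that rewrites inbound 25 to 587 unless
    the source is exempt; portmap=False means 25 reaches the server directly."""
    src = ip_address(c.src)
    if portmap and c.port == 25 and not any(src in net for net in exempt):
        c = replace(c, port=587)
    return imail_accepts(c)

SAMPLES = {  # constructed connections
    "imgate_delivery":  Conn("192.0.2.10", 25, False, True),
    "direct_spammer":   Conn("203.0.113.7", 25, False, True),
    "traveling_user":   Conn("203.0.113.50", 25, True, False),
    "trusted_customer": Conn("198.51.100.20", 25, False, False),
}

def outcomes(**kw) -> dict:
    """Admission result for every sample under one firewall configuration."""
    return {name: admitted(c, **kw) for name, c in SAMPLES.items()}

if __name__ == "__main__":
    print("no firewall      ", outcomes())
    print("portmap          ", outcomes(portmap=True))
    print("portmap + blocks ", outcomes(portmap=True, exempt=(IMGATE, TRUSTED)))
```

In this model the portmap rejects the unauthenticated direct sender while the traveling user keeps dialing port 25, and an unauthenticated client on a listed block is admitted only when that block is also exempted at the firewall; that last point follows from the model's assumptions, not from a statement in the thread.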
