Re: [courier-users] Outgoing only mail server
On 4/1/2013 10:44 PM, Mark Constable wrote:
>>>> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.

On 02.04.13 15:41, Bowie Bailey wrote:
>>> If you set AUTH_REQUIRED in all of the esmtpd-* config files, then even if the port is available, no one will be able to send any mail through it without authenticating.

On 4/2/2013 3:51 PM, Matus UHLAR - fantomas wrote:
>> just do NOT set it in esmtpd file, because you would not receive any mail from outside :-)

On 02.04.13 16:07, Bowie Bailey wrote:
> That WAS the intended effect in this case...

Sorry, I'm still having the feeling that you can do this on your main server and simply switch outgoing IP, instead of requiring your users to change their SMTP/submission server.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.

___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Outgoing only mail server
Thanks to all for suggestions. A few things I learnt: don't rely on old config files between upgrades; I didn't know about SOURCE_ADDRESS and it does work on an older Debian 6 (stable) version 0.65.0; and it should have been obvious, but outgoing connections to other mailservers do not rely on an open port 25. Oh, and SSL is/was only needed for older Outlook clients (I've never used Windows so I wouldn't know).

So I have this working on a small 128Mb VPS (currently using 40Mb ram) where I only have port 22 for SSH and port 587 visible and TLS is enforced so clients have to use port 587/TLS with authentication. Cool.

These are the only packages installed (Ubuntu 13.04 in this case)...

courier-authdaemon      0.63.0-6
courier-authlib         0.63.0-6
courier-authlib-mysql   0.63.0-6
courier-authlib-userdb  0.63.0-6
courier-base            0.68.2-1ubuntu1
courier-mta             0.68.2-1ubuntu1
courier-ssl             0.68.2-1ubuntu1

and in the end these were the 2 main settings I had to change from default, other than provide the right SSL certificate...

/etc/courier/esmtpd
ESMTP_TLS_REQUIRED=1
ESMTPDSTART=NO

The only other little bit of a trick was using a SSH tunnel back to MySQL on our main mailserver to avoid blowing the ram on this small VPS. Most of the instructions for how to do this I got from this page...

http://linuxaria.com/howto/permanent-ssh-tunnels-with-autossh

where the critical settings in /etc/courier/authmysqlrc are...

MYSQL_PORT      3306
MYSQL_SERVER    127.0.0.1
#MYSQL_SOCKET   /var/run/mysqld/mysqld.sock

The main reason for doing the above was a) I did not want to expose port 3306 on our main server and b) I couldn't be bothered setting up a VPN for just this case when a simple SSH tunnel is all I need.
Re: [courier-users] Outgoing only mail server
On 04/03/13 17:43, Matus UHLAR - fantomas wrote:
> Sorry, I'm still having the feeling that you can do this on your main server and simply switch outgoing IP, instead of requiring your users to change their SMTP/submission server

In my case, now that I am aware of SOURCE_ADDRESS, that is exactly what I will do in the future, and when Debian updates to wheezy and I can use less than ancient packages I'll re-investigate setting up courier vhosts.

For the purpose of this small/cheap VPS based alternate mail server, I still want to keep it around in case... whatever, it may be handy to have another outgoing mailserver (for $20/yr!) and I am happy that with reduced ports and services it won't be a maintenance burden and hopefully will just work when it's actually needed. I'm glad I didn't have to deal with firewall rules or MySQL replication and only needed to twiddle one config file and install autossh as an additional package.
Re: [courier-users] Outgoing only mail server
On 2/04/2013 14:08, Sam Varshavchik wrote:
> Mark Constable writes:
>> On 04/02/13 09:17, Sam Varshavchik wrote:
>>>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX.
>>> But how are you getting mail to your backup outgoing server? Probably by SMTP from your main servers, so you can't really shut down smtp.
>> It's a VPS, as in a virtual private server, not a VPN although I should have considered that option.
>>
>> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.
>>
>> I just don't want any mail from the outside world coming back into this server via port 25 and would rather not have port 25 even showing up in a port scan so potential spammers don't even try. Ideally, on this server, I just want to expose ports 22 and 587 and that's all. The port 587 authentication is done via a ssh tunnel back to the main servers MySQL database so even port 3306 is not exposed (either end).
>
> I don't think you need to have your clients change their outgoing mail server.
>
> Change your backup mailserver's primary hostname/domainname to some dummy, internal label, like 'backup.local'. So, by default, the backup mail server won't accept any mail for any real domain. Attempting to deliver any mail to it, for any domain, would, by default, get rejected as a relaying attempt.
>
> You don't need to change the addresses or the ports it's listening on, by default. Let it be open. Courier's pretty good at ignoring someone banging on its ports. Just the other day I watched as someone tried password cracking, via authenticated SMTP, with Courier ending up dropping most connections altogether, since they quickly exceeded the default setting of four connections from the same IP address.
>
> Anyway, just list your primary mail server's IP address in your backup server's smtpaccess, with RELAYCLIENT set, so your primary is able to connect to your backup server, and relay/smarthost all outgoing mail. When you want to do that, put your backup server into your primary's esmtproutes:
>
> : backup.domain.com
>
> And Courier will then start sending out all outgoing mail through your backup server. Your clients can still connect and authenticate to your primary, which will forward all of its mail through the backup.
>
> You can have varying levels of security configured. The default would be good enough for most simple situations. Short of someone hijacking your IP address, the backup MX will only accept mail from your primary, because only its IP address has RELAYCLIENT set. You could even go the full hog, and set up the SECURITY STARTTLS Courier-only extension, with a private certificate authority, and require the primary and the backup server exchange privately-signed certificates, before they'll agree to swap mail. That's going to be pretty much as nailed down as it could possibly get – but in all cases you'll want RELAYCLIENT set only for your primary's IPs.

There's also the option of playing with iptables, which can do all of this as well, either instead of the above or in addition to it for extra tightening of the system.

Set your firewall rules like this and you'll achieve the same effects as what's been discussed so far:

- allow all inbound traffic on loopback (-i lo -j ACCEPT);
- accept connections to port 22 and any email input ports from end users (ie port 587) on all interfaces (-p tcp --dport 22, etc.);
- allow all SMTP traffic from your primary host (-i inside interface -p tcp -s primary MX ip --dport 25);
- allow inbound replies to outbound traffic (-i outside interface -m state --state=ESTABLISHED,RELATED);
- and drop the rest via the INPUT chain policy (:INPUT DROP).

Either then put :OUTPUT ACCEPT as the policy for the OUTPUT chain, or (be careful here so that you don't lock yourself out of the system):

- allow all outbound traffic on loopback (-o lo -j ACCEPT);
- allow traffic for existing connections (-m state --state=ESTABLISHED,RELATED);
- allow all traffic out heading TO port 25, 465 and/or 587 as appropriate (-p tcp --dport 25, etc.);
- allow SSH traffic out (-p tcp --sport 22);
- allow SMTP traffic to primary host (-o inside interface -p tcp -d primary MX ip --dport 25);
- and drop the rest via the OUTPUT chain policy (:OUTPUT DROP).

Typically, I will set my firewall(s) to only allow the traffic I need to come in to the system, only install packages via apt-get from the Debian sources and use :OUTPUT ACCEPT as I trust myself to not let my servers become bad netizens without my involvement, and I usually treat traffic coming in to a firewall system from the LAN in the same way until I notice bad behaviour from a device on the LAN (-i inside
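The rule list described in the message above, written out as an iptables-restore file. This is an added example, not the poster's own script: the primary MX address and interface names are parameters, IPv4 only, ESTABLISHED,RELATED is accepted on every interface rather than only the outside one, a rate-limited LOG rule is placed before the INPUT DROP policy so rejected connection attempts are visible, and outbound DNS is opened because an MTA behind an OUTPUT DROP policy cannot resolve MX records without it (the thread's list leaves DNS implicit).

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for the
# outgoing-only relay. Nothing is applied; pipe the output to iptables-restore.
# Assumptions: IPv4; a single *filter table; DNS and the LOG rule are my additions.

# relay_ruleset PRIMARY_IP INSIDE_IF OUTSIDE_IF [SUBMISSION_PORTS]
# SUBMISSION_PORTS is a space-separated list, default "587" (add 465 for old Outlook).
relay_ruleset() {
    primary=$1; inside=$2; outside=$3; ports=${4:-587}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets of flows already allowed (replies to our deliveries, SSH sessions;
# this also covers the "-p tcp --sport 22" outbound rule from the thread)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# admin SSH from anywhere
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    # client submission port(s) from anywhere; authentication and TLS are
    # enforced by Courier (AUTH_REQUIRED / ESMTP_TLS_REQUIRED), not here
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
# inbound SMTP only from the primary MX, and only on the inside interface
-A INPUT -i $inside -p tcp -s $primary --dport 25 -j ACCEPT
# record what the DROP policy is about to discard on the outside interface (assumption)
-A INPUT -i $outside -m limit --limit 5/min -j LOG --log-prefix "relay-drop: "
# outbound: DNS for MX lookups (assumption), mail to the world, mail to the primary
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A OUTPUT -o $inside -p tcp -d $primary --dport 25 -j ACCEPT
COMMIT
EOF
}

# Run directly with arguments to print the ruleset, e.g.
#   sh relay-fw.sh 192.0.2.10 eth1 eth0 "587 465" | iptables-restore --test
if [ $# -ge 3 ]; then
    relay_ruleset "$@"
fi
```

Validate with `iptables-restore --test` before applying, and keep a console or out-of-band session open the first time, since the OUTPUT DROP policy is where people lock themselves out.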
Re: [courier-users] Outgoing only mail server
>>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted

On 04/02/13 02:24, Matus UHLAR - fantomas wrote:
>> What do you mean by outgoing mail?

On 02.04.13 12:20, Mark Constable wrote:
> Mail in to this server via ports 587/465 and out to the rest of the world.

I gave two possible explanations, did you accept either? :-)

I assume you require SMTP authentication on your server (it's even better than allowing connections only from your network, and needed when your clients can connect from outside), so only authenticated clients can send mail via this server.

>> The allowed ports only depend on your clients' mail configuration, if they only send mail using 587/submission, you don't need other ports open.

> I guess what I don't understand is that this server will send mail to other mailservers from its port 25 (I presume) so it needs to be open.

No, your server will connect from random ports to other mailservers' SMTP.

>> However: you don't need to have extra server, you can change outgoing IP on your mailserver by specifying SOURCE_ADDRESS= in ${ETC}/courier, if you get into problems. This means nobody has to change configuration of its client.

> blink Really! I was unaware of this setting so maybe my Debian stable version 0.65.0 does not have this setting. My configs do not have it although they are probably up to 5 years old now. Would you or Sam mind confirming when SOURCE_ADDRESS became available?

/etc/courier/courierd afaik. While Sam mentioned new configuration file for outgoing mail in 0.68, Debian version (0.65) apparently does not support that yet.

You need to change SOURCE_ADDRESS= there and restart courier process (courier restart should do that, no need to restart listeners).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: [courier-users] Outgoing only mail server
On 4/1/2013 10:44 PM, Mark Constable wrote:
> On 04/02/13 09:17, Sam Varshavchik wrote:
>>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX.
>> But how are you getting mail to your backup outgoing server? Probably by SMTP from your main servers, so you can't really shut down smtp.
>
> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.

If you set AUTH_REQUIRED in all of the esmtpd-* config files, then even if the port is available, no one will be able to send any mail through it without authenticating.

> I just don't want any mail from the outside world coming back into this server via port 25 and would rather not have port 25 even showing up in a port scan so potential spammers don't even try. Ideally, on this server, I just want to expose ports 22 and 587 and that's all. The port 587 authentication is done via a ssh tunnel back to the main servers MySQL database so even port 3306 is not exposed (either end).

I would block this with a firewall rule if you want to make sure the ports are not exposed to the outside.

-- 
Bowie
Re: [courier-users] Outgoing only mail server
On 4/1/2013 10:44 PM, Mark Constable wrote:
>> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.

On 02.04.13 15:41, Bowie Bailey wrote:
> If you set AUTH_REQUIRED in all of the esmtpd-* config files, then even if the port is available, no one will be able to send any mail through it without authenticating.

just do NOT set it in esmtpd file, because you would not receive any mail from outside :-)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: [courier-users] Outgoing only mail server
On 4/2/2013 3:51 PM, Matus UHLAR - fantomas wrote:
> On 4/1/2013 10:44 PM, Mark Constable wrote:
>>> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.
>
> On 02.04.13 15:41, Bowie Bailey wrote:
>> If you set AUTH_REQUIRED in all of the esmtpd-* config files, then even if the port is available, no one will be able to send any mail through it without authenticating.
>
> just do NOT set it in esmtpd file, because you would not receive any mail from outside :-)

That WAS the intended effect in this case...

-- 
Bowie
Re: [courier-users] Outgoing only mail server
Bowie Bailey writes:
> On 4/1/2013 10:44 PM, Mark Constable wrote:
>> On 04/02/13 09:17, Sam Varshavchik wrote:
>>>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX.
>>> But how are you getting mail to your backup outgoing server? Probably by SMTP from your main servers, so you can't really shut down smtp.
>>
>> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.
>
> If you set AUTH_REQUIRED in all of the esmtpd-* config files, then even if the port is available, no one will be able to send any mail through it without authenticating.

For the purposes of this discussion, this won't be sufficient unless you'll also enforce mandatory encryption, with full certificate verification, in any one of several ways this can be done with Courier. You don't want to do password-based authentication in the clear over the wide Internet.

But, CRAM-MD5 would actually be ok, in this instance, if you want to bother with the hassle of setting it up.
Re: [courier-users] Outgoing only mail server
On 02.04.13 00:39, Mark Constable wrote:
> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX. What config settings could I safely tweak to turn off port 25 and still allow outgoing mail to be delivered?
>
> 25/tcp  open  smtp
> 465/tcp open  smtps
> 587/tcp open  submission

What do you mean by outgoing mail? If your clients send mail through your mail server, then it's incoming mail for that server, even if it's outgoing for your organization.

The allowed ports only depend on your clients' mail configuration, if they only send mail using 587/submission, you don't need other ports open.

Outlook up to 2007 (and Outlook Express until 6 I think) can only use SSL protocol which requires 465/ssl to be open (and this is the only/main reason why this port is being used in the world).

I advise you deny port 25, unless you have clients that can't change ports.

However: you don't need to have extra server, you can change outgoing IP on your mailserver by specifying SOURCE_ADDRESS= in ${ETC}/courier, if you get into problems. This means nobody has to change configuration of its client.

Note that you MUST clear your problem and mail queue before you change your IP, otherwise you will only get your new IP banned.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: [courier-users] Outgoing only mail server
Mark Constable writes:
> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX. What config settings could I safely tweak to turn off port 25 and still allow outgoing mail to be delivered?
>
> 25/tcp  open  smtp
> 465/tcp open  smtps
> 587/tcp open  submission

All you have to do is basically not start the esmtp listeners. Depending on what startup scripts you're using, it should be a matter of setting ESMTPDSTART=NO (in esmtpd and esmtpd-msa) and ESMTPDSSLSTART=NO (in esmtpd-ssl).

But how are you getting mail to your backup outgoing server? Probably by SMTP from your main servers, so you can't really shut down smtp.

What you should do is bind your esmtp listeners to the server's IP on your VPN. Just set the ADDRESS in your config file to your backup server's IP address that's reachable via the VPN, so it's only going to accept mail over SMTP over the VPN, and won't listen on the public IP addresses.
Re: [courier-users] Outgoing only mail server
On 04/02/13 02:24, Matus UHLAR - fantomas wrote:
>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted
>
> What do you mean by outgoing mail?

Mail in to this server via ports 587/465 and out to the rest of the world.

> The allowed ports only depend on your clients' mail configuration, if they only send mail using 587/submission, you don't need other ports open.

I guess what I don't understand is that this server will send mail to other mailservers from its port 25 (I presume) so it needs to be open. I just don't want any offsite incoming mail (not from our clients) coming back through this server, ie; not used as a 2nd MX.

> Outlook up to 2007 (and Outlook Express until 6 I think) can only use SSL protocol which requires 465/ssl to be open (and this is the only/main reason why this port is being used in the world).

Thanks for that, it's never been clear to me why there are 2 ports.

> However: you don't need to have extra server, you can change outgoing IP on your mailserver by specifying SOURCE_ADDRESS= in ${ETC}/courier, if you get into problems. This means nobody has to change configuration of its client.

blink Really! I was unaware of this setting so maybe my Debian stable version 0.65.0 does not have this setting. My configs do not have it although they are probably up to 5 years old now. Would you or Sam mind confirming when SOURCE_ADDRESS became available?

> Note that you MUST clear your problem and mail queue before you change your IP, otherwise you will only get your new IP banned.

Yep, done that. Just one client with a compromised password.
Re: [courier-users] Outgoing only mail server
Mark Constable writes:
> On 04/02/13 02:24, Matus UHLAR - fantomas wrote:
>>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted
>> What do you mean by outgoing mail?
>
> Mail in to this server via ports 587/465 and out to the rest of the world.
>
>> The allowed ports only depend on your clients' mail configuration, if they only send mail using 587/submission, you don't need other ports open.
>
> I guess what I don't understand is that this server will send mail to other mailservers from its port 25 (I presume) so it needs to be open. I just don't want any offsite incoming mail (not from our clients) coming back through this server, ie; not used as a 2nd MX.

Have this server listen only on its internal port that's reachable only via your VPN.

>> However: you don't need to have extra server, you can change outgoing IP on your mailserver by specifying SOURCE_ADDRESS= in ${ETC}/courier, if you get into problems. This means nobody has to change configuration of its client.
>
> blink Really! I was unaware of this setting so maybe my Debian stable version 0.65.0 does not have this setting. My configs do not have it although they are probably up to 5 years old now. Would you or Sam mind confirming when SOURCE_ADDRESS became available?

The logs on that one go pretty far back. Looks like it predates the source being imported into its current subversion repository. In fact, it's so old, it's been superseded by other settings, as noted.

But, yes, if you can assign an additional IP address to your server, you can have all outgoing mail use it. In 0.68, SOURCE_ADDRESS has been superseded by the ipout configuration file, which is settable, and it takes effect without having to restart Courier. Changing SOURCE_ADDRESS in courierd requires a server restart, to take effect, so that's even better.
Re: [courier-users] Outgoing only mail server
On 04/02/13 09:17, Sam Varshavchik wrote:
>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX.
>
> But how are you getting mail to your backup outgoing server? Probably by SMTP from your main servers, so you can't really shut down smtp.

It's a VPS, as in a virtual private server, not a VPN although I should have considered that option.

Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.

I just don't want any mail from the outside world coming back into this server via port 25 and would rather not have port 25 even showing up in a port scan so potential spammers don't even try. Ideally, on this server, I just want to expose ports 22 and 587 and that's all. The port 587 authentication is done via a ssh tunnel back to the main servers MySQL database so even port 3306 is not exposed (either end).
Re: [courier-users] Outgoing only mail server
Mark Constable writes:
> On 04/02/13 09:17, Sam Varshavchik wrote:
>>> I set up one small VPS as an alternate outgoing mail server for those times when our main mailservers gets blacklisted and do not want it to handle incoming mail or act as a 2nd MX.
>> But how are you getting mail to your backup outgoing server? Probably by SMTP from your main servers, so you can't really shut down smtp.
>
> It's a VPS, as in a virtual private server, not a VPN although I should have considered that option.
>
> Main mailserver gets blocked, clients who have issues are advised to change their outgoing mailserver setting to alternate server, they otherwise send normally (ie, authenticated via ports 465/587) and this server relays these messages to the rest of the world from a different source address.
>
> I just don't want any mail from the outside world coming back into this server via port 25 and would rather not have port 25 even showing up in a port scan so potential spammers don't even try. Ideally, on this server, I just want to expose ports 22 and 587 and that's all. The port 587 authentication is done via a ssh tunnel back to the main servers MySQL database so even port 3306 is not exposed (either end).

I don't think you need to have your clients change their outgoing mail server.

Change your backup mailserver's primary hostname/domainname to some dummy, internal label, like 'backup.local'. So, by default, the backup mail server won't accept any mail for any real domain. Attempting to deliver any mail to it, for any domain, would, by default, get rejected as a relaying attempt.

You don't need to change the addresses or the ports it's listening on, by default. Let it be open. Courier's pretty good at ignoring someone banging on its ports. Just the other day I watched as someone tried password cracking, via authenticated SMTP, with Courier ending up dropping most connections altogether, since they quickly exceeded the default setting of four connections from the same IP address.

Anyway, just list your primary mail server's IP address in your backup server's smtpaccess, with RELAYCLIENT set, so your primary is able to connect to your backup server, and relay/smarthost all outgoing mail. When you want to do that, put your backup server into your primary's esmtproutes:

: backup.domain.com

And Courier will then start sending out all outgoing mail through your backup server. Your clients can still connect and authenticate to your primary, which will forward all of its mail through the backup.

You can have varying levels of security configured. The default would be good enough for most simple situations. Short of someone hijacking your IP address, the backup MX will only accept mail from your primary, because only its IP address has RELAYCLIENT set. You could even go the full hog, and set up the SECURITY STARTTLS Courier-only extension, with a private certificate authority, and require the primary and the backup server exchange privately-signed certificates, before they'll agree to swap mail. That's going to be pretty much as nailed down as it could possibly get – but in all cases you'll want RELAYCLIENT set only for your primary's IPs.
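An audit script for the configuration this thread arrives at, covering both Mark's final settings (ESMTPDSTART=NO on port 25, ESMTP_TLS_REQUIRED=1, authmysqlrc pointing at the local end of the SSH tunnel), Bowie's AUTH_REQUIRED, and Sam's caveat above that RELAYCLIENT must be granted only to the primary's IP. This is an added example, not Courier's own tooling; the Debian paths, the fixture values, and the assumption that the esmtpd-msa and esmtpd-ssl start scripts read esmtpd first and then override it from their own file are mine.

```shell
#!/bin/sh
# Added example, not Courier's own tooling: audit a Courier box that is meant to be
# an outgoing-only, authenticated relay, using the settings named in this thread.
# Assumptions (mine, not the thread's): Debian layout under /etc/courier; the
# esmtpd-msa and esmtpd-ssl start scripts read esmtpd first and then their own
# file, so a key missing from esmtpd-msa falls back to esmtpd; smtpaccess lines
# are "<ip-or-prefix><TAB>allow,RELAYCLIENT" and are compiled by makesmtpaccess.

# Last KEY=value assignment in a shell-style config file, quotes stripped.
conf_get() {  # $1 file, $2 key
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Effective value for a listener: its own file overrides esmtpd (assumption above).
effective() {  # $1 confdir, $2 listener file (esmtpd-msa or esmtpd-ssl), $3 key
    v=$(conf_get "$1/$2" "$3")
    [ -n "$v" ] || v=$(conf_get "$1/esmtpd" "$3")
    printf '%s\n' "$v"
}

# authmysqlrc is "KEY<whitespace>value"; last assignment wins, comments ignored.
authrc_get() {  # $1 file, $2 key
    [ -f "$1" ] || return 0
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# IPs or prefixes that receive RELAYCLIENT in a smtpaccess file.
relayclient_grants() {  # $1 smtpaccess file
    [ -f "$1" ] || return 0
    awk -F'\t' '!/^#/ && $2 ~ /RELAYCLIENT/ { print $1 }' "$1"
}

fails=0
check() {  # $1 label, $2 actual, $3 wanted
    if [ "$2" = "$3" ]; then
        echo "OK   $1 = '$2'"
    else
        echo "FAIL $1 = '$2' (want '$3')"; fails=$((fails + 1))
    fi
}

# One line per finding, then "failures: N".
audit_courier() {  # $1 confdir, $2 IP of the primary mail server
    d=$1; primary=$2; fails=0
    # Listeners: only the submission port (587) should be started.
    check "esmtpd ESMTPDSTART (port 25)"     "$(conf_get "$d/esmtpd" ESMTPDSTART)"        NO
    check "esmtpd-ssl ESMTPDSSLSTART (465)"  "$(conf_get "$d/esmtpd-ssl" ESMTPDSSLSTART)" NO
    check "esmtpd-msa ESMTPDSTART (587)"     "$(conf_get "$d/esmtpd-msa" ESMTPDSTART)"    YES
    # Submission must require TLS and authentication before accepting mail.
    check "msa effective ESMTP_TLS_REQUIRED" "$(effective "$d" esmtpd-msa ESMTP_TLS_REQUIRED)" 1
    check "msa effective AUTH_REQUIRED"      "$(effective "$d" esmtpd-msa AUTH_REQUIRED)"      1
    # The auth DB is reached via the local end of the SSH tunnel, not a remote host or socket.
    check "authmysqlrc MYSQL_SERVER"         "$(authrc_get "$d/authmysqlrc" MYSQL_SERVER)" 127.0.0.1
    check "authmysqlrc MYSQL_SOCKET unset"   "$(authrc_get "$d/authmysqlrc" MYSQL_SOCKET)" ""
    # RELAYCLIENT only for the primary's IP: any other grant lets that host relay unauthenticated.
    for ip in $(relayclient_grants "$d/smtpaccess/default"); do
        check "RELAYCLIENT grant for $ip" "$ip" "$primary"
    done
    echo "failures: $fails"
}

# Failure count only, for use from other scripts.
audit_failures() { audit_courier "$1" "$2" | sed -n 's/^failures: //p'; }

# Constructed fixture, not a real host's config: $1 = good|bad. Prints its path.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/smtpaccess"
    if [ "$1" = good ]; then
        printf 'ESMTPDSTART=NO\nESMTP_TLS_REQUIRED=1\nAUTH_REQUIRED=1\n' > "$d/esmtpd"
        printf 'ESMTPDSTART=YES\n' > "$d/esmtpd-msa"
        printf 'ESMTPDSSLSTART=NO\n' > "$d/esmtpd-ssl"
        printf 'MYSQL_PORT\t3306\nMYSQL_SERVER\t127.0.0.1\n#MYSQL_SOCKET\t/var/run/mysqld/mysqld.sock\n' > "$d/authmysqlrc"
        printf '192.0.2.10\tallow,RELAYCLIENT\n' > "$d/smtpaccess/default"
    else
        printf 'ESMTPDSTART=YES\nESMTP_TLS_REQUIRED=0\nAUTH_REQUIRED=0\n' > "$d/esmtpd"
        printf 'ESMTPDSTART=YES\n' > "$d/esmtpd-msa"
        printf 'ESMTPDSSLSTART=YES\n' > "$d/esmtpd-ssl"
        printf 'MYSQL_SERVER\tdb.example.net\nMYSQL_SOCKET\t/var/run/mysqld/mysqld.sock\n' > "$d/authmysqlrc"
        printf '192.0.2.10\tallow,RELAYCLIENT\n198.51.100\tallow,RELAYCLIENT\n' > "$d/smtpaccess/default"
    fi
    echo "$d"
}

# Against a live box: sh courier-audit.sh /etc/courier <primary-ip>
if [ $# -ge 2 ]; then
    audit_courier "$1" "$2"
fi
```

For Sam's variant (port 25 left open, relay only from the primary) the first ESMTPDSTART check is the one to drop; the RELAYCLIENT check is the one that matters in both variants.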