Re: SMTP relay host

2009-09-21 Thread Kevin Bailey

Martin Allan Jensen wrote:

Hi all,

The company I work for has approximately nine mail servers, including 
Postfix, qmail, sendmail and exim.
They would like to make ONE SMTP relay host server so that all their 
customers can use their SMTP server to send mail through.

The customers already get their incoming mail through their mail servers.

I fail to see a way to make this possible without creating an entirely 
open relay, or creating a database with usernames and passwords and 
using SASL.
Does anybody know if it is possible to make the SMTP host contact the 
mail server and verify that the sender email exists on their incoming 
mail server? Or is there another setup recommended?


I'll attach my notes RE setting up SMTP access using SASL - the only 
thing which pops into mind is that SASL can possibly authenticate 
against your own DB - or possibly against IMAP or POP3 for each of the 
mail servers in turn.


Sounds like a tough one - maybe time to get all the servers to auth 
against LDAP - surely it's an idea to have a central DB of all the users.


Kevin

---++ Overview

We want to enable users to be able to send email via the server from any 
location.  For this we will enable SMTP AUTH - this will enable the 
users to use the server to relay mail providing they provide their 
username and password.


Most of the following steps were taken from 'The Book of Postfix' from 
No Starch Press.


Postfix can use SASL as an authentication mechanism - and SASL can in 
turn use the local accounts to verify credentials.


The basic SASL libraries are installed when Postfix is installed on 
Debian Etch - it is necessary to add the libsasl2-modules package to 
enable SASL to authenticate using the main methods.  Postfix has SASL 
support built in by default.


SASL can authenticate as a command line program - but if it is called by 
Postfix then SASL will not be able to authenticate against /etc/passwd 
because Postfix does not run as root.  Therefore we will install 
sasl2-bin and this will install the saslauthd daemon which runs as 
root.  Therefore, Postfix can query the saslauthd daemon which in turn 
queries the local account database.


After installing libsasl2-modules and sasl2-bin...

Edited /etc/default/saslauthd and set START=yes.

Then started the daemon with /etc/init.d/saslauthd restart.

Then followed instructions which came with sasl2-bin in the DEBIAN doc 
file.  See


# most /usr/share/doc/sasl2-bin/README.Debian

NB - Postfix is installed chrooted by default on Debian Etch - see the 
Postfix Debian doc.  This means that the following steps need to be taken.


These are the instructions:


If you run a chrooted server such as Postfix and wish to use saslauthd, you
must place the saslauthd socket ("mux") inside the Postfix chroot. You must
also set correct overrides for the run directory inside the chroot, using
dpkg-statoverride. Finally, you must add the postfix user to the sasl group.
These steps ensure that the Debian subsystems know how you want things to be
laid out.

To place the saslauthd socket inside the Postfix chroot, edit
/etc/default/saslauthd and set OPTIONS like this (you may omit -c):
 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

To set the run directory using dpkg-statoverride, run this command as root:
 dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Finally, to add the postfix user to the sasl group:
 adduser postfix sasl

The init script will automatically create the run directory with the
permissions you have set using dpkg-statoverride. Please note that you must
also configure Postfix correctly. There are many options related to SASL. See
the Postfix documentation for how to do this.


Then restarted saslauthd - this seemed to take a while to restart but 
eventually gets restarted.


Then tested that authentication is working with


# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p password



and


# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p badpassword



The first should be ok and the second should fail.

This shows that SASL is authenticating against a backend (which is 
currently set to use PAM).  This seems to check against the local user 
accounts which is what is required.


Now we need to get Postfix to authenticate SMTP connections against SASL 
- more specifically against saslauthd.


The following parameters were added to /etc/postfix/main.cf. 



# Setting up SMTP authentication.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination



The file /etc/postfix/sasl/smtpd.conf needed to be created with the 
following contents.  This is actually a configuration file for SASL - it 
uses small config files specific for the programs using its services.  
It also seems to dictate which authentication mechanisms get of
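To make the main.cf restriction list in the notes above concrete, here is an added example (not code from the thread, from Kevin's notes, or from Postfix itself): a toy evaluator of a Postfix-style smtpd_recipient_restrictions list. It shows why "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination" lets roaming SASL users and the customer MTAs in mynetworks relay while refusing strangers, and why dropping the final reject turns the host into an open relay. The network ranges, domains, client addresses and the simplified "local domains" set standing in for $mydestination and $relay_domains are all constructed assumptions.

```python
# Added example: toy evaluator for a Postfix-style smtpd_recipient_restrictions
# list. Not Postfix code; networks, domains and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Client:
    ip: str                   # address the SMTP client connected from
    sasl_authenticated: bool  # did it complete SMTP AUTH successfully?
    recipient: str            # RCPT TO address being evaluated


# Constructed stand-ins for $mynetworks and for the domains this host
# accepts mail for ($mydestination, $relay_domains, ... in real Postfix).
MYNETWORKS = ["127.0.0.0/8", "192.168.10.0/24"]
LOCAL_DOMAINS = {"example.com", "example.net"}

SAFE = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
OPEN_RELAY = ["permit_sasl_authenticated", "permit_mynetworks"]  # final reject left out


def in_mynetworks(ip: str, networks: Iterable[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)


def evaluate(restrictions: List[str], client: Client,
             mynetworks: Iterable[str] = MYNETWORKS,
             local_domains: Set[str] = LOCAL_DOMAINS) -> str:
    """Walk the list left to right. The first restriction that yields PERMIT
    or REJECT decides; one that does not match falls through (Postfix's
    DUNNO). Running off the end of the list means PERMIT, as in Postfix."""
    rcpt_domain = client.recipient.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            if client.sasl_authenticated:
                return "PERMIT"
        elif name == "permit_mynetworks":
            if in_mynetworks(client.ip, mynetworks):
                return "PERMIT"
        elif name == "reject_unauth_destination":
            # Only mail for domains we are responsible for may pass here;
            # anything else from a client that got this far is relay abuse.
            if rcpt_domain not in local_domains:
                return "REJECT"
        elif name == "permit":
            return "PERMIT"
        elif name == "reject":
            return "REJECT"
        else:
            raise ValueError(f"unsupported restriction in this toy: {name}")
    return "PERMIT"


def is_open_relay(restrictions: List[str]) -> bool:
    """True if an unauthenticated stranger can relay to a foreign domain."""
    stranger = Client("203.0.113.7", False, "someone@elsewhere.example")
    return evaluate(restrictions, stranger) == "PERMIT"


def demo() -> dict:
    """Decisions under SAFE for the client kinds the thread talks about."""
    cases = {
        "roaming customer with SASL":    Client("203.0.113.7", True, "friend@elsewhere.example"),
        "stranger, foreign recipient":   Client("203.0.113.7", False, "friend@elsewhere.example"),
        "stranger, mail for our domain": Client("203.0.113.7", False, "user@example.com"),
        "customer MTA in mynetworks":    Client("192.168.10.5", False, "friend@elsewhere.example"),
    }
    return {label: evaluate(SAFE, c) for label, c in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:32s} -> {decision}")
    print("open relay with SAFE list:", is_open_relay(SAFE))
    print("open relay without reject_unauth_destination:", is_open_relay(OPEN_RELAY))
```

Two things the toy makes visible: the order of the two permit_* entries does not matter, but putting reject_unauth_destination in front of permit_sasl_authenticated locks out the authenticated users you set SASL up for, so the permits belong before the reject. Real Postfix will not even start with a smtpd_recipient_restrictions that lacks reject_unauth_destination or an equivalent reject, and from 2.10 on it keeps a separate smtpd_relay_restrictions with the same protection by default.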

Re: SMTP relay host

2009-09-20 Thread Stan Hoeppner
Martin Allan Jensen put forth on 9/19/2009 8:06 AM:
> Hi all,
> 
> The company I work for has approximately nine mail servers, including
> Postfix, qmail, sendmail and exim.
> They would like to make ONE SMTP relay host server so that all their
> customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail servers.
> 
> I fail to see a way to make this possible without creating an entirely
> open relay, or creating a database with usernames and passwords and use
> SASL.

I fail to understand why this is considered anything remotely beyond simple to 
moderate difficulty.  If I understand you correctly (maybe I don't) all the 
communication you're referring to is server to server (MTA<->MTA).  There will 
be no desktop PCs (MUAs) directly submitting mail to your new "master relay 
server", correct?  If this is the case, setting up a 
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall should do 
the trick with little fuss.

The only "difficult" part is that you would have to set up a local SASL username 
and password for each remote MTA that will connect to relay mail.  Even if the 
remote MTA count ("your customers") is 250, this is still utterly simple to 
accomplish, _assuming_ that the other MTA admins aren't brain dead individuals. 
 Have each remote MTA connect with the proper SASL username and password in 
order to relay mail.

Like I say, if there are no desktop PCs in the mix, this is absolutely simple 
to accomplish, and without going through a multitude of databases to pull out 
usernames and passwords for thousands of users.  But, like I said, maybe I'm 
not fully comprehending your post.  It was pretty sparse on detail and clarity, 
regarding the actual _structure_ (think network diagram) of what you're trying 
to do.

--
Stan


Re: SMTP relay host

2009-09-19 Thread Egoitz Aurrekoetxea Aurre
No matter where they are... do a script that takes users from wherever  
they are and dumps them to a file... later find the differences between the  
last file you dumped and the one just dumped, then just do  
INSERT or UPDATE of those users... it's important not to load the  
databases... so only do this twice or thrice a day and avoid writing  
anything on the tables queried by relayhost machines. Create a table  
with two fields, user and pass, primary key user, and be generous with the  
mysql cache (set the mysql slave too as said before). Later, for smtpd  
redundancy, set up two smtpd and create a round-robin balanced A record  
with a TTL of 120 seconds or so... and set your customer mail machines  
to send all mail to this balanced A record by authenticating each  
server with its user on your machines. If you see a customer  
machine is affecting your performance, reject its mails with 4xx  
till you see what to do. This is for performance.


Now for controlling spam :

Query several RBLs in the background and see what they say about you... if 3  
or 4 of the not very important or trustworthy ones are talking about you, probably  
you're sending some spam, and if you don't correct it or check it  
you perhaps end up in Spamhaus and so on... you could also check for  
rejecting directly on the spamcop and spamhaus RBLs. For those users which you  
think are sending spam or similar, check their mail with spamassassin and  
amavis... if mail has a spam score of more than 7  
either reject it, send it to another place... bounce it or whatever you want,  
but don't send it to the destination. If an IP is sending you more than...  
perhaps it depends on the number of mails moved by the connecting server  
to your machines, but... if more than 20% of the mail per  
hour is spam, reject them with 4xx saying that the server is busy or  
something... and later check how many bounces they have got because of  
incorrect rcpt or so... and how many mails they are sending now compared with the  
normal average they send... check if they're sending mailing lists...  
or whatever, and until you know exactly what they're doing, don't  
allow them to relay through your server.


This is my advice :).

2.0.0 Bye

On 19/09/2009, at 17:56, Egoitz Aurrekoetxea Aurre wrote:





On 19/09/2009, at 17:33, Martin Allan Jensen wrote:


Egoitz Aurrekoetxea Aurre wrote:
It is not valid for making all your customers' mail machines  
connect to a relayhost, because machines connecting to the relay host  
smtpd server are not doing any POP against anything. Take a list of  
users from all databases, make a small table in mysql, set the primary  
key properly (refresh the table with changes with cron several times  
per day, 2 or 3) and set up a dedicated mysql machine and another one  
as backup replicating from the master and not being queried. And you  
shou
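As an added example, not code from the thread or from Egoitz, here is the "dump the users, diff against the previous dump, INSERT or UPDATE only the changes" sync he describes, in Python. The dump format (one user:hash per line), the table name relay_users, the MySQL-style %s placeholders and the sample dumps are assumptions. It goes a little beyond the post: it merges the per-server dumps that Martin's six separate user stores would produce and refuses a username that appears on more than one server (the relay could not know which password to accept), and it emits DELETEs for accounts that vanished so that a removed customer also loses relay access.

```python
# Added example: incremental sync of per-server user dumps into one relay table.
# Dump format, table name and sample data are constructed, not from the thread.
from typing import Dict, List, Tuple

# Constructed sample: the file written by the previous run.
LAST_DUMP = """# constructed sample, previous run
alice:$6$old$hashA
bob:$6$old$hashB
carol:$6$old$hashC
"""

# Constructed sample: what each server dumped this run.
SERVER_DUMPS = {
    "mx1.example": "alice:$6$old$hashA\nbob:$6$new$hashB2\n",
    "mx2.example": "dave:$6$new$hashD\n",
    "mx3.example": "dave:$6$other$hashD2\n",   # dave also exists on mx2: conflict
}


def parse_dump(text: str) -> Dict[str, str]:
    """Parse a 'user:password_hash' dump; reject malformed or duplicated lines."""
    users: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, pwhash = line.split(":", 1)
        user = user.strip().lower()
        if user in users:
            raise ValueError(f"line {lineno}: duplicate user {user!r} in one dump")
        users[user] = pwhash.strip()
    return users


def merge_dumps(per_server: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Merge per-server dumps. A username found on more than one server is
    reported and left out of the merged view rather than silently picking one."""
    owner: Dict[str, Tuple[str, str]] = {}
    conflicted = set()
    conflicts: List[str] = []
    for server, users in sorted(per_server.items()):
        for user, pwhash in users.items():
            if user in owner:
                conflicted.add(user)
                conflicts.append(f"{user}: {owner[user][0]} and {server}")
            else:
                owner[user] = (server, pwhash)
    merged = {u: p for u, (_, p) in owner.items() if u not in conflicted}
    return merged, conflicts


def diff_dumps(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, changed, removed) usernames between two dumps."""
    added = sorted(u for u in new if u not in old)
    changed = sorted(u for u in new if u in old and new[u] != old[u])
    removed = sorted(u for u in old if u not in new)
    return added, changed, removed


def sql_statements(old: Dict[str, str], new: Dict[str, str],
                   table: str = "relay_users") -> List[Tuple[str, tuple]]:
    """Parameterised statements for the changes only, so the table the relays
    query is touched as little as possible (the point Egoitz makes above)."""
    added, changed, removed = diff_dumps(old, new)
    stmts: List[Tuple[str, tuple]] = []
    for u in added:
        stmts.append((f"INSERT INTO {table} (user, pass) VALUES (%s, %s)", (u, new[u])))
    for u in changed:
        stmts.append((f"UPDATE {table} SET pass = %s WHERE user = %s", (new[u], u)))
    for u in removed:   # revoke relay access for accounts that disappeared
        stmts.append((f"DELETE FROM {table} WHERE user = %s", (u,)))
    return stmts


def run_sync() -> Tuple[List[Tuple[str, tuple]], List[str]]:
    """One sync run over the constructed samples."""
    old = parse_dump(LAST_DUMP)
    merged, conflicts = merge_dumps({s: parse_dump(t) for s, t in SERVER_DUMPS.items()})
    return sql_statements(old, merged), conflicts


if __name__ == "__main__":
    statements, problems = run_sync()
    for sql, params in statements:
        print(sql, params)
    for p in problems:
        print("conflict:", p)
```

Run it from cron two or three times a day as the post suggests, executing the returned statements on the master with a cursor's execute(sql, params) so the hashes are never interpolated into SQL text; the conflict list is what an operator should look at before the next run, since a user that appears on two servers is skipped rather than guessed.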

Re: SMTP relay host

2009-09-19 Thread Martin Allan Jensen

Egoitz Aurrekoetxea Aurre wrote:
It is not valid for making all your customers' mail machines connect 
to a relayhost, because machines connecting to the relay host smtpd server 
are not doing any POP against anything. Take a list of users from all 
databases, make a small table in mysql, set the primary key properly 
(refresh the table with changes with cron several times per day, 2 or 3) 
and set up a dedicated mysql machine and another one as backup 
replicating from the master and not being queried. And you should move 
the mail with this structure without serious problems. I think you're 
more worried about authentication, which is pretty easy, and have forgotten 
about other problems... like spam, as I said... because if you have such a 
huge number of users you should control what they are doing and here 
you should be perhaps more skillful. I'm working on a new project for 
helping Postfix prevent spam and reject it quite easily (not just 
through spamassassin, that is not enough); in some months I'll have it 
available and opened under the BSD license too, as Postfix quota reject.


I will try to do that. It's just that some users are in MySQL, some in 
passwd, some in BerkeleyDB, and so on.

But I guess it is the only stable solution.

Thank you all for your opinions.

Have a nice weekend.

--
Martin


Re: SMTP relay host

2009-09-19 Thread Egoitz Aurrekoetxea Aurre

This option :

"I was just thinking about another option. I might be able to make a  
small program that analyzes the logfiles for each server, puts it in a  
database with a timestamp, and then make it a POP/IMAP before SMTP.  
That would be secure enough right?"


It is not valid for making all your customers' mail machines connect  
to a relayhost, because machines connecting to the relay host smtpd server  
are not doing any POP against anything. Take a list of users from all  
databases, make a small table in mysql, set the primary key properly  
(refresh the table with changes with cron several times per day, 2 or 3)  
and set up a dedicated mysql machine and another one as backup  
replicating from the master and not being queried. And you should move  
the mail with this structure without serious problems. I think you're  
more worried about authentication, which is pretty easy, and have forgotten  
about other problems... like spam, as I said... because if you have such a  
huge number of users you should control what they are doing and here  
you should be perhaps more skillful. I'm working on a new project for  
helping Postfix prevent spam and reject it quite easily (not just  
through spamassassin, that is not enough); in some months I'll have it  
available and opened under the BSD license too, as Postfix quota reject.


Any help just talk here :)
Bye!!!


On 19/09/2009, at 16:49, Paul Beard wrote:

On Sep 19, 2009, at 7:30 AM, Martin Allan Jensen   
wrote:


Yes there is - actually there are about six different ones - so  
making a system that could talk to all those authentication  
mechanisms would take me years to develop. That's why I am looking  
for something simpler.



Looking up usernames in 6 passwd files or 1 isn't that complex, is it?
--
If this was a real .signature it would be more interesting.






Re: SMTP relay host

2009-09-19 Thread Michael Orlitzky

Martin Allan Jensen wrote:

Michael Orlitzky wrote:


If your customers have POP3/IMAP accounts, there is already a database 
of usernames and passwords *somewhere*. Query that.



Yes there is - actually there are about six different ones - so making a 
system that could talk to all those authentication mechanisms would take 
me years to develop. That's why I am looking for something simpler.


--
Martin


Judging by the website, BlueOnyx uses MySQL to store its account 
information. Both Cyrus and Dovecot SASL support querying MySQL 
databases, so you wouldn't have to write anything. Dovecot, at least 
(I'm not sure about Cyrus), supports multiple databases queried one 
after another:


  http://wiki.dovecot.org/Authentication/MultipleDatabases

You would simply create a configuration file for each POP3/IMAP database.


Re: SMTP relay host

2009-09-19 Thread Paul Beard
On Sep 19, 2009, at 7:30 AM, Martin Allan Jensen   
wrote:


Yes there is - actually there are about six different ones - so  
making a system that could talk to all those authentication  
mechanisms would take me years to develop. That's why I am looking  
for something simpler.



Looking up usernames in 6 passwd files or 1 isn't that complex, is it?
--
If this was a real .signature it would be more interesting.




Re: SMTP relay host

2009-09-19 Thread Egoitz Aurrekoetxea Aurre

Hi,

Just create SASL accounts to allow those authenticated users to relay.  
But be very careful about what your users send through it, because  
if your customers start sending mail considered spam, in two weeks  
or less your outgoing servers are dead because no server will want  
to talk to them. I advise you to set some slightly aggressive antispam  
policies on it and just reject mail from unauthenticated users. Set up  
at least two Postfix smtpd machines in round-robin through DNS (with a  
small TTL) and you're done. Just that.


Bye :)


On 19/09/2009, at 16:17, Martin Allan Jensen wrote:


Ansgar Wiechers wrote:
You could put your customers on a private network not accessible by the
public (and I mean "VPN" kind of private here rather than RFC 1918 kind
of private). However, that's just moving authentication and encryption
to a different layer.

Why do you want to avoid using SASL anyway?


SASL and VPN would mean that all customers would need a separate  
account for their outgoing mail, and that would be too big a project  
to go ahead with.
As most of their servers are BlueOnyx it is not really possible to  
make a centralized user / password database.
And as the BlueOnyx is a collection of mail, ftp, web, *server they  
would like to not have a centralized mail platform.


I was just thinking about another option. I might be able to make a  
small program that analyzes the logfiles for each server, puts it in  
a database with a timestamp, and then make it a POP/IMAP before  
SMTP. That would be secure enough right?


Thank you all for your interest in my problem so far!!

--
Martin


__ Information from ESET NOD32 Antivirus, version of virus signature database 4440 (20090919) __


The message was checked by ESET NOD32 Antivirus.

http://www.eset.com






Re: SMTP relay host

2009-09-19 Thread Martin Allan Jensen

Michael Orlitzky wrote:


If your customers have POP3/IMAP accounts, there is already a database 
of usernames and passwords *somewhere*. Query that.



Yes there is - actually there are about six different ones - so making a 
system that could talk to all those authentication mechanisms would take 
me years to develop. That's why I am looking for something simpler.


--
Martin






Re: SMTP relay host

2009-09-19 Thread Michael Orlitzky

Martin Allan Jensen wrote:


SASL and VPN would mean that all customers would need a separate account 
for their outgoing mail, and that would be too big a project to go ahead 
with.
As most of their servers are BlueOnyx it is not really possible to make a 
centralized user / password database.
And as the BlueOnyx is a collection of mail, ftp, web, *server they 
would like to not have a centralized mail platform.


I was just thinking about another option. I might be able to make a 
small program that analyzes the logfiles for each server, puts it in a 
database with a timestamp, and then make it a POP/IMAP before SMTP. That 
would be secure enough right?


If your customers have POP3/IMAP accounts, there is already a database 
of usernames and passwords *somewhere*. Query that.


Re: SMTP relay host

2009-09-19 Thread Martin Allan Jensen

Ansgar Wiechers wrote:

You could put your customers on a private network not accessible by the
public (and I mean "VPN" kind of private here rather than RFC 1918 kind
of private). However, that's just moving authentication and encryption
to a different layer.

Why do you want to avoid using SASL anyway?

  
SASL and VPN would mean that all customers would need a separate account 
for their outgoing mail, and that would be too big a project to go ahead 
with.
As most of their servers are BlueOnyx it is not really possible to make a 
centralized user / password database.
And as the BlueOnyx is a collection of mail, ftp, web, *server they 
would like to not have a centralized mail platform.


I was just thinking about another option. I might be able to make a 
small program that analyzes the logfiles for each server, puts it in a 
database with a timestamp, and then make it a POP/IMAP before SMTP. That 
would be secure enough right?


Thank you all for your interest in my problem so far!!

--
Martin






Re: SMTP relay host

2009-09-19 Thread Ansgar Wiechers
On 2009-09-19 Martin Allan Jensen wrote:
> The company I work for has approximately nine mail servers, including
> Postfix, qmail, sendmail and exim.
> They would like to make ONE SMTP relay host server so that all their
> customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail
> servers.
>
> I fail to see a way to make this possible without creating an entirely
> open relay, or creating a database with usernames and passwords and
> use SASL.

You could put your customers on a private network not accessible by the
public (and I mean "VPN" kind of private here rather than RFC 1918 kind
of private). However, that's just moving authentication and encryption
to a different layer.

Why do you want to avoid using SASL anyway?

> Does anybody know if it is possible to make the SMTP host contact the  
> mail server and verify that the sender email exists on their incoming  
> mail server? Or is there another setup recommended?

I'm not sure if I understand you correctly here. Do you mean something
like Callback Verification [1]? You could do that, but how's that going
to protect your MTA from being abused as an open relay in your scenario?
Any unauthenticated host is not trustworthy and can tell you whatever
they want.

> I tried google a lot, but I can't seem to find anything that points me
> in the right direction - someone else surely must have run into this
> scenario before?

I'd doubt it. Just use SASL and get it over with.

[1] http://en.wikipedia.org/wiki/Callback_verification

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: SMTP relay host

2009-09-19 Thread Justin C. Le Grice

Martin Allan Jensen wrote:

Hi all,

The company I work for has approximately nine mail servers, including 
Postfix, qmail, sendmail and exim.
They would like to make ONE SMTP relay host server so that all their 
customers can use their SMTP server to send mail through.

The customers already get their incoming mail through their mail servers.

I fail to see a way to make this possible without creating an entirely 
open relay, or creating a database with usernames and passwords and 
using SASL.
Does anybody know if it is possible to make the SMTP host contact the 
mail server and verify that the sender email exists on their incoming 
mail server? Or is there another setup recommended?


I tried google a lot, but I can't seem to find anything that points me 
in the right direction - someone else surely must have run into this 
scenario before?


Looking forward to hearing from you; a link, or even some rough notes, 
would be nice.


Thank you very much...

--
Martin





Q. Why nine email servers? Can you not make a case to rationalise to one 
email server with a hot/warm/cold spare, and use an 
http://workaround.org/ispmail type setup or Zimbra.


Regards

Justin



Re: SMTP relay host

2009-09-19 Thread Martin Allan Jensen

Sahil Tandon wrote:

You must setup SASL and only let authenticated users relay through this
new server.  Forget about contacting the other mail servers to verify
that the sender email exists; that is in no way a form of
authentication.
http://www.postfix.org/SASL_README.html
  
You are probably right - the company just doesn't have a centralized 
authentication mechanism, so SASL would be a huge project to implement.
Unless of course somebody knows of a way to make SASL connect to their 
incoming mailserver with the credentials the user provided, and 
authorize the user from that?


Anyway thank you for the link, and your opinion.

--
Martin






Re: SMTP relay host

2009-09-19 Thread Sahil Tandon
On Sat, 19 Sep 2009, Martin Allan Jensen wrote:

> The company I work for has approximately nine mail servers, including
> Postfix, qmail, sendmail and exim.  They would like to make ONE SMTP
> relay host server so that all their customers can use their SMTP
> server to send mail through.  The customers already get their incoming
> mail through their mail servers.
> 
> I fail to see a way to make this possible without creating an entirely
> open relay, or creating a database with usernames and passwords and
> use SASL.  Does anybody know if it is possible to make the SMTP host
> contact the mail server and verify that the sender email exists on
> their incoming mail server? Or is there another setup recommended?

You must setup SASL and only let authenticated users relay through this
new server.  Forget about contacting the other mail servers to verify
that the sender email exists; that is in no way a form of
authentication.

> Looking forward to hearing from you; a link, or even some rough notes,
> would be nice.

http://www.postfix.org/SASL_README.html

-- 
Sahil Tandon 


Re: SMTP relay host

2009-09-19 Thread Martin Allan Jensen

Sven Hoexter wrote:

Does that mean that those customers run their mailserver on dynamic IP
addresses? Otherwise I'd use the IP address/domain of the customers as
the criteria.

Sven
  

Hi Sven,

Yes, I'm sorry, I forgot to give that information. They might be running 
dynamic IP addresses/domains, so that is not a possibility.


Thank you for your reply.

--
Martin






Re: SMTP relay host

2009-09-19 Thread Sven Hoexter
On Sat, Sep 19, 2009 at 03:06:29PM +0200, Martin Allan Jensen wrote:

Hi,

> They would like to make ONE SMTP relay host server so that all their  
> customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail servers.
>
> I fail to see a way to make this possible without creating an entirely  
> open relay, or creating a database with usernames and passwords and use  
> SASL.

Does that mean that those customers run their mailserver on dynamic IP
addresses? Otherwise I'd use the IP address/domain of the customers as
the criteria.

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]