[qmailtoaster] QMT 3+ years newer, migration .. need links

2012-05-21 Thread Ev Batey WA6CRE

Just upgraded, QMT, Centos, iron and location.

I'm hoping someone has a link, how-to, on migrating qmt-mail-folders,
users, lists, aliases.
Failed to be recognized when scp -rp from
oldhost:/home/vpopmail/domains/eachone to newhost:/same...


I'm also getting no MX records found going one way.  Inbound mail not  
found and no bounces returned,

sending to postmas...@newhost.my.domain

Thanks ...

/Everett

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




[qmailtoaster] Re: QMT 3+ years newer, migration .. need links

2012-05-21 Thread Eric Shubert

On 05/21/2012 07:50 AM, Ev Batey WA6CRE wrote:

Just upgraded, QMT, Centos, iron and location.

I'm hoping someone has a link, how-to, on migrating qmt-mail-folders,
users, lists, aliases.
Failed to be recognized when scp -rp from
oldhost:/home/vpopmail/domains/eachone to newhost:/same...

I'm also getting no MX records found going one way. Inbound mail not
found and no bounces returned,
sending to postmas...@newhost.my.domain

Thanks ...

/Everett



http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-backupqtp-restore

--
-Eric 'shubes'






[qmailtoaster] Re: 2 NIC

2012-05-21 Thread Eric Shubert
I don't think so. I don't think you should have the same name twice in 
your hosts file. I'm not sure off hand which address linux would return 
in this case. (How would it know when to return which one?)


What makes this work is that one resolver (your local resolver) is used 
when connected to the LAN which returns the LAN address corresponding to 
the name, and a different resolver (internet authoritative dns) is used 
when connected to the WAN.


A firewall such as IPCop can be used as a local resolver to provide the 
local addresses (recommended method). This can also be implemented in a 
single bind host using the split horizon feature, but that's a bit tricky.


--
-Eric 'shubes'


On 05/21/2012 10:07 AM, Cecil Yother, Jr. wrote:

Shouldn't this then work using the following in the hosts file?

192.168.0.xx  mail.test.com
173.164.181.xx   mail.test.com


On 05/17/2012 11:19 PM, Dhulla, Deepen Vinod wrote:


hi

Use DNS not ip address.

Example : You set your local DNS server with caching... an easy one is
BIND DNS.

Like you have, for example, webmail.test.com as your DNS for use from
outside the office, which connects to the Internet IP.

When in the office, use your local DNS, which points webmail.test.com to
the local IP.

Thus the same URL works internal & external.

I have my Mail-server  DNS configured same one. and it works.




- Deepen Dhulla
“Nothing is particularly hard if you divide it into small jobs.”

http://in.linkedin.com/in/deependhulla
http://www.facebook.com/deependhulla
http://www.twitter.com/deependhulla
Skype: callto://deependhulla



On Friday, 18-05-2012 on 10:52 Maxwell Smart wrote:

Deepen,

I got it all working.  It turns out there were several issues at
hand.  The last that I have to sort is the connection between my
desktop and the server.  The firewall must be misconfigured.  It's
an odd one for sure.  I can access the server via the LAN address,
but not the WAN address.  I can access all other outside web pages,
but not my own.  The firewall shouldn't require a specific rule,
but something is not right with it.

Thank you for your input.

CJ


Dear Maxwell

You can use ETH0 & ETH1 different .. provided you have two
different network masks.

Like I have Local Network & Internet Network.

What's your requirement actually?


- Deepen Dhulla
“Nothing is particularly hard if you divide it into small jobs.”

http://in.linkedin.com/in/deependhulla
http://www.facebook.com/deependhulla
http://www.twitter.com/deependhulla
Skype: callto://deependhulla



On Tuesday, 08-05-2012 on 8:36 Maxwell Smart wrote:

It appears as though I have it all sorted.

Does anyone have experience using 2 NIC's one for outside and
one for inside?  I can't seem to get them working in
concert.  Here's what I have

ETH0 outside
ETH1 inside

If I set it up this way it times out after a while and
connection from the outside is not possible.  Turn off ETH1
and connectivity is restored.  Anyone else have experience
with this and how to make it work.

Thanks for all the help

On 05/07/2012 12:09 PM, Alvaro Alejandro Sepulveda Orellana
wrote:

User vpopmail
Group vchkpw


On 07-05-12 15:00, Cecil Yother, Jr. c...@yother.com wrote:

  OK, I moved the entire directory and it worked.  Now I
need to modify the file permissions of my vpopmail
directory.  I have moved the entire contents of the
vpopmail folder and changed ownership to the correct
ownership and now everything appears to be working.  I
may need to run the queue repair once more now that the
ownership is corrected.  It was root:root before when I
ran it.


 On 05/07/2012 10:49 AM, Cecil Yother, Jr. wrote:

 I have had to move a server from a colo.  The
server motherboard was damaged.  I need to retrieve
the mysql databases and only have access to the hd
from another system.  Can this be done?  If so how?




--



Sincerely,

Alvaro A. Sepúlveda Orellana.
Networks and Links Department.
Phone: 75 38 200 - 221 21 16.
Cell: +569 95542326








Re: [qmailtoaster] Re: 2 NIC

2012-05-21 Thread Cecil Yother, Jr.

  
  
I am not sure I quite understand why it doesn't work and a resolver
is needed.  If I do a dig it answers to the proper IP.  It stands to
reason that I should be able to access that server through a web
browser, and it cannot.  What is a resolver going to tell my system
that it already doesn't know ?

On 05/21/2012 10:52 AM, Eric Shubert wrote:
  I don't think so. I don't think you should have the same name twice
  in your hosts file. I'm not sure off hand which address linux
  would return in this case. (How would it know when to return which
  one?)
  
  
  What makes this work is that one resolver (your local resolver) is
  used when connected to the LAN which returns the LAN address
  corresponding to the name, and a different resolver (internet
  authoritative dns) is used when connected to the WAN.
  
  
  A firewall such as IPCop can be used as a local resolver to
  provide the local addresses (recommended method). This can also be
  implemented in a single bind host using the split horizon feature,
  but that's a bit tricky.
  
  


-- 
  
  



[qmailtoaster] Re: 2 NIC

2012-05-21 Thread Eric Shubert

On 05/21/2012 10:59 AM, Cecil Yother, Jr. wrote:

I am not sure I quite understand why it doesn't work and a resolver is
needed.  If I do a dig it answers to the proper IP.  It stands to reason
that I should be able to access that server through a web browser, and
it cannot.  What is a resolver going to tell my system that it already
doesn't know ?

On 05/21/2012 10:52 AM, Eric Shubert wrote:

I don't think so. I don't think you should have the same name twice in
your hosts file. I'm not sure off hand which address linux would
return in this case. (How would it know when to return which one?)

What makes this work is that one resolver (your local resolver) is
used when connected to the LAN which returns the LAN address
corresponding to the name, and a different resolver (internet
authoritative dns) is used when connected to the WAN.

A firewall such as IPCop can be used as a local resolver to provide
the local addresses (recommended method). This can also be implemented
in a single bind host using the split horizon feature, but that's a
bit tricky.



--


Dig doesn't look at /etc/hosts.

If your dig answers with the proper IP, you should be ok.

--
-Eric 'shubes'






Re: [qmailtoaster] Re: 2 NIC

2012-05-21 Thread Cecil Yother, Jr.

  
  


On 05/21/2012 11:12 AM, Eric Shubert wrote:

On 05/21/2012 10:59 AM, Cecil Yother, Jr. wrote:

I am not sure I quite understand why it doesn't work and a resolver is
needed.  If I do a dig it answers to the proper IP.  It stands to reason
that I should be able to access that server through a web browser, and
it cannot.  What is a resolver going to tell my system that it already
doesn't know ?

On 05/21/2012 10:52 AM, Eric Shubert wrote:

I don't think so. I don't think you should have the same name twice in
your hosts file. I'm not sure off hand which address linux would
return in this case. (How would it know when to return which one?)

What makes this work is that one resolver (your local resolver) is
used when connected to the LAN which returns the LAN address
corresponding to the name, and a different resolver (internet
authoritative dns) is used when connected to the WAN.

A firewall such as IPCop can be used as a local resolver to provide
the local addresses (recommended method). This can also be implemented
in a single bind host using the split horizon feature, but that's a
bit tricky.

--

Dig doesn't look at /etc/hosts.

If your dig answers with the proper IP, you should be ok.
  
  

Yes, it does.  So that's why I'm a bit confused.  
-- 
  
  



[qmailtoaster] Re: 2 NIC

2012-05-21 Thread Eric Shubert

On 05/21/2012 11:14 AM, Cecil Yother, Jr. wrote:



On 05/21/2012 11:12 AM, Eric Shubert wrote:

On 05/21/2012 10:59 AM, Cecil Yother, Jr. wrote:

I am not sure I quite understand why it doesn't work and a resolver is
needed.  If I do a dig it answers to the proper IP.  It stands to reason
that I should be able to access that server through a web browser, and
it cannot.  What is a resolver going to tell my system that it already
doesn't know ?

On 05/21/2012 10:52 AM, Eric Shubert wrote:

I don't think so. I don't think you should have the same name twice in
your hosts file. I'm not sure off hand which address linux would
return in this case. (How would it know when to return which one?)

What makes this work is that one resolver (your local resolver) is
used when connected to the LAN which returns the LAN address
corresponding to the name, and a different resolver (internet
authoritative dns) is used when connected to the WAN.

A firewall such as IPCop can be used as a local resolver to provide
the local addresses (recommended method). This can also be implemented
in a single bind host using the split horizon feature, but that's a
bit tricky.



--


Dig doesn't look at /etc/hosts.

If your dig answers with the proper IP, you should be ok.


Yes, it does.  So that's why I'm a bit confused.
--


What exactly is confusing?

--
-Eric 'shubes'






[qmailtoaster] Re: 2 NIC

2012-05-21 Thread Eric Shubert

On 05/21/2012 11:24 AM, Cecil Yother, Jr. wrote:

It resolves to the correct address, but will not answer.  I just added
the LAN address, ie.

Listen 192.168.0.168:80

  to the httpd.conf file and now it answers and I'm able to access the
pages, but it's not answering them via the WAN.
--


That's nothing to do with name resolution. It's a problem with apache 
config. Have you tried

Listen *:80
?

I hesitate to ask this, but what's the point of using 2 nics on a web 
server this way?


--
-Eric 'shubes'






Re: [qmailtoaster] Re: 2 NIC

2012-05-21 Thread Cecil Yother, Jr.

  
  


On 05/21/2012 11:46 AM, Eric Shubert wrote:

On 05/21/2012 11:24 AM, Cecil Yother, Jr. wrote:

It resolves to the correct address, but will not answer.  I just added
the LAN address, ie.

Listen 192.168.0.168:80

  to the httpd.conf file and now it answers and I'm able to access the
pages, but it's not answering them via the WAN.
--

That's nothing to do with name resolution. It's a problem with apache
config. Have you tried

Listen *:80
?

It was Listen *:80 and didn't work, but it still doesn't answer to
the WAN which it should.  I know the WAN address works since I can
use a proxy server or access from my home without issue.  It's not a
big deal since I can do what I need to, but the setup is not working
as expected and I want to know why.

I hesitate to ask this, but what's the point of using 2 nics on a
web server this way?

Because server management, and file transfers are faster using the
LAN.

-- 
  
  



[qmailtoaster] Re: 2 NIC

2012-05-21 Thread Eric Shubert

On 05/21/2012 11:59 AM, Cecil Yother, Jr. wrote:



On 05/21/2012 11:46 AM, Eric Shubert wrote:

On 05/21/2012 11:24 AM, Cecil Yother, Jr. wrote:

It resolves to the correct address, but will not answer.  I just added
the LAN address, ie.

Listen 192.168.0.168:80

  to the httpd.conf file and now it answers and I'm able to access the
pages, but it's not answering them via the WAN.
--


That's nothing to do with name resolution. It's a problem with apache
config. Have you tried
Listen *:80
?


It was Listen *:80 and didn't work, but it still doesn't answer to the
WAN which it should.  I know the WAN address works since I can use a
proxy server or access from my home without issue.  It's not a big deal
since I can do what I need to, but the setup is not working as expected
and I want to know why.


Likely a routing problem then. Did you have a look at the routing table?

--
-Eric 'shubes'






Re: [qmailtoaster] Re: QMT 3+ years newer, migration .. need links

2012-05-21 Thread Everett Batey (WA6CRE)
Thank you, notes below ..

On Mon, May 21, 2012 09:22, Eric Shubert wrote:
 On 05/21/2012 07:50 AM, Ev Batey WA6CRE wrote:
 Just upgraded, QMT, Centos, iron and location.

 I'm hoping someone has a link, how-to, on migrating qmt-mail-folders,
 users, lists, aliases.
 Failed to be recognized when scp -rp from
 oldhost:/home/vpopmail/domains/eachone to newhost:/same...

 I'm also getting no MX records found going one way. Inbound mail not
 found and no bounces returned,
 sending to postmas...@newhost.my.domain

 Thanks ...
 /Everett

 http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-backupqtp-restore
 --
 -Eric 'shubes'

Eric,

I have QmailToaster .17 (on CentOS 5.8) .. Don't think I got QT Plus
.. no qtp- commands .. Is QTP an upgrade or a re-do? / re-install ?

Thank you,

-- 
Best Wishes, Everett  e...@cotdazr.org / efba...@gmail.com
  +1 (805) 340-6471 / (703) 879-6471
http://www.cotdazr.org  IS/IT/Unix/Web







[qmailtoaster] Re: QMT 3+ years newer, migration .. need links

2012-05-21 Thread Eric Shubert

On 05/21/2012 01:23 PM, Everett Batey (WA6CRE) wrote:

Thank you, notes below ..

On Mon, May 21, 2012 09:22, Eric Shubert wrote:

On 05/21/2012 07:50 AM, Ev Batey WA6CRE wrote:

Just upgraded, QMT, Centos, iron and location.

I'm hoping someone has a link, how-to, on migrating qmt-mail-folders,
users, lists, aliases.
Failed to be recognized when scp -rp from
oldhost:/home/vpopmail/domains/eachone to newhost:/same...

I'm also getting no MX records found going one way. Inbound mail not
found and no bounces returned,
sending to postmas...@newhost.my.domain

Thanks ...
/Everett


http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-backupqtp-restore
--
-Eric 'shubes'


Eric,

I have QmailToaster .17 (on CentOS 5.8) .. Don't think I got QT Plus
.. no qtp- commands .. Is QTP an upgrade or a re-do? / re-install ?

Thank you,



QTP is an add-on standalone package containing various scripts and 
commands that aid in QMT administration. See

http://qtp.qmailtoaster.com/trac/wiki/WikiStart#Installation
for installation instructions.

--
-Eric 'shubes'






[qmailtoaster] Help request to comunity on tech issue.

2012-05-21 Thread fmendez73
Hello everyone

I am the owner of a growing hosting enterprise in my country (Perú), and
we are facing a big rise in our client numbers.

As an effect of this we are seeing a rise in outbound mail on our
servers. Even though we put limits on hourly sending, having more than
9k clients, all delivering through the same cluster, it lacks
effectiveness because each server in the cluster uses only one IP for
sending tasks. We are now seeing blocking issues because of the traffic
generated by the many clients.

We talked to some people at godaddy and hostgator, as we know they use a
cluster system that includes on each server a list of IPs that rotates
in a random fashion, so even with high demand, quality service on mail
delivery from client accounts is always achieved.

I would like to ask this community for some guidance and help on how
we could implement such a solution to rotate, in a random or other way,
the IPs for sending clients' mail.

I hope you people can see my situation and can help me with this. We
used to work with exim, but since we changed to QMT it was the best
decision we ever made on these matters. Now we need to push it to the
next level.

Thanks a lot.


Re: [qmailtoaster] Help request to comunity on tech issue.

2012-05-21 Thread Natalio Gatti
I can only think of one solution: via iptables and src-nat. Not so random,
but you can change your outbound IP address every minute. And AFAIK, once a
connection has been established, the nat table maintains the translation.

On Mon, May 21, 2012 at 5:42 PM, fmende...@terra.com wrote:

 Hello everyone


 I am the owner of a growing hosting enterprise in my country (Perú), and
 we are facing a big rise in our client numbers.

 As an effect of this we are seeing a rise in outbound mail on our servers.
 Even though we put limits on hourly sending, having more than 9k clients,
 all delivering through the same cluster, it lacks effectiveness because
 each server in the cluster uses only one IP for sending tasks. We are now
 seeing blocking issues because of the traffic generated by the many clients.

 We talked to some people at godaddy and hostgator, as we know they use a
 cluster system that includes on each server a list of IPs that rotates in a
 random fashion, so even with high demand, quality service on mail delivery
 from client accounts is always achieved.

 I would like to ask this community for some guidance and help on how
 we could implement such a solution to rotate, in a random or other way,
 the IPs for sending clients' mail.

 I hope you people can see my situation and can help me with this. We used
 to work with exim, but since we changed to QMT it was the best decision we
 ever made on these matters. Now we need to push it to the next level.



 Thanks a lot.





[qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread Eric Shubert
I don't know if rotating addresses is the best solution or not. It's 
certainly not practical for small QMT installations.


I think in many (if not all or most) of these cases, the user's password 
has been compromised. This is especially likely if it's possible to 
configure a client insecurely (plain text password with no TLS/SSL). 
I've seen this happen on more than one occasion, on a small domain. 
Password sniffing does happen.


First step is to ensure that clients cannot attempt to authenticate with 
clear text passwords. This can be enforced with dovecot, but we don't 
have a way yet to enforce it on the sending/smtp side. I'm hopeful that 
Sam will get this feature built into spamdyke in the near future.


Another good defensive weapon is a script I came across on the spamdyke 
list today, and hope to make available in some form with QTP in the 
future. It's a script that periodically checks the logs for accounts 
which have sent more messages in a given interval than some allowed 
limit. When it finds such an account, it changes the password, removes 
messages from that account still in the queue, and notifies the 
postmaster with an email. I think this is very practical, because 
passwords do become compromised on occasion, even with full encryption 
(human action). The script is written in python, and will need a little 
tweaking for the QMT environment, as it's presently written to scan a 
spamdyke log (the author wasn't using the submission port at all). I 
think it'd be better to scan the send log if that's feasible. Anywise, I 
think this approach is promising.


If anyone has any thoughts on this, please chime in. It's in everyone's 
interest to be protecting our public IP addresses so they don't get 
blacklisted.


Thanks.

--
-Eric 'shubes'

On 05/21/2012 01:42 PM, fmende...@terra.com wrote:

Hello everyone


I am the owner of a growing hosting enterprise in my country (Perú), and
we are facing a big rise in our client numbers.

As an effect of this we are seeing a rise in outbound mail on our
servers. Even though we put limits on hourly sending, having more than 9k
clients, all delivering through the same cluster, it lacks
effectiveness because each server in the cluster uses only one IP for
sending tasks. We are now seeing blocking issues because of the traffic
generated by the many clients.

We talked to some people at godaddy and hostgator, as we know they use a
cluster system that includes on each server a list of IPs that rotates
in a random fashion, so even with high demand, quality service on mail
delivery from client accounts is always achieved.

I would like to ask this community for some guidance and help on how
we could implement such a solution to rotate, in a random or other way,
the IPs for sending clients' mail.

I hope you people can see my situation and can help me with this. We
used to work with exim, but since we changed to QMT it was the best
decision we ever made on these matters. Now we need to push it to the
next level.



Thanks a lot.
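
The log check described in the message above, sketched as an added example (it is not the script from the spamdyke list and not QTP code). It assumes qmail-send `info msg ... from <sender>` lines with multilog TAI64N timestamps and uses the envelope sender as the account key; it only reports accounts over the limit, leaving the password change, queue cleanup and postmaster notice to the operator. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque

# multilog TAI64N label: 16 hex digits of seconds (biased by 2**62) followed by
# 8 hex digits of nanoseconds. The extra 10 s is the fixed TAI-UTC offset;
# later leap seconds are ignored here (assumption, good enough for rate checks).
TAI_EPOCH_OFFSET = 2**62 + 10

# qmail-send line that announces a queued message and its envelope sender.
INFO_MSG = re.compile(
    r"^@(?P<tai>[0-9a-f]{24}) info msg \d+: bytes \d+ "
    r"from <(?P<sender>[^>]*)> qp \d+ uid \d+"
)


def tai64n_to_unix(label):
    """Convert the 24 hex digits after '@' to whole Unix seconds."""
    return int(label[:16], 16) - TAI_EPOCH_OFFSET


def unix_to_tai64n(ts):
    """Inverse of tai64n_to_unix; used only to build the constructed sample."""
    return "@%016x%08x" % (ts + TAI_EPOCH_OFFSET, 0)


def parse_line(line):
    """Return (unix_ts, sender) for an 'info msg' line, otherwise None."""
    m = INFO_MSG.match(line.strip())
    if m is None:
        return None
    sender = m.group("sender").lower()
    if not sender:
        # '<>' is a bounce generated by the server, not a user account.
        return None
    return tai64n_to_unix(m.group("tai")), sender


def find_heavy_senders(lines, limit, window_seconds):
    """Map sender -> peak message count in any sliding window, if over limit.

    Lines must be in chronological order, as they are in a multilog file.
    """
    recent = defaultdict(deque)   # sender -> timestamps inside the window
    peak = defaultdict(int)       # sender -> highest window count seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender = parsed
        window = recent[sender]
        window.append(ts)
        # Drop messages that have aged out of the interval.
        while window and window[0] <= ts - window_seconds:
            window.popleft()
        peak[sender] = max(peak[sender], len(window))
    return {s: n for s, n in peak.items() if n > limit}


def build_sample_log():
    """Constructed log: one burst sender, two normal senders, one bounce."""
    base = 1337630400  # constructed start time: 2012-05-21 20:00:00 UTC
    events = [(base, "alice@example.com"), (base + 1800, "alice@example.com")]
    events += [(base + 10 * i, "bob@example.com") for i in range(6)]
    events += [(base + 1000 * i, "carol@example.com") for i in range(6)]
    events.append((base + 5, ""))  # bounce with an empty envelope sender
    events.sort()
    lines = []
    for n, (ts, sender) in enumerate(events, start=1):
        stamp = unix_to_tai64n(ts)
        lines.append("%s new msg %d" % (stamp, 1000 + n))
        lines.append("%s info msg %d: bytes 2048 from <%s> qp %d uid 89"
                     % (stamp, 1000 + n, sender, 20000 + n))
    return lines


if __name__ == "__main__":
    # Sample limit of 5 per hour keeps the constructed log short; a real
    # deployment would use its own per-account limit and interval.
    report = find_heavy_senders(build_sample_log(), limit=5, window_seconds=3600)
    for sender, count in sorted(report.items()):
        print("%s sent %d messages within one hour" % (sender, count))
```

Because the count is taken over a sliding window, the constructed sender that spreads six messages across 5000 seconds peaks at four per hour and is not reported, while the six-message burst is.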










Re: [qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread Ernesto Vargas
Eric:

Couldn't you  try with fail2ban:
- Checking qmail logs http://wiki.qmailtoaster.com/index.php/Fail2Ban

- Checking spamdyke logs http://notes.benv.junerules.com/qmail-spamdyke-and-fail2ban/ and also



 
Ernesto Vargas-Azofeifa
Senior Web Developer  IT Manager
Macromedia Certified Cold Fusion  Web Developer
LAMP stack expert.




 From: Eric Shubert e...@shubes.net
To: qmailtoaster-list@qmailtoaster.com 
Sent: Monday, May 21, 2012 3:55 PM
Subject: [qmailtoaster] Re: Help request to comunity on tech issue.
 
I don't know if rotating addresses is the best solution or not. It's certainly 
not practical for small QMT installations.

I think in many (if not all or most) of these cases, the user's password has 
been compromised. This is especially likely if it's possible to configure a 
client insecurely (plain text password with no TLS/SSL). I've seen this happen 
on more than one occasion, on a small domain. Password sniffing does happen.

First step is to ensure that clients cannot attempt to authenticate with clear 
text passwords. This can be enforced with dovecot, but we don't have a way yet 
to enforce it on the sending/smtp side. I'm hopeful that Sam will get this 
feature built into spamdyke in the near future.

Another good defensive weapon is a script I came across on the spamdyke list 
today, and hope to make available in some form with QTP in the future. It's a 
script that periodically checks the logs for accounts which have sent more 
messages in a given interval than some allowed limit. When it finds such an 
account, it changes the password, removes messages from that account still in 
the queue, and notifies the postmaster with an email. I think this is very 
practical, because passwords do become compromised on occasion, even with full 
encryption (human action). The script is written in python, and will need a 
little tweaking for the QMT environment, as it's presently written to scan a 
spamdyke log (the author wasn't using the submission port at all). I think it'd 
be better to scan the send log if that's feasible. Anywise, I think this 
approach is promising.

If anyone has any thoughts on this, please chime in. It's in everyone's 
interest to be protecting our public IP addresses so they don't get blacklisted.

Thanks.

-- -Eric 'shubes'

On 05/21/2012 01:42 PM, fmende...@terra.com wrote:
 Hello everyone
 
 
 I am the owner of a growing hosting enterprise in my country (Perú), and
 we are facing a big rise in our client numbers.
 
 As an effect of this we are seeing a rise in outbound mail on our
 servers. Even though we put limits on hourly sending, having more than 9k
 clients, all delivering through the same cluster, it lacks
 effectiveness because each server in the cluster uses only one IP for
 sending tasks. We are now seeing blocking issues because of the traffic
 generated by the many clients.
 
 We talked to some people at godaddy and hostgator, as we know they use a
 cluster system that includes on each server a list of IPs that rotates
 in a random fashion, so even with high demand, quality service on mail
 delivery from client accounts is always achieved.
 
 I would like to ask this community for some guidance and help on how
 we could implement such a solution to rotate, in a random or other way,
 the IPs for sending clients' mail.
 
 I hope you people can see my situation and can help me with this. We
 used to work with exim, but since we changed to QMT it was the best
 decision we ever made on these matters. Now we need to push it to the
 next level.
 
 
 
 Thanks a lot.
 
 




Re: [qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread fmendez73
Hello Eric, thanks for your reply.

We do not have spam issues with our customers; what we have is a high
volume due to the large number of clients.

All measures to avoid spam sending are taken, but the blocks are
being generated by the large volume sent from just a handful of IPs (5),
which is the number of QMT MTAs in our cluster. As you all may know,
having 9k clients with at least 4 email accounts per client and a
limit of 350 per hour per account, it is still a lot of traffic
generated.

So I am looking forward to having better service on delivery, having in
mind that the customer number is growing fast and anti-spam measures do
their job pretty well. But because of the lack of IPs on each MTA in the
cluster, delivery is affected.

Hope someone around may share a solution.

Thanks.
 On lun 21/05/12  4:55  PM , Eric Shubert e...@shubes.net sent:
 I don't know if rotating addresses is the best solution or not. It's
 certainly not practical for small QMT installations.
 I think in many (if not all or most) of these cases, the user's password
 has been compromised. This is especially likely if it's possible to
 configure a client insecurely (plain text password with no TLS/SSL).
 I've seen this happen on more than one occasion, on a small domain.
 Password sniffing does happen.
 First step is to ensure that clients cannot attempt to authenticate with
 clear text passwords. This can be enforced with dovecot, but we don't
 have a way yet to enforce it on the sending/smtp side. I'm hopeful that
 Sam will get this feature built into spamdyke in the near future.
 Another good defensive weapon is a script I came across on the spamdyke
 list today, and hope to make available in some form with QTP in the
 future. It's a script that periodically checks the logs for accounts
 which have sent more messages in a given interval than some allowed
 limit. When it finds such an account, it changes the password, removes
 messages from that account still in the queue, and notifies the
 postmaster with an email. I think this is very practical, because
 passwords do become compromised on occasion, even with full encryption
 (human action). The script is written in python, and will need a little
 tweaking for the QMT environment, as it's presently written to scan a
 spamdyke log (the author wasn't using the submission port at all). I
 think it'd be better to scan the send log if that's feasible. Anywise, I
 think this approach is promising.
 If anyone has any thoughts on this, please chime in. It's in everyone's
 interest to be protecting our public IP addresses so they don't get
 blacklisted.
 Thanks.
 -- 
 -Eric 'shubes'
 On 05/21/2012 01:42 PM, fmende...@terra.com wrote:
  Hello everyone

  I am the owner of a growing hosting enterprise in my country (Perú), and
  we are facing a big rise in our client number.

  As an effect of this we are seeing a rise in outbound mail on our
  servers. Even though we put limits on hourly sending, having more than 9k
  clients, all delivering through the same cluster, it lacks
  effectiveness because each server in the cluster uses only one IP for
  sending tasks. We are now seeing blocking issues because of the traffic
  generated by the many clients.

  We talked to some people at godaddy and hostgator, as we know they use a
  cluster system that includes on each server a list of IPs that rotates
  in a random fashion, so even with high demand quality service on mail
  delivery from client accounts is always achieved.

  I would like to ask this community for some guidance and help on how
  we could implement such a solution to rotate in a random or other way
  the IPs for sending clients' mails.

  I hope you people can see my situation and can help me with this. We
  used to work with exim, but since we changed to QMT it was the best
  decision we ever made on these matters. Now we need to push it to a next
  level.

  Thanks a lot.
 
 
 


Re: [qmailtoaster] Help request to comunity on tech issue.

2012-05-21 Thread fmendez73
 
 Hello Natalio,
 do you have a precise example on how to implement this?
 Thanks.
 On lun 21/05/12  4:35  PM , Natalio Gatti nga...@gmail.com sent:
 I can only think of one solution. Via iptables and src-nat. Not
so-random, but you can change your outbound IP address every minute.
And AFAIK, once a connection has been established, the nat table
maintains the translation.
 On Mon, May 21, 2012 at 5:42 PM,   wrote:
  Hello everyone
 I am the owner of a growing hosting enterprise in my country (Perú),
and we are facing a big rise in our client number.
 As an effect of this we are seeing a rise in outbound mail on our
servers. Even though we put limits on hourly sending, having more than
9k clients, all delivering through the same cluster, it lacks
effectiveness because each server in the cluster uses only one IP for
sending tasks. We are now seeing blocking issues because of the traffic
generated by the many clients.
 We talked to some people at godaddy and hostgator, as we know they
use a cluster system that includes on each server a list of IPs that
rotates in a random fashion, so even with high demand quality service
on mail delivery from client accounts is always achieved.
 I would like to ask this community for some guidance and help on
how we could implement such a solution to rotate in a random or
other way the IPs for sending clients' mails.
 I hope you people can see my situation and can help me with this. We
used to work with exim, but since we changed to QMT it was the best
decision we ever made on these matters. Now we need to push it to a
next level.
 Thanks a lot.


Re: [qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread Cecil Yother, Jr.

  
  
Have you tried a DNS round robin solution?

On 05/21/2012 03:06 PM, fmende...@terra.com wrote:

  Hello Eric, thanks for your reply.

  We do not have spam issues with our customers, what we have is a
  high volume due to large clients number.

  All measures to avoid spam sending are taken, but the blocks are
  being generated for large volume sent from just a bunch of IPs (5),
  which is the number of QMT MTAs in our cluster. As you all may
  know, having 9k clients with at least 4 email accounts per client
  and a limit of 350 per hour per account, it is still a lot of traffic
  generated.

  So I am looking forward to having better service on delivery, having
  in mind that the customer number is growing fast and the anti-spam
  measures do their job pretty well. But because of the lack of IPs on
  each MTA in the cluster, it is affecting delivery.

  Hope someone around may share a solution.

  Thanks.
  
  
  
  On lun 21/05/12 4:55 PM , Eric Shubert e...@shubes.net sent:

I don't know if rotating addresses is the best solution or not. It's
certainly not practical for small QMT installations.

I think in many (if not all or most) of these cases, the user's password
has been compromised. This is especially likely if it's possible to
configure a client insecurely (plain text password with no TLS/SSL).
I've seen this happen on more than one occasion, on a small domain.
Password sniffing does happen.

First step is to ensure that clients cannot attempt to authenticate with
clear text passwords. This can be enforced with dovecot, but we don't
have a way yet to enforce it on the sending/smtp side. I'm hopeful that
Sam will get this feature built into spamdyke in the near future.

Another good defensive weapon is a script I came across on the spamdyke
list today, and hope to make available in some form with QTP in the
future. It's a script that periodically checks the logs for accounts
which have sent more messages in a given interval than some allowed
limit. When it finds such an account, it changes the password, removes
messages from that account still in the queue, and notifies the
postmaster with an email. I think this is very practical, because
passwords do become compromised on occasion, even with full encryption
(human action). The script is written in python, and will need a little
tweaking for the QMT environment, as it's presently written to scan a
spamdyke log (the author wasn't using the submission port at all). I
think it'd be better to scan the send log if that's feasible. Anywise, I
think this approach is promising.

If anyone has any thoughts on this, please chime in. It's in everyone's
interest to be protecting our public IP addresses so they don't get
blacklisted.

Thanks.

-- 
-Eric 'shubes'

On 05/21/2012 01:42 PM, fmende...@terra.com wrote:

   Hello everyone

   I am the owner of a growing hosting enterprise in my country (Perú), and
   we are facing a big rise in our client number.

   As an effect of this we are seeing a rise in outbound mail on our
   servers. Even though we put limits on hourly sending, having more than 9k
   clients, all delivering through the same cluster, it lacks
   effectiveness because each server in the cluster uses only one IP for
   sending tasks. We are now seeing blocking issues because of the traffic
   generated by the many clients.

   We talked to some people at godaddy and hostgator, as we know they use a
   cluster system that includes on each server a list of IPs that rotates
   in a random fashion, so even with high demand quality service on mail
   delivery from client accounts is always achieved.

   I would like to ask this community for some guidance and help on how
   we could implement such a solution to rotate in a random or other way
   the IPs for sending clients' mails.

   I hope you people can see 

[qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread Eric Shubert

I was going to write that RR would be of no help, then it dawned on me.

You could set up a single submission server, then smtproute all outbound 
messages from it to a DNS round robin set of sending agent machines. 
Virtual machines would work nicely for this.


Goes to show, there's more than one way to do things. :)

--
-Eric 'shubes'

On 05/21/2012 03:37 PM, Cecil Yother, Jr. wrote:

Have you tried a DNS round robin solution?

On 05/21/2012 03:06 PM, fmende...@terra.com wrote:

Hello Eric, thanks for your reply.

We do not have spam issues with our customers, what we have is a high
volume due to large clients number.

All measures to avoid spam sending are taken, but the blocks are being
generated for large volume sent from just a bunch of IPs (5), which is
the number of QMT MTAs in our cluster. As you all may know, having 9k
clients with at least 4 email accounts per client and a limit of 350
per hour per account, it is still a lot of traffic generated.

So I am looking forward to having better service on delivery, having in
mind that the customer number is growing fast and the anti-spam measures
do their job pretty well. But because of the lack of IPs on each MTA in
the cluster, it is affecting delivery.

Hope someone around may share a solution.


Thanks.



On lun 21/05/12 4:55 PM , Eric Shubert e...@shubes.net sent:

I don't know if rotating addresses is the best solution or not. It's
certainly not practical for small QMT installations.

I think in many (if not all or most) of these cases, the user's password
has been compromised. This is especially likely if it's possible to
configure a client insecurely (plain text password with no TLS/SSL).
I've seen this happen on more than one occasion, on a small domain.
Password sniffing does happen.

First step is to ensure that clients cannot attempt to authenticate with
clear text passwords. This can be enforced with dovecot, but we don't
have a way yet to enforce it on the sending/smtp side. I'm hopeful that
Sam will get this feature built into spamdyke in the near future.

Another good defensive weapon is a script I came across on the spamdyke
list today, and hope to make available in some form with QTP in the
future. It's a script that periodically checks the logs for accounts
which have sent more messages in a given interval than some allowed
limit. When it finds such an account, it changes the password, removes
messages from that account still in the queue, and notifies the
postmaster with an email. I think this is very practical, because
passwords do become compromised on occasion, even with full encryption
(human action). The script is written in python, and will need a little
tweaking for the QMT environment, as it's presently written to scan a
spamdyke log (the author wasn't using the submission port at all). I
think it'd be better to scan the send log if that's feasible. Anywise, I
think this approach is promising.

If anyone has any thoughts on this, please chime in. It's in everyone's
interest to be protecting our public IP addresses so they don't get
blacklisted.

Thanks.

--
-Eric 'shubes'

On 05/21/2012 01:42 PM, fmende...@terra.com wrote:

 Hello everyone

 I am the owner of a growing hosting enterprise in my country (Perú), and
 we are facing a big rise in our client number.

 As an effect of this we are seeing a rise in outbound mail on our
 servers. Even though we put limits on hourly sending, having more than 9k
 clients, all delivering through the same cluster, it lacks
 effectiveness because each server in the cluster uses only one IP for
 sending tasks. We are now seeing blocking issues because of the traffic
 generated by the many clients.

 We talked to some people at godaddy and hostgator, as we know they use a
 cluster system that includes on each server a list of IPs that rotates
 in a random fashion, so even with high demand quality service on mail
 delivery from client accounts is always achieved.

 I would like to ask this community for some guidance and help on how
 we could implement such a solution to rotate in a random or other way
 the IPs for sending clients' mails.

 I hope you people can see my situation and can help me with this. We
 used to work with exim, but since we changed to QMT it was the best
 decision we ever made on these matters. Now we need to push it to a next
 level.

 Thanks a lot.










[qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread Eric Shubert

On 05/21/2012 03:06 PM, fmende...@terra.com wrote:

Hello Eric, thanks for your reply.

We do not have spam issues with our customers, what we have is a high
volume due to large clients number.


With so many clients, the probability of compromised passwords is fairly 
high. I wouldn't be very quick to dismiss this as a possibility. Do your 
anti-spam measures have any effect on authenticated smtp sessions?



All measures to avoid spam sending are taken, but the blocks are being
generated for large volume sent from just a bunch of IPs (5), which is
the number of QMT MTAs in our cluster. As you all may know, having 9k
clients with at least 4 email accounts per client and a limit of 350 per
hour per account, it is still a lot of traffic generated.


350 per hour per account seems like a high limit to me for typical email 
use. In any case, how are you enforcing this limit?



So I am looking forward to having better service on delivery, having in
mind that the customer number is growing fast and the anti-spam measures
do their job pretty well. But because of the lack of IPs on each MTA in
the cluster, it is affecting delivery.

Hope someone around may share a solution.


Are all machines in the cluster going out on the same public IP? If 
so, I presume you have NAT in effect. If that's the case, you should 
look into implementing SNAT along with NAT, so the source IP changes 
according to which machine behind the NAT is the source of the packets. 
This is something your NAT router needs to do.




Thanks.


A little more detailed description of your current setup might be 
helpful for us to know what might be most effective for you.


--
-Eric 'shubes'



On lun 21/05/12 4:55 PM , Eric Shubert e...@shubes.net sent:

I don't know if rotating addresses is the best solution or not. It's
certainly not practical for small QMT installations.

I think in many (if not all or most) of these cases, the user's password
has been compromised. This is especially likely if it's possible to
configure a client insecurely (plain text password with no TLS/SSL).
I've seen this happen on more than one occasion, on a small domain.
Password sniffing does happen.

First step is to ensure that clients cannot attempt to authenticate with
clear text passwords. This can be enforced with dovecot, but we don't
have a way yet to enforce it on the sending/smtp side. I'm hopeful that
Sam will get this feature built into spamdyke in the near future.

Another good defensive weapon is a script I came across on the spamdyke
list today, and hope to make available in some form with QTP in the
future. It's a script that periodically checks the logs for accounts
which have sent more messages in a given interval than some allowed
limit. When it finds such an account, it changes the password, removes
messages from that account still in the queue, and notifies the
postmaster with an email. I think this is very practical, because
passwords do become compromised on occasion, even with full encryption
(human action). The script is written in python, and will need a little
tweaking for the QMT environment, as it's presently written to scan a
spamdyke log (the author wasn't using the submission port at all). I
think it'd be better to scan the send log if that's feasible. Anywise, I
think this approach is promising.

If anyone has any thoughts on this, please chime in. It's in everyone's
interest to be protecting our public IP addresses so they don't get
blacklisted.

Thanks.

--
-Eric 'shubes'

On 05/21/2012 01:42 PM, fmende...@terra.com wrote:

  Hello everyone

  I am the owner of a growing hosting enterprise in my country (Perú), and
  we are facing a big rise in our client number.

  As an effect of this we are seeing a rise in outbound mail on our
  servers. Even though we put limits on hourly sending, having more than 9k
  clients, all delivering through the same cluster, it lacks
  effectiveness because each server in the cluster uses only one IP for
  sending tasks. We are now seeing blocking issues because of the traffic
  generated by the many clients.

  We talked to some people at godaddy and hostgator, as we know they use a
  cluster system that includes on each server a list of IPs that rotates
  in a random fashion, so even with high demand quality service on mail
  delivery from client accounts is always achieved.

  I would like to ask this community for some guidance and help on how
  we could implement such a solution to rotate in a random or other way
  the IPs for sending clients' mails.

  I hope you people can see my situation and can help me with this. We
  used to work with exim, but since we changed to QMT it was the best
  decision we ever made on this 
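
The log check described in the quoted message above (flag accounts that sent more messages in a given interval than an allowed limit), sketched against the qmail send log. This is an added example, not the script from the spamdyke list and not QTP code. It assumes TAI64N-stamped qmail-send lines, counts by envelope sender (which is not necessarily the authenticated account), uses constructed sample lines, and leaves out the response steps (password change, queue cleanup, postmaster notice).

```python
import re
from collections import defaultdict, deque

TAI64_BASE = 2 ** 62  # TAI64 second labels are offset by 2^62

# qmail-send log events used here (timestamp prefix already split off).
INFO_RE = re.compile(r"^info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid \d+")
START_RE = re.compile(r"^starting delivery \d+: msg (\d+) to remote \S+")
END_RE = re.compile(r"^end msg (\d+)")


def tai64n_to_seconds(label):
    """'@' + 24 hex digits -> whole seconds (the ~10 s TAI-UTC offset is ignored)."""
    return int(label[1:17], 16) - TAI64_BASE


def find_heavy_senders(lines, limit, window=3600):
    """Return {envelope sender: peak count} for senders with more than
    `limit` remote deliveries started inside any `window`-second span."""
    sender_of = {}               # queue message number -> envelope sender
    recent = defaultdict(deque)  # sender -> start times still inside the window
    peak = {}
    for line in lines:
        label, _, event = line.strip().partition(" ")
        if len(label) != 25 or not label.startswith("@"):
            continue             # not a TAI64N-stamped line
        try:
            now = tai64n_to_seconds(label)
        except ValueError:
            continue
        m = INFO_RE.match(event)
        if m:
            sender_of[m.group(1)] = m.group(2).lower()
            continue
        m = END_RE.match(event)
        if m:
            # qmail reuses message numbers, so forget the mapping at "end msg".
            sender_of.pop(m.group(1), None)
            continue
        m = START_RE.match(event)
        if not m:
            continue
        sender = sender_of.get(m.group(1))
        if not sender or sender.startswith("#@"):
            continue             # null or double-bounce sender: not a user account
        times = recent[sender]
        times.append(now)
        while times[0] <= now - window:
            times.popleft()
        if len(times) > limit:
            peak[sender] = max(peak.get(sender, 0), len(times))
    return peak


def stamp(sec):
    """Build a TAI64N label for the constructed sample below."""
    return "@%016x%08x" % (TAI64_BASE + sec, 0)


def sample_log():
    """Constructed log lines (not from a real server)."""
    t0 = 1337558400
    log = []

    def msg(num, at, sender, rcpt):
        log.append("%s new msg %d" % (stamp(at), num))
        log.append("%s info msg %d: bytes 2048 from <%s> qp 4100 uid 89"
                   % (stamp(at), num, sender))
        log.append("%s starting delivery %d: msg %d to remote %s"
                   % (stamp(at), num, num, rcpt))
        log.append("%s end msg %d" % (stamp(at + 5), num))

    for i in range(12):          # burst: 12 messages in under 6 minutes
        msg(500 + i, t0 + 30 * i, "bob@example.test", "rcpt%d@example.net" % i)
    msg(900, t0 + 400, "", "someone@example.net")   # bounce with null sender
    for i in range(12):          # same volume, one message per hour
        msg(500 + i, t0 + 1000 + 3600 * i, "carol@example.test", "friend@example.org")
    return log


if __name__ == "__main__":
    for account, count in find_heavy_senders(sample_log(), limit=10).items():
        print("over limit: %s (%d remote deliveries within one hour)" % (account, count))
```

Because the envelope sender can differ from the login that submitted the message, a flagged address is a lead to confirm against the submission or authentication log before any password is changed.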

Re: [qmailtoaster] Re: QMT 3+ years newer, migration .. need links

2012-05-21 Thread Everett Batey (WA6CRE)
Comments below..

On Mon, May 21, 2012 09:22, Eric Shubert wrote:
 On 05/21/2012 07:50 AM, Ev Batey WA6CRE wrote:
 Just upgraded, QMT, Centos, iron and location.
 I'm hoping someone has a link, how-to, on migrating qmt-mail-folders,
 users, lists, aliases.
 Failed to be recognized when scp -rp from
 oldhost:/home/vpopmail/domains/eachone to newhost:/same...

 I'm also getting no MX records found going one way. Inbound mail not
 found and no bounces returned,
 sending to postmas...@newhost.my.domain
 /Everett

 http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-backupqtp-restore
 --
 -Eric 'shubes'

Eric,

Thank you ..

That works well on my NEW QMT  version: 5.4.17  /CentOS release 5.8 (Final)

Not so well on my OLD QMT  version: 5.4.13 /CentOS release 4.6 (Final)

Any idea if there is an easy way to get QTP on Centos 4.6 ?  to create the
backupqtp ?

-- 
Best Wishes y hasta luego, Everett
  +1 (805) 340-6471 / (703) 879-6471
  PA Cell: 011 507 6766-8244
http://www.cotdazr.org  IS/IT/Unix/Web







[qmailtoaster] Re: QMT 3+ years newer, migration .. need links

2012-05-21 Thread Eric Shubert

On 05/21/2012 06:56 PM, Everett Batey (WA6CRE) wrote:

Comments below..

On Mon, May 21, 2012 09:22, Eric Shubert wrote:

On 05/21/2012 07:50 AM, Ev Batey WA6CRE wrote:

Just upgraded, QMT, Centos, iron and location.
I'm hoping someone has a link, how-to, on migrating qmt-mail-folders,
users, lists, aliases.
Failed to be recognized when scp -rp from
oldhost:/home/vpopmail/domains/eachone to newhost:/same...

I'm also getting no MX records found going one way. Inbound mail not
found and no bounces returned,
sending to postmas...@newhost.my.domain
/Everett



http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-backupqtp-restore
--
-Eric 'shubes'


Eric,

Thank you ..

That works well on my NEW QMT  version: 5.4.17  /CentOS release 5.8 (Final)

Not so well on my OLD QMT  version: 5.4.13 /CentOS release 4.6 (Final)

Any idea if there is an easy way to get QTP on Centos 4.6 ?  to create the
backupqtp ?



I presume you're referring to vpopmail versions (5.4.13 to 5.4.17). I'm 
guessing that there was perhaps a database change between those versions.


If you don't have a lot of accounts, you could simply create the domains 
(do *not* use vqadmin) and users on the new system, then scp over the 
maildirs.


If you have a lot of accounts, have a look at what has changed between 
your old database schema and the newer one. Whatever problem you're 
having is probably in the difference in the vpopmail database.


I'm just guessing here, so YMMV. My off hand recollection doesn't go 
back so far as vpopmail 5.4.13.


Anyone else have some idea?

--
-Eric 'shubes'





Re: [qmailtoaster] Re: Help request to comunity on tech issue.

2012-05-21 Thread Délsio Cabá
Hi all,

I am also a small ISP but I don't have such problems and I don't use a
cluster yet.
The easiest solution is normally the best one.
If you have a Storage try to implement a Load Balance with multiple mail
servers instead of a cluster.
This way you will be able to answer smtp/pop3 requests using multiple IP
addresses.
But before that you should check your bandwidth and delay also. Many
problems occur on the transmission side.

Regards

On 22 May 2012 01:14, Eric Shubert e...@shubes.net wrote:

 On 05/21/2012 03:06 PM, fmende...@terra.com wrote:

 Hello Eric, thanks for your reply.

 We do not have spam issues with our customers, what we have is a high
 volume due to large clients number.


 With so many clients, the probability of compromised passwords is fairly
 high. I wouldn't be very quick to dismiss this as a possibility. Do your
 anti-spam measures have any effect on authenticated smtp sessions?


  All measures to avoid spam sending are taken, but the blocks are being
 generated for large volume sent from just a bunch of IPs (5), which is
 the number of QMT MTAs in our cluster. As you all may know, having 9k
 clients with at least 4 email accounts per client and a limit of 350 per
 hour per account, it is still a lot of traffic generated.


 350 per hour per account seems like a high limit to me for typical email
 use. In any case, how are you enforcing this limit?


  So I am looking forward to having better service on delivery, having in
 mind that the customer number is growing fast and the anti-spam measures
 do their job pretty well. But because of the lack of IPs on each MTA in
 the cluster, it is affecting delivery.

 Hope someone around may share a solution.


 Are all machines in the cluster going out on the same public IP? If
 so, I presume you have NAT in effect. If that's the case, you should look
 into implementing SNAT along with NAT, so the source IP changes according
 to which machine behind the NAT is the source of the packets. This is
 something your NAT router needs to do.


 Thanks.


 A little more detailed description of your current setup might be helpful
 for us to know what might be most effective for you.

 --
 -Eric 'shubes'


 On lun 21/05/12 4:55 PM , Eric Shubert e...@shubes.net sent:

I don't know if rotating addresses is the best solution or not. It's
certainly not practical for small QMT installations.

I think in many (if not all or most) of these cases, the user's password
has been compromised. This is especially likely if it's possible to
configure a client insecurely (plain text password with no TLS/SSL).
I've seen this happen on more than one occasion, on a small domain.
Password sniffing does happen.

First step is to ensure that clients cannot attempt to authenticate with
clear text passwords. This can be enforced with dovecot, but we don't
have a way yet to enforce it on the sending/smtp side. I'm hopeful that
Sam will get this feature built into spamdyke in the near future.

Another good defensive weapon is a script I came across on the spamdyke
list today, and hope to make available in some form with QTP in the
future. It's a script that periodically checks the logs for accounts
which have sent more messages in a given interval than some allowed
limit. When it finds such an account, it changes the password, removes
messages from that account still in the queue, and notifies the
postmaster with an email. I think this is very practical, because
passwords do become compromised on occasion, even with full encryption
(human action). The script is written in python, and will need a little
tweaking for the QMT environment, as it's presently written to scan a
spamdyke log (the author wasn't using the submission port at all). I
think it'd be better to scan the send log if that's feasible. Anywise, I
think this approach is promising.

If anyone has any thoughts on this, please chime in. It's in everyone's
interest to be protecting our public IP addresses so they don't get
blacklisted.

Thanks.

--
-Eric 'shubes'

On 05/21/2012 01:42 PM, fmende...@terra.com wrote:

  Hello everyone

  I am the owner of a growing hosting enterprise in my country (Perú), and
  we are facing a big rise in our client number.

  As an effect of this we are seeing a rise in outbound mail on our
  servers. Even though we put limits on hourly sending, having more than 9k
  clients, all delivering through the same cluster, it lacks
  effectiveness because each server in the cluster uses only one IP for
  sending tasks. We are now seeing blocking issues because of the traffic
  generated by the many clients.

  We talked to some people at godaddy and hostgator, as we know they use a
  cluster system that includes on each server a list of IPs that rotates
  in a