Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-13 Thread d...@acbsco.com




Aleksander,
yeah kinda weird posting questions on qmail-toaster page regarding
postfix.  However, if you read the entire post, I was following a
previous post by Eric Shubert on Oct. 29th about using postfix to
securely relay mail to a qmailtoaster server. 
Eric, did you mention you would like a wiki entry regarding this? 
I have never done a wiki entry before, but I am up to the task. Let me
know.
Thanks,
Dave

Aleksander Podsiadly wrote:
> On 13.11.2009 20:15, d...@acbsco.com wrote:
>> Eric and list,
>> I am sending emails now.  I changed the line echo "mail.domain.com:587 postmas...@domain.com:password" >sasl_passwd
>> and used echo "192.168.5.2:587 " >sasl_passwd
>> ran postmap sasl_passwd
>> restarted postfix and emails started coming through.
>> I still get some certificate errors though, what would be the cause?
>> Nov 13 13:09:03 inet postfix/pickup[19149]: A3DCC20E014B: uid=0 from=
>> Nov 13 13:09:03 inet postfix/cleanup[19336]: A3DCC20E014B: message-id=<20091113190903.a3dcc20e0...@inet.local.solution-group.com>
>> Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: from=, size=729, nrcpt=1 (queue active)
>> Nov 13 13:09:03 inet postfix/smtp[19338]: certificate verification failed for 192.168.5.2: num=18:self signed certificate
>> Nov 13 13:09:03 inet postfix/smtp[19338]: A3DCC20E014B: to=, relay=192.168.5.2[192.168.5.2]:587, delay=0.16, delays=0.02/0.03/0.09/0.02, dsn=2.0.0, status=sent (250 ok 1258139320 qp 10933)
>> Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: removed
>>
>> Is this because it is a self signed cert?
>>
>> Thanks,
>> Dave
>
> Is the Postfix MTA part of qmailtoaster? Do I miss something?
> --
> Pozdrawiam / Regards,
> Aleksander Podsiadły
> mail: a...@westside.kielce.pl
> jid: a...@jabber.westside.kielce.pl
> ICQ: 201121279
> gg: 9150578



-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-13 Thread Aleksander Podsiadly

On 13.11.2009 20:15, d...@acbsco.com wrote:
> Eric and list,
> I am sending emails now.  I changed the line echo "mail.domain.com:587 postmas...@domain.com:password" >sasl_passwd
> and used echo "192.168.5.2:587 " >sasl_passwd
> ran postmap sasl_passwd
> restarted postfix and emails started coming through.
> I still get some certificate errors though, what would be the cause?
> Nov 13 13:09:03 inet postfix/pickup[19149]: A3DCC20E014B: uid=0 from=
> Nov 13 13:09:03 inet postfix/cleanup[19336]: A3DCC20E014B: message-id=<20091113190903.a3dcc20e0...@inet.local.solution-group.com>
> Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: from= , size=729, nrcpt=1 (queue active)
> Nov 13 13:09:03 inet postfix/smtp[19338]: certificate verification failed for 192.168.5.2: num=18:self signed certificate
> Nov 13 13:09:03 inet postfix/smtp[19338]: A3DCC20E014B: to= , relay=192.168.5.2[192.168.5.2]:587, delay=0.16, delays=0.02/0.03/0.09/0.02, dsn=2.0.0, status=sent (250 ok 1258139320 qp 10933)
> Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: removed
>
> Is this because it is a self signed cert?
>
> Thanks,
> Dave

Is the Postfix MTA part of qmailtoaster? Do I miss something?

--
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578
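
The log quoted in this thread shows a "certificate verification failed" record followed by a status=sent delivery to the same relay from the same smtp process, which is what opportunistic TLS (smtp_use_tls = yes) permits. The Python script below is an added example, not code from any poster or from the Postfix or qmailtoaster projects; it pairs those two records in a maillog so such deliveries can be listed. The recipient addresses and every sample record after the first two are constructed.

```python
import re

# One syslog record per line, as in /var/log/maillog (mail-client wrapping removed).
SMTP_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtp\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# Wording of the failure record as it appears in the thread's log.
# num= is the OpenSSL verify error; 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.
VERIFY_FAILED = re.compile(
    r"^certificate verification failed for (?P<peer>\S+?): "
    r"num=(?P<num>\d+):(?P<reason>.*)$"
)
DELIVERY = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),"
    r".*?\bstatus=(?P<status>\w+)"
)
RELAY = re.compile(r"^(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)$")

# Constructed sample. The first two records mirror the thread's log with a
# placeholder recipient; the rest are invented to exercise the other branches.
SAMPLE_LOG = """\
Nov 13 13:09:03 inet postfix/smtp[19338]: certificate verification failed for 192.168.5.2: num=18:self signed certificate
Nov 13 13:09:03 inet postfix/smtp[19338]: A3DCC20E014B: to=<user@example.com>, relay=192.168.5.2[192.168.5.2]:587, delay=0.16, delays=0.02/0.03/0.09/0.02, dsn=2.0.0, status=sent (250 ok 1258139320 qp 10933)
Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: removed
Nov 13 13:12:40 inet postfix/smtp[19401]: B1F0020E0150: to=<user@example.com>, relay=192.168.5.2[192.168.5.2]:587, delay=0.2, delays=0.02/0.03/0.1/0.05, dsn=2.0.0, status=sent (250 ok 1258139540 qp 11002)
Nov 13 13:15:02 inet postfix/smtp[19410]: certificate verification failed for 192.168.5.2: num=18:self signed certificate
Nov 13 13:15:32 inet postfix/smtp[19410]: C2A1120E0151: to=<user@example.com>, relay=none, delay=30, delays=0.02/0.04/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[192.0.2.10]: Connection timed out)
"""


def unverified_tls_deliveries(log_text):
    """Return deliveries that followed a certificate verification failure.

    A failure record is remembered per smtp process id and consumed by the
    next delivery record from that process; the delivery is reported only
    if its relay name or address is the peer named in the failure record.
    """
    pending = {}   # smtp pid -> fields of the last verification failure
    findings = []
    for line in log_text.splitlines():
        m = SMTP_LINE.match(line)
        if not m:
            continue                      # pickup, cleanup, qmgr, other daemons
        pid, msg = m["pid"], m["msg"]

        failed = VERIFY_FAILED.match(msg)
        if failed:
            pending[pid] = failed.groupdict()
            continue

        delivery = DELIVERY.match(msg)
        if not delivery:
            continue
        failure = pending.pop(pid, None)  # one failure explains one delivery
        relay = RELAY.match(delivery["relay"])
        if failure is None or relay is None:
            continue                      # verified session, or relay=none
        if failure["peer"] not in (relay["name"], relay["ip"]):
            continue
        findings.append({
            "ts": m["ts"],
            "pid": int(pid),
            "qid": delivery["qid"],
            "rcpt": delivery["rcpt"],
            "relay": delivery["relay"],
            "status": delivery["status"],
            "verify_error": int(failure["num"]),
            "reason": failure["reason"].strip(),
        })
    return findings


if __name__ == "__main__":
    for f in unverified_tls_deliveries(SAMPLE_LOG):
        print("{ts} {qid} status={status} relay={relay} "
              "verify_error={verify_error} ({reason})".format(**f))
```
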



Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-13 Thread d...@acbsco.com




Eric and list,
I am sending emails now.  I changed the line echo "mail.domain.com:587 postmas...@domain.com:password" >sasl_passwd
and used echo "192.168.5.2:587 " >sasl_passwd
ran postmap sasl_passwd
restarted postfix and emails started coming through.
I still get some certificate errors though, what would be the cause?
Nov 13 13:09:03 inet postfix/pickup[19149]: A3DCC20E014B: uid=0 from=
Nov 13 13:09:03 inet postfix/cleanup[19336]: A3DCC20E014B: message-id=<20091113190903.a3dcc20e0...@inet.local.solution-group.com>
Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: from=, size=729, nrcpt=1 (queue active)
Nov 13 13:09:03 inet postfix/smtp[19338]: certificate verification failed for 192.168.5.2: num=18:self signed certificate
Nov 13 13:09:03 inet postfix/smtp[19338]: A3DCC20E014B: to=, relay=192.168.5.2[192.168.5.2]:587, delay=0.16, delays=0.02/0.03/0.09/0.02, dsn=2.0.0, status=sent (250 ok 1258139320 qp 10933)
Nov 13 13:09:03 inet postfix/qmgr[19150]: A3DCC20E014B: removed

Is this because it is a self signed cert?

Thanks,
Dave

d...@acbsco.com wrote:
> Hi Eric,
> I must be missing something here.  I decided to give postfix a try and
> followed your quickie howto, but I cannot send email out. First this is
> what I have done.
> Stopped qmail-smtpd and qmail-send using svc -d service name and adding
> the "down" files to the proper directories.
> I used yum on my CentOS 5.3 system and installed postfix-2.3.3-2.1.el5_2.
>
> Then I used these instructions:
> # cd /etc/pki/tls/certs
> # make postfix.pem
> # cd /etc/postfix
> # echo "mail.domain.com:587 postmas...@domain.com:password" \
>     >sasl_passwd
>   I replace mail.domain.com with mail.accsnetwork.com and postmas...@accsnetwork.com:
> # chmod 600 sasl_passwd
> # postmap sasl_passwd
>
> Edit /etc/postfix/main.cf settings:
> myorigin = domain.com
>   Used accsnetwork.com here
> #mydestination =
> mynetworks_style = host
> relayhost = mail.domain.com:587
>   Used mail.accsnetwork.com:587 here.
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_use_tls = yes
> smtp_tls_CAfile = /etc/pki/tls/certs/postfix.pem
> smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
>
> Then I had to create some symbolic links:
> # ln -s /usr/sbin/sendmail.postfix /usr/sbin/sendmail
> # ln -s /usr/lib/sendmail.postfix /usr/lib/sendmail
>
> started postfix
> watched the /var/log/maillog file
> sent a test email from the command line
> I get these errors:
> Nov 13 12:46:37 inet postfix/pickup[17384]: BA2DD20E0152: uid=0 from=
> Nov 13 12:46:37 inet postfix/cleanup[17397]: BA2DD20E0152: message-id=<20091113184637.ba2dd20e0...@inet.local.solution-group.com>
> Nov 13 12:46:37 inet postfix/qmgr[17385]: BA2DD20E0152: from=, size=729, nrcpt=1 (queue active)
> Nov 13 12:47:07 inet postfix/smtp[17399]: connect to mail.accsnetwork.com[207.224.111.118]: Connection timed out (port 587)
> Nov 13 12:47:07 inet postfix/smtp[17399]: BA2DD20E0152: to=, relay=none, delay=30, delays=0.02/0.04/30/0, dsn=4.4.1, status=deferred (connect to mail.accsnetwork.com[207.224.111.118]: Connection timed out)
>
> Do I need to set something up on the qmailtoaster server?
>
> Thanks,
> Dave
>
> Eric Shubert wrote:
>> I think that postfix is your best route as well.
>>
>> Just to clarify the log messages a little, when spamdyke issues a
>> DENIED_OTHER message, it's saying that something else (other than
>> spamdyke) rejected the message. This could be absolutely anything
>> further down the pipe. spamdyke is simply saying that "something other
>> than rejected the message, so I'm obeying that rejection".
>>
>> In this case it appears to be eMPF that's doing the rejecting, but it
>> could also be chkuser, clamav, spamassassin etc. as far as spamdyke
>> knows. There should be a rejection message in the log just before
>> spamdyke's DENIED_OTHER that details the rejection.
>>
>> HTH.
>>
>> d...@acbsco.com wrote:
>>> Thanks guys for all the input. I should be more descriptive with my
>>> issue.  First, my users do not connect to any email accounts on my
>>> internal servers.  I have different applications running on my internal
>>> servers that need to send email to accounts on my external
>>> (qmail-toaster).  For instance, I run timetrex on one server.  Users
>>> login and clock in and out.  Managers can send email to the time
>>> administrator email account which resides on my external server
>>> (a...@solution-group.com).  These are the emails that are failing in the
>>> example logs I posted.
>>>
>>> Thinking of what Jake was suggesting:
>>> I added 192.168.105.110 to the whitelist_ip and
>>> @local.solution-group.com to whitelist_rdns and whitelist_senders in
>>> /etc/spamdyke.  I still get the "11-10 16:07:45 spamdyke[27917]:
>>> DENIED_OTHER from: d...@acbsco.com to: a...@solution-group.com origin_ip:
>>> 192.168.105.110 origin_rdns: " message in the smtp logfile on the
>>> qmailtoaster.
>>>
>>> I can say with 100% confidence that when I remove all entries from the
>>> polic

Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-13 Thread d...@acbsco.com




Hi Eric,
I must be missing something here.  I decided to give postfix a try and
followed your quickie howto, but I cannot send email out. First this is
what I have done.
Stopped qmail-smtpd and qmail-send using svc -d service name and adding
the "down" files to the proper directories.
I used yum on my CentOS 5.3 system and installed postfix-2.3.3-2.1.el5_2.

Then I used these instructions:
# cd /etc/pki/tls/certs
# make postfix.pem
# cd /etc/postfix
# echo "mail.domain.com:587 postmas...@domain.com:password" \
    >sasl_passwd
  I replace mail.domain.com with mail.accsnetwork.com and postmas...@accsnetwork.com:
# chmod 600 sasl_passwd
# postmap sasl_passwd

Edit /etc/postfix/main.cf settings:
myorigin = domain.com
  Used accsnetwork.com here
#mydestination =
mynetworks_style = host
relayhost = mail.domain.com:587
  Used mail.accsnetwork.com:587 here.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/postfix.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache


Then I had to create some symbolic links:
# ln -s /usr/sbin/sendmail.postfix /usr/sbin/sendmail
# ln -s /usr/lib/sendmail.postfix /usr/lib/sendmail

started postfix
watched the /var/log/maillog file
sent a test email from the command line
I get these errors:
Nov 13 12:46:37 inet postfix/pickup[17384]: BA2DD20E0152: uid=0 from=
Nov 13 12:46:37 inet postfix/cleanup[17397]: BA2DD20E0152: message-id=<20091113184637.ba2dd20e0...@inet.local.solution-group.com>
Nov 13 12:46:37 inet postfix/qmgr[17385]: BA2DD20E0152: from=, size=729, nrcpt=1 (queue active)
Nov 13 12:47:07 inet postfix/smtp[17399]: connect to mail.accsnetwork.com[207.224.111.118]: Connection timed out (port 587)
Nov 13 12:47:07 inet postfix/smtp[17399]: BA2DD20E0152: to=, relay=none, delay=30, delays=0.02/0.04/30/0, dsn=4.4.1, status=deferred (connect to mail.accsnetwork.com[207.224.111.118]: Connection timed out)

Do I need to set something up on the qmailtoaster server?

Thanks,
Dave



Eric Shubert wrote:
> I think that postfix is your best route as well.
>
> Just to clarify the log messages a little, when spamdyke issues a
> DENIED_OTHER message, it's saying that something else (other than
> spamdyke) rejected the message. This could be absolutely anything
> further down the pipe. spamdyke is simply saying that "something other
> than rejected the message, so I'm obeying that rejection".
>
> In this case it appears to be eMPF that's doing the rejecting, but it
> could also be chkuser, clamav, spamassassin etc. as far as spamdyke
> knows. There should be a rejection message in the log just before
> spamdyke's DENIED_OTHER that details the rejection.
>
> HTH.
>
> d...@acbsco.com wrote:
>> Thanks guys for all the input. I should be more descriptive with my
>> issue.  First, my users do not connect to any email accounts on my
>> internal servers.  I have different applications running on my internal
>> servers that need to send email to accounts on my external
>> (qmail-toaster).  For instance, I run timetrex on one server.  Users
>> login and clock in and out.  Managers can send email to the time
>> administrator email account which resides on my external server
>> (a...@solution-group.com).  These are the emails that are failing in the
>> example logs I posted.
>>
>> Thinking of what Jake was suggesting:
>> I added 192.168.105.110 to the whitelist_ip and
>> @local.solution-group.com to whitelist_rdns and whitelist_senders in
>> /etc/spamdyke.  I still get the "11-10 16:07:45 spamdyke[27917]:
>> DENIED_OTHER from: d...@acbsco.com to: a...@solution-group.com origin_ip:
>> 192.168.105.110 origin_rdns: " message in the smtp logfile on the
>> qmailtoaster.
>>
>> I can say with 100% confidence that when I remove all entries from the
>> policy (eMPF) file on the external mail server - these emails are
>> successfully delivered.  The issue is, timetrex and other application
>> have no configuration file where I can put the smtp username and
>> password.  Since eMPF requires a user to authenticate (it has to know
>> who you are so it can apply a rule if applicable) it fails any message
>> that does not authenticate.
>>
>> So, at this point, my best option is to follow the quickie guide to
>> installing postfix.
>>
>> If anyone has anything else to add or suggest, I am all ears.
>>
>> Thanks,
>> Dave
>>
>> Jake Vickers wrote:
>>> Eric Shubert wrote:
>>>> Good question. I don't know the answer to that off hand.
>>>>
>>>> Michael Colvin wrote:
>>>>> Oh, I totally agree, Eric.  I guess my point was trying to find out
>>>>> if there
>>>>> was any reason they needed to do it that way...  Really, the eMPF
>>>>> functionality should be on his internal server, not the external relay
>>>>> server...  Then, the internal server could relay to th

RE: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-11 Thread Michael Colvin
Ok...Clearer now...You had mentioned what you were using the internal server
for, I just forgot, or got your issue confused with someone else's.  :-)

Have you tried to see if you can send via port 587 w/o eMPF getting in the
way?  If you can, then you could just set your smtproutes to use your QMT's
IP and port 587.  I think it's:  *:ipaddressofserver:587

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 



> -Original Message-
> From: d...@acbsco.com [mailto:d...@acbsco.com]
> Sent: Wednesday, November 11, 2009 9:13 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Re: eMPF requires authentication to work?
> 
> Thanks guys for all the input. I should be more descriptive with my
> issue.  First, my users do not connect to any email accounts on my
> internal servers.  I have different applications running on my internal
> servers that need to send email to accounts on my external
> (qmail-toaster).  For instance, I run timetrex on one server.  Users
> login and clock in and out.  Managers can send email to the time
> administrator email account which resides on my external server
> (a...@solution-group.com).  These are the emails that are failing in the
> example logs I posted.
> 
> Thinking of what Jake was suggesting:
> I added 192.168.105.110 to the whitelist_ip and
> @local.solution-group.com to whitelist_rdns and whitelist_senders in
> /etc/spamdyke.  I still get the "11-10 16:07:45 spamdyke[27917]:
> DENIED_OTHER from: d...@acbsco.com to: a...@solution-group.com origin_ip:
> 192.168.105.110 origin_rdns: " message in the smtp logfile on the
> qmailtoaster.
> 
> I can say with 100% confidence that when I remove all entries from the
> policy (eMPF) file on the external mail server - these emails are
> successfully delivered.  The issue is, timetrex and other application
> have no configuration file where I can put the smtp username and
> password.  Since eMPF requires a user to authenticate (it has to know
> who you are so it can apply a rule if applicable) it fails any message
> that does not authenticate.
> 
> So, at this point, my best option is to follow the quickie guide to
> installing postfix.
> 
> If anyone has anything else to add or suggest, I am all ears.
> 
> Thanks,
> Dave
> 
> 
> Jake Vickers wrote:
> > Eric Shubert wrote:
> >> Good question. I don't know the answer to that off hand.
> >>
> >> Michael Colvin wrote:
> >>> Oh, I totally agree, Eric.  I guess my point was trying to find out
> >>> if there
> >>> was any reason they needed to do it that way...  Really, the eMPF
> >>> functionality should be on his internal server, not the external relay
> >>> server...  Then, the internal server could relay to the QMT w/o
> >>> having eMPF
> >>> on it, and the internal server would still limit user e-mails.
> >>>
> >>> Unless of course the users also connect from externally...
> >>>
> >>> Couldn't he also have the internal server relay via port 587 to the
> >>> toaster?
> >>> Does eMPF look at 587 traffic also?
> >
> > I'm 99% sure that it does, since it's a patch applied to the smtp
> > daemon in a global sense.
> > Also, isn't this a Spamdyke config issue with the IP address?
> >
> > 11-10 16:07:45 spamdyke[27917]: DENIED_OTHER from: d...@acbsco.com to:
> > a...@solution-group.com origin_ip: 192.168.105.110 origin_rdns:
> >
> > It reads to me that it was denied because of "DENIED_OTHER" by
> > spamdyke for origin_rdns.
> > It's late, so correct me if I'm wrong.
> >

Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-11 Thread d...@acbsco.com
Thanks guys for all the input. I should be more descriptive with my
issue.  First, my users do not connect to any email accounts on my
internal servers.  I have different applications running on my internal
servers that need to send email to accounts on my external
(qmail-toaster).  For instance, I run timetrex on one server.  Users
login and clock in and out.  Managers can send email to the time
administrator email account which resides on my external server
(a...@solution-group.com).  These are the emails that are failing in the
example logs I posted. 

Thinking of what Jake was suggesting:
I added 192.168.105.110 to the whitelist_ip and
@local.solution-group.com to whitelist_rdns and whitelist_senders in
/etc/spamdyke.  I still get the "11-10 16:07:45 spamdyke[27917]:
DENIED_OTHER from: d...@acbsco.com to: a...@solution-group.com origin_ip:
192.168.105.110 origin_rdns: " message in the smtp logfile on the
qmailtoaster.

I can say with 100% confidence that when I remove all entries from the
policy (eMPF) file on the external mail server - these emails are
successfully delivered.  The issue is, timetrex and other application
have no configuration file where I can put the smtp username and
password.  Since eMPF requires a user to authenticate (it has to know
who you are so it can apply a rule if applicable) it fails any message
that does not authenticate.

So, at this point, my best option is to follow the quickie guide to
installing postfix.

If anyone has anything else to add or suggest, I am all ears.

Thanks,
Dave
 

Jake Vickers wrote:
> Eric Shubert wrote:
>> Good question. I don't know the answer to that off hand.
>>
>> Michael Colvin wrote:
>>> Oh, I totally agree, Eric.  I guess my point was trying to find out
>>> if there
>>> was any reason they needed to do it that way...  Really, the eMPF
>>> functionality should be on his internal server, not the external relay
>>> server...  Then, the internal server could relay to the QMT w/o
>>> having eMPF
>>> on it, and the internal server would still limit user e-mails.
>>>
>>> Unless of course the users also connect from externally...
>>>
>>> Couldn't he also have the internal server relay via port 587 to the
>>> toaster?
>>> Does eMPF look at 587 traffic also?
>
> I'm 99% sure that it does, since it's a patch applied to the smtp
> daemon in a global sense.
> Also, isn't this a Spamdyke config issue with the IP address?
>
> 11-10 16:07:45 spamdyke[27917]: DENIED_OTHER from: d...@acbsco.com to:
> a...@solution-group.com origin_ip: 192.168.105.110 origin_rdns:
>
> It reads to me that it was denied because of "DENIED_OTHER" by
> spamdyke for origin_rdns.
> It's late, so correct me if I'm wrong.





Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-10 Thread Jake Vickers

Eric Shubert wrote:
> Good question. I don't know the answer to that off hand.
>
> Michael Colvin wrote:
>> Oh, I totally agree, Eric.  I guess my point was trying to find out if there
>> was any reason they needed to do it that way...  Really, the eMPF
>> functionality should be on his internal server, not the external relay
>> server...  Then, the internal server could relay to the QMT w/o having eMPF
>> on it, and the internal server would still limit user e-mails.
>>
>> Unless of course the users also connect from externally...
>>
>> Couldn't he also have the internal server relay via port 587 to the toaster?
>> Does eMPF look at 587 traffic also?

I'm 99% sure that it does, since it's a patch applied to the smtp daemon
in a global sense.
Also, isn't this a Spamdyke config issue with the IP address?

11-10 16:07:45 spamdyke[27917]: DENIED_OTHER from: d...@acbsco.com to: a...@solution-group.com origin_ip: 192.168.105.110 origin_rdns:

It reads to me that it was denied because of "DENIED_OTHER" by spamdyke
for origin_rdns.
It's late, so correct me if I'm wrong.





RE: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-10 Thread Michael Colvin
Oh, I totally agree, Eric.  I guess my point was trying to find out if there
was any reason they needed to do it that way...  Really, the eMPF
functionality should be on his internal server, not the external relay
server...  Then, the internal server could relay to the QMT w/o having eMPF
on it, and the internal server would still limit user e-mails.

Unless of course the users also connect from externally...

Couldn't he also have the internal server relay via port 587 to the toaster?
Does eMPF look at 587 traffic also?

 
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
 



> -Original Message-
> From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric Shubert
> Sent: Tuesday, November 10, 2009 3:46 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: [qmailtoaster] Re: eMPF requires authentication to work?
> 
> That's a valid way of doing things, but it presents another set of
> problems. It's sometimes difficult to get mail delivered to some larger
> mail destinations, such as yahoo, hotmail, and gmail. Having everything
> going out from a single host makes delivery easier to administer. There
> are fewer IPs that can be blacklisted, the SPF record is simpler, and
> it's easier to administer DKIM. That's just my opinion though.
> 
> Michael Colvin wrote:
> > I think you missed what I was trying to get at…  You’re using your
> > internal servers for your users to connect to, and send mail, right?
> > Yet, you have your internal server try to relay through the QMT server.
> > Since that server is requiring authentication, the QMT server is
> > rejecting it.
> >
> >
> >
> > Why not have your internal server deliver your user mail directly to the
> > remote mail server, not relaying it through your QMT servers.
> >
> >
> >
> > IE, instead of:
> >
> >
> >
> > YOURINTERNALSERVER -> YOURQMT -> REMOTESERVER
> >
> >
> >
> > why not:
> >
> >
> >
> > YOURINTERNALSERVER -> REMOTE SERVER
> >
> >
> >
> > If you remove the info in smtproutes, the server should deliver the
> > mail directly to the destination server by using MX record information,
> > which should work, and there should be no log entry in the QMT servers
> > logs.  If there is, then your internal server is still trying to send
> > all mail via the QMT..  Make sure you’ve restarted qmail, you might even
> > try rebooting to make sure it’s reloaded the correct smtproutes info.
> >
> >
> >
> > **Michael J. Colvin**
> >
> > **NorCal Internet Services**
> >
> > **//www.norcalisp.com// **
> >
> >
> >
> > 
> >
> >
> >
> > 
> >
> > *From:* d...@acbsco.com [mailto:d...@acbsco.com]
> > *Sent:* Tuesday, November 10, 2009 2:17 PM
> > *To:* qmailtoaster-list@qmailtoaster.com
> > *Subject:* Re: [qmailtoaster] eMPF requires authentication to work?
> >
> >
> >
> > Michael,
> > good question.  I hate this answer, "because that's the way it's always
> > been". :)  Actually, I tried removing the contents of
> > /var/qmail/control/smtproutes on the internal server and restarted
> > qmail.  I get the same darn error message in the log file on the
> > qmail-toaster server.
> > 11-10 16:07:45 CHKUSER accepted rcpt: from 
> >  remote
> >  rcpt  > s...@solution-group.com > : found existing
> > recipient
> > 11-10 16:07:45 policy_check: local d...@acbsco.com
> >  -> local a...@solution-group.com
> >  (UNAUTHENTICATED SENDER)
> > 11-10 16:07:45 spamdyke[27917]: DENIED_OTHER from: d...@acbsco.com
> >  to: a...@solution-group.com
> >  origin_ip: 192.168.105.110 origin_rdns:
> > (unknown) auth: (unknown)
> >
> > And in the logfile of the internal server, it looks like everything went
> > fine.
> > @40004af9e452316418ac new msg 33916470
> > @40004af9e4523164b8d4 info msg 33916470: bytes 1346 from <> qp 20677
> > uid 10040
> > @40004af9e452318befe4 starting delivery 6: msg 33916470 to remote
> > d...@acbsco.com 
> > @40004af9e452318c518c status: local 0/10 remote 1/20
> > @40004af9e452380fd844 delivery 6: success: 207.224.111.118_accepted_message./Remote_host_said:_250_ok_1257890865_qp_27923/
> > @40004af9e452380fe3fc status: local 0/10 remote 0/20
> > @40004af9e452380febcc end msg 33916470
> >
> > My eMPF policy file on the qmail-toaster server does not restrict any
> > accounts with ending in solution-group.com.
> > Strange.
> >
> > Dave
> >
> >
> > Michael Colvin wrote:
> >
> > Why not have the internal server deliver the mail itself?  Is there a
> >
> > particular reason you need to relay through the QMT servers?
> >
> >
> >
> >
> >
> > Michael J. Colvin
> >
> > NorCal Internet Services
> >
> > www.norcalisp.com 
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >> -Original Messa

Re: [qmailtoaster] Re: eMPF requires authentication to work?

2009-11-10 Thread d...@acbsco.com
Thanks Eric,
the internal servers are running netqmail-1.06.  So what you are saying
is to make sure the qmail daemons are not running by stopping them and
moving the run scripts out of  /service directory.  Then install postfix
via yum and configure it per your instructions in the quickie guide to
configuring postfix to relay securely to a toaster.

Does that sound about right?  Then if postfix works, I can go about
finding and removing qmail if I wish.

Thanks,
Dave


Eric Shubert wrote:
> d...@acbsco.com wrote:
>> Hello list,
>> I have been using eMPF for about one year now and it does a great job
>> limiting email accounts and/or who they can send or receive emails
>> from.  Thanks for including it in the distribution.
>>
>> I have noticed that eMPF requires that the user sending the email
>> authenticates (otherwise how would it know if the user was allowed to
>> send or not). I run several applications (nagios, timetrex, etc) on
>> servers I have on my LAN.  These internal servers occasionally send
>> automated emails.  I have qmail (from source boo!) installed on the
>> internal servers, but not qmailtoaster.  I have the internal servers
>> relay mail to my qmailtoaster server.  I entered the ip address of the
>> qmailtoaster server into /var/qmail/control/smtproutes control file
>> of my internal servers.
>>
>> If the application I am running (see above) has a config section where I
>> can enter a smtp server, a valid usern...@domainname.com and a valid
>> password, then my qmailtoaster will accept the email and relay
>> successfully.  However, if application does not have a config section
>> for the smtp server, username, and password or the application uses a
>> phpmailer (which many do) the relayed email fails.  In the smtp log file
>> on the qmailtoaster spamdyke reports "DENIED OTHER" which means "The
>> text returned by qmail (or the downstream filter that generated the
>> rejection).".  Here is a section of the smtp logfile on the qmailtoaster
>> server when the email fails:
>> 11-10 11:55:20 policy_check: local d...@acbsco.com -> local
>> a...@solution-group.com (UNAUTHENTICATED SENDER)
>> 11-10 11:55:20 spamdyke[21618]: DENIED_OTHER from: d...@acbsco.com to:
>> a...@solution-group.com origin_ip: 192.168.105.110 origin_rdns:
>> (unknown) auth: (unknown)
>>
>> If I empty my /var/qmail/control/policy file (empf config file)
>> basically turning eMPF off,  and send the same message, it is
>> successful. Here is a section of the smtp logfile on the qmail toaster
>> after turning off eMPF
>> 11-10 13:26:25 policy_check: local d...@acbsco.com -> local
>> a...@solution-group.com (UNAUTHENTICATED SENDER)
>> 11-10 13:26:25 spamdyke[24110]: ALLOWED from: d...@acbsco.com to:
>> a...@solution-group.com origin_ip: 192.168.105.110 origin_rdns:
>> (unknown) auth: (unknown)
>>
>> Does anyone know a way around this?
>> Turning off eMPF is not an option since my client insists on limiting
>> email accounts.  I read a post by Eric dated 10/29/2009 regarding "a
>> quickie guide to configuring postfix to relay securely to a toaster".
>> This seems simple enough.  I suppose I would need to remove qmail first
>> and seeing how it was installed from source, it may be a little more
>> complicated than "rpm -e".
>> Any suggestions, comments, etc. would be greatly appreciated.
>>
>> Thanks,
>> Dave
>>
>
> Sounds to me like getting your other servers to authenticate is your
> best solution.
>
> Which mailer/MTA is running on those hosts? If it's qmail and not an
> rpm, you should simply make sure the daemons are not running. Other
> than that, the critical piece is the sendmail program itself. Be sure
> that, after postfix is installed, that all $PATH settings are picking
> up the correct program (usually /usr/sbin/sendmail).
>
> HTH.
