[xmail] Re: Lockdown xMail
Dear David Lord -

I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter for scanning some of your incoming mail. If the latter, I can't see why it should need to be treated differently to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication.

... you are correct that the eMail from Postini plus outbound eMail from clients are Relay'd on Port 25.

There is no problem so far as I know in using port 25, but in my case that port is blocked for outgoing by the ISPs except via their particular gateways. Can you arrange for your clients to use authentication on port 25?

You need to keep in mind that I am the ISP for my customers and that both eMail Client and MTA Relay (Postini in this case) use Port 25. What we have been talking about (in this thread -- look at previous posts) is using the server.tab option SmtpConfig-ip,port with MailAuth. The net effect of this command is to force authorization on all gateway'd eMail, period. The issue is that we need some kind of exception for relay'd eMail -- in this case coming from Postini. Presently, any options specified in smtp.ipprop.tab and smtprelay.tab are ignored for all incoming eMail when using the above ip and port combo with SmtpConfig. What we are waiting on from Davide is some new option to allow an override of the present behavior of SmtpConfig with MailAuth. Therefore, one has no choice but to lock the relay function to only accept eMails from the upstream relay MTA; in this case Postini IPs. This is easily doable on many of the MTAs that I've come across in the past like Microsoft Exchange; and RFC 4409 already proposed this concept.

If you can be sure only your own customers will attempt to relay via postini you can just add that ip block to smtprelay.tab without specifying authentication, however I'd not trust it as being secure without knowing a lot more as to how the service works.

Postini is an MTA which forwards eMail to my xMail Server only and does not provide the function to allow the relay outside of the domains available on the xMail Server -- if it did it would be an open relay! All outbound relay'd eMail for clients has to go through my xMail and the Customers use Port 25 or the submission Port 587. We can't use a Firewall to block inbound access because clients are located any place -- and clients are mobile with laptops and pdas.

The Postini Config works like this: DNS Name -- MX records with public IPs of Postini MTA -- [ Postini In-Bound MTAs -- Postini Scanner Engines -- Postini Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port 25 ] -- xMail MTA.

Client config looks like: DNS Name -- A Record with public IP -- xMail MTA on Port 25 or 587 -- to Internal domains or relay'd Out-Bound for external domains.

Thanks, Hal Dell Managing Partner ePodWorks.net, Inc.

- To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Can't you create a new instance of XMail just for Postini (in-postini.myisp.com) and set that up to only allow connections from Postini's servers? For MailLaunder, we suggest our clients only accept untrusted email from our IP block. Then have the in-postini.myisp.com forward to the internal servers (using custdomain?), and set up internal servers to accept email from in-postini.myisp.com via smtprelay.tab? I think there are potential solutions besides SMTP authorization.

-Don -- Don Drake www.drakeconsult.com www.maillaunder.com 312-560-1574 800-733-2143

On May 5, 2008, at 1:21 AM, Hal Dell wrote: [...]
[xmail] Re: Lockdown xMail
Dear Mr Hal Dell

It was just a joke, because your Postini presentation looked like a 'promotional' mail, so take it like a joke :) Sorry if I offended you, it was not wanted.

Francis

-Original message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Hal Dell Sent: Monday 5 May 2008 08:21 To: xmail@xmailserver.org Subject: [xmail] Re: Lockdown xMail

I am offended by your comment sir -- even in fun - to be clear my original eMail did NOT solicit any business from the list. Your comments take away from the urgency of the issue at hand and the fact that my customers are getting buried by SPAM! Besides, there are plenty of commercial solutions for eMail Filtering and compliance like SonicWALL's eMail Security Appliance which also would require this same configuration.

/IMMO
[xmail] Re: Lockdown xMail
I suggested Mr Hal Dell to simply add another ip to xmail server, then lock down xmail to accept only postini servers on this ip with a firewall rule, and use a smtpconfig Mailauth for original xmail ip.

Setup will be:

Xmail server with two ips:
- current one, with no changes in current xmail setup (configured in server.tab file with smtpconfig mailauth for its customers that will have to 'auth' to be relayed)
- new ip, configured only for port 25 in xmail cmd line, without any 'smtpconfig' in server.tab, but with postini servers in smtp relay tab file

Firewall configured with:
- no specific rules for current xmail ip smtp port 25
- rule that accepts only postini servers on second xmail server ip port 25

Postini servers configured to send to the second xmail server ip, not the current.

No need to have two instances in this case. Yes, actually this needs external intervention (firewall). That will not be needed anymore when Davide adds a mailauth=0 for smtp.relay and smtp.ipprop files.

As your 'second instance' solution or mine needs another ip, the question is: Can Mr Hal Dell add another ip to xmail server?

Francis

-Original message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Don Drake Sent: Monday 5 May 2008 16:24 To: xmail@xmailserver.org Subject: [xmail] Re: Lockdown xMail [...]
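The two-address split Francis lays out above, together with the MailAuth behaviour Hal describes earlier in the thread (with SmtpConfig MailAuth on a listener, xMail requires authentication for every session and ignores smtprelay.tab there), modelled as an added example. This is not xMail code or configuration from anyone on the list. The two server addresses and the upstream filter's network are constructed documentation-range placeholders; the `SmtpConfig-<ip>:<port>` key form and the `"ip" "mask"` smtprelay.tab line format are assumptions to verify against the xMail README for the version in use; the firewall is expressed as iptables rules that the script only prints.

```python
"""Model of the two-listener relay policy: one address requires SMTP AUTH for
everything, the other accepts port 25 only from the upstream filtering MTAs.

Added example, not xMail code or list configuration. Addresses and networks
below are constructed placeholders.
"""
import ipaddress

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
CUSTOMER_IP = "203.0.113.10"   # existing address: server.tab SmtpConfig with mailauth
UPSTREAM_IP = "203.0.113.11"   # new address: no SmtpConfig, upstream MTAs in smtprelay.tab
UPSTREAM_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder for the
                                                           # filtering service's MTAs
SUBMISSION_PORTS = {25, 587}   # ports the customer-facing listener serves


def from_upstream(src: str) -> bool:
    """True when the client address falls inside one of the upstream MTA blocks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in UPSTREAM_NETS)


def firewall_allows(src: str, dst: str, port: int) -> bool:
    """Host firewall: the new address accepts port 25 only from the upstream
    blocks; the customer address keeps no address-specific rule (as proposed)."""
    if dst == UPSTREAM_IP:
        return port == 25 and from_upstream(src)
    return True


def xmail_decision(src: str, dst: str, port: int, authenticated: bool) -> str:
    """What the xMail listener bound to `dst` does once the packet got through.

    Customer address: the per-listener key (assumed form "SmtpConfig-<ip>:<port>")
    carries mailauth, so every session must authenticate and smtprelay.tab is not
    consulted; that is why an unauthenticated upstream MTA is refused here.
    Upstream address: plain listener, so a source listed in smtprelay.tab may relay.
    """
    if dst == CUSTOMER_IP:
        if port not in SUBMISSION_PORTS:
            return "reject:closed-port"
        return "accept" if authenticated else "reject:auth-required"
    if dst == UPSTREAM_IP:
        return "accept:relay" if from_upstream(src) else "reject:not-in-smtprelay.tab"
    return "reject:unknown-address"


def decide(src: str, dst: str, port: int, authenticated: bool = False) -> str:
    """Combined outcome of the firewall and the xMail listener for one connection."""
    if not firewall_allows(src, dst, port):
        return "drop:firewall"
    return xmail_decision(src, dst, port, authenticated)


def smtprelay_tab_lines() -> list:
    """smtprelay.tab entries for the upstream listener, one '"ip" "mask"' per
    line (line format is an assumption; check the xMail README)."""
    return ['"%s" "%s"' % (net.network_address, net.netmask) for net in UPSTREAM_NETS]


def iptables_rules() -> list:
    """iptables commands enforcing the policy encoded in firewall_allows()."""
    rules = ["iptables -A INPUT -d %s -p tcp --dport 25 -s %s -j ACCEPT" % (UPSTREAM_IP, net)
             for net in UPSTREAM_NETS]
    rules.append("iptables -A INPUT -d %s -p tcp --dport 25 -j DROP" % UPSTREAM_IP)
    return rules


if __name__ == "__main__":
    for line in smtprelay_tab_lines() + iptables_rules():
        print(line)
    print(decide("198.51.100.7", UPSTREAM_IP, 25))        # accept:relay
    print(decide("192.0.2.55", UPSTREAM_IP, 25))          # drop:firewall
    print(decide("192.0.2.55", CUSTOMER_IP, 587, True))   # accept
    print(decide("198.51.100.7", CUSTOMER_IP, 25))        # reject:auth-required
```

The last call is the case the thread is stuck on: the upstream MTA connecting to the MailAuth listener is refused regardless of smtprelay.tab, so the upstream source only gets in through the second address, where the firewall rather than SMTP AUTH limits who may connect.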
[xmail] Re: Lockdown xMail
Dear Clement Francis -

It was just a joke, because your Postini presentation looked like a 'promotional' mail, so take it like a joke :) Sorry if I offended you, it was not wanted.

I appreciate your comment. Normally, I would jest too... However, you have to understand this is a huge issue for my customers and a lot of my customers are at risk of switching out because of the stupid SPAMers.

Thanks, Hal Dell Managing Partner ePodWorks.net, Inc.
[xmail] Re: Lockdown xMail
-Original message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Hal Dell Sent: Monday 5 May 2008 17:55 To: xmail@xmailserver.org Subject: [xmail] Re: Lockdown xMail

However, you have to understand this is a huge issue for my customers and a lot of my customers are at risk of switching out because of the stupid SPAMers.

I understand, and I proposed a possible 'temporary' solution. Can you add another ip to your xmail server? If so, you can at this time use Don Drake's or my proposed setups.

Francis