[xmail] Re: Lockdown xMail
Dear Davide - On Tue, 22 Apr 2008, Hal Dell wrote: Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. On Thursday, April 24, 2008, Davide wrote: OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Any way you can provide a solution sooner then later that I can test? Since, I moved my xMail to a new IP the domains on this server had been SPAM free since the MX records the oustide world see points to Postini and the old xMail server running on the old IP no longer accepts eMail my for domain. This new IP was never used for anything previously. However, the SPAMers found the new xMail Server -- it only took about 1.5 weeks. Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear David Lord - I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter fo scanning some of your incoming mail. If the latter, I can't see why it should need to be treated different to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication. ... you are correct that the eMail from Postini plus outbound eMail from clients are Relay'd on Port 25. There is no problem so far as I know in using port 25, but in my case that port is blocked for outgoing by the ISPs except via their particular gateways. Can you arrange for your clients to use authentication on port 25? You need to keep in mind that I am the ISP for my customers and that both eMail Client and MTA Relay (Postini in this case) uses Port 25. What we have been talking about (in this thread -- look at previous posts ) is using the server.tab option SmtpConfig-ip,port with MailAuth. The net effect of this command is for force authorization on all gateway'd eMail period. The issue is that we need some kind of exception for relay'd eMail -- in this case coming from Postini. Presently, any options specified in smtp.ipprop.tab and smtprelay.tab are ignored for all incoming eMail when using the above ip and port combo with SmtpConfig. What we are waiting on from Davide is some new option to allow an override of the present behavior of SmtpConfig with MailAuth. Thefore, one has no choice but to lock the relay function to only accept eMails from the upstream relay MTA; in this case Postini IPs. This is easily doable on Many of the MTAs that I've come across in the past like Microsoft Exchange; and RFC 4409 already proposed this concept. If you can be sure only your own customers will attempt to relay via postini you can just add that ip block to smtprelay.tab without specifying authentication, however I'd not trust it as being secure without knowin a lot more as to how the service works. Postini is an MTA which forwards eMail to my xMail Server only and does not provide the function to allow the relay outside of the domains available on the xMail Server -- if it did it would be an open relay! All, outbound relay'd eMail for clients have to go thru my xMail and the Customers use Port 25 or the submission Port 587. We can't use a Firewall to block in bound access because clients are located any place -- and clients are mobile with laptops and pdas. The Postini Config works like this: DNS Name -- MX records with public IPs of Postini MTA -- [ Postini In-Bound MTAs -- Postini Scanner Engines -- Postini Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port 25 ] -- xMail MTA. Client config looks like: DNS Name -- A Record with public IP -- xMail MTA on Port 25 or 587 -- to Internal domains or relay'd Out-Bound for external domains. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Can't you create a new instance of XMail just for Postini (in- postini.myisp.com) and set that up to only allow connections from Postini's servers? For MailLaunder, we suggest our clients only accept untrusted email from our IP block. Then have the in-postini.myisp.com forward to the internal servers (using custdomain?), and setup internal servers to accept email from in-postini.myisp.com via smtprelay.tab? I think there are potential solutions besides SMTP authorization. -Don -- Don Drake www.drakeconsult.com www.maillaunder.com 312-560-1574 800-733-2143 On May 5, 2008, at 1:21 AM, Hal Dell wrote: Dear David Lord - I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter fo scanning some of your incoming mail. If the latter, I can't see why it should need to be treated different to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication. ... you are correct that the eMail from Postini plus outbound eMail from clients are Relay'd on Port 25. There is no problem so far as I know in using port 25, but in my case that port is blocked for outgoing by the ISPs except via their particular gateways. Can you arrange for your clients to use authentication on port 25? You need to keep in mind that I am the ISP for my customers and that both eMail Client and MTA Relay (Postini in this case) uses Port 25. What we have been talking about (in this thread -- look at previous posts ) is using the server.tab option SmtpConfig-ip,port with MailAuth. The net effect of this command is for force authorization on all gateway'd eMail period. The issue is that we need some kind of exception for relay'd eMail -- in this case coming from Postini. Presently, any options specified in smtp.ipprop.tab and smtprelay.tab are ignored for all incoming eMail when using the above ip and port combo with SmtpConfig. What we are waiting on from Davide is some new option to allow an override of the present behavior of SmtpConfig with MailAuth. Thefore, one has no choice but to lock the relay function to only accept eMails from the upstream relay MTA; in this case Postini IPs. This is easily doable on Many of the MTAs that I've come across in the past like Microsoft Exchange; and RFC 4409 already proposed this concept. If you can be sure only your own customers will attempt to relay via postini you can just add that ip block to smtprelay.tab without specifying authentication, however I'd not trust it as being secure without knowin a lot more as to how the service works. Postini is an MTA which forwards eMail to my xMail Server only and does not provide the function to allow the relay outside of the domains available on the xMail Server -- if it did it would be an open relay! All, outbound relay'd eMail for clients have to go thru my xMail and the Customers use Port 25 or the submission Port 587. We can't use a Firewall to block in bound access because clients are located any place -- and clients are mobile with laptops and pdas. The Postini Config works like this: DNS Name -- MX records with public IPs of Postini MTA -- [ Postini In-Bound MTAs -- Postini Scanner Engines -- Postini Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port 25 ] -- xMail MTA. Client config looks like: DNS Name -- A Record with public IP -- xMail MTA on Port 25 or 587 -- to Internal domains or relay'd Out-Bound for external domains. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Deal Mr Hal Dell It was just a joke, because your Postini presentation looked like a 'promotional' mail, so take it like a joke :) Sorry if I offended you, it was not wanted. Francis -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] la part de Hal Dell Envoy=E9 : lundi 5 mai 2008 08:21 =C0 : xmail@xmailserver.org Objet : [xmail] Re: Lockdown xMail I am offended buy your comment sir -- even in fun - to be clear my = original eMail did NOT solicit any business from the list. Your comments take = away from the urgency of the issue at hand and the fact that my customers = are getting buried by SPAM! Beside, their are plenty of commercial solutions for eMail Filtering = and compliance like SonicWALL's eMail Security Appliance which also would require this same configuration. =20 /IMMO - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
I suggested Mr Har Dell to simply add another ip to xmail server, then lookup down xmail to accept only postini servers on this ip with a = firewall rule, and use a smtpconfig Mailauth for original xmail ip. Setup will be : Xmail server with two ips : - current one, with no changes in current xmail setup (configured in server.tab file with smtpconfig mailauth for it's customers that will = have to 'auth' to be relayed) - new ip, configured only for port 25 in xmail cmd line, without any 'smtpconfig' in server.tab, but with postini servers in smtp relay tab = file Firewall configured with : - no specific rules for current xmail ip smtp port 25 - rule that accept only postini servers on second xmail server ip port = 25 Postini servers configured to send to the second xmail server ip, not = the current. No need to have two instances in this case. Yes, actually this need external intervention (firewall). That will be not needed anymore when Davide add a mailauth=3D0 for smtp.relay and smtp.ipprop files. As your 'second instance' solution or mine need another ip, the = question is : Can Mr Har Dell add another ip to xmail server ? Francis -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] la part de Don Drake Envoy=E9 : lundi 5 mai 2008 16:24 =C0 : xmail@xmailserver.org Objet : [xmail] Re: Lockdown xMail Can't you create a new instance of XMail just for Postini (in-=20 postini.myisp.com) and set that up to only allow connections from =20 Postini's servers? For MailLaunder, we suggest our clients only =20 accept untrusted email from our IP block. Then have the in-postini.myisp.com forward to the internal servers =20 (using custdomain?), and setup internal servers to accept email from =20 in-postini.myisp.com via smtprelay.tab? I think there are potential solutions besides SMTP authorization. -Don -- Don Drake www.drakeconsult.com www.maillaunder.com 312-560-1574 800-733-2143 On May 5, 2008, at 1:21 AM, Hal Dell wrote: Dear David Lord - I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter = fo scanning some of your incoming mail. If the latter, I can't see why it should need to be treated different to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication. ... you are correct that the eMail from Postini plus outbound eMail from clients are Relay'd on Port 25. There is no problem so far as I know in using port 25, but in my case that port is blocked for outgoing by the ISPs except via their particular gateways. Can you arrange for your clients to use authentication on port 25? You need to keep in mind that I am the ISP for my customers and that both eMail Client and MTA Relay (Postini in this case) uses Port 25. What we have been talking about (in this thread -- look at previous posts ) is using the server.tab option SmtpConfig-ip,port with MailAuth. The net effect of this command is for force authorization on all gateway'd eMail period. The issue is that we need some kind of exception for relay'd eMail -- in this case coming from Postini. Presently, any options specified in smtp.ipprop.tab and smtprelay.tab are ignored for all incoming eMail when using the above ip and port combo with SmtpConfig. What we are waiting on from Davide is some new option to allow an override of the present behavior of SmtpConfig with MailAuth. Thefore, one has no choice but to lock the relay function to only accept eMails from the upstream relay MTA; in this case Postini IPs. This is easily doable on Many of the MTAs that I've come across in the past like Microsoft Exchange; and RFC 4409 already proposed this concept. If you can be sure only your own customers will attempt to relay via postini you can just add that ip block to smtprelay.tab = without specifying authentication, however I'd not trust it as being = secure without knowin a lot more as to how the service works. Postini is an MTA which forwards eMail to my xMail Server only and does not provide the function to allow the relay outside of the domains available on the xMail Server -- if it did it would be an open relay! All, outbound relay'd eMail for clients have to go thru my=20 xMail and =20 the Customers use Port 25 or the submission Port 587. We can't use a Firewall to block in bound access because clients are located any place -- and clients are mobile with laptops and pdas. The Postini Config works like this: DNS Name -- MX records with public IPs of Postini MTA -- [ Postini In-Bound MTAs -- Postini Scanner Engines -- Postini Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port 25 ] -- xMail MTA. Client config looks like: DNS Name -- A Record with public IP -- xMail MTA on Port 25
[xmail] Re: Lockdown xMail
Deal Clement Francis - It was just a joke, because your Postini presentation looked like a 'promotional' mail, so take it like a joke :) Sorry if I offended you, it was not wanted. I appreciate your comment. Normally, I would jest too... However, you have to understand this is a huge issue for my customers and a lot of my customers are at risk of switching out because of the the stupid SPAMers. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
-Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] la part de Hal Dell Envoy=E9 : lundi 5 mai 2008 17:55 =C0 : xmail@xmailserver.org Objet : [xmail] Re: Lockdown xMail However, you have to understand this is a huge issue for my customers and a lot of my customers are at risk of switching out because of the the stupid SPAMers. I understand, and I proposed a possible 'temporary' solution Can you add another ip to your xmail server ? If so, you can at this time use Don Drake or my proposed setups. Francis - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear Francis - Is this mailing list a marketing place ? :) If so, Davide, it's time to get some money from google to make xmail 'postini' compliant :) (Or should I say : to help google make postini 'auth' standard compliant to be able to be compatible with xmail and other 'standard' smtp servers LOL) IMMO Since, some folks have not heard about Postini's SPAM + Anti-Spy + Any-AV all in one Software As A Service Solution -- I thought giving folks a short description about the solution would be beneficial. With this kind of interest in Postini (+40K companies) and a less then 0.1% false positive rate This solution is a serious alternative as Not everyone has your combination of skills, time, server resources to roll their own solution. I personally, belive, that blending open source and commerical solutions provide a signficant upside. And this is just ONE way not the ONLY way to solve a technology problem. I am offended buy your comment sir -- even in fun - to be clear my original eMail did NOT solicit any business from the list. Your comments take away from the urgency of the issue at hand and the fact that my customers are getting buried by SPAM! Beside, their are plenty of commercial solutions for eMail Filtering and compliance like SonicWALL's eMail Security Appliance which also would require this same configuration. /IMMO It is my understanding that Mail-Auth was designed be to implement a submission port as defined by RFC 4409? In fact, RFC 4409 states: 3.2. Message Rejection and Bouncing. MTAs and MSAs MAY implement message rejection rules that rely in part on whether the message is a submission or a relay. For example, some sites might configure their MTAs to reject all RCPT commands for messages that do not reference local users, and configure their MSA to reject all message submissions that do not come from authorized users, with authorization based either on authenticated identity or the submitting endpoint being within a protected IP environment. Beyond Mr. Francis prior insights, I'm interested to here additional comments about how to xMail should respond to Relay'd eMail when using Mail-Auth. Finally, in the document we should clarify how something like 96.227.65.4 is interpreted when use in conjunction with slash notation? Is this equal really to 96.227.65.4/32? I think the docs should be updated to say one way or the other. I hope you can see how one my interpret the documentation. Davide can you please tells how this works exactly? Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On 4 May 2008 at 13:00, Hal Dell wrote: .. It is my understanding that Mail-Auth was designed be to implement a submission port as defined by RFC 4409? In fact, RFC 4409 states: 3.2. Message Rejection and Bouncing. MTAs and MSAs MAY implement message rejection rules that rely in part on whether the message is a submission or a relay. For example, some sites might configure their MTAs to reject all RCPT commands for messages that do not reference local users, and configure their MSA to reject all message submissions that do not come from authorized users, with authorization based either on authenticated identity or the submitting endpoint being within a protected IP environment. Beyond Mr. Francis prior insights, I'm interested to here additional comments about how to xMail should respond to Relay'd eMail when using Mail-Auth. I only have four non local users that are allowed to relay. These just have entries in smtpauth.tab. They have their mta connect via port 465 rather than port 25 as at least one has their ISP block port 25. I can't remember any other requirement (other than setting up SSL) and it's worked ok. I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter for scanning some of your incoming mail. If the latter, I can't see why it should need to be treated different to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication. David Finally, in the document we should clarify how something like 96.227.65.4 is interpreted when use in conjunction with slash notation? Is this equal really to 96.227.65.4/32? I think the docs should be updated to say one way or the other. I hope you can see how one my interpret the documentation. Davide can you please tells how this works exactly? - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear David Lord - I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter for scanning some of your incoming mail. If the latter, I can't see why it should need to be treated different to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication. Please understand that I support eMail for about over 300 Domains and about 450 eMailboxes so changing ports would be large task. Further, you are correct that the eMail from Postini plus outbound eMail from clients are Relay'd on Port 25. The problem is 1) the SPAMers are ignoring the MX records and using a private look-aside IP Address Database(s) which allows the SPAMers to bypass Postini by directly making a connection to the xMail Server on it's IP Address on Port 25; and 2) the SPAMers are constantly scanning IPs around the world for new or moved eMail servers; therfore they will eventually any hidden open Server within weeks -- I'm not just talking about an Issuse with SMTP -- this includes ALL of the protocols including the more common FTP, SQL, SMB, etc. Thefore, one has no choice but to lock the relay function to only accept eMails from the upstream relay MTA; in this case Postini IPs. This is easily doable on Many of the MTAs that I've come across in the past like Microsoft Exchange; and RFC 4409 already proposed this concept. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On 4 May 2008 at 22:16, Hal Dell wrote: Dear David Lord - I've still not worked out if you want mail coming in via postini to be allowed to be relayed or if postini is just an external filter for scanning some of your incoming mail. If the latter, I can't see why it should need to be treated different to any other incoming email. However you've mentioned putting an entry for postini in smtprelay.tab which would indicate that you intend it is allowed to be relayed. I can't see how that can be done securely though without authentication. Please understand that I support eMail for about over 300 Domains and about 450 eMailboxes so changing ports would be large task. Further, you are correct that the eMail from Postini plus outbound eMail from clients are Relay'd on Port 25. There is no problem so far as I know in using port 25, but in my case that port is blocked for outgoing by the ISPs except via their particular gateways. Can you arrange for your clients to use authentication on port 25? The problem is 1) the SPAMers are ignoring the MX records and using a private look-aside IP Address Database(s) which allows the SPAMers to bypass Postini by directly making a connection to the xMail Server on it's IP Address on Port 25; and 2) the SPAMers are constantly scanning IPs around the world for new or moved eMail servers; therfore they will eventually any hidden open Server within weeks -- I'm not just talking about an Issuse with SMTP -- this includes ALL of the protocols including the more common FTP, SQL, SMB, etc. Mostly glst removes majority of spam but there are periods, as just now, when a lot of spam is arriving via normal mailservers and this is being quarantined by spamassassin. I only run a few services with rest blocked at firewall. I also have a few ip blocklists in use. Thefore, one has no choice but to lock the relay function to only accept eMails from the upstream relay MTA; in this case Postini IPs. This is easily doable on Many of the MTAs that I've come across in the past like Microsoft Exchange; and RFC 4409 already proposed this concept. If you can be sure only your own customers will attempt to relay via postini you can just add that ip block to smtprelay.tab without specifying authentication, however I'd not trust it as being secure without knowing a lot more as to how the service works. ie. (1) your account users authenticate (2) postini only allowed to relay via its ip block Do you need authentication capability for postini? David - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
-Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 03/05/08 06:49 Objet: [xmail] Re: Lockdown xMail On Fri, 2 May 2008, David Lord wrote: On 2 May 2008 at 10:27, Hal Dell wrote: Hello... For those of you who don't know Postini -- the company was founded in 1999 in California as a eMail Communication Security and Compliance company. By May 2004 it was relaying 1.4B eMail annually for over 3300 companies. Postini was recently purchased by Google for just over 1/2 Billon Dollars. In one package you get SPAM Filtering, Anti-Spyware and Anti-Virus checking plus a web site to to manage white/black lists and quarantined eMail on a per eMailbox basis. Today, Postini is processing eMails for 40,000 Business with 10M eMailboxes which means 1B eMail messages per day flow thru their systems of which 85% of these messages are blocked as unsolicited or malicious. Of the remaining, about 10% are quarantined and the balance are delivered as clean eMail. For example over the last 30 Days we received 55,000 messages and 6.5% were delivered as clean. We now have a reseller agreement in place and are now signing up our ISP customers for this service. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. Cheers that's explains your problems then :-) Hehe :) - Davide Is this mailing list a marketing place ? :) If so, Davide, it's time to get some money from google to make xmail 'postini' compliant :) (Or should I say : to help google make postini 'auth' standard compliant to be able to be compatible with xmail and other 'standard' smtp servers LOL) Francis - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Hello... For those of you who don't know Postini -- the company was founded in 1999 in California as a eMail Communication Security and Compliance company. By May 2004 it was relaying 1.4B eMail annually for over 3300 companies. Postini was recently purchased by Google for just over 1/2 Billon Dollars. In one package you get SPAM Filtering, Anti-Spyware and Anti-Virus checking plus a web site to to manage white/black lists and quarantined eMail on a per eMailbox basis. Today, Postini is processing eMails for 40,000 Business with 10M eMailboxes which means 1B eMail messages per day flow thru their systems of which 85% of these messages are blocked as unsolicited or malicious. Of the remaining, about 10% are quarantined and the balance are delivered as clean eMail. For example over the last 30 Days we received 55,000 messages and 6.5% were delivered as clean. We now have a reseller agreement in place and are now signing up our ISP customers for this service. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On 2 May 2008 at 10:27, Hal Dell wrote: Hello... For those of you who don't know Postini -- the company was founded in 1999 in California as a eMail Communication Security and Compliance company. By May 2004 it was relaying 1.4B eMail annually for over 3300 companies. Postini was recently purchased by Google for just over 1/2 Billon Dollars. In one package you get SPAM Filtering, Anti-Spyware and Anti-Virus checking plus a web site to to manage white/black lists and quarantined eMail on a per eMailbox basis. Today, Postini is processing eMails for 40,000 Business with 10M eMailboxes which means 1B eMail messages per day flow thru their systems of which 85% of these messages are blocked as unsolicited or malicious. Of the remaining, about 10% are quarantined and the balance are delivered as clean eMail. For example over the last 30 Days we received 55,000 messages and 6.5% were delivered as clean. We now have a reseller agreement in place and are now signing up our ISP customers for this service. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. Cheers that's explains your problems then :-) DL - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On Fri, 2 May 2008, David Lord wrote: On 2 May 2008 at 10:27, Hal Dell wrote: Hello... For those of you who don't know Postini -- the company was founded in 1999 in California as a eMail Communication Security and Compliance company. By May 2004 it was relaying 1.4B eMail annually for over 3300 companies. Postini was recently purchased by Google for just over 1/2 Billon Dollars. In one package you get SPAM Filtering, Anti-Spyware and Anti-Virus checking plus a web site to to manage white/black lists and quarantined eMail on a per eMailbox basis. Today, Postini is processing eMails for 40,000 Business with 10M eMailboxes which means 1B eMail messages per day flow thru their systems of which 85% of these messages are blocked as unsolicited or malicious. Of the remaining, about 10% are quarantined and the balance are delivered as clean eMail. For example over the last 30 Days we received 55,000 messages and 6.5% were delivered as clean. We now have a reseller agreement in place and are now signing up our ISP customers for this service. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. Cheers that's explains your problems then :-) Hehe :) - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Thanks to every for their help. I'll be waiting on the fix to solve the Postini problem. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
At 06.45 25/04/08, you wrote: Greylisting is not working as well as it used to... Verizon, Hotmail and Yahoo Mail seem to not re-send correctly when Graylisting is ON. I previously posted about this AFAIK it is only Yahoo Groups that does no resend and requires xnet or white list. In any event, if they do not resend on a 4xx they are likely to lose mails whenever the recipient is busy for whatever reason, besides glst, and besides breaking RFCs. And yes, glst seems to be the ultimate solution against mail viri: I have hardly seen any virus hitting my server since using glst, and the very few come with DSNs to forged senders or from legitimate servers without an (updated) AV. Unfortunately glst seems to be ineffective against phishers: they systematically retry and bypass it, and need be blocked by other means. Ciao, Francesco - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
-Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 25/04/08 10:33 Objet: [xmail] Re: Lockdown xMail At 06.45 25/04/08, you wrote: Greylisting is not working as well as it used to... Verizon, Hotmail and Yahoo Mail seem to not re-send correctly when Graylisting is ON. I previously posted about this AFAIK it is only Yahoo Groups that does no resend and requires xnet or white list. In any event, if they do not resend on a 4xx they are likely to lose mails whenever the recipient is busy for whatever reason, besides glst, and besides breaking RFCs. Absolutly :) On our servers, the more spams we get are from yahoo accounts using yahoo server !! This confirm that Yahoo server retry well, because the spams are catched with our last filter spamassissin, not with glst. And yes, glst seems to be the ultimate solution against mail viri: I have hardly seen any virus hitting my server since using glst, and the very few come with DSNs to forged senders or from legitimate servers without an (updated) AV. Unfortunately glst seems to be ineffective against phishers: they systematically retry and bypass it, and need be blocked by other means. Ciao, Francesco IMOO the best combination is : 1 - At connexion used a RBL 2 - Then do glst 3 - Then scan for av 4 - Then scan for spam/phishers/... On our server the filtering scores are : 1 - RBL : 60% connexion removed due to blacklisted ip 2 - GLST: 30% rejected due to no retry (some rare xnet in use) 3 - AV check : 1% rejected 4 - Spam check : 4% rejected Finaly only 4% are 'good' ! (with no 'false' nor 'lost' mail) This on a very small xmail server (P4 1Ghz, 512Mo ram), with more than 500 users ! No need to use external solutions, all directly handled by xmail, with only free sofware :) (Postini is free ? if not take a look at assp, transparent filtering proxy, very good :) I used it too with xmail but finaly preferred to use separate softwares for each steep to be able to implement some specific features without risks to break all the filtering stack) Francis - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Guys... Thanks for all of you input... Of course Postini is just another solution. It is just unfortunate that I'm the the first one to try to make Postini work with xMail here in April 2008. I guess I have to wait on Davide to solve this problem. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Many of us use free solutions easy to interface with xmail :) Even if Postini is a great product (don't know, never heard about it until you posted your problem), it seems it does not 'support' smtp auth (many other products free or not can) as xmail miss some functionalities. So no one is perfect :) Until Davide add the missing option to help interfacing postini with xmail, you can use a temporary solution to allow postini to send to you locked down xmail server : Can you add another IP to your xmail server ? If so, add it to xmail inbound cmd line parameters, then for this ip add a rule in your firewall to block any traffic except postini server. If you can't add another IP, add another input port to xmail inbound config that will be dedicated to postini, then for this port add a rule in your firewall to block any traffic except postini server. (this solution only if postini can be configured to send to a specific port) In either cases don't add any Smtp-config line for the ip/port allocated for postini. Francis -Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 25/04/08 15:26 Objet: [xmail] Re: Lockdown xMail Guys... Thanks for all of you input... Of course Postini is just another solution. It is just unfortunate that I'm the the first one to try to make Postini work with xMail here in April 2008. I guess I have to wait on Davide to solve this problem. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
-Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 24/04/08 05:21 Objet: [xmail] Re: Lockdown xMail Dear Francis - Effectively, it seems the MailAuth feature does not take into account the 'WhiteList' parameter in the smtp.ipprop.tab file. But should it be the case as the smtp.ipprop.tab Whitelist is supposed to be used to change ip checks ? Davide is the one who suggested the smtp.ipprop.tab option to me as I did not really use this tab before. As programs are more and more complex when adding features, it is frequent to miss/forget some 'old' internal implementations details :) I originally tried adding entries to smtprelay.tab which did not work either. For now, Hal, I think you could use your firewall to block any 'external' attempts to go to you Postini dedicated xmail server ip and ports ;) The problem is that I use xMail as part of my ISP service therefore customers are using xMail as their outbound eMail MTA on Port 25 from all over the place on the net therefore it is not possible to block the port. Even if I could use my firewall to block access; Postini does not have a feature to change the forwarding IP Port for the Relay nor any kind of Authorization that I know of. Can you add another IP to your xmail server ? If so, add it to xmail inbound cmd line parameters, then for this ip add a rule in your firewall to block any traffic except postini server. (If postini is on the same server as xmail, you could add 127.0.0.1 to xmail inbound, then ask postini to send to ip 127.0.0.1. No firewall rules at all needed then.) IMOO another smtp.ipprop.tab parameter like MailAuth=0 should be created (to not change/mix 'ip checks' rules) IMOO I think of this as a Relay function so I think the smtprelay.tab is the place for the information. The docs define the purpose is to allow hosts or networks to use the server as relay. Yes it could be an alternative placement for this parameter for 'relay'. But, adding it also to ipprop could allow to accept specific clients without auth but with relay not allowed. MailAuth=0 in smtp.relay : accept this ip to relay without auth MailAuth=0 in smtp.ipprop : accept this ip without auth for local delivery only So the two implementations could be nice :) Agains the docs say using SmtpConfig-IP makes authentication require[d] to send mail to the server. Please note that by setting this value everything requires authentication, even for sending to local domains, and this is probably not what you want. However, I'm not sure why SmtpConfig-IP is locked down so hard? The problem is not in SmtpConfig-IP rules if you can use specific rules to 'open the door a little', the problem is that actually 'open the door a little' is missing in xmail (some MailAuth=0 in some places) :) (Notice that using some other ip and/or ports, and some firewall rules, you can do the job.) Maybe, another way to think about this is that a parameter needs to be added to SmtpConfig-IP to determine if the smtp.ipprop.tab or smtprelay.tab should override the MailAuth. For example: SmtpConfig-64.74.149.27,25 MailAuth ipprop SmtpConfig-64.74.149.27,25 MailAuth relay IMOO not enough secure, as the flags here will be valid for all the entries in the corresponding files. Using MailAuth=0 in the 'good' places (ipprop and relay) seems to be better. Any further suggestions Francis? I just can't believe that as popular as Postini has become that I'm the first one trying to get xMail integrate with it! Anyone done this before? Seems xmail users prefer alternative solutions :) (and many exist) Personnaly I use xmail with blacklists, then glst filter, then xmail with av filters. Simple to implement, and more than 95% spams and viruses down at first and second stage without 'big' filtering mecanisms/products/gaz machines :) Davide what is our next step? I could really use a patched version of xMail to test. Thanks, Hal Dell ePodWorks.net, Inc. Managing Partner - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On Tue, 22 Apr 2008, Hal Dell wrote: Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear Davide - OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Thanks for getting to the bottom of this. Any chance I could get a test binary for Windows that I could use to make sure everything works. Otherwise, it could be a long wait for my customers who need spam filtering from postini yesterday because they are getting burried in SPAM. Any assistance would be appriectiated before the next release. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
If you need a quick temporary solution to your spam problems you should look into putting an Untangle server ( www.untangle.com ) in transparent mode between your mail server and the outside world. It's free and can be set to block most spam. Transparent mode is just as it sounds, you don't have to give it the IP address of your server and change your servers IP address and do relaying. It does get an IP address, but it's unrelated to your server and is just for management of the Untangle box and quarantine access if you use that feature. It does use a combination of black lists and spam signatures, so if any of your customers are connecting from black listed IP address that could be a problem unless you want to whitelist any problem addresses. Bill -- From: Hal Dell[SMTP:[EMAIL PROTECTED] Dear Davide - OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Thanks for getting to the bottom of this. Any chance I could get a test binary for Windows that I could use to make sure everything works. Otherwise, it could be a long wait for my customers who need spam filtering from postini yesterday because they are getting burried in SPAM. Any assistance would be appriectiated before the next release. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Another possibility, as I said, is to use : - xmail CustMapList (I use spamhaust.org very good) - Davide glst for xmail (excluding auth users with eax setting in smtp-in filter) - some av filter for xmail With this solution, you stop more than 90% spams/viruses (for me it's actually more than 99% !) without complex setup, and all handled by xmail. Francis -Message d'origine- De: [EMAIL PROTECTED] A: 'xmail@xmailserver.org' Date: 24/04/08 18:07 Objet: [xmail] Re: Lockdown xMail If you need a quick temporary solution to your spam problems you should look into putting an Untangle server ( www.untangle.com ) in transparent mode between your mail server and the outside world. It's free and can be set to block most spam. Transparent mode is just as it sounds, you don't have to give it the IP address of your server and change your servers IP address and do relaying. It does get an IP address, but it's unrelated to your server and is just for management of the Untangle box and quarantine access if you use that feature. It does use a combination of black lists and spam signatures, so if any of your customers are connecting from black listed IP address that could be a problem unless you want to whitelist any problem addresses. Bill -- From: Hal Dell[SMTP:[EMAIL PROTECTED] Dear Davide - OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Thanks for getting to the bottom of this. Any chance I could get a test binary for Windows that I could use to make sure everything works. Otherwise, it could be a long wait for my customers who need spam filtering from postini yesterday because they are getting burried in SPAM. Any assistance would be appriectiated before the next release. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Cool :) Thanks Davide ! Francis -Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 24/04/08 17:17 Objet: [xmail] Re: Lockdown xMail On Tue, 22 Apr 2008, Hal Dell wrote: Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
xmail CustMapList (I use spamhaust.org very good) Davide glst for xmail (excluding auth users with eax setting in smtp-in filter) some av filter for xmail I used spamhaus.org at my Firewall and filter out 8-10K eMails per hour during the day and the SPAM keeps coming. Greylisting is not working as well as it used to... Verizon, Hotmail and Yahoo Mail seem to not re-send correctly when Graylisting is ON. I previously posted about this Finally, my Firewall eliminates all of if not most of the Virus and such... The right solution is to simply get xMail to work with Postini. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Effectively, it seems the MailAuth feature does not take into account the 'WhiteList' parameter in the smtp.ipprop.tab file. But should it be the case as the smtp.ipprop.tab Whitelist is supposed to be used to change ip checks ? Davide ? any idea ? IMOO another smtp.ipprop.tab parameter like MailAuth=0 should be created (to not change/mix 'ip checks' rules) For now, Hal, I think you could use your firewall to block any 'external' attempts to go to you Postini dedicated xmail server ip and ports ;) Francis -Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 23/04/08 05:57 Objet: [xmail] Re: Lockdown xMail Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32 WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. Also, tested the xMail server against my local IP (10.0.0.25), as I have a VPN connection to the eMail server as well and that did NOT work as well. And the answer is YES, when I test the 96. address I dropped the VPN tunnel before testing. I also thought of another idea to determine if xMail returns the correct data I performed the following command: ctrlclnt -s XX.XX.XX.XX -n -u Y -p Z cfgfileget smtp.ipprop.tab The command line program returned: 10.0.0.0/16 WhiteList=1 64.18.0.0/20 WhiteList=1 96.227.65.4/32WhiteList=1 Unless you have any further suggestions... What is our next step? Thanks, Hal Dell ePodWorks.net, Inc. Managing Partner - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear Francis - Effectively, it seems the MailAuth feature does not take into account the 'WhiteList' parameter in the smtp.ipprop.tab file. But should it be the case as the smtp.ipprop.tab Whitelist is supposed to be used to change ip checks ? Davide is the one who suggested the smtp.ipprop.tab option to me as I did not really use this tab before. I originally tried adding entries to smtprelay.tab which did not work either. For now, Hal, I think you could use your firewall to block any 'external' attempts to go to you Postini dedicated xmail server ip and ports ;) The problem is that I use xMail as part of my ISP service therefore customers are using xMail as their outbound eMail MTA on Port 25 from all over the place on the net therefore it is not possible to block the port. Even if I could use my firewall to block access; Postini does not have a feature to change the forwarding IP Port for the Relay nor any kind of Authorization that I know of. IMOO another smtp.ipprop.tab parameter like MailAuth=0 should be created (to not change/mix 'ip checks' rules) IMOO I think of this as a Relay function so I think the smtprelay.tab is the place for the information. The docs define the purpose is to allow hosts or networks to use the server as relay. Agains the docs say using SmtpConfig-IP makes authentication require[d] to send mail to the server. Please note that by setting this value everything requires authentication, even for sending to local domains, and this is probably not what you want. However, I'm not sure why SmtpConfig-IP is locked down so hard? Maybe, another way to think about this is that a parameter needs to be added to SmtpConfig-IP to determine if the smtp.ipprop.tab or smtprelay.tab should override the MailAuth. For example: SmtpConfig-64.74.149.27,25MailAuth ipprop SmtpConfig-64.74.149.27,25MailAuth relay Any further suggestions Francis? I just can't believe that as popular as Postini has become that I'm the first one trying to get xMail integrate with it! Anyone done this before? Davide what is our next step? I could really use a patched version of xMail to test. Thanks, Hal Dell ePodWorks.net, Inc. Managing Partner - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask So change this 'smtp.ipprop.tab' line : 96.227.65.4 WhiteList=1 with this this one : 96.227.65.4/32WhiteList=1 Then redoo your telnet tests, and if it don't work, report again :) Francis -Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 22/04/08 06:22 Objet: [xmail] Re: Lockdown xMail Dear Davide - On 4/18/2008 3:24PM ET you responded to my eMail about how to lockdown xMail for use with Postini or any private mail Relay. My OS is Windows 2003 Enterprise R2 Server SP2 running xMail 1.25. Please note that I do have two instances of xMail running on the same server. As far as I can this configuration works just fine. This configuration was perfected with information gleaned from several sources including the kind folks on this list. This xMail server in question is the second instance. The reason I have two xMail servers is so that the first one serves my existing eMailboxes and the second xMail Server will only accept eMail relayed to it from Postini. The xMail servers are behind a Firewall in a DMZ using public IPs. Your suggestion was: Add the IP of the Postini box to SMTP.IPPROP.TAB (lowercase, you know), with a WhiteList=1 property. I continue to get the 551 Server use forbidden from Postini which I assumed was still being sent back from xMail. To prove the source of the issue (Postini vs. xMail) I manually telnet-ed to the xMail server and typed HELO relay.example.org then MAIL FROM:[EMAIL PROTECTED] from my home office network which is NATed to a single public IP. As you will see from the test below that I included my home office public IP network address which is 96. address in the config files (to stand in for the Postini infrastructure). So I reviewed my following configs for errors and did not find any -- so here are the details -- server.tab more config SmtpConfig-64.74.149.27,25MailAuth SmtpConfig-64.74.149.27,8291 MailAuth more config smtp.ipprop.tab 10.0.0.0/24 WhiteList=1 64.18.0.0/20 WhiteList=1 96.227.65.4 WhiteList=1 blank line I also tried smtprelay.tab with the following just because I thought I should try: 10.0.0.0 255.255.255.0 64.18.0.0 255.255.240.0 96.227.65.4 255.255.255.255 blank line Finally, I went back into the server config and commented out the SmtpConfig- lines in the server.tab and xMail responded with 250 OK instead of the 551 Server use forbidden. Without the SmtpConfig I then sent an eMail from Hotmail to my test domain and Postini was able to delivery an eMail fine! Can you spot my config issue? Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. =WITH SmtpConfig 220 smtp-03.phl1.epodworks.net [EMAIL PROTECTED] [XMail 1.25 ESMTP Server] service ready; Mon, 21 Apr 2008 23:34:39 -0400 HELO relay.example.org 250 smtp-03.phl1.epodworks.net MAIL FROM:[EMAIL PROTECTED] 551 Server use forbidden quit 221 [XMail 1.25 ESMTP Server] service closing transmission channel =WITHOUT SmtpConfig 220 smtp-03.phl1.epodworks.net [EMAIL PROTECTED] [XMail 1.25 ESMTP Server] service ready; Mon, 21 Apr 2008 23:38:30 -0400 HELO relay.example.org 250 smtp-03.phl1.epodworks.net MAIL FROM:[EMAIL PROTECTED] 250 OK quit 221 [XMail 1.25 ESMTP Server] service closing transmission channel =SUCCESSFUL MAIL DELIVERY WITHOUT SmtpConfig= (X@ was replaced for real eMail address because this eMail will be publicly archived) Received: from psmtp.com ([64.18.0.75]:45028) by smtp-03.phl1.epodworks.net ([64.74.149.27]:25) with [XMail 1.25 ESMTP Server] id S13 for [EMAIL PROTECTED] from [EMAIL PROTECTED]; Mon, 21 Apr 2008 23:49:09 -0400 Received: from source ([65.54.246.139]) by exprod5mx216.postini.com ([64.18.4.10]) with SMTP; Mon, 21 Apr 2008 20:49:09 PDT Received: from BAY124-W44 ([207.46.11.207]) by bay0-omc2-s3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 20:49:08 -0700 Message-ID: [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Content-Type: multipart/alternative; boundary=_1731ae70-8835-4c66-91d6-b2a54a21882f_ X-Originating-IP: [96.227.65.4] From: Hal Dell [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: Postini test day 2008-04-21-11-48 Date: Mon, 21 Apr 2008 23:49:08 -0400 Importance: Normal MIME-Version: 1.0 X-OriginalArrivalTime: 22 Apr 2008 03:49:08.0976 (UTC) FILETIME=[D1C1FF00:01C8A42B] X-pstn-neptune: 0/0/0.00/0 X-pstn-levels: (S:37.90482/99.9 CV:99. R:95.9108 P:95.9108 M:97.0282 C:98.6951 ) X-pstn-settings: 5 (2.:2.) s cv gt3 gt2 gt1 r p m c X-pstn-addresses: from [EMAIL PROTECTED] [15/1] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help
[xmail] Re: Lockdown xMail
Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32 WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. Also, tested the xMail server against my local IP (10.0.0.25), as I have a VPN connection to the eMail server as well and that did NOT work as well. And the answer is YES, when I test the 96. address I dropped the VPN tunnel before testing. I also thought of another idea to determine if xMail returns the correct data I performed the following command: ctrlclnt -s XX.XX.XX.XX -n -u Y -p Z cfgfileget smtp.ipprop.tab The command line program returned: 10.0.0.0/16 WhiteList=1 64.18.0.0/20 WhiteList=1 96.227.65.4/32WhiteList=1 Unless you have any further suggestions... What is our next step? Thanks, Hal Dell ePodWorks.net, Inc. Managing Partner - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear Davide - On 4/18/2008 3:24PM ET you responded to my eMail about how to lockdown xMail for use with Postini or any private mail Relay. My OS is Windows 2003 Enterprise R2 Server SP2 running xMail 1.25. Please note that I do have two instances of xMail running on the same server. As far as I can this configuration works just fine. This configuration was perfected with information gleaned from several sources including the kind folks on this list. This xMail server in question is the second instance. The reason I have two xMail servers is so that the first one serves my existing eMailboxes and the second xMail Server will only accept eMail relayed to it from Postini. The xMail servers are behind a Firewall in a DMZ using public IPs. Your suggestion was: Add the IP of the Postini box to SMTP.IPPROP.TAB (lowercase, you know), with a WhiteList=1 property. I continue to get the 551 Server use forbidden from Postini which I assumed was still being sent back from xMail. To prove the source of the issue (Postini vs. xMail) I manually telnet-ed to the xMail server and typed HELO relay.example.org then MAIL FROM:[EMAIL PROTECTED] from my home office network which is NATed to a single public IP. As you will see from the test below that I included my home office public IP network address which is 96. address in the config files (to stand in for the Postini infrastructure). So I reviewed my following configs for errors and did not find any -- so here are the details -- server.tab more config SmtpConfig-64.74.149.27,25MailAuth SmtpConfig-64.74.149.27,8291 MailAuth more config smtp.ipprop.tab 10.0.0.0/24 WhiteList=1 64.18.0.0/20 WhiteList=1 96.227.65.4 WhiteList=1 blank line I also tried smtprelay.tab with the following just because I thought I should try: 10.0.0.0 255.255.255.0 64.18.0.0 255.255.240.0 96.227.65.4 255.255.255.255 blank line Finally, I went back into the server config and commented out the SmtpConfig- lines in the server.tab and xMail responded with 250 OK instead of the 551 Server use forbidden. Without the SmtpConfig I then sent an eMail from Hotmail to my test domain and Postini was able to delivery an eMail fine! Can you spot my config issue? Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. =WITH SmtpConfig 220 smtp-03.phl1.epodworks.net [EMAIL PROTECTED] [XMail 1.25 ESMTP Server] service ready; Mon, 21 Apr 2008 23:34:39 -0400 HELO relay.example.org 250 smtp-03.phl1.epodworks.net MAIL FROM:[EMAIL PROTECTED] 551 Server use forbidden quit 221 [XMail 1.25 ESMTP Server] service closing transmission channel =WITHOUT SmtpConfig 220 smtp-03.phl1.epodworks.net [EMAIL PROTECTED] [XMail 1.25 ESMTP Server] service ready; Mon, 21 Apr 2008 23:38:30 -0400 HELO relay.example.org 250 smtp-03.phl1.epodworks.net MAIL FROM:[EMAIL PROTECTED] 250 OK quit 221 [XMail 1.25 ESMTP Server] service closing transmission channel =SUCCESSFUL MAIL DELIVERY WITHOUT SmtpConfig= (X@ was replaced for real eMail address because this eMail will be publicly archived) Received: from psmtp.com ([64.18.0.75]:45028) by smtp-03.phl1.epodworks.net ([64.74.149.27]:25) with [XMail 1.25 ESMTP Server] id S13 for [EMAIL PROTECTED] from [EMAIL PROTECTED]; Mon, 21 Apr 2008 23:49:09 -0400 Received: from source ([65.54.246.139]) by exprod5mx216.postini.com ([64.18.4.10]) with SMTP; Mon, 21 Apr 2008 20:49:09 PDT Received: from BAY124-W44 ([207.46.11.207]) by bay0-omc2-s3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 20:49:08 -0700 Message-ID: [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Content-Type: multipart/alternative; boundary=_1731ae70-8835-4c66-91d6-b2a54a21882f_ X-Originating-IP: [96.227.65.4] From: Hal Dell [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: Postini test day 2008-04-21-11-48 Date: Mon, 21 Apr 2008 23:49:08 -0400 Importance: Normal MIME-Version: 1.0 X-OriginalArrivalTime: 22 Apr 2008 03:49:08.0976 (UTC) FILETIME=[D1C1FF00:01C8A42B] X-pstn-neptune: 0/0/0.00/0 X-pstn-levels: (S:37.90482/99.9 CV:99. R:95.9108 P:95.9108 M:97.0282 C:98.6951 ) X-pstn-settings: 5 (2.:2.) s cv gt3 gt2 gt1 r p m c X-pstn-addresses: from [EMAIL PROTECTED] [15/1] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On Fri, 18 Apr 2008, Hal Dell wrote: Dear Davide - As you can see from my previous messages I was unable to lockdown the xMail Server based upon the config below. I did discover that SmtpConfig now seems to work after an upgrade from 1.24 to 1.25. Now , when I attempt to connect directly and type Mail from:[EMAIL PROTECTED] without prior authentication I get the error message 551 Server use forbidden. Which I guess is what should be expected. When I manually perform an AUTH LOGIN and then type Mail from:[EMAIL PROTECTED] I get the message 250 OK. The reason I'm doing all of this is to pass all my eMail thru Postini. I really would appreciate your help on this. However, Postini is going to only work if I can lock out the spammers from connecting to my eMail server directly as they ignore the MX records. As you know Postini acts as an eMail Relay as follows: Postini MTA In --- SPAM Engine -- Postini SMTP Out -- My xMail MTA Target eMail Address is [EMAIL PROTECTED] with MX pointing to Postini Postini Address Space: 64.18.0.0 / 255.255.240.0 My xMail MTA: 64.74.149.27 Now keep in mind that I use xMail in an ISP scenario and as such that I don't know the IPs of the eMail clients connecting to the xMail Server from outside thus I need to allow eMail clients to relay. Of course all clients are required authenticate. I assume I can't use SMTP.IPMAP.TAB because of this. Therefore, it seemed to me that by adding the Postini Address space to the SMTPRELAY.TAB I was hoping it would override the need for authentication. Unfortunately, Postini does provide support for authentication as it is simply a Relay. Add the IP of the Postini box to SMTP.IPPROP.TAB (lowercase, you know), with a WhiteList=1 property. - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Hello All... I have an external eMail Server that accepts inbound eMail then relays all of the eMail to my internal xMail Server. eMail Clients wanting to send eMails out will connect to the xMail Server. I want to force any SMTP connections to xMail to require Authentication and the only allow relaying of eMail by the IPs in the smtprelay.tab. The IP Address of the external eMail Server would be listed in the smtprelay.tab so that xMail would accept eMail from the external eMail server without the need for authentication. So I added the following to the server.tab: SmtpConfig-64.74.149.27,25MailAuth SmtpConfig-64.74.149.27,8291 MailAuth However, if you telnet to the above IP and manually perform the protocol exchange then xMail Server accepts the eMail for the local domain epodworks.net. I was under the impression that if I add the above SmtpConfig it would force authentication on ALL inbound SMTP traffic. HELO relay.example.org MAIL FROM:[EMAIL PROTECTED] RCPT TO:[EMAIL PROTECTED] DATA From: Bob Example [EMAIL PROTECTED] To: Hal [EMAIL PROTECTED] Date: Tue, 15 Apr 2008 16:02:43 -0500 Subject: Test message Hello Alice. This is a test message with 5 headers and 4 lines in the body. Your friend, Bob .. QUIT Any thoughts would be helpful Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear Davide - As you can see from my previous messages I was unable to lockdown the xMail Server based upon the config below. I did discover that SmtpConfig now seems to work after an upgrade from 1.24 to 1.25. Now , when I attempt to connect directly and type Mail from:[EMAIL PROTECTED] without prior authentication I get the error message 551 Server use forbidden. Which I guess is what should be expected. When I manually perform an AUTH LOGIN and then type Mail from:[EMAIL PROTECTED] I get the message 250 OK. The reason I'm doing all of this is to pass all my eMail thru Postini. I really would appreciate your help on this. However, Postini is going to only work if I can lock out the spammers from connecting to my eMail server directly as they ignore the MX records. As you know Postini acts as an eMail Relay as follows: Postini MTA In --- SPAM Engine -- Postini SMTP Out -- My xMail MTA Target eMail Address is [EMAIL PROTECTED] with MX pointing to Postini Postini Address Space: 64.18.0.0 / 255.255.240.0 My xMail MTA: 64.74.149.27 Now keep in mind that I use xMail in an ISP scenario and as such that I don't know the IPs of the eMail clients connecting to the xMail Server from outside thus I need to allow eMail clients to relay. Of course all clients are required authenticate. I assume I can't use SMTP.IPMAP.TAB because of this. Therefore, it seemed to me that by adding the Postini Address space to the SMTPRELAY.TAB I was hoping it would override the need for authentication. Unfortunately, Postini does provide support for authentication as it is simply a Relay. I guess the questions is why is the content of the SMTPRELAY.TAB override the need for SMTP Authentication? Or is their something that I need to do to make this work? The line in the realy file is: 64.18.0.0 255.255.240.0 Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. Hal Dell Wrote on: Thursday, April 17, 2008 2:27 PM Hello All... I have an external eMail Server that accepts inbound eMail then relays all of the eMail to my internal xMail Server. eMail Clients wanting to send eMails out will connect to the xMail Server. I want to force any SMTP connections to xMail to require Authentication and the only allow relaying of eMail by the IPs in the smtprelay.tab. The IP Address of the external eMail Server would be listed in the smtprelay.tab so that xMail would accept eMail from the external eMail server without the need for authentication. So I added the following to the server.tab: SmtpConfig-64.74.149.27,25MailAuth SmtpConfig-64.74.149.27,8291 MailAuth However, if you telnet to the above IP and manually perform the protocol exchange then xMail Server accepts the eMail for the local domain epodworks.net. I was under the impression that if I add the above SmtpConfig it would force authentication on ALL inbound SMTP traffic. HELO relay.example.org MAIL FROM:[EMAIL PROTECTED] RCPT TO:[EMAIL PROTECTED] DATA From: Bob Example [EMAIL PROTECTED] To: Hal [EMAIL PROTECTED] Date: Tue, 15 Apr 2008 16:02:43 -0500 Subject: Test message Hello Alice. This is a test message with 5 headers and 4 lines in the body. Your friend, Bob ... QUIT - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail SMTP
Here is a possible setup : (replace any AAA or BBB with correct Ip where AAA is you upstream MTA outgoing IP and BBB is xmail listening IP) 1 - Configure Xmail to listen ONLY on port 587 by changing xmail smtp binding in Cmd Line parameters : -SI BBB:587 This have two functions : a : Stop Xmail to listen to standard port 25 defeting many 'spammers' and 'viries' that try only on port 25 (see 2 to secure much more port 587 to stop 'intelligent spammers' that try also port 587) b : Help your customers to bypass some ISP blocking outgoing port 25 :) 2 - Add this line in server.tab file : SmtpConfig-BBB,587 [TAB]MailAuth This line force authentication on port 587, so only your customers (see 5) and you mx (AAA) (see 4) will be able to send to xmail (and be eventualy relayed). 3 - Add a dummy account in xmail for use by you mx (AAA) to do auth when sending to xmail (give it a complex name with a strong password :) ) 4 - Configure you mx AAA to forward mails to Xmail on port 587 with the good credentials created at point 3 5 - Ask ALL of your customers to replace smtp port 25 with 587 AND to configure authentication in they MUA for smtp (using they current pop3 email/login and password as credentials) 6 - If necessary, to force xmail to use mx AAA for outgoing mails put this unique line in smtpfwd.tab file : *[TAB]AAA:25 (Change 25 by good port at mx AAA if different for outgoing mails) Doing this, ask xmail to send ANY outgoing mail to AAA I hope I didn't forget something :) Francis -Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 25/02/08 16:06 Objet: [xmail] Re: Lockdown xMail SMTP Hello al... How do I configure xMail so that it is locked down -- such that xMail will only accept eMail from authenticated eMail clients. In my case I have an upstream MTA that excepts mail from the outside world -- thus the IP address of this MTA is in the SMTPRELAY.TAB file. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail SMTP
Hello al... How do I configure xMail so that it is locked down -- such that xMail will only accept eMail from authenticated eMail clients. In my case I have an upstream MTA that excepts mail from the outside world -- thus the IP address of this MTA is in the SMTPRELAY.TAB file. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]