No. 1 question: How do I set up a 'HotMail' type system?
Questions:
- I like DPOP but I have half a dozen users who leave mail on the server and need to read email direct from Unix drop files.
- What operating systems is DMail available on?
- What is the maximum number of email clients which can be handled by DPOP?
- We have our own special username/password routines. Can these be used with DPOP?
- Is the source for DPOP, DSMTP, DList available so that we can tailor it to our needs?
- We would like to try DPOP but are paranoid about upsetting umpty thousand users. How can we ease into it?
- Should I use username suffixes or multiple IP numbers for virtual domain support?
- Can I set up a 'HotMail' like system using DMail or DMailWeb?
- I want all domain1 email which does not go to a specific user to go to one designated user.
- What is Relaying?
- How do I add extra fields to wadduser?
- Time Stamp and Time Zone problems (mostly on Linux platforms).
- How can I transfer mail accounts (users) from my current email server?
- How can I have some users who can connect direct to DPOP but others who can only connect with DMailWeb/CWMail?
- How can I check what aliases I have set up for a user?
- I'm getting a Read Failed 109 error message, what's that?
- Can I filter messages based on the attachment name?
- Tell me about the SMTP protocol?
- How do I add Multiple IP numbers on a single machine?
- Can I specify a RANGE of IP addresses?
- I want to UPGRADE, ... ?
- I want to MOVE DMail, ... ?
- I want to park mail for a domain (but mail is rejected as no relaying)
- Can I run DSMTP (and DPOP) on another port?
- Can I delete queue files from the queue?
- Security Note: What things can I do to secure my mail system against hackers?
- Does CWMail and DMail server support multi-threading?
- Is there a limit to the length of a username?
- Running DMail on your ISP's Server
- Security Note: Robots running as root
- Can I use DMail for a Remote or Dial Up Mail Server?
- Can I use DMail from behind a firewall or proxy server?
Answers:
- Drop users:
You have a few users who check their mail using a normal POP client but leave the mail on the server, and who also want to be able to access the drop files directly, with pine for example. But DPOP converts the drop files to its own format for more efficient manipulation, so once the mail has been checked there is nothing left in the drop files and the users can't see their mail. This is easily remedied by adding a line to your dmail.conf configuration file. It should look like this:
drop_users ralph,bill,*smith
This would force DPOP to leave all the email messages for ralph, bill and anyone with a usercode finishing with the word smith in drop files. Be careful not to put spaces in the list, and avoid making it too general, as there is a performance hit in keeping messages in drop files; that's why DPOP avoids it in the first place. This setting is only needed for users who check their mail with a POP3 connection AND leave it on the server AND want to read it with software that directly reads the drop file.
- What operating systems is the DMail package available on?
It is our intention to make it available on all common operating systems. It is initially available on Linux, Solaris, HPUX and Windows NT. Please ask if you need it for another system soon.
- What is the maximum number of email clients which can be handled by DPOP?
This basically depends on the server hardware it is to run on and the type of license you buy. It is intended to be very scalable and to work well on large and small systems. Because of its design, both large numbers of concurrent users and large numbers of email user accounts have relatively little impact on the process size and performance.
- We have our own special username/password routines. Can these be used with DPOP/DSMTP?
Yes, DSMTP and DPOP can be configured to use an external authentication process for checking usernames/passwords.
- Is the source available so that we can tailor it to our needs?
No, but this should not be necessary as most aspects of DSMTP, DList and DPOP can be easily configured. They can also use an external password checking routine, and an external routine to indicate where drop files are and how the path is hashed. DPOP can also generate statistics which can be used by an external routine for generating charging information. If there is some other aspect which you need to be able to tailor, please let us know.
- We would like to try DPOP but are paranoid about upsetting umpty thousand users. How can we ease into it?
Email is a vital service, so even if the current popper you are using is slow it is still a scary step to move to another one. You can't afford to upset users. So how do you ease into it? There are a number of strategies which can be helpful here.
- If you have the luxury of a spare machine, obviously installing DPOP on that first will help. It at least allows you to check out the various options you might want to use and get used to how they work. The DMSetup wizard will help you to remove it from the test machine after your testing is complete. The de-install option tries to err on the conservative side: it tells you where the files are that you might want to delete, and it will only remove something that is definitely part of DPOP and not any other popper.
- If you have not got a spare machine, or you have tried that and are now more comfortable but still cautious, the next easy step is to install DPOP on the main server BUT get it running on a different port. This way you can leave your original popper running. For example you might set DPOP up on port 1100 instead of 110. To do this, follow the normal installation procedure but say no to the question "Shall I comment out current POP3 entries in inetd.conf". Then edit the dmail.conf file and change the pop_port line from
pop_port 110
to
pop_port 1100
You can then get individual users to try switching to DPOP by changing the setting in their email reading software to read on another port. This is straightforward in Pegasus Mail, more difficult on some other email clients. For Eudora on Windows 95 just edit the Services file in the Windows directory to change the POP3 port. You can even allow someone to connect both ways, although if they are going to do this AND leave unread or undeleted mail on the server you must put a line in dmail.conf to tell DPOP to change their bin files back into a drop file at the end of each session. This should only be done if they NEED to read their mail from the Unix command line or some other non-DPOP connection, as it will slow processing down. If Bob, Bill and Bert are Unix gurus who read their mail both from the Unix command line and using a POP3 client, you might add one of the following lines to dmail.conf:
drop_users B*
drop_users Bob,Bill,Bert
Once you have run DPOP in this mode for a while you can switch back to the real POP3 port by changing the pop_port line in dmail.conf and then issuing the tellpop reload command.
- Alternatively you can take the plunge and install DPOP directly on your main server in some off-peak time. Test it with a few test accounts and, if there are any problems that look difficult, revert to the previous popper. To do that all you need to do is put the lines in inetd.conf back how they were and get inetd to reload; the DMSetup wizard can do this for you. If the accounts you have tested have undeleted or unread mail left on the server, these must be converted back to drop files. This must be done before stopping DPOP, by using either
tellpop drop_all
to do all accounts that have used DPOP, or
tellpop drop Bert
tellpop drop Bill
etc. to deal with user accounts one at a time.
- Should I use username suffixes or multiple IP numbers for virtual domain support?
Multiple IP numbers have the advantage that the users do not need to change the username setting in their email client packages. Username suffixes save you having to configure your server machine to respond to multiple IP numbers. The two schemes work as follows:
If a vdomain setting line has an IP number like 1.2.3.4 in it, then DPOP checks what IP number the user was connecting to and acts on the matching vdomain lines. If the vdomain setting line has a suffix string rather than an IP number in the same place (e.g. /xusers), then when a user connects to DPOP and sends
user fred/xusers
DPOP picks up the /xusers and uses that to match a vdomain line. The suffix is stripped off and the prefix is added, just as it would be for an IP-based vdomain. From then on the two systems are the same. The other question is what we end up with as a drop file name.
Consider the two vdomain lines:
- vdomain abc 1.2.3.4 xdomain.com /var/spool/mail/xdomain
- vdomain abc /xdom xdomain.com /var/spool/mail/xdomain
If a user connects to 1.2.3.4 or uses the username fred/xdom, then the Unix username used will be
and the drop file used will be
- /var/spool/mail/xdomain/fred
Some mail transport systems find it easier to deliver to a drop file
- /var/spool/mail/xdomain/abc_fred
To allow for this another setting has been added; if this setting is true, DPOP will use the second form for the drop file name.
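The following C example, added here and not part of DMail, walks through the resolution just described: it takes the IP number a user connected to and the username as typed, strips any /suffix, matches against a small constructed table of vdomain lines, and builds the drop file name in either form. The table, the function name and the 'prefixed' argument are assumptions for illustration; the dmail.conf setting that selects the prefix_user form is not named on this page, so it is modelled as a plain flag.

```c
#include <stdio.h>
#include <string.h>

/* One vdomain line: prefix, match key (an IP number or a /suffix),
   domain name and drop-file directory. Constructed sample config. */
struct vdomain {
    const char *prefix;
    const char *key;
    const char *domain;
    const char *dropdir;
};

static const struct vdomain VDOMAINS[] = {
    { "abc", "1.2.3.4", "xdomain.com", "/var/spool/mail/xdomain" },
    { "abc", "/xdom",   "xdomain.com", "/var/spool/mail/xdomain" },
    { "xyz", "1.2.3.5", "ydomain.com", "/var/spool/mail/ydomain" },
};
#define NVDOMAINS (sizeof VDOMAINS / sizeof VDOMAINS[0])

/* Resolve a POP login to its drop file.
   connect_ip: the IP number the client connected to.
   login:      the username as typed, possibly "user/suffix".
   prefixed:   nonzero selects the "prefix_user" file name that some
               transports find easier to deliver to (the page mentions a
               dmail.conf setting for this without naming it; assumption).
   Returns 1 and writes the path into out on a match, 0 otherwise. */
int resolve_drop_file(const char *connect_ip, const char *login, int prefixed,
                      char *out, size_t outlen)
{
    char user[64];
    const char *suffix = strchr(login, '/');          /* keeps the '/' */
    size_t ulen = suffix ? (size_t)(suffix - login) : strlen(login);

    if (ulen == 0 || ulen >= sizeof user) return 0;
    memcpy(user, login, ulen);
    user[ulen] = '\0';

    for (size_t i = 0; i < NVDOMAINS; i++) {
        const struct vdomain *v = &VDOMAINS[i];
        int hit = (v->key[0] == '/')
                  ? (suffix != NULL && strcmp(v->key, suffix) == 0)
                  : (strcmp(v->key, connect_ip) == 0);
        if (!hit) continue;
        int n = prefixed
                ? snprintf(out, outlen, "%s/%s_%s", v->dropdir, v->prefix, user)
                : snprintf(out, outlen, "%s/%s", v->dropdir, user);
        return n > 0 && (size_t)n < outlen;   /* 0 if the path was truncated */
    }
    return 0;                                 /* no vdomain line applies */
}

int main(void)
{
    char path[256];
    if (resolve_drop_file("1.2.3.4", "fred", 0, path, sizeof path))
        printf("%s\n", path);            /* /var/spool/mail/xdomain/fred */
    if (resolve_drop_file("10.0.0.1", "fred/xdom", 1, path, sizeof path))
        printf("%s\n", path);            /* /var/spool/mail/xdomain/abc_fred */
    return 0;
}
```

The first vdomain line that matches wins, so an IP-keyed line placed before a suffix-keyed line takes precedence for clients on that address; keep that ordering in mind when both forms are in use.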
- Can I set up a 'HotMail' like system using DMail or DMailWeb? (Technical details on WAdduser)
Yes, we have a Web Based Email system that offers Auto Account Creation. For general information on such systems see "Setting Up Web Based Email System with Auto Account Creation".
Our OLD way of doing this is presented below...
Yes, using wadduser instead of NetAuth you need:
- CWMail (web to mail interface)
- DMail (dsmtp, dpop)
- NWAuth (external authentication module for dmail)
- wadduser (example web cgi for adding users using nwauth)
Note: You no longer have to use WAddUser with our new product NetAuth.
DMail comes with source and binary examples of NWAuth and wadduser. You should examine the source and modify wadduser.htm so that it only allows the users to automatically create their own accounts (it has extra functions which you would not want them to be able to use).
Technical details:
- Fetch the source for nwauth/wadduser. This should come with DMail, but if you have an earlier version you can download it from ftp://ftp.netwinsite.com/pub/netwinsite/dmail/nwauth.zip
- Make any changes to the source that you want (not required). See "How do I add extra fields to wadduser?" for some more information on this.
- Build wadduser.cgi and nwauth (only needed on UNIX).
Unix:
gcc wadduser.c nwauth.c -DNOAUTHMAIN -o wadduser.cgi
rm nwauth.o (so you can build it without NOAUTHMAIN defined)
gcc nwauth.c -o NWAuth
Note: if you get crypt errors you may need to add -lc -lcrypt to the end of each gcc line.
Windows:
Create two console (command line) projects:
1. builds nwauth.exe from nwauth.c,
2. builds wadduser.cgi from both wadduser.c and nwauth.c, but you need to define NOAUTHMAIN as a preprocessor definition.
NB: In both projects you will probably need to add wsock32.lib to the list of standard linked libraries.
- Install the cgi script and the html form.
Windows:
copy wadduser.cgi \inetpub\scripts (or wherever your web server cgi directory is)
copy wadduser.htm \inetpub\wwwroot
Unix platforms:
cp wadduser.cgi /home/httpd/cgi-bin (or wherever your web server cgi-bin directory is)
cp wadduser.htm /home/httpd/htdocs
- Test the cgi: use Netscape and reference your web site:
http://your.web.server/wadduser.htm
Fill out the form and press one of the buttons. If it fails, you will probably need to modify the 'action' in wadduser.htm.
- Tell DMail to use NWAuth for user authentication. Add or change in dmail.conf (/etc/dmail.conf or \winnt\system32\dmail.conf):
authent_method external
(unix) authent_process /usr/local/dmail/nwauth
(NT) authent_process c:/dmail/nwauth.exe
authent_number 1
- Modify wadduser.htm so it only allows the actions that you want users to be able to perform (e.g. not delete or search).
- On UNIX you will need to set some file protections:
touch ..../cgi-bin/adduser.log
chown nobody .../cgi-bin/adduser.log
touch /usr/local/dmail/nwauth.txt
chown nobody /usr/local/dmail/nwauth.txt
- If you wish, add a bulletin message to DPOP that welcomes all new users.
- You can add a file, added.htm, in your cgi directory and wadduser will display the contents of the file when a user has been successfully added, underneath the 'Adding User' title.
-
I want all domain1 email which does not go to a specific user to go to one designated user.
The setting you want is fallback_address, e.g.
fallback_address domain1 default@domain2
FYI . . .
I gather that you were using forwarding rules to try to do the same thing instead of using the fallback address. I note that from the lines you had set up, you seemed to be expecting DSMTP to stop looking through the list of forward rules when it found the first match. So for example you had something like,
forward bob@domain1 bob@domain2
forward fred@domain1 bob@domain3
forward *@domain1 default@domain4
and expected DSMTP to only action the bob@domain1 line if a message came in for bob@domain1, i.e. you wanted the *@domain1 line to 'catch' any messages that did not match the first two forward rules.
The way DSMTP has been written, all forwarding rules that are found to match for an incoming message are applied, and forward rules are applied instead of delivering the mail to the original recipient. So if a message came in for bob@domain1, given the dmail.conf lines above, bob@domain2 would receive the message AND so would default@domain4 (because both of the forward rules match) BUT bob@domain1 would not receive the message.
Whereas the fallback address setting,
fallback_address domain1 default@domain4
does what you want. I.e. if a message came in for bob@domain1 and it could not be delivered, because the user database did not have an entry for bob and there wasn't a setting (forward rule, alias etc.) sending the mail to someone else, then DSMTP would deliver it to the fallback address, default@domain4, instead of bouncing the message back to the sender.
Note: DSMTP's action of applying all forward rules is a nice feature that you will probably use for other situations.
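To make the difference between forward rules and fallback_address concrete, here is an added C example (not DSMTP's code) that applies the three forward lines above and the fallback setting to a recipient the way the paragraph describes: every matching rule fires, a matching rule replaces the original recipient, and the fallback is only used when nothing matched and the user is unknown. The rule table, the user list and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

struct forward_rule { const char *pattern; const char *target; };

/* The three forward lines from the discussion above (constructed table). */
static const struct forward_rule FORWARDS[] = {
    { "bob@domain1",  "bob@domain2" },
    { "fred@domain1", "bob@domain3" },
    { "*@domain1",    "default@domain4" },
};

/* Users the user database knows about (constructed). */
static const char *LOCAL_USERS[] = { "bob@domain1", "fred@domain1" };
#define NLOCAL (sizeof LOCAL_USERS / sizeof LOCAL_USERS[0])

/* fallback_address domain1 default@domain4 */
static const char *FALLBACK_DOMAIN  = "domain1";
static const char *FALLBACK_ADDRESS = "default@domain4";

/* Only the "*@domain" wildcard form shown on the page is modelled. */
static int pattern_matches(const char *pattern, const char *addr)
{
    const char *at = strchr(addr, '@');
    if (strncmp(pattern, "*@", 2) == 0)
        return at != NULL && strcmp(at + 1, pattern + 2) == 0;
    return strcmp(pattern, addr) == 0;
}

static int is_local_user(const char *addr)
{
    for (size_t i = 0; i < NLOCAL; i++)
        if (strcmp(LOCAL_USERS[i], addr) == 0) return 1;
    return 0;
}

static int in_fallback_domain(const char *addr)
{
    const char *at = strchr(addr, '@');
    return at != NULL && strcmp(at + 1, FALLBACK_DOMAIN) == 0;
}

/* Work out who actually receives a message addressed to rcpt, following
   the semantics described above: every matching forward rule fires; if any
   rule fired the original recipient gets nothing; otherwise a known user
   gets the message; otherwise the domain's fallback address gets it.
   rules/nrules let the caller try subsets of the table.
   Returns the number of recipients written to out (0 means a bounce). */
int deliver_to(const struct forward_rule *rules, size_t nrules,
               const char *rcpt, const char *out[], int maxout)
{
    int n = 0;
    for (size_t i = 0; i < nrules && n < maxout; i++)
        if (pattern_matches(rules[i].pattern, rcpt))
            out[n++] = rules[i].target;
    if (n > 0) return n;                       /* forwards replace the original */
    if (maxout < 1) return 0;
    if (is_local_user(rcpt)) { out[0] = rcpt; return 1; }
    if (in_fallback_domain(rcpt)) { out[0] = FALLBACK_ADDRESS; return 1; }
    return 0;                                  /* nothing matched: bounce */
}

int main(void)
{
    const char *out[8];
    int n = deliver_to(FORWARDS, 3, "bob@domain1", out, 8);
    for (int i = 0; i < n; i++) printf("bob@domain1 -> %s\n", out[i]);
    n = deliver_to(FORWARDS, 2, "nobody@domain1", out, 8);   /* without the *@ rule */
    for (int i = 0; i < n; i++) printf("nobody@domain1 -> %s\n", out[i]);
    return 0;
}
```

Passing only the first two rules shows the intended configuration: without the *@domain1 forward, bob still goes only to bob@domain2 and an unknown domain1 user lands on the fallback address instead of bouncing.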
-
What is Relaying?
Sending mail to non-local users is referred to as 'relaying', as DSMTP must relay the message to the user's local SMTP server (often their ISP's SMTP server) so that it can write the message to the user's drop file (mail file on the server). The message may be relayed several times from server to server until it reaches the final SMTP server where the user is a local user - at least that is the theory.
Because of spammers, most SMTP servers severely restrict what relaying is allowed to occur. So the message normally only gets relayed through an intermediary SMTP server if the server the email client gives the message to for sending is set up to gateway mail to another server, i.e. pass all its mail on to that server for delivery. An SMTP server set to gateway mail is often used to allow mail to be sent through firewalls.
-
How do I add extra fields to wadduser?
To add extra fields in wadduser.htm for storing more information about the user, you will need to do the following:
- Add the input text boxes and their appropriate variables in HTML to wadduser.htm (or the pages that you want them on)
- Modify the source of the CGI wadduser (wadduser.c) so that it records the information given
- Recompile wadduser.c (which requires linking to nwauth.c)
- Replace wadduser.exe in your cgi or scripts directory with your new version
The page that calls the wadduser CGI (wadduser.htm) has a form on it that calls the CGI as its action to perform when it is submitted, i.e. when one of the buttons is pressed. E.g.
action="http://server.com/scripts/wadduser.exe"
calls the wadduser cgi from the scripts directory on the server.com web server. The CGI works out which of the buttons on the page was pressed and carries out the appropriate action. The function below, web_add (from wadduser.c), is called when you click on the "add" button on the example wadduser.htm page.
The form also has a number of variables that are passed to the CGI as part of the action of submitting the form, e.g. name, username, password. To add more fields you need to add more such input fields to the web page, in this form,
<input type="text" name="username" size="20">
So to add a field to get the person's hobby, you could add to wadduser.htm
<input type="text" name="hobby" size="20">
Then you need to decide what you want the CGI to do with the information in the fields that you add.
The three lines in the function below,
fprintf(f,"%s|",form_find("phone"));
fprintf(f,"%s|",form_find("fax"));
fprintf(f,"%s|",form_find("comments"));
search the form that is submitted by the wadduser.htm page for the fields phone, fax and comments, and if it finds them then it prints them into the log file, adduser.log. If it cannot find them, for example if there is no such input field on the web page (this is the case with the example wadduser.htm - there are no input boxes for phone, fax and comments) or the user has not entered anything in the box, then it will simply enter an empty string.
So to make wadduser log the person's hobby entry, you could add this line below the three above,
fprintf(f,"%s|",form_find("hobby"));
The function below ONLY writes the username, password and name entries to the nwauth.txt password file, but it writes to the log file, adduser.log, a whole bunch of input fields that don't exist. Note that NWAuth only takes three fields, 'username', 'password' and 'other'. It is the 'other' field into which you can add your own fields. The function below adds the field 'name' into the 'other' field in the following format,
name="the person's full name"
The 'other' field can take as many fields as you want (until the information reaches the BFSZ definition, when you will get buffer overflows!); simply make sure that each field has the correct format and that they are separated by a space.
So to make the CGI write the hobby field onto the end of the 'other' field in nwauth.txt you should change the line in the function below from,
sprintf(bf,"name=\"%s\"",name);
to
sprintf(bf,"name=\"%s\" hobby=\"%s\"",name,form_find("hobby"));
This will result in nwauth.txt lines like,
bob:a234h6:name="Bob Smith" hobby="ping pong"
for the username bob, which has a password of something we cannot read as it is encrypted, and a full name of 'Bob Smith' and a hobby of 'ping pong'.
int web_add(void)
{
    FILE *f;
    char username[BFSZ],password[BFSZ],name[BFSZ];
    char bf[BFSZ];

    /* Check the user has filled in the required fields */
    if (!check_value("Name","name","")) return 0;
    if (!check_value("Username","username","")) return 0;
    if (!check_value("Password","password","")) return 0;

    /* Record the request in adduser.log, one '|'-separated line per add */
    f = fopen("adduser.log","a");
    if (f==NULL) { printf("Could not write file\n"); return 0;}
    fprintf(f,"%s|Add|",get_date());
    fprintf(f,"%s|",mygetenv("REMOTE_ADDR"));
    fprintf(f,"%s|",form_find("username"));
    fprintf(f,"%s|",form_find("name"));
    /* These are optional form elements to record */
    fprintf(f,"%s|",form_find("phone"));
    fprintf(f,"%s|",form_find("fax"));
    fprintf(f,"%s|",form_find("comments"));
    fprintf(f,"\n");
    fclose(f);

    /* Copy the form values into bounded buffers (ncpy copies at most BFSZ-1) */
    ncpy(username,form_find("username"),BFSZ-1);
    ncpy(password,form_find("password"),BFSZ-1);
    ncpy(name,form_find("name"),BFSZ-1);
    strlwr(username); /* Only allow lower case usernames */

    do_header("Adding user");
    printf("<pre>");
    if (auth_exists(username)) {
        printf("Sorry, a user by that name already exists\n");
    } else {
        /* Build the 'other' field. bf is only BFSZ bytes, so a name close
           to BFSZ-1 characters overflows it, as the text above warns. */
        sprintf(bf,"name=\"%s\"",name);
        auth_set(username,password,bf);
        showfile("added.htm");
    }
    printf("</pre>");
    do_footer();
    return 0;
}
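The text above warns that the 'other' field overflows bf once it reaches BFSZ, and the nwauth.txt line format shows why the content of that field matters too: a name containing a double quote could close name="..." early and append a field of its own, and a ':' in a username would break the colon-separated record. The added C example below (example code, not wadduser's) shows the two checks a hardened web_add would make before calling auth_set: a username character whitelist and a bounded, quote-rejecting builder for the 'other' field. BFSZ is given a constructed value and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define BFSZ 256   /* stands in for wadduser's BFSZ (constructed value) */

/* Accept only lower-case letters, digits, '.', '-' and '_' in a usercode.
   ':' is refused so the colon-separated nwauth.txt record stays intact;
   '/' is not in the set and ".." is refused so the drop-file path built
   from the usercode cannot leave its directory. */
int username_ok(const char *u)
{
    size_t n = strlen(u);
    if (n == 0 || n >= BFSZ || strstr(u, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(islower(c) || isdigit(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Append one key="value" pair to the space-separated 'other' field.
   Refuses values containing '"', ':' or a line break, since any of them
   would let a form value close the quoted string and add a field of its
   own (or a new record) to nwauth.txt. Fails instead of truncating when
   the buffer would fill. Returns 1 on success, 0 on refusal. */
int other_append(char *other, size_t otherlen, const char *key, const char *value)
{
    if (strpbrk(value, "\"\r\n:") != NULL) return 0;
    size_t used = strlen(other);
    int n = snprintf(other + used, otherlen - used, "%s%s=\"%s\"",
                     used ? " " : "", key, value);
    if (n < 0 || (size_t)n >= otherlen - used) {
        other[used] = '\0';                 /* roll back the partial write */
        return 0;
    }
    return 1;
}

/* Build the 'other' field for the add action: name, plus hobby if given.
   On failure the buffer is left empty so nothing half-built reaches auth_set. */
int build_other(char *other, size_t otherlen, const char *name, const char *hobby)
{
    other[0] = '\0';
    if (!other_append(other, otherlen, "name", name)) return 0;
    if (hobby != NULL && hobby[0] != '\0' &&
        !other_append(other, otherlen, "hobby", hobby)) {
        other[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char other[BFSZ];
    if (username_ok("bob") && build_other(other, sizeof other, "Bob Smith", "ping pong"))
        printf("bob:<hash>:%s\n", other);   /* bob:<hash>:name="Bob Smith" hobby="ping pong" */
    return 0;
}
```

In web_add the two calls would sit between strlwr(username) and auth_exists(): reject the request if username_ok fails, and pass the buffer from build_other to auth_set only when it returns 1.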
-
Time Stamp and Time Zone problems (mostly on Linux platforms).
NB: the Date field is normally added to an email by the email client. DSMTP only adds one if the email client has not put one on (e.g. if the message was created by DMail's sendmail stub).
NB: In version 2.7l DSMTP was changed to add time stamps that are in local time both on the Date header, if it adds one, and on the Received lines. Before this it always stamped GMT on any Received headers that it added.
If you are running a newer version of Linux (e.g. RedHat 5.2 etc.) then you may experience problems with the time stamp and timezone in the DMail servers. This is because of the difference in C libraries used to compile DMail. Examples of the problems are the timezone being incorrectly specified or all time stamps being in GMT.
To fix the timestamp problems, you need to use a version of DMail compiled with the newer libc6 libraries or have the fix below applied. There are other benefits to the new libraries, e.g. support for shadow passwords etc., and we have been building versions of DMail which use them since version 2.4j. So if you are running a platform that can support the newer libraries then we recommend that you download one marked 'linux_libc6' from the main or beta download directory, ftp://ftp.netwinsite.com/pub/dmail
The alternative is this fix: create the proper link by executing this command.
ln -s /usr/share/zoneinfo /usr/lib/zoneinfo
(Sorry, I'm not sure what version of Unix this answer works on :-(
Also:
On many platforms the timezone information is incorrect, so in dmail.conf you can define:
timezone xxxx
This controls the time zone string that DSMTP stamps on outgoing messages, to give it the form
hh:mm:ss xxxx
NB: it does not alter the time printed, only the timezone string following it.
Some examples:
timezone +1100 would give 11:30:33 +1100
timezone -0800 PST would give 11:30:33 -0800 PST
timezone -0600 CST would give 11:30:33 -0600 CST
timezone +0100 CET would give 11:30:33 +0100 CET
timezone +1200 would give 11:30:33 +1200
-
How can I transfer mail accounts (users) from my current email server?
The best way to answer this is to give you some details on options for DMail, and hopefully if you are able to tell DMail support about your current system then they can make relevant suggestions.
It is worth noting first off that if the users are simply members of the operating system user database then you do not need to do anything with them - simply install DMail and it will find the users by default.
DMail has two basic authentication options:
a) use the operating system password list
b) use an external authentication module
There is one configuration file (dmail.conf) setting that sets this,
authent_method
For (a) this will be either
authent_method nt_user
or
authent_method unix_user
depending on whether you are on a Windows or Unix based platform.
For (b) you set
authent_method external
and
authent_process path_to_program
where path_to_program is the authentication program to run.
Your options are:
- We provide an example authentication module, called NWAuth, which is fully functional and is very efficient with large numbers of users.
- You can also write your own to link to any type of user database (or modify one of ours).
- Our example module for linking into an LDAP server, LDAPAuth.
- Our example module for linking into DNews's users.dat file, DNAuth.
- A customer has provided us with the source to talk to a mySQL server, which DMail support can pass on to you to use or modify.
- There is a link on the following page to an ODBC authentication module provided by another customer, https://netwinsite.com/dmail/utils.htm
So one of the above might be an option, but it does depend on how the users' details are stored. Our NWAuth module can also be run from the command line, e.g.
set user password info="details"
so it may be possible to write a script to run that for all of the users out of your current user database or from a user list.
See the following sections in the manual for more details:
External Authentication
LDAP External Authentication
NWAuth External Authentication
-
Q: I want to have two different types of users. I want one group to have both pop and web access to their mail, and I want the other group to have web access only. How would I set this up? Would I need to run two separate servers? I plan to authenticate using an external authentication module (talking to a MS SQL 6.5 database).
A: Yes, you can run two separate servers or you can make an external authentication module flag some users as being only allowed web access.
The trick is that DPOP only has the ip_address that the user connected from to know if the user has connected from CWMail or with another email client direct to the POP server. DPOP passes this ipaddress to the external authentication module.
So,
1. If you run two separate servers then you can use the user_ip_address setting on one of the servers to only allow connections to that server from the ip address of the CWMail machine. Each server then either needs its own authentication database or you need an external authentication routine for each server which cannot 'see' the other server's group of users in the database.
2. The nicer way is to make your user database have a flag for each user to say whether they are allowed to connect directly to the POP server or not, and then make your external authentication routine check this flag, and reject the connection if they have not connected from the appropriate IP address. The IP address that the user connects from is given in the authentication request by DPOP, e.g.
check username password ipaddress
So your authentication routine needs to check the "direct DPOP connection allowed" flag and, if it is false, it should check the ipaddress passed against your CWMail server(s)'s ip address and reject the connection if it does not match. This is an example - you do not necessarily have to do it this way. The fact that the connection-from IP address is passed to the external authentication module is the important point.
If I have not pointed it out before, we also have the source code to another customer's SQL authentication module which I can give to you if it would help.
For more information contact support-dmail@netwinsite.com
-
Q: If I send a message to user x, how can I check what aliases are set up for that user?
A: To do this you should send a message to that username and then check the log file for lines with the word "chain" in them to see where it has been forwarded to.
You need to set,
log_chain true
in dmail.conf and then issue the command,
tellsmtp reload
You probably don't want to bother the user with a message, so you should make use of the tellsmtp command,
tellsmtp scriptfile.msc
to initiate a message to the user, but pull out before sending any data. E.g. here is a scriptfile, bob.msc, that does this for a user bob:
**************
HELO domain.com
Mail From: <test@domain.com>
Rcpt To: <bob@domain.com>
QUIT
**************
Once you have run the tellsmtp script (on debug log_level), then you can 'grep' or 'find' for lines with the word 'chain' in the log file, dsmtp.log. The following is a transcript of such an operation, looking for aliases and forward rules for the user bob.
C:\dmail>tellsmtp bob.msc
220 domain.com DSMTP ESMTP Server v2.5d
Send (HELO domain.com)
250 domain.com. Hello domain.com (161.29.99.1)
Send (Mail From: <test@domain.com>)
250 Command MAIL OK
Send (Rcpt To: <bob@domain.com>)
251 Command RCPT OK
Send (QUIT)
221 Command QUIT domain.com Service closing transmission channel to domain.com Send (QUIT)
C:\dmail\log>find "chain" dsmtp.log
---------- DSMTP.LOG
26/04 11:53:40 *** Starting rcpt chain for bob
26/04 11:53:40 *** Adding <|\dmail\drespond.exe \message.txt -subject whatever -from "root@domain.com"> to rcpt chain
26/04 11:53:41*** Adding bob to rcpt chain
Which shows that the message is delivered to the robot '\dmail\drespond.exe . . .' and to the user 'bob'.
Note: The log lines with the word 'chain' in them were only added in version 2.5d, so if you are using a version of DSMTP older than that then you will need to grep for something like 'process' and work a bit harder to interpret the results :-)
-
Q: Dpop.log is showing the error message 'Read Failed: 109', what's that?
A: The 109 error says that a "pipe has broken". The two things in DPOP that use pipes are external authentication processes and dslave processes.
Most likely it is the external authentication process causing the problem, and it is probably occurring on the read that DPOP does after sending the 'exit' command to the external authentication. I.e., DPOP has told the external authentication to quit but does not get a response from it. So it checks to see if the external authentication has responded every so often (you will see the 109 error in the log every time that it does) until the timeout period is reached and DPOP gives up.
So this suggests that the external authentication routine is either not returning
+OK\n
(+OK with a carriage return at the end) when it receives the exit command, or that it does not flush the output.
NWAuth has at times done both of these things. So you should probably upgrade NWAuth to a version from the 2.5d or higher distribution set (NWAuth 2.0b).
Note: To upgrade just NWAuth you need to copy the NWAuth executable file over your old NWAuth file, e.g. on NT, \dmail\nwauth.exe. You will need to stop DPOP and DSMTP first so that they stop all their NWAuth processes.
If you have your own authentication module then you should check that it does both of these things. Contact support-dmail@netwinsite.com if you have questions or a problem with this.
The other possibility for the error is that one of the dslave processes is no longer alive when DPOP thinks that it should be. If you do a tellpop status command it will show the number of slave channels that it thinks are running. If this happens just once then it is probably not a problem, but if it continues to happen then it obviously does become a problem.
If the slave_number setting is above 0 then DPOP should always be running at least one slave process. Versions of DPOP before 2.5g had a problem with the dslave processes finding the dmail.conf configuration file, so if you cannot start a dslave process from the command line then this may be the problem. It will be evident in the log file, dslave.log (which itself may be being written to a strange directory on your machine - it is best to use a search to find it).
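The two answers above ('How can I have some users who can connect direct to DPOP...' and this one) between them describe what an external authentication module has to do: decide a 'check username password ipaddress' request using a per-user web-only flag plus the CWMail server's address, answer 'exit' with +OK, and flush every reply so DPOP's read does not hang. The added C example below is a skeleton of such a module; it is not NWAuth and not any of the customer modules mentioned. The user table with plaintext passwords, the CWMail address list and the '-ERR ...' reply wording are constructed stand-ins for your real database, your real password check and whatever failure reply your DMail version expects.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user table: password stands in for whatever your real
   database holds; web_only says the user may not connect to DPOP directly. */
struct user { const char *name; const char *password; int web_only; };
static const struct user USERS[] = {
    { "alice", "pw-alice", 0 },
    { "bob",   "pw-bob",   1 },
};
#define NUSERS (sizeof USERS / sizeof USERS[0])

/* Addresses your CWMail server(s) connect from (constructed). */
static const char *CWMAIL_HOSTS[] = { "10.0.0.5", "10.0.0.6" };
#define NCWMAIL (sizeof CWMAIL_HOSTS / sizeof CWMAIL_HOSTS[0])

static int from_cwmail(const char *ip)
{
    for (size_t i = 0; i < NCWMAIL; i++)
        if (strcmp(CWMAIL_HOSTS[i], ip) == 0) return 1;
    return 0;
}

/* Decide one "check username password ipaddress" request: the password
   must match, and a web-only user is accepted only when the connection
   came from a CWMail host. Returns 1 if the login is allowed, else 0. */
int check_login(const char *user, const char *password, const char *ip)
{
    for (size_t i = 0; i < NUSERS; i++) {
        if (strcmp(USERS[i].name, user) != 0) continue;
        if (strcmp(USERS[i].password, password) != 0) return 0;
        if (USERS[i].web_only && !from_cwmail(ip)) return 0;
        return 1;
    }
    return 0;                                 /* unknown user */
}

/* Handle one request line. Writes the reply (without newline) into resp.
   Returns 1 when the module should exit after replying, else 0. */
int handle_request(const char *line, char *resp, size_t resplen)
{
    char cmd[16], user[64], pass[64], ip[64];
    int n = sscanf(line, "%15s %63s %63s %63s", cmd, user, pass, ip);
    if (n >= 1 && strcmp(cmd, "exit") == 0) {
        snprintf(resp, resplen, "+OK");       /* exit must still be answered */
        return 1;
    }
    if (n == 4 && strcmp(cmd, "check") == 0) {
        snprintf(resp, resplen, "%s",
                 check_login(user, pass, ip) ? "+OK" : "-ERR login refused");
        return 0;
    }
    snprintf(resp, resplen, "-ERR unknown request");
    return 0;
}

int main(void)
{
    char line[512], resp[128];
    /* stdout is a pipe here, so it is fully buffered: flush after every
       reply, or the "+OK" to exit sits in the buffer and DPOP polls with
       Read Failed 109 until its timeout. */
    while (fgets(line, sizeof line, stdin)) {
        int done = handle_request(line, resp, sizeof resp);
        printf("%s\n", resp);
        fflush(stdout);
        if (done) break;
    }
    return 0;
}
```

Run it as the authent_process with stdin and stdout connected to DPOP. In a real module the strcmp on the password would be replaced by a check against your stored hash, and the web-only flag and CWMail addresses would come from the database and dmail.conf rather than tables in the source.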
- Can I filter messages based on the attachment name?
There is no direct setting to filter by attachment filename, but it can be done.
In the manual on our site (link below), under common optional settings, you can find the setting
msg_filter <filename>
This points to a plain-text file which you create and into which you enter very basic filtering rules.
Say we wanted to filter emails carrying an attachment with the filename 'happy99.exe'. We could have
msg_filter f:\dmail\filter.txt
and in filter.txt
reject body begin 0666 happy99.exe
reject body Content-disposition: attachment; filename="happy99.exe"
These two rules should pick up the required messages. The first reject rule is for uuencoded attachments and the second is for the more common MIME-encoded messages.
The rejection rules are simple string searches, so we suggest that you send yourself a test message with an attachment and open the drop file in a text editor. From this you can identify the text that such messages carry in their body, and refine your rules to catch the kinds of attachment your users receive.
You will no doubt find the command
tellsmtp filters
useful: it lists all filters found and their number, which corresponds to the rule number given in the line logged when an incoming message matches a filter.
NB: you cannot use wildcard characters in body filter rules!
reject body *.vbs
will not work; you should have
reject body .vbs
or, to be a little less general, we suggest
reject body .vbs"
You can use wildcards in header processing filters: DSMTP uses a different sort of processing for them, because headers are shorter and so do not need to be processed as efficiently.
There is another problem with the suggestion above. Sometimes an email client splits the
Content-disposition: ...
line across two lines, in which case the suggested filter will not pick it up.
The suggested filter above is still worth adding, but we are working on a MIME parser which extracts all the MIME details so that attachment filtering and other filtering will become much easier. Please contact DMail Support for an update on when that will become available.
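As an added example, not DSMTP's filter engine and not code from this FAQ, here is a small Python model of the filter file described above run over a few constructed messages. It assumes that everything after "reject body " is one literal (so the quote in .vbs" is part of the string), that rule numbers follow file order, and that matching is case-sensitive, exact and wildcard-free, which is how we read "simple string search". It shows the two caveats the FAQ raises: the *.vbs rule never fires, and a folded Content-disposition header evades the one-line rule until the continuation line is joined back on (the job the MIME parser mentioned above would do).

```python
import re

# Constructed filter file in the format the FAQ describes (assumption: the literal runs to end of line).
FILTER_TXT = """\
reject body begin 0666 happy99.exe
reject body Content-disposition: attachment; filename="happy99.exe"
reject body *.vbs
reject body .vbs"
"""


def parse_filters(text):
    """Return [(rule_number, action, where, literal)]. Numbering follows file order, which we
    assume is what `tellsmtp filters` reports; confirm against the real listing."""
    rules = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip():
            action, where, literal = line.split(" ", 2)
            rules.append((number, action, where, literal))
    return rules


def unfold_headers(message):
    """Join folded lines (a line starting with SP/TAB continues the previous one) so a
    Content-disposition split over two lines matches a one-line rule. Applied to the
    whole message for simplicity; it only changes what the substring search sees."""
    return re.sub(r"\r?\n[ \t]+", " ", message)


def first_matching_rule(rules, message, unfold=False):
    """Plain substring search, no wildcard expansion. Returns the rule number or None."""
    haystack = unfold_headers(message) if unfold else message
    for number, action, where, literal in rules:
        if action == "reject" and where == "body" and literal in haystack:
            return number
    return None


# Constructed, abbreviated drop-file contents; none of these is real captured mail.
MIME_MSG = (
    "From: bob@tosh.com\r\nTo: tam@tosh.com\r\nSubject: joke\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\n'
    "Content-Type: application/octet-stream\r\n"
    'Content-disposition: attachment; filename="happy99.exe"\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n'
)
FOLDED_MSG = MIME_MSG.replace(
    'Content-disposition: attachment; filename="happy99.exe"',
    'Content-disposition: attachment;\r\n\tfilename="happy99.exe"',
)
UU_MSG = (
    "From: bob@tosh.com\r\nTo: tam@tosh.com\r\nSubject: joke\r\n\r\n"
    "begin 0666 happy99.exe\r\nM35D0...uuencoded data...\r\nend\r\n"
)
VBS_MSG = MIME_MSG.replace('filename="happy99.exe"', 'filename="loveletter.vbs"')
CLEAN_MSG = "From: bob@tosh.com\r\nTo: tam@tosh.com\r\nSubject: hello\r\n\r\nline 1\r\nline 2\r\n"

RULES = parse_filters(FILTER_TXT)

if __name__ == "__main__":
    for name, msg in [("MIME", MIME_MSG), ("folded", FOLDED_MSG), ("uuencoded", UU_MSG),
                      ("vbs", VBS_MSG), ("clean", CLEAN_MSG)]:
        print(name, first_matching_rule(RULES, msg), first_matching_rule(RULES, msg, unfold=True))
```

Because the search is literal, spell the header the way the clients you see actually send it (Content-Disposition with a capital D is common) and add one rule per spelling; the unfolded test message in your own drop file is the reference.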
- Tell me about the SMTP protocol?
The SMTP protocol is the way that an email client talks to an SMTP server in order to send a message. Note: often it is two SMTP servers talking to each other (relaying), rather than an email client and a server.
A typical SMTP transaction looks like this (it is NOT an RFC example):
client: (opens TCP/IP connection to port 25)
server: 220 tosh.com DSMTP ESMTP Server v2.5f
client: EHLO tosh.com
server: 250-tosh.com. Hello tosh.com (161.29.2.46)<cr>
250-ETRN<cr>
250-DSN<cr>
250 HELP
client: MAIL FROM:<bob@tosh.com>
server: 250 Command MAIL OK
client: RCPT TO:<tam@tosh.com>
server: 250 Command RCPT User found OK
client: DATA
server: 354 Command DATA Start mail input; end with <CRLF>.<CRLF>
client: From: bob@tosh.com
client: To: tam@tosh.com
client: Subject: hello
client:
client: this is the message body, line 1
client: line 2
client: .
server: 250 Command DATA Processed mail data Ok
client: quit
(server drops TCP/IP connection)
Notes:
Each server reply starts with a three-digit code. A hyphen after the code (250-) means more lines of the same reply follow; a space (250 HELP) marks the last line. A 4xx code is a temporary failure and a 5xx code a permanent one. The message ends with a line containing only a single dot, so a client must double a leading dot on any message line that starts with one, or the message would be cut short.
To send an email message without a client (and to let you try out the SMTP protocol) you can create script files (filename.msc) for DSMTP and run them with tellsmtp.
Note: for the definitive word on SMTP please search for the SMTP RFC on the internet (RFC 821; the EHLO/ESMTP extension mechanism used above is RFC 1869).
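The exchange above, as an added example that is neither code from this FAQ nor from NetWin: a small Python client drives the transaction over a socketpair against a fake server whose replies are modelled on the transcript. Assumptions: the fake server's 221 reply to QUIT is the standard one (the FAQ only shows the connection being dropped), the "." handling follows RFC 821's transparency rule, which the FAQ does not mention, and the fake server is only there so the example runs offline.

```python
import socket
import threading


def fake_dsmtp_server(sock):
    """Fake server whose replies are modelled on the transcript above (constructed, not
    a real DSMTP). Returns the message lines it would write to the drop file."""
    reader = sock.makefile("rb")
    received, in_data = [], False

    def reply(text):
        sock.sendall((text + "\r\n").encode("ascii"))

    try:
        reply("220 tosh.com DSMTP ESMTP Server v2.5f")
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.rstrip(b"\r\n").decode("ascii")
            if in_data:
                if line == ".":
                    in_data = False
                    reply("250 Command DATA Processed mail data Ok")
                else:  # undo the client's dot-doubling (RFC 821 transparency)
                    received.append(line[1:] if line.startswith("..") else line)
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb == "EHLO":
                sock.sendall(b"250-tosh.com Hello tosh.com (161.29.2.46)\r\n250-ETRN\r\n250-DSN\r\n250 HELP\r\n")
            elif verb == "MAIL":
                reply("250 Command MAIL OK")
            elif verb == "RCPT":
                reply("250 Command RCPT User found OK")
            elif verb == "DATA":
                in_data = True
                reply("354 Command DATA Start mail input; end with <CRLF>.<CRLF>")
            elif verb == "QUIT":
                reply("221 tosh.com closing connection")  # standard reply; the FAQ just shows the drop
                break
    finally:
        reader.close()
        sock.close()
    return received


def read_reply(reader):
    """One reply: a hyphen after the code ('250-') means more lines follow; a space ends it."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.rstrip(b"\r\n").decode("ascii")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_send(sock, helo_name, mail_from, rcpt_to, headers, body_lines):
    """Drive the transaction the FAQ shows, checking every reply code; returns the EHLO lines."""
    reader = sock.makefile("rb")

    def command(text, expected):
        sock.sendall((text + "\r\n").encode("ascii"))
        code, lines = read_reply(reader)
        if code != expected:
            raise RuntimeError(f"{text!r}: expected {expected}, got {lines[-1]!r}")
        return lines

    code, banner = read_reply(reader)
    if code != 220:
        raise RuntimeError(f"bad greeting: {banner}")
    capabilities = command(f"EHLO {helo_name}", 250)
    command(f"MAIL FROM:<{mail_from}>", 250)
    command(f"RCPT TO:<{rcpt_to}>", 250)
    command("DATA", 354)
    for line in [f"{k}: {v}" for k, v in headers] + [""] + list(body_lines):
        if line.startswith("."):
            line = "." + line  # double a leading dot so a body line cannot end DATA early
        sock.sendall((line + "\r\n").encode("ascii"))
    command(".", 250)
    command("QUIT", 221)
    reader.close()
    return capabilities


def run_exchange():
    """Client and fake server over a socketpair; returns (EHLO lines, lines the server stored)."""
    client_sock, server_sock = socket.socketpair()
    stored = []
    server = threading.Thread(target=lambda: stored.extend(fake_dsmtp_server(server_sock)))
    server.start()
    capabilities = smtp_send(
        client_sock, "tosh.com", "bob@tosh.com", "tam@tosh.com",
        [("From", "bob@tosh.com"), ("To", "tam@tosh.com"), ("Subject", "hello")],
        ["this is the message body, line 1", "line 2", ".a line that begins with a dot"],
    )
    client_sock.close()
    server.join()
    return capabilities, stored
```

Point the client at a real host instead of the socketpair and it will talk to any server that follows the same reply codes; the checks on each code are what stop a script from streaming a message at a server that has already refused the recipient.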
- How do I add Multiple IP numbers on a single machine?
Windows NT (Workstation 4):
You need to edit the properties of your TCP/IP protocol to add the new IP address to your network card (NIC). Go to the Network settings section of the Control Panel, select the Protocols tab, then select TCP/IP Protocol and click the Properties button. You will be presented with the Microsoft TCP/IP Properties dialog window. On the IP Address tab, click the Advanced button. Select the network card (NIC) to which you wish to add the IP address, then click the Add button and enter the new IP address and the netmask for your network (if you don't know your netmask, copy the one for the other IP address; a reasonable guess is 255.255.255.0).
Unix based platforms:
It is fairly easy to add multiple IP numbers to a single machine: up to 255 per interface is straightforward, and 1024 is usually possible with minor patches. The exact method varies from one form of Unix to another; see
http://www.nethelp.no/net/vif/readme.html
for more information.
As an example, on Linux you would do the following:
su - root
ifconfig eth0:2 999.59.4.31 up
to add a second IP number (999.59.4.31 is only a placeholder here, as no octet can exceed 255; use a real, unused address from your own network). The alias number :2 can be anything between :1 and :255.
- Can I specify a RANGE of IP addresses?
For most settings in dmail.conf that take an IP address, you can specify a comma-separated list of entries (no spaces after the commas, as a general rule) and you can also specify a range or wildcard.
We DO NOT guarantee that you can use all of them for every setting, but we do try to code with this flexibility. So if you are wondering whether a setting will take a range, for example, then try it out; don't just expect it to work :-)
NB: If a setting is a 'restrictive setting' then, to get through the restriction, a value must get through all the restrictions in the comma-separated list.
Here are some examples:
NB: Some of the examples in this FAQ were incorrect. Fixed 23 May 2000.
NOTES:
'!' indicates NOT
'*' is a wildcard (generally for use at the start or end of a string, but with IP addresses it can be useful in the middle)
'?' is a single character/digit wildcard
'x-y' is a range from x to y (including x and y)
NB: within one entry you can use '!', '*' and '?' OR a range, not both, so this is not allowed:
user_ip_address *,!1.1.1.0-255 (bad)
The examples use the setting user_ip_address, which restricts what IP addresses can connect to DPOP.
1. user_ip_address *,!161.29.5.24
allows all IP addresses to connect, except 161.29.5.24
2. user_ip_address *,161.29.3-5.24
allows only the following IP addresses to connect:
161.29.3.24
161.29.4.24
161.29.5.24
3. user_ip_address *,!161.29.5.*
allows all IP addresses to connect, except
161.29.5.0
...
161.29.5.255
4. user_ip_address 161.29.3-5.0-255
allows only the following IP addresses to connect:
161.29.3.0-255
161.29.4.0-255
161.29.5.0-255
5. user_ip_address *,!161.29.*.24
allows all IP addresses to connect, except
161.29.0.24
161.29.1.24
161.29.2.24
...
161.29.255.24
6. user_ip_address *,!161.29.20?.24
allows all IP addresses to connect, except
161.29.200.24
161.29.201.24
161.29.202.24
...
161.29.209.24
Note, with this last example, that the match is on the text of the address: if an IP address was presented as 161.29.009.24 then it would be allowed to connect. Restrictions on the connecting IP address are also only as strong as your network's protection against address spoofing, so treat them as one layer of defence rather than the only one.
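As an added example, and our reading of the rules above rather than DPOP's own parser, here is a Python matcher for these lists: every entry must pass ('restrictive setting' semantics), '!' negates an entry, '*' and '?' match digits textually, 'x-y' is a numeric range on one dotted component, and a range may not be mixed with '!', '*' or '?' in the same entry. It reproduces all six examples, including the 161.29.009.24 case. Because it is a model, confirm any case that surprises you against the real server before relying on it.

```python
import re


def _component_matches(pattern, octet):
    """One dotted component. 'x-y' is an inclusive numeric range; otherwise a textual
    match where '*' stands for any run of digits and '?' for exactly one digit."""
    rng = re.fullmatch(r"(\d+)-(\d+)", pattern)
    if rng:
        low, high = int(rng.group(1)), int(rng.group(2))
        return octet.isdigit() and low <= int(octet) <= high
    regex = re.escape(pattern).replace(r"\*", r"\d*").replace(r"\?", r"\d")
    return re.fullmatch(regex, octet) is not None


def _pattern_matches(pattern, address):
    parts, octets = pattern.split("."), address.split(".")
    if len(parts) < len(octets) and parts[-1] == "*":  # '*' or '161.29.*' covers the rest
        parts += ["*"] * (len(octets) - len(parts))
    return len(parts) == len(octets) and all(map(_component_matches, parts, octets))


def entry_allows(entry, address):
    """One comma-separated entry: '!' negates; a range may not be combined with '!', '*' or '?'."""
    negate = entry.startswith("!")
    pattern = entry[1:] if negate else entry
    if "-" in pattern and (negate or "*" in pattern or "?" in pattern):
        raise ValueError(f"{entry!r}: a range cannot be combined with '!', '*' or '?'")
    matched = _pattern_matches(pattern, address)
    return not matched if negate else matched


def ip_allowed(setting, address):
    """Restrictive-setting semantics as the FAQ describes them: the address must get
    through every entry in the list. Matching is textual, so '009' is not '9'."""
    return all(entry_allows(entry.strip(), address) for entry in setting.split(","))


def is_valid_setting(setting):
    """True if every entry parses under the rules above (handy for vetting dmail.conf lines)."""
    try:
        ip_allowed(setting, "0.0.0.0")
    except ValueError:
        return False
    return True
```

Running the six examples through ip_allowed is the quickest way to see why a list like *,161.29.3-5.24 is an allow-list of three addresses and not "everything plus three": the '*' entry passes everybody, but the second entry still has to pass as well.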
- I want to UPGRADE, ... ?
An upgrade is in general a quick and simple procedure. The same utility that you used to install DMail, dmsetup, has an upgrade option that does it all for you.
Note: we are always very careful when making changes to our programs that we do not 'break' them for existing setups. Having said that, it is an easy thing to do, so upgrading is not something we recommend doing whenever you feel like it: "don't fix what isn't broken", if you like. You should take particular care when upgrading from a version that is much older than the current beta version (e.g. 6-12 months).
Things to consider when upgrading the DMail server (or a part of it):
- See the updates page,
http://www.netwinsite.com/dmail/updates.htm
to see which version you wish to upgrade to. If you are not sure then contact DMail support to confirm the version you should upgrade to. This applies particularly to versions out of the beta directory of the FTP site,
ftp://ftp.netwinsite.com/pub/dmail/beta
Note: you can, if you wish, upgrade only one of the servers or utilities from the DMail distribution set; if you are after a particular feature in a recent beta release then this is often a good option.
- Download the distribution set from our ftp site,
ftp://ftp.netwinsite.com/pub/dmail
If you are ftping from a command line then log in as the user 'anonymous' and provide your email address as the password, then cd to pub/dmail.
- Save a copy of your configuration file, dmail.conf (typically \winnt\system32\dmail.conf or /etc/dmail.conf).
- You may want to revert to your current version, so just in case you should save a copy of each of the executables that your system uses. If you have your last distribution set then that should be enough. If not, then you should save each of the server directories, e.g. \dmail (typically contains DPOP and DSMTP), \dmail\dwatch, \dmail\dlist.
DMSetup will not touch any of your critical data.
For your information...
The critical data for your email server is almost all in the mail drop file and bin file directories (defaults are \dmail\in and /var/mail). The upgrade will not touch these directories, but of course if you wish to back them up then that is never a bad idea.
The other critical information to think about is:
a) mailing list information (lists.dat and users.dat for each list), stored in the DList directory, which should be fairly small to back up.
b) If you run external authentication then your user database may be in a directory which dmsetup works in. NWAuth stores the user database in the DMail directory in nwauth.txt and, on newer versions, in nwauth.add as well.
- Shut down the DMAdmin Windows GUI tool if you have it open (dmsetup can't upgrade dmadmin.exe if it is running).
- Unpack the distribution set and run the utility dmsetup.
- DMSetup should detect that you already have DMail installed and offer the upgrade option (2). DMSetup will stop each of the servers and then copy the new versions of the executables over the old ones. It will also upgrade your manual pages, *.htm in the DMail directory. Once it has finished upgrading it will ask you if you want it to start the servers again.
- You should now check that the new version is working. You should at least
a) send a message through the system and,
b) if you use DList, post a message to a mailing list.
If you suspect that something has not upgraded, then you should attempt to manually stop that server or program and then run dmsetup again.
If you have problems then please do contact DMail support.
- I want to MOVE DMail, ... ?
Moving DMail to another machine is a fairly easy procedure. Here is a suggested method to help you remember the most common things. Each setup will be different, so think about whether there are any other things that you need to copy over for your setup.
Note on License Keys:
Your DMail license key was created for your old machine's specific machine name, e.g. server1.your_domain.com (UNIX-like machines) or SERVER1 (Windows machines).
If the new machine has the same name as your old one then simply load your key into the new machine with the tellpop command,
tellpop key xxxx-xxxx-xxxx-xxxx-xxxx
at the point below where you have started DPOP.
If the new machine has a different name, then you need to email our Sales department,
sales@netwinsite.com
for a replacement key. You need to tell them the name of your new machine. They should email you your new key within 48 hours (usually only 24 hours).
If you don't yet have your new key, do not worry: when you start DSMTP it will create itself a temporary trial period key, so it should start and work straight away for you.
Suggested method for moving DMail...
- Install the same version of DMail on the new machine, but don't start the servers when the installation utility asks you if you want them started.
- Copy across to the new machine your dmail.conf file, typically /etc/dmail.conf or \winnt\system32\dmail.conf.
- Copy over any other files included into dmail.conf or referenced in it, e.g. alias files.
- Edit your host_domain settings in dmail.conf (and your dpop_host setting) so that your new machine name is included at the end of the list of host_domains (also known as synonyms).
- Now, if it won't impact on your old server, start the new server up and try sending a few test messages through it.
Once you are ready to switch completely to the new machine...
- Stop all servers on both machines.
- Copy over the mail drop files, e.g. /var/spool/mail or \dmail\in.
NB: if your bin_files and _inf files are in other locations, don't forget to copy those as well.
- Copy over the work_path directory, e.g. /usr/local/dmail/work or \dmail\work.
- Check dmail.conf on the new machine to see that all directory paths exist and that you have copied over any necessary things.
- Start up the new server and monitor it for the next few hours.
The drop files and dmail.conf hold your users' mail and your server's passwords, so copy them over an encrypted channel such as ssh and check that ownership and permissions survived the copy.
If you have problems then please do contact DMail support.
- I want to park mail for a domain (but mail is rejected as no relaying)
The setting that you need is
relay_to etrn_domain
so that DSMTP will always accept mail destined for the domain etrn_domain. DSMTP will then accept the mail and park it when it cannot connect to that domain's server. It will try to send it every 2 hours and bounce it after max_retrytime hours (default is 2 days).
When the connecting email server sends the ETRN command, DSMTP will try to send all mail addressed to that domain in its queue.
Since relay_to makes DSMTP accept mail for that domain from anyone, list only the domains you have actually agreed to park for.
The other setting that you can use, to bypass the DNS record if you have problems, is
gateway etrn_domain ipaddress
so that DSMTP uses the IP address given rather than doing a DNS lookup on etrn_domain.
In versions 2.8e and above we added a new setting to DSMTP that can also help with this. It is suspend_domain, e.g.
suspend_domain fred.com
This setting stops DSMTP from processing any queue files destined for this domain unless specifically requested by an ETRN command. So it is a good setting to use if someone will not be collecting their mail for a period of time longer than max_retrytime. NB: it can also be a bit dangerous to use, for that same reason: mail for the domain sits in the queue indefinitely and is never bounced, so nobody is told if it is never collected.
In 2.8e we also added the setting etrn_relay, which allows all servers in a server farm or load-sharing arrangement to receive an ETRN command sent to just one server.
- Can I run DSMTP (and DPOP) on another port?
Yes, the setting that you want is
smtp_port 1025
then restart DSMTP (with DMAdmin or, on UNIX platforms, with
tellsmtp shutdown
/usr/local/dmail/dm_start.sh
).
Similarly for DPOP,
pop_port 1110
(/usr/local/dmail/dpop_start.sh to start DPOP on UNIX).
NB: if you are using DMAdmin then you will have to select a new host to monitor, with the following syntax as the IP address,
127.0.0.1:1025:1110:
so that it looks for the servers on the correct ports. (You may need to set the password for this to work, with
tellpop pass xxxx
where xxxx is the password.)
- Can I delete queue files from the queue?
Yes, you can delete or move them, with the result that that message is not delivered; however there is a big BUT...
Currently, if you move queue files out of the work directory (work_path), you cannot easily put them back. You can copy a queue file back into the work_path directory and DSMTP will pick it up the next time it reaches that queue file number. But DSMTP may have created another queue file of that same number, so if you overwrite it then that message will be lost.
Also note that some queue files will be in use by DSMTP and so locked. The tellsmtp status command gives you information on what queue files are in use.
More information: see the section on Queue Files in the Disk Use and Files section.
- What things can I do to secure my mail system against hackers?
Here is a list of things that we can think of. If anyone has suggestions, or gets hit by a hacker, please let us know so that we can add to this list.
- In general, use ssh when sending the root password across the internet.
- Use fake_vrfy, so that DSMTP responds falsely to checks on usernames on your system.
- Use smtp_welcome (version 2.8a and above only) to hide what SMTP server you are using, and what version it is.
- Set manger_ip_address to limit manager commands to coming from as small a number of IP addresses as possible.
- Use the tellpop password command to set your manager password to something secure.
- Use shadow password files, which DMail supports when authent_method is set to unix_user (Linux users use the libc6 download).
- Check what UID your 'robots' run as; see Robots running as root - Security Note.
- If a hacker is trying to guess passwords you will see a lot of the following messages in dpop.log on the info log_level:
Info: Rejected bob, authent said bob password wrong or not a valid user
So you can search for the keyword 'Rejected' in dpop.log.
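The search for 'Rejected' done per user, as an added example that is not part of this FAQ: a Python script run over a constructed dpop.log excerpt. Only the "Info: Rejected <user>, authent said ..." wording is taken from the FAQ; the filler line, the thresholds and the absence of timestamps are assumptions. It separates the two patterns you want to notice, one account failing many times (password guessing) and many accounts each failing once (username enumeration or password spraying, which a per-user count alone would miss).

```python
import re
from collections import Counter

REJECTED = re.compile(r"Info: Rejected ([^,\s]+), authent said")


def _reject_line(user):
    return f"Info: Rejected {user}, authent said {user} password wrong or not a valid user"


# Constructed dpop.log excerpt: the "Info: Rejected ..." wording is the one the FAQ quotes;
# the other line is invented filler. A real log line may also carry a timestamp prefix.
SAMPLE_LOG = "\n".join(
    [_reject_line("bob")] * 6                                           # one account hammered
    + ["Info: Connection accepted (constructed filler line)", _reject_line("alice")]
    + [_reject_line(f"user{n:02d}") for n in range(1, 11)]              # many accounts, once each
)


def rejected_counts(log_text):
    """Count rejected logins per username: the FAQ's 'search for Rejected', done per user."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REJECTED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def assess(log_text, per_user_threshold=5, spray_threshold=10):
    """Two things worth an alert: many failures against one account (password guessing),
    and single failures spread over many accounts (enumeration or spraying).
    The thresholds are illustrative; tune them to your own user base and log volume."""
    counts = rejected_counts(log_text)
    brute_forced = sorted(user for user, n in counts.items() if n >= per_user_threshold)
    singles = sum(1 for n in counts.values() if n == 1)
    return {
        "total_rejected": sum(counts.values()),
        "distinct_users": len(counts),
        "brute_forced": brute_forced,
        "spray_suspected": singles >= spray_threshold,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

Run it over a day's dpop.log at a time; a steady trickle of single rejections against usernames that do not exist on your system is the enumeration pattern fake_vrfy is meant to blunt on the SMTP side.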
- Does CWMail and DMail server support multi-threading?
Yes and no. I will explain.
First DMail:
DMail is made up of an SMTP and a POP server, DSMTP and DPOP. Both of these servers are mostly just a single process and thread, so they would only run on one processor at one time. They have been written to be extremely efficient, and we believe that these servers are more efficient because of their single process architecture.
However there are two 'bottlenecks' for single process mail servers. To overcome these, both servers can spawn subprocesses. Both DSMTP and DPOP spawn subprocesses for doing the user authentication, and DPOP also spawns a subprocess to 'burst' drop files if a user's drop file is bigger than a certain size. So these subprocesses can run on different processors from the main server processes.
So yes, DMail can take some advantage of a multiprocessor system, but it is not written as a threaded process.
NB: it is worth noting that the biggest 'bottleneck' for an email server is disk access time. Hence we recommend spending more money on fast disks rather than on a multiprocessor environment.
RE: CWMail
CWMail is a CGI; as such, CWMail runs as a single process spawned by the web server on practically every click on the web pages that it displays. So it depends on your choice of web server as to how worthwhile it is to run on a multiprocessor environment, but in general, because each instance of the CGI running is a separate process in the OS environment, there should be no problem.
- Is there a limit to the length of a username?
Yes, there is. DPOP limits you to 78 characters in the username (this includes the domain name if you have set authent_domain true). So if your domain name was 10 characters in length, then you are limited to usernames of maximum length 78-1-10 = 67 characters for local usernames (the 1 being the separator between user and domain).
DSMTP does allow longer usernames because it needs to be able to relay messages to people with longer usernames.
NB: if you are using external authentication then the response that the module returns is not allowed to be longer than 1 kbyte in total. So you will have to limit your length of username to something sensible, so that there is room to return long fwd="" fields for mail redirection. So if you impose your own limit of, say, 40 characters, you should not have any problems.
- Running DMail on your ISP's Server
We are often asked if it is possible to run DMail on an ISP's server. Basically the answer for DMail is no. The DMail server needs to be run with root privilege, and in most cases a box can only run one mail server.
You can run DMail on your ISP's machines if they are not already running a mail server on that box, or if they provide you with a box at their site for which you have root access.
It may be an option for you to run a 'downstream' server on a local box of yours and have your ISP relay mail for your domain to you. DMail can send the ESMTP ETRN command to collect mail for such a domain.
You may also be able to get your ISP to forward all your mail to just one POP mail account. Then the use of DMail's POPFetch is an option.
Separate to the question of DMail is whether you can use one of our web-based email CGIs, such as CWMail, on your ISP's 'virtual web server'. Please see the following FAQ for information on this,
https://netwinsite.com/dmailweb/faqs.htm#Q18.
- Robots running as root - Security Note
Q:> We have customers who would like to forward e-mail into external programs.
> However, we have had to disallow this because we noted
> that DMail was running these external programs as root.
> How can we tell DMail not to run external programs as a privileged user
> and will this break auto-responders and mailing lists?
A: If DSMTP can work out a user's uid (e.g. from the /etc/passwd file or from the authentication module response) then it will run the 'robot' as that user's uid.
In the case of the question I think that our NWAuth authentication module is being used. It responds with lines like
+OK username config 0
where the 0 on the end is the user's id. It returns 0, i.e. root, for ALL users.
Also, up until version 2.8l, if DSMTP could not work out a user's uid then it would run the robot as the same user as itself, i.e. root!
This means that it is important to restrict the use of robots; e.g. NetAuth only allows users to set the text of the autoresponder robot.
On Windows machines it is not as common to allow users to create robots, but if it is allowed then the same issues need to be considered.
Here are some options...
1. Modify your authentication module to return a user id, e.g. that of the 'mail' user.
2. We are adding the setting
robot_defaultuser <userid> <password - NT only>
which defaults to root if not defined. If set, then DSMTP overrides anything returned by the authent module so that all robots are run as the specified uid. If set to -1 then no robots are run. This should be available in 2.8l, to be built 8 Jun 2000. It will apply to UNIX based and Windows platforms. The DMSetup utility will add it by default on fresh installation in 2.8l onwards and prompt users to add it on upgrade.
You should specify a user with this setting that does not have any more privilege than it needs. On UNIX platforms DMSetup will default this setting to the 'mail' uid, and you will probably want to create a special robot user with far less privilege. On Windows platforms DMSetup will set the setting to 'ROBOT_USR robot_usr' by default (i.e. username and password the same) and the sysadmin will need to create this account, probably in the Guest group. Change that default password when you create the account: it is published here, so anyone who reads this FAQ knows it.
3. Currently we have the domain_chroot setting, e.g.
domain_chroot domainone.com /usr/local/robots
which makes all robots on the specified domain run with a root directory of /usr/local/robots. I don't think that the robot can access outside of that with root access, but there may be clever trickery that hackers know.
4. You control what programs the users run via a web GUI. E.g. drespond is an example of this. NetAuth controls who can run drespond and what options it is given.
RE: mailing lists and autoresponder
Mailing lists are not affected, as DList handles these and is a separate process.
The drespond robot is affected, but with all of the options above there is no reason why it cannot keep working. You may simply have to make copies of the executable in the domain_chroot directory etc.
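The uid decision described in the answer above, as an added example that models the FAQ's description and is not DSMTP's own code: a Python function that parses an NWAuth-style reply, applies robot_defaultuser (with -1 meaning no robots) and falls back to root when no uid can be found, plus an audit that flags any outcome of uid 0. The reply shape "+OK <username> <info> <uid>" is taken from the single line quoted above; the order in which /etc/passwd and the authent reply are consulted is an assumption.

```python
ROOT_UID = 0


def parse_authent_reply(line):
    """NWAuth-style reply '+OK <username> <info> <uid>' -> (username, uid), or None for a
    non-success reply. Shape assumed from the FAQ's '+OK username config 0'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "+OK" or not parts[-1].lstrip("-").isdigit():
        return None
    return parts[1], int(parts[-1])


def choose_robot_uid(authent_reply, robot_defaultuser=None, passwd_uid=None):
    """Which uid a forward-to-program robot runs as, modelled on the FAQ's description:
    robot_defaultuser wins over everything (-1 means run no robots, returned as None);
    otherwise the uid from /etc/passwd, then the uid from the authent module's reply;
    with neither available, the robot runs as the server itself, i.e. root."""
    if robot_defaultuser is not None:
        return None if robot_defaultuser == -1 else robot_defaultuser
    if passwd_uid is not None:
        return passwd_uid
    parsed = parse_authent_reply(authent_reply) if authent_reply else None
    if parsed:
        return parsed[1]
    return ROOT_UID  # no uid found: same user as DSMTP, which is root


def audit(authent_reply, robot_defaultuser=None, passwd_uid=None):
    """Return (uid, verdict). Any path that ends at uid 0 is the problem the question describes,
    whether it came from NWAuth's '0' or from the fallback."""
    uid = choose_robot_uid(authent_reply, robot_defaultuser, passwd_uid)
    if uid is None:
        return uid, "robots disabled"
    if uid == ROOT_UID:
        return uid, "UNSAFE: robot would run as root"
    return uid, "ok"
```

The two cases worth checking on a live system are the ones the audit flags: an authent module that answers 0 for everyone, and a configuration with no robot_defaultuser where a lookup can fail. Both end at root without any user doing anything unusual.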
- Can I use DMail for a Remote or Dial Up Mail Server?
Yes, DSMTP can be a remote or dial-up mail server.
Options:
- DSMTP sending the ETRN command to an upstream mail server (possibly over a RAS dial-up):
Setting the ras_timer makes DSMTP send the command, ETRN domainx.com, to the upstream server at the specified interval. DSMTP will send ETRN commands for all of your 'local' domains (as set by your host_domain or vdomain settings). The upstream server will then send all mail for those domains as soon as it can. Since your server is online, it should be able to send the mail through to your local DMail server.
This is probably the option to choose if you are retrieving mail for an entire domain or a number of domains.
See the links in the ETRN section for more information.
- Running POPFetch alongside the local DSMTP for retrieving mail:
POPFetch runs on the local mail server machine. It will periodically dial up your upstream server and collect all mail waiting in specified POP accounts. It will then process those messages and separate them out for individual users on your domain. It will feed the messages to the local DSMTP server so that it can deliver them locally.
Often you can get whoever is running your upstream server to collate all mail for you into one POP mailbox for POPFetch to retrieve; e.g. in DSMTP this is easily done with the dmail.conf setting
forward *@yourdomain bob@domainx.com
Follow this link for more information on POPFetch.
Note on dynamic IP addresses:
If the machine where you want to run the mail server does not have a static IP address then you are probably limited to using POPFetch. Some ISPs can support receiving an ETRN command for your domain when you are on a dynamic IP address. It is not typical that they can, as it requires specific dynamic DNS support, so you cannot infer that they are a sub-standard ISP for not offering it :-)
Note on bounces:
Using ETRN is a better option than POPFetch if it is important that people sending mail to your local accounts receive 'bounce messages'. Most mail servers will try to deliver mail every few hours for a specified period if they cannot reach the final destination (your server) on the first go. At the end of that period, typically 1-2 days, they will 'bounce' the message back to the sender. With POPFetch (and some ETRN setups) the upstream mail server will consider the mail delivered once it receives it (because it wrote the mail to a POP account). So if your server does not collect the mail for a long time (and nobody notices) then the sender would not be notified. ETRN can suffer from the same problem, so you should check with the upstream provider if it is a worry to you.
- Can I use DMail from behind a firewall or proxy server?
In most circumstances yes, but there are some circumstances where you may need to rely on an 'outside world' SMTP server.
NB: we are using the term 'firewall' loosely. We will mostly talk as if you are running a proxy server on your firewall box, rather than a router.
There are two main things that you need to provide:
1. DSMTP needs some way to connect to a DNS server to resolve domain names to IP addresses.
2. DSMTP needs some way to connect directly to outside world SMTP servers for non-local mail delivery.
Here are some options (option 4 will soon be our recommended solution).
- Run DMail on the firewall box itself (so not really behind the proxy at all)
For some firewalls you won't be compromising security greatly by running the mail server on the firewall box so that mail bypasses the proxy. In most cases, if doing this, you would store all mail on the firewall box until it was collected by the local email clients. You could store the mail on a network drive if you had a file server, for example, but in most cases you would probably not do this, because setting up the network drive connection would lessen the security of the firewall box.
- Relay via a DSMTP server on your firewall box (bypass the proxy server)
The idea here is that two DSMTP servers, one on the firewall box (let's call it A) and one behind the firewall (B), pass on to each other the messages that each cannot deal with. In this way the DSMTP server on the firewall allows mail to bypass the proxy server, but no mail is stored on the firewall box.
Outgoing mail is 'gatewayed' from B to the firewall DSMTP server A, which has access to the non-local SMTP servers and the DNS server(s) for non-local mail delivery. So A 'relays' mail for B.
Incoming mail arrives at DSMTP server A, which 'gateways' all local mail to DSMTP server B.
To do this you need to:
- Tell server B to gateway ALL outgoing mail to server A
- Tell the firewall server A to accept outgoing mail for 'relay' from server B
- Tell the firewall server A to accept incoming mail addressed to local domains on B
- Tell the firewall server A to gateway incoming mail addressed to 'local domains' on to B
So if a.a.a.a is the IP address of server A and b.b.b.b is the IP address of server B...
On server B add to dmail.conf:
gateway * a.a.a.a
On server A add to dmail.conf:
forward_from_ip b.b.b.b
relay_to domain1.com
relay_to domain2.com
gateway domain1.com b.b.b.b
gateway domain2.com b.b.b.b
(keep adding relay_to and gateway settings for all local domains)
Note that forward_from_ip b.b.b.b makes A relay whatever B hands it, so B's own relaying must stay restricted to your users or A becomes an open relay by way of B.
See also, Routing.
- Gateway all outgoing mail to an outside world SMTP server (via the proxy server)
You can avoid most problems by 'gatewaying' all outgoing mail to an SMTP server in the outside world that provides you with 'relay' access. This is similar to the option above in that outgoing mail is relayed via an SMTP server with 'outside world access', but with this option mail goes through the proxy server, and incoming mail comes direct to your proxy server.
To do this you add a setting to dmail.conf like
gateway * x.x.x.x
where x.x.x.x is the IP address of your firewall server.
The possible problem with this is that you need to set up the proxy so that
A. anything connecting to port 25 from the DMail server address is mapped to port 25 at your ISP's SMTP server IP address, and
B. anything connecting to port 25 from other addresses (e.g. outside world ones) is mapped to port 25 on your DMail server's IP address.
Some proxy servers are not capable of this type of setup on the single port (25), and some will do it 'automatically' with an 'SMTP proxy' feature. If you are using a router then it will probably have no problems with this.
If your proxy cannot do that sort of setup, then note that in version 2.8n we altered the gateway setting so that you can specify the port on the proxy,
gateway * x.x.x.x:1025
This allows you to set up two port mappings on the proxy:
1025 -> ISP_IP_Address:25 (for outgoing mail)
25 -> DMail_IP_Address:25 (for incoming mail)
You also must get whoever is running the outside world server to accept mail from your server for relaying. ISPs by default will stop you from relaying through their box unless you have their permission (it is to stop them being abused by spammers). They will probably do this based on the IP address of your proxy server, as that is the address that mail from your DSMTP server will appear to them to have originated from. If they are running DSMTP then they would add the forward_from_ip setting for your IP address.
- Proxy DNS access AND use a telnet proxy to reach non-local SMTP servers
Some people have their own DNS server behind or on the firewall, but most people don't, so you have to:
Set up a proxy server to relay all DNS lookups:
Doing this varies between proxy servers. It is important to note that DNS lookups can be done on a TCP/IP port and/or a UDP port. So you need to set up your proxy server to at least relay TCP/IP connections on port 53 to port 53 on the DNS server. On most proxy servers you can set up a TCP/IP 'port mapping' or 'link' to do this.
You also need to tell DSMTP which DNS server to use by adding the dmail.conf setting
dns_host y.y.y.y
where y.y.y.y is the IP address of the DNS server to use. You must restart DSMTP after changing or adding this setting.
Using a telnet proxy to reach non-local SMTP servers:
You cannot simply add a 'port mapping' for port 25 on most proxy servers and expect them to 'proxy' all incoming and outgoing connections on port 25 to/from the DSMTP server. When the DSMTP server tries to reach a non-local server it is trying to connect to that server directly on port 25. Even if we added a setting to DSMTP to make it connect to your proxy server, there is no way for the proxy server to map an incoming connection on port 25 to the required server, which could be anywhere in the world!
So we have recently added a new setting to DSMTP (in version 2.8n) which makes it open all non-local connections via your proxy server's telnet port. Because there is no fixed syntax for proxy telnet ports, the new setting allows you to specify the connection string to be given to the telnet server, e.g.
destination_ip:25
The setting is
proxy_domain <wildcard_domain_name> ip[:<port>] <proxy_request_string [optional macro $IP]>
where $IP is the resolved IP address of the destination domain. E.g.
proxy_domain * 1.2.3.4:23 $IP:25
where 1.2.3.4 is the IP address of your proxy server. This example results in all outgoing mail being sent to the telnet proxy at 1.2.3.4, where the proxy server takes a request string of the form x.x.x.x:25; DSMTP replaces x.x.x.x with the DNS-resolved IP address of the destination domain.