Guide for setting up SMTPS or similar?

16 posts / 0 new
Last post
#1 Sun, 02/26/2006 - 12:03
RichardFennell

Guide for setting up SMTPS or similar?

Hi guys Just wondered if there was a guide for setting up smtps (Secure mail relaying). Basically i would like users to be able to send there emails via there account on the Virtualmin server but obviously dont want to open up an open relay for all spammers to have a field day with.

Has anyone got it working? Is it hard to setup?

Thanks

Richy

Mon, 02/27/2006 - 01:26
Joe
Joe's picture

Hi Richy,

There's actually two parts to your question. SMTPS is not the same as authenticated mail relaying--though they can both be used together.

Authenticated mail relaying (using SASL authentication) is configured by default on new installs of Virtualmin Professional as of a week or two ago, and for folks who installed before that, you can follow the steps found in this bug (I should make this a FAQ or something):

http://www.virtualmin.com/bug-tracker/bug?f%5faction%5f20=454&format...

The other part, SMTPS is merely SSL/TLS encrypted SMTP service. This one is tricky in a virtual hosting environment, because users expect to contact the mail server at mail.domain.tld. This will trigger a certificate warning on the client-side. The solution, of course, is to have a mail.hostingco.tld domain and certificate, and have your users contact only that.

Enabling this (after the above SASL authentication is working) is easy. Just uncomment the smtps line in /etc/postfix/master.cf, and configure the following options in /etc/postfix/main.cf (with appropriate changes for your system):

smtpd_tls_cert_file = /etc/postfix/www.virtualmin.com.pem
smtpd_use_tls = yes

So, to answer your questions:

Has anyone got it working? Yep.

Is it hard to setup? Nope. But there are useability issues with SMTPS that are not easy to address. As with SSL websites, you cannot server a different certificate based on the name of the mail server...but worse, mail servers don't support "virtual hosting" at this level, and so you can only have one certificate for SMTPS per running server. Running a separate Postfix instance for every domain with a separate certificate is not a reasonable option in the vast majority of cases. So, you gotta re-train your users to contact your mail server address and not "mail.domain.tld".

--

Check out the forum guidelines!

Tue, 04/24/2007 - 03:13 (Reply to #2)
JohnWolgamot

Hi,

I followed the instructions here and got SMTPS working.

And it seems to be working wonderfully.

I have a question though and I hope this thread is ok to use. If not I'll except a psychic spanking you can send me on my way (-:

Users can now send email though my SMTP server but spammers cannot because you have to authenticate in order to send and the authentication is encrypted so the users passwords cant get intercepted.

This is kind of a private server for my online store customers and a few friends so I don't have to worry to much about getting hacked from within. I worry more about encrypted passwords so they cant get sniffed.

I did a self signed cert for mail.peerlesswebhosting.com and had everyone install it so they would not get the security popup in outlook or other mail clients and told them if they ever get the popup again to let me know right away.

I had everyone set their IMAP or POP and SMTP to the mail.peerlesswebhosting.com

Everything seems great but...

There is one user who gets a lot of mail returned because I'm guessing some of her recipients servers don't allow mail from her soandso@theraggedfence.com if the mail server doesn't say mail.theraggedfence.com.

It appears they get rejected by the recipients server spam software because the mail is coming from her though my hosting domain ?.

Here is what she gets back.

Reporting-MTA: dns; peerlesswebhosting.com
X-Postfix-Queue-ID: 0997B16E2011
X-Postfix-Sender: rfc822; soandso@TheRaggedFence.com
Arrival-Date: Wed, 18 Apr 2007 15:36:35 -0700 (PDT)

Final-Recipient: rfc822; recipient@tampabay.rr.com
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; connect to hrndva-01.mgw.rr.com[[24.28.204.23]]:
server refused to talk to me: 554-hrndva-mx-04.mgw.rr.com 554 #5.5.4
Relaying denied. IP name lookup failed for 64.79.199.144

Am I reading this right that the mail was refused because the ip 64.79.199.144 does not match theraggedfence.com?

Not sure how this can be because her last outgoing server was her cable company mail.insightbb.com

Could it be something in my DNS is misconfigured? It's pretty much a stock VirtualminPro setup. I'm kind of stumped as to where to look next.

Can anyone point me in the right direction?

Thanks

John Wolgamot

Tue, 04/24/2007 - 03:37 (Reply to #3)
Joe
Joe's picture

Hey John,

No, you're reading that error wrong (you're not alone...I answer this question a lot...as long as you promise to believe me when I tell you the answer, there will be no spanking). ;-)

It is not because the IP doesn't match anything in particular. It's because it doesn't match <i>anything</i>:

[[joe@delilah ~]]$ host 64.79.199.144
;; connection timed out; no servers could be reached

The IP of a mail server must reverse resolve, or a large number of mail servers will reject your mail. It's a very spammy characteristic. Note that it does not have to reverse resolve to the domain from which the mail claims to come (otherwise nearly all mail servers worldwide would cease to function)...it just has to reverse resolve.

So, talk to whoever provides that IP to you (your hosting provider or ISP, probably), and get them to do one of two things: Provide reverse resolution for the IP, or delegate that IP to you.

As far as identity goes, there is SPF, which provides some of what you're thinking reverse resolution does (i.e. allows recipient mail servers to determine if a message for a domain is really supposed to originate from your server). This requires adding records to the name server that is authoritative for the domain in question. Virtualmin sets this up for you automatically (if you installed a while back, you may need to turn it on in Server Templates), but for any domains not under Virtualmin's control, it'll have to be done manually. But this is a wholly separate problem from reverse resolution, which is really simple.

--

Check out the forum guidelines!

Tue, 04/24/2007 - 04:31 (Reply to #4)
JohnWolgamot

Thanks Joe for such a fast response,

SPF record enabled?

Should I set SPF record enabled? to yes on ONLY peerlesswebhosting.com

And once it's set to yes should I then list all the domains under:
Allowed sender mail domains

or set SPF to yes for each of the domains on my server and list peerlesswebhosting.com under each virtual server?

I'm trying to have all domains send through peerlesswebhositing.com because that is where the cert is.

And I see I can list the ip's under Allowed sender IP addresses.

Should I list the IP's too?

Also I tried to setup my seondary VirtualminPro test server as a slave following The Virtualmin DNS Slaves Guide but I failed on my first attempt.

By not having the slave would that lead to this issue as well?

I know we all hate spammers but but is it just me or does it seems like overkill to outright reject email.

I just have it mark it as spam and filter it into the junk mail folder so an accidental *****SPAM***** can be retrieved and told never to be spam again.

John Wolgamot

Tue, 04/24/2007 - 04:52 (Reply to #5)
Joe
Joe's picture

<i>I'm trying to have all domains send through peerlesswebhositing.com because that is where the cert is.</i>

You've still got some wrongthink about how SPF works (and you're not alone...it's never explained very well...it took me a good while of coming back to it every few days to grasp just what the heck they were trying to say in the specification).

You cert doesn't matter in this stage of the transfer--nobody uses SMTPS for MTA-to-MTA transmission (no passwords are used), and even if they did, that's not what SPF is saying.

SPF is set per-domain, and it says &quot;This is a server that I allow to send mail on my behalf.&quot; The &quot;server&quot; in this message is an IP address. No hostnames involved, and your clients (mail clients, I mean, like Thunderbird, Usermin and Squirrelmail) don't know or care anything about it.

So, for example, the SPF record on Virtualmin.com is:

virtualmin.com. IN TXT &quot;v=spf1 a mx a:virtualmin.com ip4:70.86.4.226 ?all&quot;

The domain is irrelevant from the angle you're trying to come at it from. SPF is looked up by domain, and returns an IP (and some other crap).

In short, you don't need to include any extraneous domains in each SPF record (peerlesswebhosting.com is extraneous in this case), but you need one for every domain that you want your server to send mail for.

Not having a slave would not lead to the original issue reported. If you've already been delegated authority for your IP, you'll need to setup a reverse zone for it. Webmin can help there...it's not a virtual hosting issue, so Virtualmin doesn't try to address the issue.

Just to be clear: We're talking about two issues. Not having reverse resolution is a bounceable offense on many mail servers. Not having correct SPF records is bounceable on some mail servers (particularly Yahoo Mail).

So, the most pressing issue is getting reverse resolution working. Your IP doesn't appear to be delegated to your nameserver, so your ISP/host will have to provide reverse resolution for you (or delegate it). The name it reverse resolves to DOES NOT MATTER. This is another point that folks want to come at from the wrong angle. As long as reverse resolution works and the name that it returns also resolves back to the IP, you will be fine (unless you force your MTA to claim it isn't that name).

Our mail server is &quot;e2.4.5646.static.theplanet.com.&quot; Because our hosting provider does the reverse resolution for us. Doesn't matter that it isn't &quot;virtualmin.com&quot; or &quot;mail.virtualmin.com&quot;. It resolves when you lookup the name of 70.86.4.226, and when you lookup the hostname and resolves back to that IP. This makes everybody happy. It means I'm not lying about my hostname when I connect somewhere--it provides some level of assurance that I'm not pretending to be someone I'm not. Note that none of these things has any relation at all to the domains on the mail I'm sending. That's at a whole other layer of processing, and will never cause a bounce at this layer (SPF does care what domain is on the mail, but only from the perspective of asking the DNS server that is authoritative for that domain, &quot;Hey, what mail servers do you allow to send mail on your behalf?&quot; Again it doesn't care what those mail servers are named...just so long as they are allowed to send mail for the domain in question, according to the DNS server authoritative for that domain).

In no case does the name of the server matter, as long as resolution works both ways.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:02 (Reply to #6)
JohnWolgamot

How do you have time to get all your work done and still find additional time to help head people like me down the path to enlightenment.

I think I'm now armed with the info I need to resolve this issue.

Thanks so much Joe for all the assistance.

John Wolgamot

Sun, 06/07/2009 - 07:02 (Reply to #7)
JohnWolgamot

How do you have time to get all your work done and still find additional time to help head people like me down the path to enlightenment.

I think I'm now armed with the info I need to resolve this issue.

Thanks so much Joe for all the assistance.

John Wolgamot

Sat, 03/04/2006 - 06:45
RichardFennell

Super, i am however stuck half way through, at this stage.

&quot;
Browse to Servers:Postfix:SMTP Options
Edit the field labeled &quot;Restrictions on recipient addresses&quot;

Somewhere in the list of options (depending on what other stuff you're using, but before reject_unauth_destination and after permit_mynetwork) insert &quot;permit_sasl_authenticated&quot;.

Save it.&quot;

I dont have &quot;SMTP Options&quot; but i do have a SMTP Server Options which im sure you mean. However in my &quot;Restrictions on recipient addresses&quot; field i dont have any settings already in there which does worry me slightly. Although it should be ok on default settings if im reading the help text correctly.

Can anyone confirm this?

Cheers

Richy

Sat, 03/04/2006 - 11:42
Joe
Joe's picture

Hey Richy,

Since you're setting a value for the first time (replacing the default) you'll need to add those two bits yourself. Here's what it ought to look like:

permit_mynetworks permit_sasl_authenticated reject_unauth_destination

The normal default is &quot;permit_mynetworks reject_unauth_destination&quot;, and we're sticking the SASL check in the middle. Just listing the SASL option will lead to an open relay, I suspect, which we want to avoid. I should have made that more clear, but I wrote the bug for my own notes...thought I would have it in the installer sooner so fewer people would run into it. The good news (for others, not for you poor folks who've already installed) is that it is setup automagically in the current installer.

--

Check out the forum guidelines!

Sat, 03/04/2006 - 15:36
RichardFennell

250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5 GSSAPI
250-AUTH=CRAM-MD5 PLAIN LOGIN DIGEST-MD5 GSSAPI
250 8BITMIME

Thats my output, Which i think is groovier than a Burt Bacharac revival.

Thanks for your help with this Joe, Your a star.
:D

Richy

Sat, 03/04/2006 - 16:55
RichardFennell

It seems i still cant send users (on the same system) emails

I think this time the problem is procmail. Having not used a system with procmail on before i have no idea what the problem is. Ive searched the forums but to no avail.
Have i cocked something up?

&quot;Command died with status 127:
&quot;/usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME&quot;. Command output: sh:
/usr/bin/procmail-wrapper: No such file or directory&quot;

Obviously there isnt a procmail-wrapper there, I have found one here &quot;/usr/libexec/webmin/virtual-server/procmail-wrapper&quot;

Do i need to copy it?

Cheers

Richy

Sat, 03/04/2006 - 18:59 (Reply to #12)
Joe
Joe's picture

That's interesting that it wound up in &quot;/usr/libexec/webmin/virtual-server/procmail-wrapper&quot;. What version of virtualmin-base do you have? That's the package that installs that file, and in the version I'm looking at it puts it in /usr/bin. But it might have dropped it somewhere else in earlier versions.

It's not harmful to copy the file, as it doesn't rely on path for anything (except for how it is called).

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:02
Joe
Joe's picture

<i>How do you have time to get all your work done and still find additional time to help head people like me down the path to enlightenment.</i>

I don't sleep. It's 3:47AM. We've got a rather important meeting tomorrow...so I'm in the midst of trying to fix a few quirky bits in our new UI, as well as repair some issues with IE in the old one. Oh, I'm also trying to get the new website finished, so it can launch soon--this one is so ugly and disorganized that I'm quite certain it's not good for business (nor will it make a good impression on the kind of moneyed folks we're meeting with over the next couple of weeks). I can't seem to get anything finished. ;-)

--

Check out the forum guidelines!

Mon, 05/14/2007 - 00:50
himagain

In this interchange Joe said replying to:

How do you have time to get all your work done and still find additional time to help head people like me down the path to enlightenment.

I don't sleep. It's 3:47AM. We've got a rather important meeting tomorrow...so I'm in the midst of trying to fix a few quirky bits in our new UI, as well as repair some issues with IE in the old one. Oh, I'm also trying to get the new website finished, so it can launch soon--this one is so ugly and disorganized that I'm quite certain it's not good for business (nor will it make a good impression on the kind of moneyed folks we're meeting with over the next couple of weeks). I can't seem to get anything finished. ;-)

Posted by Joe Cooper
--------------------------------------------------------
Ha! I wondered what sort of trick you were using! I thought it was probably several backups using the name Joe Cooper .....
but it's simple: you just don't sleep!!!!
(an interesting phenomenon that I as a psychologist/aetiologist have only noticed after becoming involved in this strange world of Server internetting...)
some chemical reaction is triggered in the brain of certain sub-species homo sapiens ludens, similar to cortisol and it becomes addictive. Probably incurable till after marriage...

Sat, 05/26/2007 - 23:26
SteveAcup

Joe,
You rock... great thread. It solved my current question in the freebsd thread. I now have mail working with all combinations of pop3 pop3s smtp smtps and sasl-auth. It is a pleasure dealing with someone who provides good support. Glad I bought a license.

Steve

Topic locked