Mailing List Archive

SMTP and QMQP
I've run into what I hope is a temporary situation in which an internal
mail server is being placed behind a firewall blocking SMTP traffic. In
this application almost all mail is internal SMTP, with less
than 1% going out of the network, so mini-qmail is not a good option.

Since most of the outgoing mail is people sending copies to their
hotmail or gmail or yahoo personal mail accounts I've dealt with it by
faking MX records pointing to our QMQT servers. But it really should be
the other way around: SMTP for our three internal domains and QMQP for
anything else. Is there a simple way of doing this that I'm
overlooking?
Re: SMTP and QMQP
Thus said Emilio Perea on Mon, 26 Aug 2013 22:32:27 -0700:

> Since most of the outgoing mail is people sending copies to their
> hotmail or gmail or yahoo personal mail accounts I've dealt with it
> by faking MX records pointing to our QMQT servers. But it really
> should be the other way around: SMTP for our three internal domains
> and QMQP for anything else. Is there a simple way of doing this that
> I'm overlooking?

I'm a little confused as to what the topology looks like. Perhaps a
better description of what is going where would be useful? And what is
being blocked/allowed from where?

Is the firewalled SMTP server inbound? Outbound? Is the internal (now
firewalled) SMTP server a mail relay for clients? Is this why you've had
to add faux MX records?

Andy
--
TAI64 timestamp: 40000000521d7392
Re: SMTP and QMQP
Hi,

On 27.08.2013 at 07:32, Emilio Perea wrote:

> I've run into what I hope is a temporary situation in which an internal
> mail server is being placed behind a firewall blocking SMTP traffic. In
> this application almost all mail is internal SMTP, with less
> than 1% going out of the network, so mini-qmail is not a good option.
>
> Since most of the outgoing mail is people sending copies to their
> hotmail or gmail or yahoo personal mail accounts I've dealt with it by
> faking MX records pointing to our QMQT servers. But it really should be
> the other way around: SMTP for our three internal domains and QMQP for
> anything else. Is there a simple way of doing this that I'm
> overlooking?


Give my Spamcontrol patch a try. qmail-remote comes with a QMTP client you can customize by means of 'qmtproutes' comparable to 'smtproutes'.

http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html#Qmail-remote

regards.
--eh.


--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
Re: SMTP and QMQP
I'm sorry I missed your reply and did not respond in time. I appreciate
your trying to help!

On Tue, Aug 27, 2013 at 09:50:07PM -0600, Andy Bradford wrote:
> Thus said Emilio Perea on Mon, 26 Aug 2013 22:32:27 -0700:
>
> > Since most of the outgoing mail is people sending copies to their
> > hotmail or gmail or yahoo personal mail accounts I've dealt with it
> > by faking MX records pointing to our QMQT servers. But it really
> > should be the other way around: SMTP for our three internal domains
> > and QMQP for anything else. Is there a simple way of doing this that
> > I'm overlooking?
>
> I'm a little confused as to what the topology looks like. Perhaps a
> better description of what is going where would be useful? And what is
> being blocked/allowed from where?

In response to a Spamhaus report that there was suspicious activity from
our default gateway to one of their sinkhole addresses *(specifically
"NOT on port 25")* it was decided to block all outgoing port 25 traffic
except between one Microsoft Exchange server and an ISP's spam filter.

Of course, this makes no sense, but we have to live with it.

> Is the firewalled SMTP server inbound? Outbound? Is the internal (now
> firewalled) SMTP server a mail relay for clients? Is this why you've had
> to add faux MX records?

Outbound SMTP traffic is being blocked. The server does not actually
relay mail for clients, but does mail a few reports. And a couple of us
old farts who prefer mutt to Outlook use it for that purpose. However,
the amount of outgoing mail is so small that I had forgotten about the
problem until now.
Re: SMTP and QMQP
On Thu, Aug 29, 2013 at 11:24:33AM +0200, Erwin Hoffmann wrote:
> Give my Spamcontrol patch a try. qmail-remote comes with a QMTP client
> you can customize by means of 'qmtproutes' comparable to 'smtproutes'.
>
> http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html#Qmail-remote

I'm sure that will help, thanks! (I apologize for the delay in replying;
I had forgotten that I had asked for help...)
Re: SMTP and QMQP
Thus said Emilio Perea on Thu, 05 Sep 2013 14:55:51 -0700:

> In response to a Spamhaus report that there was suspicious activity
> from our default gateway to one of their sinkhole addresses
> *(specifically "NOT on port 25")* it was decided to block all outgoing
> port 25 traffic except between one Microsoft Exchange server and an
> ISP's spam filter.

I see. So before, your SMTP server would send outbound, but not receive
inbound. Now, it is only possible to send email to the Microsoft
Exchange server via SMTP?

Are you looking for a way that doesn't involve relaying through the
Exchange server (e.g. QMTP to another qmail host)?

If so, you might want to look at the serialmail package. It has a
maildirqmtp client that could be used to serialize deliveries of email
to your QMTP servers and maildirsmtp for SMTP.

I believe this would allow you to do it ``the other way around''.

First set up your 3 internal domains in virtualdomains and an entry that
will handle all the rest:

domain1.dom:serial-smtp
domain2.dom:serial-smtp
domain3.dom:serial-smtp
:serial-qmtp

Set up the ``serial'' account with appropriate aliases that deliver the
messages into a Maildir:

echo './smtp/Maildir/' > ~serial/.qmail-smtp-default
echo './qmtp/Maildir/' > ~serial/.qmail-qmtp-default

Then set up maildirsmtp to deliver emails from ~serial/smtp/Maildir to
the Exchange server via SMTP (or whatever is needed). And set up
maildirqmtp to deliver emails from ~serial/qmtp/Maildir to your QMTP
servers.

This is clearly not an ideal setup...

Andy
--
TAI64 timestamp: 4000000052294ee2
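
The routing described in the message above, as an added example that is not part of the original thread: a sketch of the lookup order qmail-send applies to control/virtualdomains, showing which prepend each recipient gets and therefore which prefix maildirsmtp or maildirqmtp has to strip again. The helper names, the sample recipients and the EXCHANGE_HOST, HELO_NAME and QMTP_HOST placeholders are assumptions, as is the premise that none of the domains is listed in control/locals.

```shell
# Added illustration, not from the thread. control/virtualdomains content as
# given in the message above; assumes no domain is also in control/locals.
VIRTUALDOMAINS='domain1.dom:serial-smtp
domain2.dom:serial-smtp
domain3.dom:serial-smtp
:serial-qmtp'

# vd_lookup KEY: print the prepend for KEY; fail if KEY has no entry.
vd_lookup() {
    printf '%s\n' "$VIRTUALDOMAINS" | awk -F: -v k="$1" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { exit !found }'
}

# vd_route ADDR: print the rewritten local address, or "remote ADDR".
# An entry with an empty prepend is an exception that keeps ADDR remote.
vd_route() {
    domain=${1##*@}
    # Lookup order: full address, domain, each ".suffix", then the empty key.
    keys="$1 $domain"
    rest=$domain
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        keys="$keys .$rest"
    done
    for key in $keys ""; do
        if prepend=$(vd_lookup "$key"); then
            [ -n "$prepend" ] || break
            printf '%s-%s\n' "$prepend" "$1"
            return 0
        fi
    done
    printf 'remote %s\n' "$1"
}

# serial_prefix ADDR: the prefix serialmail must strip from the recipient.
serial_prefix() {
    routed=$(vd_route "$1")
    case $routed in
        remote\ *) return 1 ;;
        *) printf '%s\n' "${routed%"$1"}" ;;
    esac
}

# Constructed sample recipients.
for rcpt in alice@domain1.dom bob@hotmail.com dave@mail.domain1.dom; do
    printf '%-24s -> %s\n' "$rcpt" "$(vd_route "$rcpt")"
done
# maildirsmtp ~serial/smtp/Maildir serial-smtp- EXCHANGE_HOST HELO_NAME
# maildirqmtp ~serial/qmtp/Maildir serial-qmtp- QMTP_HOST
```

Because the three entries are plain domains rather than ".domain" wildcards, a recipient at a subdomain such as mail.domain1.dom falls through to the catch-all and is queued for QMTP, not SMTP.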
Re: SMTP and QMQP
On Thu, Sep 05, 2013 at 09:40:47PM -0600, Andy Bradford wrote:
> Thus said Emilio Perea on Thu, 05 Sep 2013 14:55:51 -0700:
>
> > In response to a Spamhaus report that there was suspicious activity
> > from our default gateway to one of their sinkhole addresses
> > *(specifically "NOT on port 25")* it was decided to block all outgoing
> > port 25 traffic except between one Microsoft Exchange server and an
> > ISP's spam filter.
>
> I see. So before, your SMTP server would send outbound, but not receive
> inbound. Now, it is only possible to send email to the Microsoft
> Exchange server via SMTP?

That is correct.

> Are you looking for a way that doesn't involve relaying through the
> Exchange server (e.g. QMTP to another qmail host)?

Yes. The problem is not so much Exchange as a paranoid spam filter, but
the effect is the same.

> If so, you might want to look at the serialmail package. It has a
> maildirqmtp client that could be used to serialize deliveries of email
> to your QMTP servers and maildirsmtp for SMTP.
>
> I believe this would allow you to do it ``the other way around''.
>
> First set up your 3 internal domains in virtualdomains and an entry that
> will handle all the rest:
>
> domain1.dom:serial-smtp
> domain2.dom:serial-smtp
> domain3.dom:serial-smtp
> :serial-qmtp
>
> Set up the ``serial'' account with appropriate aliases that deliver the
> messages into a Maildir:
>
> echo './smtp/Maildir/' > ~serial/.qmail-smtp-default
> echo './qmtp/Maildir/' > ~serial/.qmail-qmtp-default
>
> Then set up maildirsmtp to deliver emails from ~serial/smtp/Maildir to
> the Exchange server via SMTP (or whatever is needed). And set up
> maildirqmtp to deliver emails from ~serial/qmtp/Maildir to your QMTP
> servers.

Thanks! I appreciate your help.

> This is clearly not an ideal setup...

Agree 100%!