Email help, please

Postby Don » Feb 03 04 9:42 am

OK . I got past the eval license problem on my proxy server, loaded Wingate 5.2.2 and have a proper Wingate 5 license.

Now I want to set up email services .. I've read the screens and the online help .... but I'm not sure what I read is intuitive enough for me to properly understand it and I'd like to know if anyone can give me the Cliff Notes version. Here's the deal:

I have an In House Unix system with a version of Sendmail that is too old and stupid to know not to be an open relay. It can NOT be easily upgraded, and that's the reason I'm trying to use Wingate Email as a spam blocker.

So here's what I'd like to do:

For OUTBOUND mail: Accept connections on 192.168.0.2 and deliver the mail directly, without the need for an ISP to relay it.

INBOUND mail: Accept connections on {outside IP}, verify that the recipient is ACTUALLY for {domainname.com} and if so, forward the mail to 192.168.0.2

On Wingate 4 .. there was a version of email address scanning, where I could put in a list of domains for which I would accept mail, and if I tried to send it mail TO another domain, it would reject it ... but if the sendmail dialog used "" (null) for a recipient, Wingate would still send the mail on to my mail server which would detect an actual recipient in the message body and if it was another address, would forward it .. and this got us black-holed.

Can I force Wingate to reject ALL mail unless the recipient is one of my actual domains? And if so, what do I need to set up to make the above happen?
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

Postby labull » Feb 03 04 2:11 pm

Don,

Are you going to leave your SendMail server in place?

You said:

Accept connections on 192.168.0.2


and

forward the mail to 192.168.0.2


Is that a typo?

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

yes

Postby Don » Feb 04 04 5:16 am

Yes, the sendmail on the internal server at IP (192.168.0.2) has to remain in place ..

so the mail Proxy needs to accept INCOMING mail on the external interface, filter the mail not addressed to {domain.com} and then forward it to the internal interface.

Outbound mail is accepted on the internal (192.168.0.2) interface and delivered directly.

Just to be clear ... they've been using Wingate 4.2 for mail for years, and there were only two problems:

1) Outbound mail HAD to be relayed via an external ISP (which most ISP's will not do) and

2) The mail filter did filter mail incoming that was NOT addressed to the domain name in the mail filter, but it DID allow "" (null) recipients, which allowed Sendmail to read the recipient from the body text and that would allow spammers to get the old version sendmail to relay it.

The way I made this work (on 4.2) was to have TWO SMTP proxies running, one that accepted ONLY on the internal and sent on the external, and the other in reverse.

Anyway .. the setup boxes on the 'email' tab don't have a dialog box that says (as 4.2 did) accept mail ONLY for the following domains ... it's been replaced by a more complicated dialog box that isn't as intuitive as they think it is.
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

Postby labull » Feb 04 04 7:03 am

Don,

Is WinGate to run on the same server as SendMail?

The SMTP Server (not Proxy) in 5.2.2 has the ability to do all the work of receiving, scanning, blocking, etc. Inbound mail and then passing it to the SendMail server.

For Outbound mail, SendMail would send everything to WinGate and WinGate would handle the delivery.

Does this sound like what you need?


Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Well, yes and no

Postby Don » Feb 04 04 2:11 pm

The SMTP proxy that I can set up in 5.2.2 looks a lot like the one in 4.3 ... and the problem with 4.3 was:

A) it would NOT send outbound mail directly .... but rather had to send it to an ISP. In other words, if you didn't check the "relay outbound mail via ISP" the proxy would REJECT outbound mail. Is that different in 5.2?

B) Inbound mail filtering had a bug in 4.3: If you had, say "myworld.com" as a domain ... yes, it would reject mail where the RCPT TO: was "otherdomain.com" but if the RCPT TO: was NULL, it would pass the message on to the internal sendmail (it's a different machine) that would see in the BODY TEXT that the mail was for "rudy@Ilikespam.com" and forward the mail outward. bingo ... an open Spam Relay! THAT was its problem!!!

If these two things have been corrected in 5.2.2 .. then yes, I don't need the EMAIL OR the SMTP services other than ones I can create
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

More ....

Postby Don » Feb 04 04 2:15 pm

In thinking about it maybe I can do this:

1) set up an SMTP service that accepts ONLY on the internal IP and forwards it to localhost:2546
2) Configure EMAIL to accept connections ONLY on localhost:2546 and then 'deliver mail directly' via the outside IP

3) Set up a second SMTP service to accept connections ONLY on the outside interface, scan for domain name ... and forward to a predetermined server (sendmail) on the inside IP

This would work ... (IF it works) only if the SMTP service recognizes a NULL RCPT TO: as an invalid domain

I'll try it tomorrow or tonite
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

Postby adrien » Feb 04 04 8:25 pm

Hi

This is very similar to our setup here at Qbik, for which we use WinGate.

Basically by defining local domains in WinGate mail, you are specifying the mail domains that WinGate will accept mail for from the untrusted networks (Internet).

WinGate allows you to specify whether to relay or not. Relaying being defined as delivery of a mail where neither the source nor destination address are local.

By default you can relay from any trusted machine, this being any of:

a) a machine that connects on a trusted interface (as defined in Options->Advanced Options->Network Interfaces in GateKeeper), or
b) a machine who you have an IP assumption set up for
c) a machine that authenticates.

This way you can have external users relay through you if you trust them.

So basically you set WinGate up to receive mail, and you specify that it will deliver all inbound mail to another server ("another server on my lan handles inbound mail" in the Delivery tab).

You add the local domains to WinGate, then WinGate will reject mail that is not destined for you, and deliver all your mail to your sendmail server.

Because the sendmail server is on a trusted interface, it can send mail to whoever it likes... this completes the picture

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
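The policy Adrien describes, together with the null `RCPT TO:` case Don raised earlier, written out as a small decision function. This is an added illustration, not part of the thread and not WinGate's code: the `Client` class, the function names, the SMTP reply codes and the `mycompany.com` local domain list are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the "local domains" list configured in the mail server.
LOCAL_DOMAINS = {"mycompany.com"}

@dataclass
class Client:
    """The three trust conditions listed in the post (a, b, c)."""
    on_trusted_interface: bool = False
    has_ip_assumption: bool = False
    authenticated: bool = False

    @property
    def trusted(self) -> bool:
        return self.on_trusted_interface or self.has_ip_assumption or self.authenticated

def recipient_domain(rcpt: str):
    """Return the lower-cased domain of an RCPT TO path, or None if unusable."""
    addr = rcpt.strip().strip("<>").strip()
    if addr.count("@") != 1:          # empty path "<>", bare names, source routes
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")

def rcpt_decision(client: Client, rcpt: str, local_domains=LOCAL_DOMAINS):
    """Decide on the envelope recipient only; message body is never consulted."""
    domain = recipient_domain(rcpt)
    if domain is None:
        # The gap described for 4.x: a null recipient must be refused here,
        # before the message can reach the internal Sendmail host.
        return (501, "reject: empty or malformed recipient")
    if domain in local_domains:
        return (250, "accept: deliver to internal mail server")
    if client.trusted:
        return (250, "accept: relay for trusted client")
    return (550, "reject: relaying denied")

if __name__ == "__main__":
    internet = Client()
    sendmail_host = Client(on_trusted_interface=True)
    for who, rcpt in [(internet, "<>"), (internet, "<rudy@Ilikespam.com>"),
                      (internet, "<don@mycompany.com>"),
                      (sendmail_host, "<rudy@otherdomain.com>")]:
        print(rcpt, rcpt_decision(who, rcpt))
```

The null-recipient check runs before the trust check, so even a trusted or authenticated client cannot hand the internal server a message with no envelope recipient.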

OK ....

Postby Don » Feb 05 04 7:45 am

Please forgive me for appearing as dense as a neutron star .... but the Email service is NOT as intuitive as you all seem to think it is.

The Email service doesn't allow me to specify what interfaces/ports I want it to use ... it just "exists". At Install time, it decided that a 'default domain' was "proxy1" (the name of the PC upon which Wingate is installed).

I attempted to add the ACTUAL domain (ex: mycompany.com) and my options were "this domain is hosted locally" when I'm thinking that "local" means THIS VERY PC, which is not the case, or "this domain points to" (where my ONLY listed option is PROXY1) or "relay for this domain"

That may make sense to YOU ... but it's a basic HASH of anything intuitive.

Which option means "My mail is hosted by another system that is on the trusted interface" ? I'm assuming it's "relay"

The addresses tab then SORT OF clarified that question, because it offers a "translation table" where "name@domain.com" equals "name on local system" indicating that yes, "local" does mean "this PC" Meaning that my only option for the "domains" tab is "relay" Correct?


The SECURITY tab asked me for this machine's fully qualified name, so it is "proxy1.mycompany.com" correct ?


So .. this leaves me with the question on the SMTP service on the services tab. Disabled? Point it to .... where ?
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

Postby labull » Feb 05 04 7:59 am

Don,

Email Service works in conjunction with the SMTP Service. The SMTP Service is where you describe the "physical" connections - Bindings, Interfaces, etc.

In Email, Local may be thought of as "at this site".

If you describe a domain as Local and then in the Delivery tab check -Another server on my network is handling local mail - and put the IP address and port of your SendMail server - this will cause email for domains listed as local to be automatically passed to your SendMail server for final processing.

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Still no joy

Postby Don » Feb 11 04 6:47 am

I took a few days to configure the outside domain addresses and let things bubble through the world of DNS. All aspects of Wingate working except mail delivery.

1) I have SMTP configured to accept mail in/out on ANY INTERFACE
2) I have EMAIL set up to deliver OUTBOUND mail directly and
3) To send INBOUND mail to 192.168.0.2 (which runs Sendmail)

Sending mail to the address, I see Wingate mail taking the connection.
Log file shows the event handled and debug dialog shows no errors.

But the receiving system (192.168.0.2) doesn't receive the mail and logs NO errors or exceptions! I have one remaining LITTLE thing wrong and damn if I can find it!

suggestions?
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

One last thing ...

Postby Don » Feb 11 04 7:21 am

The SMTP log file shows the dialog between Wingate and the outside world ... but I can't find any dialog anywhere that details the dialog with the internal server and I think that Wingate Email is simply not relaying the mail
Don
 
Posts: 22
Joined: Oct 01 03 6:30 am

