Solved

how to setup postfix or qmail to go through a email proxy

Posted on 2010-09-09
5
1,535 Views
Last Modified: 2013-12-02
Hello,

I am looking to setup a email proxy server. The "scheme" I am using is;

Internet  >> ASSP(proxy) >> Email Server

Email Server >>>> ASSP(proxy) >>> Internet

I am wanting to use ASSP (http://sourceforge.net/apps/mediawiki/assp/index.php)

ASSP and the Email server are on different severs so the port's shouldn't have an issue. What I am needing to know if possible is how to setup the email server to talk through the proxy server? What I have gather is with a "smarthost". Can you give me a step by step guide on this? If you are needing anything let me know.


Thank You,
Chris
0
Comment
Question by:tdog89
  • 2
  • 2
5 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 33644151
on the qmail side: you would add the entry in /var/qmail/control/smtproutes
:<replace_all_this_with_the_assp_proxy_ip>[:port] #(if the ASSP proxy is not listening on port 25.

In postfix, in /etc/postfix/main.cf define the
$relay_host=SMTP:<replace_all_this_with_the_assp_proxy_ip>

You may need to alter the port (SMTP) in the postfix example above if assp proxy is not listening on port 25.
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 500 total points
ID: 33649222
Hehe... QMail could reasonably be setup to act as EITHER role (or, two QMail servers could EACH be one of them)... the email server OR the ASSP proxy! Unfortunately, you haven't made it clear which (or both) will be using QMail...

In any case, all you really need to fool with are the files:
  /var/qmail/control/smtproutes
  /var/qmail/control/rcpthosts
Plus, the MX server records in your DNS.

Since you want step-by-step instructions, I'm going to ASSUME that separate QMail servers are filling EACH role:
 - The "local" e-mail server is at localmail.mydomain.com (or WAN IP address 1.1.1.1, and LAN IP 10.0.0.1)
 - the ASSP server is at asspmail.mydomain.com (or WAN IP address 2.2.2.2)
 - The domain you're serving (could be one of many) is mydomain.com
 - Optionally (to make things easier later):
    smtp.mydomain.com points to the ASSP server (2.2.2.2)
    imap.mydomain.com (and, if need be pop.mydomain.com) points to the "real" mail server (1.1.1.1)

So - here are the configuration items to note:
 1 - The MX records for mydomain.com should point exclusively to the ASSP server:
       asspmail.mydomain.com, or specifically 2.2.2.2
 2 - The ASSP server (running QMail) will list the domain(s) being filtered in the /var/qmail/control/rcpthosts file
      The rcpthosts file is just a list of domains you accept mail for that aren't going to be processed locally
      So, entering your domain(s) here means you'll accept mail for those domain(s), even though they're not local
      The format of the rcpthosts file is simply a list of domain names, one per line... that's it!
 3 - The ASSP server (running QMail) also needs to identify the REAL mail server to deliver the filtered mail to:
      The operative file is /var/qmail/control/smtproutes
      The smtproutes file tells your system where to deliver mail for domains that are NOT controlled by DNS MX records
      The format is of the general form:
          domain:server[:port] [username] [password]
      So, in it's simplest form let's assume:
        - the Real Mail Server is localmail.mydomain.com
        - there are no "rules" on that server about accepting mail from the ASSP server
        - the Real Mail Server accepts connections on port 25 ONLY from the ASSP server
          (either in a firewall setting, or in a tcp.rules setting)
        - No authentication or different port or SSL setting is required (not a problem is the above rule is in place)
      ... then the smtproutes entry (line) would look like:
          mydomain.com:localmail.mydomain.com

So, that takes care of getting mail INBOUND through your ASSP server.... what about the other 2 cases? (outbound messages and internal messages)

 4 - The EASIEST thing to do is to let the ASSP server act as the MX server for your "real" domain -- even for internal users (that is, tell your users to use the IMAP server at imap.mydomain.com and the SMTP server at smtp.mydomain.com

To "do this RIGHT", you'd also have them use IMAPS and SMTPS -- furthermore, you'd make SMTPS connect on port 465 (to keep it separate from the inbound "filtered" email).... and the use of IMAPS and SMTPS takes you to the use of SSL certificates, which if unsigned, causes a "certificate warning" message until you force the client systems to accept the unsigned certificate. The cost to "sign" a certificate varies WILDLY -- from about $10/year to about $80/year!)

BUT -- if for some reason you REALLY want users to send their messages through localmail.mydomain.com, then you'll need to force it (localmail) to send all of it's outbound mail through the ASSP (aka: smarthost). Fortunately, this is exceptionally simple... just use a "wildcard" in your smtproutes file.... something like
  :asspmail.mydomain.com

That is, put NOTHING in front of the first colon in the smtproutes file, and it assumes you mean ALL mail.

That's about it... if YOUR QMail server is only playing one role or the other, just skip the steps for the server that's NOT QMail...

For example, if you're using Verizon's smarthost, and they want you to send outbound mail on port 26, you'd just make the smtprouts entry look like:
  :mailhost.verizon.net:26

And if they wanted you to LOGIN to the smarthost on port 26 with a username of user@verizon.net with a password of "password1234", the line would look like:

  :mailhost.verizon.net:26 "user@verizon.net" "password1234"


That should about cover it... reply with questions!!!

Dan
IT4SOHO
0
 

Author Comment

by:tdog89
ID: 33649761
The actual proxy will have nothing. I am looking at either setting up postfix or qmail. Only 1 email server and 1 proxy server both being on 2 separate servers
0
 
LVL 76

Expert Comment

by:arnold
ID: 33650301
There are ways to configure both qmail and postfix to handle/process the incoming message to check that it is not spam. using spamassin, etc.
You could use qmtp to transfer messages from the proxy to the local delivery qmail setup which will significantly speed things up as compared to having the proxy transmit a message at a time.

0
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 33657810
Since you appear to be implementing BOTH servers, I think it is reasonable to ask WHY two servers?

As has been mentioned, both PostFix and QMail (heck, even Sendmail) can reasonably block most SPAM without the use of another server. The use of an ASSP (SPAM blocker Proxy) is USUALLY done by a "Service Provider" who wants to offer the services of their SPAM blocking technology (and subscriptions to additional SPAM blocking tools) to their own subscribers as a for-profit exercise. ASSP providers usually have a STAFF of E-Mail EXPERTS available on-call 24/7 -- after all, if the ASSP server goes down, all of its client systems E-Mail servers will be down too!

My point is this: If you're implementing your own Mail service for the first time, you should probably SUBSCRIBE to an ASSP service, while at the same time learn how to do most of the SPAM blocking on your own server. When you're comfortable implementing SPAM blocking tools on your own server, you can remove the ASSP system (and the expense)... but to implement an in-house PAIR of servers -- one an ASSP and the other a standard E-Mail Server is a waste of time and resources. For a single set of domains (serviced by a single E-Mail server), the functions of the ASSP could be far (FAR) more easily integrated directly into the E-Mail server itself.

Just my thoughts... they can't be worth LESS than what you paid for them! :-)

Dan
IT4SOHO
0

Featured Post

Do email signature updates give you a headache?

Do you spend too much time managing email signatures? Hate visiting every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Well, let Exclaimer give your company the email signature it deserves!

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Email signatures have numerous marketing benefits. Here are 8 top reasons to turn your email signature into a marketing channel.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now