DMail Frequently Asked Questions:

No. 1 question:
How do I set up a 'HotMail' type system?

Questions:

  1. I like DPOP but I have half a dozen users who leave mail on the server and need to read email direct from Unix drop files.
  2. What operating systems is DMail available on?
  3. What is the maximum number of email clients that can be handled by DPOP?
  4. We have our own special username/password routines. Can these be used with DPOP?
  5. Is the source for DPOP, DSMTP and DList available so that we can tailor it to our needs?
  6. We would like to try DPOP, but are paranoid about upsetting umpteen thousand users. How can we ease into it?
  7. Should I use username suffixes or multiple IP numbers for virtual domain support?
  8. Can I setup a 'HotMail' like system using DMail or DMailWeb?
  9. I want all domain1 email which does not go to a specific user to go to one designated user.
  10. What is Relaying?
  11. How do I add extra fields to wadduser?
  12. Time Stamp and Time Zone problems (mostly on Linux platforms).
  13. How can I transfer mail accounts (users) from my current email server?
  14. How can I have some users who can connect direct to DPOP but others who can only connect with DMailWeb/CWMail?
  15. How can I check what aliases I have set up for a user?
  16. I'm getting a Read Failed 109 error message. What's that?
  17. Can I filter messages based on the attachment name?
  18. Tell me about the SMTP protocol?
  19. How do I add Multiple IP numbers on a single machine?
  20. Can I specify a RANGE of IP addresses?
  21. I want to UPGRADE, ... ?
  22. I want to MOVE DMail, ... ?
  23. I want to park mail for a domain (but mail is rejected as no relaying)
  24. Can I run DSMTP (and DPOP) on another port?
  25. Can I delete queue files from the queue?
  26. Security Note What things can I do to secure my mail system against hackers?
  27. Do CWMail and DMail servers support multi-threading?
  28. Is there a limit to the length of a username?
  29. Running DMail on your ISP's Server
  30. Security Note Robots running as root
  31. Can I use DMail for a Remote or Dial Up Mail Server?
  32. Can I use DMail from behind a firewall or proxy server?
  33. Does DMail support CDONTS?
  34. My Users are not appearing in the NWAuth database file...
  35. Authentication for DMail and NetAuth on Clustered machines and Network Drives
  36. Changing hash_spool, what needs to happen?, how do I test fixhash?
  37. I need to send a message to all users on my system, is there anything more than bulletins?
  38. How can I use the @ character for suffix based vdomains with netscape?

Answers:

  1. Drop users:

    You have a few users who check their mail using a normal POP client but leave the mail on the server and want to be able to access the drop files directly, with pine for example. But DPOP converts the drop files to it's own format for more efficient manipulation, so once the mail has been checked, there is nothing left in the drop files and the users can't see their mail. This is easily remedied by adding a line to your dmail.conf configuration file. It should look like this:

    drop_users ralph,bill,*smith

    This would force DPOP to leave all the email messages for ralph, bill and anyone with a usercode finishing with the word smith, in drop files. Be careful not to put spaces in the list and avoid making it too general as there is a performance hit in keeping messages in drop files. That's why DPOP avoids it in the first place. This setting is only needed for users who check their mail with a POP3 connection AND leave it on the server AND want to read it with software that directly reads the drop file.


  2. What operating systems is the DMail package available on?

    It is our intention to make it available on all common operating systems. It is initially available on Linux, Solaris, HPUX and Windows NT. Please ask if you need it for another system soon.


  3. What is the maximum number of email clients which can be handled by DPOP?

    This basically depends on the server hardware it is to run on, and the type of license you buy. It is intended to be very scaleable and to work well on large and small systems. Because of it's design, both large numbers of concurrent users and large numbers of email user accounts have relatively little impact on the process size and performance.


  4. We have our own special username/password routines. Can these be used with DPOP/DSMTP?

    Yes, DSMTP and DPOP can be configured to use an external authentication process for checking username/passwords.


  1. Is the source available so that we can tailor it to our needs?

    No, but this should not be necessary, as most aspects of DSMTP, DList and DPOP can be easily configured. They can also use an external password checking routine and an external routine to indicate where drop files are and how the path is hashed. DPOP can also generate statistics which can be used by an external routine for generating charging information. If there is some other aspect which you need to be able to tailor, please let us know.


  2. We would like to try DPOP, but are paranoid about upsetting umpteen thousand users. How can we ease into it?

    Email is a vital service, so even if the current popper you are using is slow it is still a scary step to move to another one. You can't afford to upset users. So how do you ease into it? There are a number of strategies which can be helpful here.

    • If you have the luxury of a spare machine, obviously installing DPOP onto that first will help. This at least allows you to check out the various options which you might want to use and get used to how they work. The DMSetup wizard will help you to remove it from the test machine after your testing is complete. The de install option tries to err on the conservative side. It tells you where the files are that you might want to delete. It will only remove something that is definitely part of DPOP and not any other popper.
    • If you have not got a spare machine, or you have tried that and are now more comfortable but still cautious: The next easy step is to install DPOP on the main server BUT get it running on a different port. This way you can leave your original popper running. For example, you might set DPOP up on port 1100 instead of 110. In order o do this, follow the normal installation procedure, but say no to the question: "Shall I comment out current POP3 entries in inetd.conf". Then edit dmail.conf file and change pop_port line as shown below:
      pop_port 110
      pop_port 1100
      You can then get individual users to try switching to DPOP use by changing the setting in their email reading software to read on another port. This is straightforward in Pegasus mail and more difficult on some other email clients. For Eudora on Windows 95 just edit the Services file in the windows directory to change POP3 port. You can even allow someone to connect both ways although if they are going to do this AND leave unread or undeleted mail on the server you must put a line in dmail.conf to tell DPOP to change their bin files back into a drop file at the end of each session. This should only be done if they NEED to read their mail from Unix command line or some other non DPOP connection. It will slow down processing. If Bob,Bill and Bert are Unix gurus who read their mail from the Unix command line and using a POP3 client, you might add one of the following lines to dmail.conf:
      drop_users B*
      drop_users Bob,Bill,Bert
      Once you have run DPOP in this mode for a while you can switch back to the real POP3 port by changing the pop_port line in dmail.conf and then issuing the Tellpop reload command.
    • Alternatively, you can take the plunge and install DPOP directly on your main server in some off peak time. Test it with a few test accounts and if there are any problems that look difficult, revert to the previous popper. To do that, all you need to do is put the lines in inetd.conf back how they were and get inet to reload. The DMSetup wizard can do this for you. If the accounts you have tested have undeleted or unread mail left on the server, these must be converted back to drop files. This must be done before stopping DPOP by using either:
      tellpop drop_all
      to do all accounts that have used DPOP or
      tellpop drop Bert
      tellpop drop Bill
      etc. to deal with user accounts one at a time.

  3. Should I use username suffixes or multiple IP numbers for virtual domain support?

Multiple IP numbers has the advantage that the users do not need to change their username setting in their email client packages. Username suffixes save you having to configure your server machine to respond to multiple ip numbers. The two schemes work as follows:

If a vdomain setting line has an IP number like 1.2.3.4 in it then DPOP checks what ip number the user was connecting to and does stuff based on matching vdomain lines. If the vdomain setting line has a suffix string rather than an IP number in the same place ( e.g. /xusers) then when users connect to DPOP and sends user fred/xusers DPOP picks up the /xusers and uses that to match a vdomain line. The suffix is stripped off and the prefix is added just as it would be for an ip based vdomain. From then on the two systems are the same. The other question is what do we end up with as a drop file name.

Consider the two vdomain lines:

  • vdomain abc 1.2.3.4 xdomain.com /var/spool/mail/xdomain
  • vdomain abc /xdom xdomain.com /var/spool/mail/xdomain

If a user connects to 1.2.3.4 or uses a username fred/xdom
Then the Unix username used will be

  • abc_fred

and the drop file used will be

  • /var/spool/mail/xdomain/fred

Some mail transport systems find it easier to deliver to a drop file

  • /var/spool/mail/xdomain/abc_fred

To allow for this, another setting has been added

  • drop_prefixes true/false

if this setting is true, DPOP will use the second form for the drop file name.


  1. Can I setup a 'HotMail' like system using DMail or DMailWeb? (Technical details on WAdduser)

    Yes, we have a Web Based Email system that offers Auto Account Creation. For general information on such systems, see... Setting Up Web Based Email System with Auto Account Creation
    Our OLD way of doing this is presented below...

    Yes, using wadduser instead of NetAuth you need:

    • CWMail (web to mail interface)
    • DMail (dsmtp,dpop)
    • NWAuth (external authentication module for dmail)
    • wadduser (example web cgi for adding users using nwauth)

    Note: You no longer have to use WAddUser with our new product NetAuth.

    DMail comes with source and binary examples of NWAuth and wadduser. You should examine the source and modify wadduser.htm so that it only allows the users to automatically create their own accounts (it has extra functions which you would not want them to be able to do)

    Technical details:

    1. Fetch the source for nwauth/wadduser. This should come with DMail, but if you have an earlier version you can download it from...
      ftp: //ftp.netwinsite.com/pub/netwinsite/dmail/nwauth.zip
    2. Make any changes to the source that you want (not required)
      See How do I add extra fields to wadduser? for some more information on this...
    3. Building wadduser.cgi and nwauth  (only needed on UNIX)

      Unix:
      gcc wadduser.c nwauth.c -DNOAUTHMAIN -o wadduser.cgi
      rm nwauth.o (so you can build it without NOAUTHMAIN defined)
      gcc nwauth.c -o NWAuth
      Note: if you get crypt errors you may need to add, -lc -lcrypt to the end of each gcc line.

      Windows:
      Create two console (command line) projects,
      1 builds nwauth.exe from nwauth.c,
      2 builds wadduser.cgi from both wadduser.c and nwauth.c but you need to define NOAUTHMAIN as a preprocessor definition.
      NB:In both projects you will probably need to add wsock32.lib to the list of standard linked libraries.

    4. Install the cgi script and the html form

      windows:
      copy wadduser.cgi \inetpub\scripts    (or wherever your web server cgi directory is)
      copy wadduser.htm \inetpub\wwwroot

      Unix platforms:
      cp wadduser.cgi /home/httpd/cgi-bin    (or wherever your web server cgi bin directory is)
      cp wadduser.htm /home/httpd/htdocs

    5. Test the cgi, use netscape and reference your web site:
      http://your.web.server/wadduser.htm
      Fill out the form and press one of the buttons, if it fails, you will probably need to modify the 'action' in wadduser.htm

    6. Tell DMail to use NWAuth for user authentication, add or change in dmail.conf (/etc/dmail.conf or \winnt\system32\dmail.conf)

      authent_method external
      (unix)   authent_process /usr/local/dmail/nwauth
      (NT)   authent_process c: /dmail/nwauth.exe
      authent_number 1

    7. Modify wadduser.htm so that it only allows the actions that you want users to be able to perform, (e.g. not delete or search)

    8. On UNIX, you will need to set some file protections:

      touch ..../cgi-bin/adduser.log
      chown nobody .../cgi-bin/adduser.log
      touch /usr/local/dmail/nwauth.txt
      chown nobody /usr/local/dmail/nwauth.txt

    9. If you wish add a bulletin message to DPOP that welcomes all new users,

    10. You can add a file, added.htm, in your cgi directory and wadduser will display the contents of the file when a user has been successfully added - underneath the 'Adding User' title.



  1. I want all domain1 email which does not go to a specific user to go to one designated user.

    The setting you want is fallback_address, e.g.
    fallback_address domain1 default@domain2

    FYI . . .
    I gather that you were using forwarding rules in order to try to do the same thing instead of using the fallback address. I note that from the lines you had set up, you seemed to be expecting DSMTP to stop looking through the list of forward rules when it found the first match. So, for example, you had something like,

    forward bob@domain1 bob@domain2
    forward fred@domain1 bob@domain3
    forward *@domain1 default@domain4

    and expected DSMTP to only action the bob@domain1 line if a message came in for bob@domain1, i.e. you wanted the *@domain1 line to 'catch' any messages that did not match the first two forward rules.

    The way DSMTP has been written, all forwarding rules that are found to match for an incoming message are applied and forward rules are also applied instead of delivering the mail to the original recipient. So if a message came in for bob@domain1, given the dmail.conf lines above, bob@domain2 would receive the message AND so would default@domain4 (because both of the forward rules can be matched) BUT bob@domain1 would not receive the message.

    Whereas the fallback address setting,
    fallback_address domain1 default@domain4
    does what you want. i.e. if a message came in for bob@domain1.com and it could not be delivered, because the user database did not have an entry for bob and there wasn't a setting (forward rule, alias etc.) sending the mail to someone else, then DSMTP would deliver it to the fallback address, default@domain4, instead of bouncing the message back to the sender.

    Note: DSMTP's action of applying all forward rules is a nice feature that you will probably use for other situations.



  2. What is Relaying?

    Sending mail to non-local users is referred to as 'relaying', as DSMTP must relay the message to the user's local SMTP server (often their ISP's SMTP server) so that it can write the message to the user's drop file (mail file on the server).

    The message may be relayed several times from server to server until it reaches the final SMTP server where the user is a local user - at least that is the theory. Because of spammers, most SMTP servers severely restrict the relaying that is allowed to occur. So the message normally only gets relayed through an intermediary SMTP server if the server the email client gives the message to for sending is setup to gateway mail to another server, i.e. pass all it's mail onto that server for delivery. An SMTP server set to gateway mail is often used to allow mail to be sent through fire walls.


  3. How do I add extra fields to wadduser?

    In order to add extra fields in wadduser.htm for storing more information about the user, you will need to do the following:

    • Add the input text boxes and their appropriate variables in HTML to wadduser.htm (or the pages that you want them on)
    • Modify the source of the CGI wadduser (wadduser.c) so that it records the information given
    • Recompile wadduser.c (which requires linking to nwauth.c)
    • Replace wadduser.exe in your cgi or scripts directory with your new version

    The page that calls the wadduser CGI (wadduser.htm) has a form on it that calls the CGI as it's action to perform when it is submitted, i.e when one of the buttons is pressed. E.g. action="http://server.com/scripts/wadduser.exe" calls the wadduser cgi from the scripts directory on the server.com web server. The CGI works out which of the buttons on the page was pressed and carries out the appropriate action.

    The function below web_add (from wadduser.c) is called when you click on the "add" button on the example wadduser.htm page.

    The form also has a number of variables that are passed to the CGI as part of the action of submitting the form, e.g. name, username, password. To add more fields, you need to add more such input fields to the web page, in this form,
    <input type="text" name=" username" size="20">

    So, in order to add a field to get the person's hobby, you could add to wadduser.htm
    <input type="text" name="hobby" size="20">

    Then you need to decide what you want the CGI to do with the information in the fields that you add.

    The three lines in the function below,

    fprintf(f,"%s|",form_find("phone"));
    fprintf(f,"%s|",form_find("fax"));
    fprintf(f,"%s|",form_find("comments"));

    search the form that is submitted by the wadduser.htm page for the fields, phone, fax and comments, and if it finds them, it prints them into the log file, adduser.log. If it cannot find them, for example if there is no such input field on the web page (this is the case with the example wadduser.htm - there are no input boxes for phone, fax and comments) or the user has not entered anything in the box, then it will simply enter an empty string.

    Therefore, in order to make wadduser log the person's hobby entry, you could add this line below the three above,
    fprintf(f,"%s|",form_find("hobby"));

    The function below ONLY writes the username, password and name entries to the nwauth.txt password file, but it writes to the log file, adduser.log, a whole bunch of input fields that don't exist. Note that NWAuth only takes three fields, 'username', 'password' and 'other'. It is the 'other' field into which you can add your own fields. The function below adds the field 'name' into the 'other' field in the following format,
    name="the person's full name"
    The 'other' field can take as many fields as you want (until the information reaches the BFSZ definition, when you will get buffer over flows!) simply make sure that each field has the correct format and that they are separated by a space.

    So, to make the CGI write the hobby field onto the end of the 'other' field in nwauth.txt you should change the line in the function below from,
      sprintf(bf,"name=\"%s\"",name);
    to
      sprintf(bf,"name=\"%s\" hobby=\"% s\"",name,form_find(hobby));

    This will result in nwauth.txt lines like,
    bob:a234h6:name="Bob Smith" hobby="ping pong"
    for the username bob, which has a password of something we cannot read as it is encrypted, and a full name of 'Bob Smith' and a hobby of 'ping pong'.

    int web_add(void)
    {
    FILE *f;
    char username[BFSZ],password[BFSZ],name[BFSZ];
    char bf[BFSZ];
    /* Check the user has filled in the required fields */
    if (!check_value("Name","name","")) return 0;
    if (!check_value("Username","username","")) return 0;
    if (!check_value("Password","password","")) return 0;

    f = fopen("adduser.log","a");
    if (f==NULL) { printf("Could not write file\n"); return 0;}
    fprintf(f,"%s|Add|",get_date());
    fprintf(f,"%s|",mygetenv("REMOTE_ADDR"));
    fprintf(f,"%s|",form_find("username"));
    fprintf(f,"%s|",form_find("name"));
    /* These are optional form elements to record */
    fprintf(f,"%s|",form_find("phone"));
    fprintf(f,"%s|",form_find("fax"));
    fprintf(f,"%s|",form_find("comments"));
    fprintf(f,"\n");
    fclose(f);

    ncpy(username,form_find("username"),BFSZ-1);
    ncpy(password,form_find("password"),BFSZ-1);
    ncpy(name,form_find("name"),BFSZ-1);

    strlwr(username); /* Only allow lower case usernames */
    do_header("Adding user");
    printf("<pre>");
    if (auth_exists(username)) {
      printf("Sorry, a user by that name already exists\n");
    } else {
      sprintf(bf,"name=\"%s\"",name);
      auth_set(username,password,bf);
      showfile("added.htm");
    }
    printf("</pre>");
    do_footer();
    return 0;
    }


  4. Time Stamp and Time Zone problems (mostly on Linux platforms).

    NB: the Date field is normally added to an email by the email client. DSMTP only adds one if the email client has not put one on (e.g. if the message was created by DMail's sendmail stub).

    NB: In version 2.7l DSMTP was changed to add time stamps that are in local time on both the Date header, if it adds one, and on the Received lines. Before this, it always stamped GMT on any Received headers that it added.

    If you are running a newer version of Linux (e.g. RedHat 5.2 etc.), then you may experience problems with the time stamp and timezone in the DMail servers. This is because of the difference in C libraries used to compile DMail. Examples of the problems are the timezone being incorrectly specified, or all time stamps being in GMT.

    In order to fix the timestamp problems, you need to use a version of DMail compiled with the newer libc6 libraries, or have the below fix applied. There are other benefits to the new libraries, e.g. support for shadow passwords etc. and we have been building versions of DMail which use them since version 2.4j. So if you are running a platform that can support the newer libraries, we recommend that you download one marked 'linux_libc6' from the main or beta download directory,
    ftp://ftp.netwinsite.com/pub/dmail

    The alternative is this fix:
    Create the proper link by executing this command.

    ln -s /usr/share/zoneinfo /usr/lib/zoneinfo

    (Sorry, I'm not sure which version of Unix this answer works on :-(

    Also:
    On many platforms the timezone information is incorrect, so in dmail.conf you can define:
    timezone xxxx
    This controls the time zone string which DSMTP stamps on outgoing messages, to give it the form
    hh:mm:ss xxxx
    NB: it does not alter the time printed, only the timezone string following it.

    Some Examples:
    timezone +1100 would give 11:30:33 +1100
    timezone -0800 PST would give 11:30:33 - 0800 PST
    timezone -0600 CST would give 11:30:33 - 0600 CST
    timezone +0100 CET would give 11:30:33 +0100 CET
    timezone +1200 would give 11:30:33 +1200


  5. How can I transfer mail accounts (users) from my current email server?

    The best way to answer this is to give you some details on options for DMail, and hopefully if you are able to tell DMail support about your current system then they can make relevant suggestions.

    It is worth noting first off that if the users are simply members of the operating system user database, you do not need to do anything with them - simply install DMail and it will find the users by default.

    DMail has two basic authentication options,

    (a) use the operating system password list
    (b) use an external authentication module

    There is one configuration file, dmail.conf, setting which sets this,
    authent_method

    For (a) this will either be,
    authent_method nt_user
    or
    authent_method unix_user
    depending on whether you are on a windows or Unix based platform.

    For (b) you set,
    authent_method external
    and
    authent_process path_to_program
    where path_to_program is the authentication program to run.

    Your options are:

    1. We provide an example authentication module, called NWAuth, which is fully functional and is very efficient with large numbers of users.
    2. You can also write your own to link to any type of user database (or modify one of ours).
    3. Our example module for linking into an LDAP server, LDAPAuth.
    4. Our example module for linking into DNews's users.dat file, DNAuth.
    5. A customer has provided us with the source to talk to a mySQL server, which DMail support can pass on to you to use or modify.
    6. There is a link on the following page to an ODBC authentication module provided by another customer,
      https://netwinsite.com/dmail/utils.htm

    So one of the above might be an option, but it does depend on how the user's details are stored. Our NWAuth module can also be run from the command line, e.g.
    set user password info="details"
    so it may be possible to write a script to run that for all of the users out of your current user database or from a user list.

    See the following section in the manual for more details:
    External Authentication

  6. How can I have some users who can connect direct to DPOP, but others who can only connect with DMailWeb/CWMail?

    Q:I want to have two different types of users. I want one group to have both pop and web access to their mail, and I want the other group to have web access only. How would I set this up? Would I need to run two seperate servers? I plan to authenticate using an external authentication module (talking to a MS SQL 6.5 database).

    A:Yes, you can run two separate servers or you can make an external authentication module flag which allows some users only web access.

    The trick is that DPOP only has the ip_address which the user connected from to know if the user has connected from CWMail or with another email client direct to the POP server. DPOP passes this ipaddress to the external authentication module.

    So,
    1. If you run two separate servers then you can use the user_ip_address setting on one of the servers to only allow connections to that server from the ip address of the CWMail machine. Each server then either needs its own authentication database or you need an external authentication routine for each server which cannot 'see' the other server's group of users in the database.

    2. The nicer way is to make your user database have a flag for each user to say whether or not they are allowed to connect directly to the POP server, and then make your external authentication routine check this flag, and reject the connection if they have not connected from the appropriate IP address. The IP address that the user connects from is given in the authentication request by DPOP, e.g.
    check username password ipaddress

    So your authentication routine needs to check the "direct DPOP connection allowed" flag and if it is false, it should check the ipaddress passed against your CWMail server(s)'s ip address and only allow the connection if it does not match. This is an example - you do not necessarily have to do it this way. The fact that the connection from IP address is passed to the external authentication module is the important point.

    If I have not pointed it out before, we also have the source code to another customer's SQL authentication module which I can give to you if it would help.

    For more information contact
    support- dmail@netwinsite.com

  7. How can I check what aliases I have set up for a user?

    Q:If I send a message to user x, how can I check what aliases are set up for that user?

    A:In order to do this, you should send a message to that username and then check the log file for lines with the word "chain" in them to see where it has been forwarded to.

    You need to set,
    log_chain true
    in dmail.conf and then issue the command,
    tellsmtp reload

    You probably don't want to bother the user with a message, so you should make use of the tellsmtp command,
    tellsmtp scriptfile.msc
    to initiate a message to the user, but pull out before sending any data.

    E.g. here is a scriptfile, bob.msc, that does this for a user bob
    **************
    HELO domain.com
    Mail From: <test@domain.com>
    Rcpt To: <bob@domain.com>
    QUIT

    **************

    Once you have run the tellsmtp script (on debug log_level), then you can 'grep' or 'find' for lines with the word, 'chain' in the log file, dsmtp.log.

    The following is a transcript of such an operation - looking for aliases and forward rules for the user bob.

    C:\dmail>tellsmtp bob.msc
    220 domain.com DSMTP ESMTP Server v2.5d
    Send (HELO domain.com)
    250 domain.com. Hello domain.com (161.29.99.1)
    Send (Mail From: <test@domain.com>)
    250 Command MAIL OK
    Send (Rcpt To: <bob@domain.com>)
    251 Command RCPT OK
    Send (QUIT)
    221 Command QUIT domain.com Service closing transmission channel to domain.com Send (QUIT)

    C:\dmail\log>find "chain" dsmtp.log

    ---------- DSMTP.LOG
    26/04 11:53:40 *** Starting rcpt chain for bob
    26/04 11:53:40 *** Adding <|\dmail\drespond.exe \message.txt -subject whatever -from "root@domain.com"> to rcpt chain
    26/04 11:53:41*** Adding bob to rcpt chain

    Which shows that the message is delivered to the robot '\dmail\drespond.exe . . .' and to the user, 'bob'

    Note: The log lines with the word 'chain' in them were only added, in version 2.5d, so if you are using a version of DSMTP older than that then you will need to grep for something like, 'process' and work a bit harder to interpret the results :-)


  8. I'm getting a Read Failed 109 error message, what's that?

    Q:Dpop.log is showing the error message 'Read Failed: 109', what's that?

    A:The 109 error says that a "pipe has broken". The two things in DPOP that use pipes are external authentication processes and dslave processes.

    It is most likely that it is the external authentication process causing the problem, and it is probably occurring on the read that DPOP does after sending the 'exit' command to the external authentication. i.e., DPOP has told the external authentication to quit, but does not get a response from it. So it checks to see whether the external authentication has responded every so often (you will see the 109 error in the log every time that it does) until the timeout period is reached and DPOP gives up.

    So this suggests that the external authentication routine is either not returning,
    +OK\n
    (+OK with a carriage return at the end) when it receives the exit command, or that it does not flush the output.

    NWAuth has, at times, done both of these things. So you should probably upgrade NWAuth to a version from the 2.5d or higher distribution set (NWAuth 2.0b).

    Note: in order to upgrade only NWAuth, you need to copy the NWAuth executable file over your old NWAuth file, e.g. on NT, \dmail\nwauth.exe. You will need to stop DPOP and DSMTP first so that they stop all their NWAuth processes.

    If you have your own authentication module, you should check that it does both of these things. Contact support- dmail@netwinsite.com if you have questions or a problem with this.

    The other possibility for the error is that one of the dslave processes is no longer alive when DPOP thinks that it should be. If you do a tellpop status command it will show the number of slave channels that it thinks are running.

    If this happens just once then it is probably not a problem, but if it continues to happen then it obviously does become a problem.

    If the slave_number setting is above 0 then DPOP should always be running at least one slave process. Versions of DPOP before 2.5g had a problem with the dslave processes finding the dmail.conf configuration file, so if you cannot start a dslave process from the command line then this may be the problem. It will be evident in the log file, dslave.log (which itself may be being written to a strange directory on your machine - it is best to use a search to find it).


  9. Can I filter messages based on the attachment name?
  10. There is no direct setting to filter by attachment filenames, but I believe that it can be done!.

    In the manual on our site(link below) under common optional settings you can find a setting
    msg_filter < filename>

    This points to a file which you create as just plain text and into which you can enter very basic filtering rules.

    But let's say we wanted to filter emails with the attachment filename of 'happy99.exe'

    We could have

    msg_filter f:\dmail\filter.txt

    and in filter.txt

    reject body begin 0666 happy99.exe
    reject body Content-disposition: attachment; filename= "happy99.exe"

    These two rules should pick up the required messages. The first reject rule is for uuencoded attachments and the second rule is for the more common MIME encoded messages.

    The rejection rules are done on simple string searches, so we suggest that you send a test message with an attachment to yourself, and open up the drop file in a text editor. From this you can identify for yourself this text within the body of such messages. You will then be able to refine your rules to catch the type of attachments your users get.

    You will no doubt find the command,
    tellsmtp filters
    this is useful, as it lists all filters found,and their number which corresponds with the rule number given in the line logged when a filter is matched by an incoming message.

    NB: you cannot use wildcard characters in body filter rules!!!

    reject body *.vbs
    will not work, you should have,
    reject body .vbs
    in order to be a little less general, we suggest
    reject body .vbs"

    You can use wildcards in header processing filters - DSMTP uses a different sort of processing for them, because they are shorter, and therefore do not need to be processed so efficiently.

    There is another problem with the suggestion above. Sometimes an email client might split the,
    Content-disposition:...
    line into two lines, in which case the suggested filter will not pick it up.

    The suggested filter above is still worth adding, but we are working on a MIME parser which extracts all the MIME details so that attachment filtering and other filtering will become much easier.

    Please contact DMail Support for an update on when that will become available.


  11. Tell me about the SMTP protocol?

    The SMTP protocol is the way that an email client talks to an SMTP server in order to send a message. Note: Often it is two SMTP servers talking to each other (relaying), rather than an email client and a server.

    A typical SMTP transaction looks like (this is NOT an RFC example),

    client: (opens TCPIP connection to port 25)
    server: 220 tosh.com DSMTP ESMTP Server v2.5f
    client: EHLO tosh.com
    server: 250-tosh.com. Hello tosh.com (161.29.2.46) < cr>
    250-ETRN<cr>
    250-DSN<cr>
    250 HELP
    client: MAIL FROM:<bob@tosh.com>
    server: 250 Command MAIL OK
    client: RCPT TO:<tam@tosh.com>
    server: 250 Command RCPT User found OK
    client: DATA
    server: 354 Command DATA Start mail input; end with < CRLF>.<CRLF>
    client: From: bob@tosh.com
    client: To: tam@tosh.com
    client: Subject: hello
    client:
    client: this is the message body, line 1
    client: line 2
    client: .
    server: 250 Command DATA Processed mail data Ok
    client: quit
    (server drops TCPIP connection)

    Notes:

    • The client sends EHLO, rather than HELO, if it is capable of Extended SMTP (ESMTP) Protocol
    • The server advertises all of its ESMTP capabilities if the client opened with EHLO
    • In the DATA stage, the client sends all of the message headers, then a blank line and then the message body. It sends a dot on a line by itself to indicate that it has finished.
    • If the ESMTP client wants to send a message body line with just one dot on it then it should 'dot stuff' and send two dots and the DMail servers know how to handle this.
    • If the client wants to be notified of the message delivery (not reading confirmation which is handled by the receiving email client) then it can specify a DSN. E.g.
      MAIL FROM:<bob@domain> NOTIFY=FAILURE

      Where FAILURE could be, NEVER, FAILURE, SUCCESS and/or DELAY. See Bounces and DSNs and also RFC1891

    In order to send an email message without a client (and to enable you to try out SMTP protocol), you can create script files (filename.msc) for DSMTP and run them with tellsmtp.

    Note: For the definite word on SMTP please search for the SMTP RFC on the internet (RFC821).


  12. How do I add Multiple IP numbers on a single machine?

    Windows NT: (workstation 4)

    You need to edit the properties of your TCPIP Protocol to add the new ip address to your network card (NIC).

    Go to the Network settings section of the Control Panel, select the Protocol Tab, then select TCP/IP Protocol and click the Properties button.

    You will be presented with the Microsoft TCP/IP Properties dialog window. On the IP Address tab, click on the Advanced button.

    Select the network card (NIC) to which you wish to add the ip address. Then click on the Add button and enter the new IP address and the netmask for your network (if you don't know your netmask, copy the one for the other ip address - a reasonable guess is 255.255.255.0).

    Unix based platforms:

    It is fairly easy to add multiple IP numbers for a single machine, up to 255 per interface is fairly straightforward. 1024 is usually possible with minor patches. The exact method varies from one form of Unix to another, see http://www.nethelp.no/net/vif/readme.html for more information.

    As an example on Linux, you would do the following:

    su - root
    ifconfig eth0:2 999.59.4.31 up
    to add a second ip number 999.59.4.31. The number :2 can be anything between :1 and :255

  13. Can I specify a RANGE of IP addresses?

    For most settings in dmail.conf that take an ip address, you can specify a comma separated list of entries (no spaces after the commas as a general rule) and you can also specify a range or wildcard.

    We DO NOT guarantee that you can use all of them for every setting, but we do try to code with this flexibility. So if you are wondering whether a setting will take a range, for example, then try it out, don't just expect it to work :-)

    NB: If a setting is a 'restrictive setting' then in order to get through the restriction, a value must get through all the restrictions in the comma separated list.

    Here are some examples:

    NB:Some of the examples in this FAQ were incorrect. Fixed 23 May 2000.

    NOTES:
    '!' indicates NOT
    '*' is a wildcard (generally for use at the start or end of a string, but with ipaddresses can be useful in the middle)
    '?' is a single character/digit wildcard
    'x-y' is a range from x to y (including x and y)

    NB: you can use, '!*?' OR a range, you can not use both, so this is not allowed,
    user_ip_address *,!1.1.1.0-255    (bad)

    The examples use the setting user_ip_address, which restricts which ip addresses can connect to DPOP.

    1. user_ip_address *,!161.29.5.24
    allows all ip addresses to connect, except 161.29.5.24

    2.
    user_ip_address *,161.29.3-5.24
    allows the following ip addresses to connect,
    161.29.3.24
    161.29.4.24
    161.29.5.24

    3.
    user_ip_address *,!161.29.5.*
    allows all ip addresses to connect, except,
    161.29.5.0
    ...
    161.29.5.255

    4.
    user_ip_address 161.29.3-5.0-255
    allows the following ip addresses to connect,
    161.29.3.0-255
    161.29.4.0-255
    161.29.5.0-255

    5.
    user_ip_address *,!161.29.*.24
    allows all ip addresses to connect, except,
    161.29.0.24
    161.29.1.24
    161.29.2.24
    ...
    161.29.255.24

    6.
    user_ip_address *,!161.29.20?.24
    allows all ip addresses to connect, except,
    161.29.200.24
    161.29.201.24
    161.29.202.24
    ...
    161.29.209.24

    Note: with this last example, if an ip address was, 161.29.009.24 then it would be allowed to connect.


  14. I want to UPGRADE, ... ?

    An upgrade is, in general, a quick and simple procedure. The same utility that you used to install DMail - dmsetup - has an upgrade option that does it all for you.

    Note: we are always very careful when making changes to our programs that we do not 'break' them for existing setups. Having said that, it is an easy thing to do, so upgrading is not something that we recommend doing whenever you feel like it - "don't fix what isn't broken" if you like. You should take particular care when upgrading from a version that is much older than the current beta version (e.g. 6-12 months).

    Things to consider when upgrading the DMail server (or a part of it):

    1. See the updates page,
      http://www.netwinsite.com/dmail/updates.htm
      to see which version you wish to upgrade to. If you are not sure, contact DMail support to confirm which version you should upgrade to. This applies particularly to versions out of the beta directory of the FTP site,
      ftp://ftp.netwinsite.com/pub/dmail/beta

      Note: you can, if you wish, only upgrade one of the servers or utilities from the DMail distribution set - if you are after a particular feature in a recent beta release then this is often a good option.

    2. Download the distribution set from our ftp site,
      ftp://ftp.netwinsite.com/pub/dmail

      If you are ftping from a command line, login as the user 'anonymous' and provide your email address as a password, then cd to pub/dmail.

    3. Save a copy of your configuration file, dmail.conf (typically \winnt\system32\dmail.conf or /etc/dmail.conf)
    4. You may want to revert back to your current version, so just in case you should try to save a copy of each of the executables that your system uses. If you have your last distribtion set then that should be enough. If not, you should save each of the server directories, e.g. \dmail (typically contains DPOP, dsmtp), \dmail\dwatch, \dmail\dlist.

      DMSetup will not touch any of your critical data.

      For Your Information ...
      The critical data for your email server is almost all in the mail drop file and bin file directories, (defaults are, \dmail\in and /var/mail). The upgrade will not touch these directories, but of course if you wish to back them up then that is never a bad idea.

      The other critical information to think about is:
      (a) mailing list information (lists.dat and users.dat for each list) - stored in the DList directory which should be fairly small to back up.
      (b) If you run external authentication, your user data base may be in a directory which dmsetup works in. NWAuth stores the user database in the DMail directory in nwauth.txt and on newer versions in nwauth.add as well.

    5. Set up some mail to look for after the upgrade (see the last step).
      (a) Send a test email to one user, and be careful not to POP that mail before the upgrade.
      (b) Send a test email to another user, and then login as that user but set your email client (or do it manually) so that the mail is left on the POP server. This is so that you can check for that mail after the upgrade in order to ensure that the bin directory is the same.
    6. Shutdown the DMAdmin windows GUI tool if you have it open (dmsetup can't upgrade dmadmin.exe if it is running).
    7. Unpack the distribution set and run the utility dmsetup.
    8. DMSetup should detect that you already have DMail installed and offer the upgrade option (2). DMSetup will stop each of the servers and then copy the new versions of the executables over the old ones. It will also upgrade your manual pages, *.htm in the DMail directory. Once it has finished upgrading, it will ask you whether you want it to start the servers again.
    9. You should now check that the new version is working. You should at least,
      (a) send a message through the system and,
      (b) if you use DList, post a message to a mailing list.
      (c) send a message to a user, and manually find that message in their drop file to check that the drop file is in the same location. An easy way to test this is by sending an email to a user both before and after the upgrade. Both emails should be in the user's drop file so long as that user has not logged on to the POP server.
      (d) check that when a user logs in, the DPOP server is using the same user.bin directory as it was before the upgrade. An easy way to check this is that mail left on the POP server before the upgrade should still be visisble after the upgrade.

    If you suspect that something has not upgraded, then you should attempt to manually stop that server or program and then run dmsetup again.

    If you have problems, please do contact DMail support .


  15. I want to MOVE DMail, ... ?

    Moving DMail to another machine is a fairly easy procedure. Here is a suggested method to help you remember the most common things. Each setup will be different, so think about whether there are any other things that you need to copy over for your setup.

    Note on License Keys:

    Your DMail license key was created for your old machine's specific machine name, e.g. server1.your_domain.com (UNIXish machines) or SERVER1 (Windows machines).

    If the new machine has the same name as your old one then simply load your key into the new machine with the tellpop command,
    tellpop key xxxx-xxxx-xxxx-xxxx-xxxx
    at the point below where you have started DPOP.

    If the new machine has a different name, you will need to email our Sales department,
    sales@netwinsite.com for a replacement key. You need to tell them the name of your new machine. They should email you your new key within 48 hours (usually only 24 hours).

    If you don't yet have your new key, do not worry, when you start DSMTP it will create itself a temporary trial period key. So it should start and work straight away for you.

    Suggest Method for Moving DMail ...

    1. install the same version of DMail on the new machine, but don't start the server when the installation utility asks you whether you want the servers started
    2. copy across to the new machine your dmail.conf file typically /etc/dmail.conf or \winnt\system32\dmail.conf
    3. Copy over any other files included into dmail.conf or referenced in it, e.g. alias files.
    4. Edit your host_domain settings in dmail.conf (and your dpop_host setting) so that your new machine name is included at the end of the list of host_domains (also known as synomyms)
    5. now, if it won't impact on your old server, start the new server up and try sending a few test messages through it

    Once you are ready to switch completely to the new machine ...

    1. Stop all servers on both machines
    2. Copy over the mail drop files, e.g. /var/spool/mail or \dmail\in

      NB: if your bin_files and _inf files are in other locations, don't forget to copy those as well.

    3. Copy over the work_path directory, e.g. /usr/local/dmail/work or \dmail\work
    4. Check dmail.conf on the new machine to see that all directory paths exist and that you have copied over any necessary things
    5. Start up the new server and monitor it for the next few hours.

    If you have problems, please contact DMail support .


  16. I want to park mail for a domain (but mail is rejected as no relaying)

    The setting that you need is,
    relay_to etrn_domain
    so that DSMTP will always accept mail destined for the domain etrn_domain.

    Then DSMTP will accept the mail and park it when it cannot connect to the server.

    It will try to send it every 2 hours, and bounce it after max_retrytime hours (default is 2 days).

    When the connecting email server sends the ETRN command, DSMTP will try to send all mail addressed to that domain in its queue.

    The other setting that you can use to bypass the DNS record if you have problems is,
    gateway etrn_domain ipaddress
    so that DSMTP uses the ipaddress given rather than doing a dns lookup on etrn_domain.

    In versions 2.8e and above, we added a new setting to DSMTP for that can also help with this. It is suspend_domain, e.g.,
    suspend_domain fred.com
    This setting stops DSMTP from processing any queue files destined for this domain, unless specifically requested by an ETRN commmand. So it is a good setting to use if someone will not be collecting their mail for a period of time longer than max_retrytime. NB: it can also be a bit dangerous to use for that same reason.

    In 2.8e we also added the setting, etrn_relay which allows all servers in a server farm or load sharing arrangement to receive an ETRN command sent to just one server.

  17. Can I run DSMTP (and DPOP) on another port?

    Yes, the setting that you want is,
    smtp_port 1025
    then restart DSMTP (with DMAdmin or on UNIX platforms with,
    tellsmtp shutdown
    /usr/local/dmail/dm_start.sh
    )

    Similarly for DPOP,
    pop_port 1110
    (/usr/local/dmail/dpop_start.sh to start DPOP on UNIX).

    NB if you are using dmadmin then you will have to select a new host to monitor with the following syntax as the ip address,
    127.0.0.1:1025:1110:
    so that it looks for the servers on the correct ports.
    (you may need to set the password for this to work, with,
    tellpop pass xxxx
    ,where xxxx is the password)

  18. Can I delete queue files from the queue?

    Yes, you can delete or move them with the result that that message is not delivered. However, there is a big BUT...

    Currently, if you move queue files out of the work directory (work_path) you cannot easily put them back in. You can copy a queue file back into the work_path directory and DSMTP will pick up on it the next time it reaches that queue file number, but DSMTP may have created another queue file of that same number, so if you overwrite it then that message will be lost.

    Also, note that some queue files will be in use by DSMTP and so locked. The tellsmtp status command gives you information on which queue files are in use.

    More information: See the section on Queue Files in the Disk Use and Files section.



  19. What things can I do in order to secure my mail system against hackers?

    Here is a list of things that we can think of. If anyone has suggestions or gets hit by a hacker, please let us know so that we can add to this list.

    • In general, use ssh when sending root password across internet
    • Use fake_vrfy, so that DSMTP responds falsely to checks on usernames on your system
    • Use smtp_welcome (version 2.8a and above only) in order to hide which SMTP server you are using, and what version it is.
    • Set manger_ip_address in order to limit manager commands to coming from as small a number of ip addresses as possible
    • Use the tellpop password command to set your manager password to something secure
    • Use shadow password files, which DMail supports when authent_method is set to unix_user (linux users use libc6 download).
    • Check which UID your 'robots' run as, see Robots running as root - Security Note
    • If a hacker is trying to guess passwords, you will see a lot of the following messages in dpop.log on info log_level,
      Info: Rejected bob, authent said bob password wrong or not a valid user
      So you can search for the keyword, 'Rejected' in dpop.log


  20. Does CWMail and DMail server support multi-threading?

    Yes and No. I will explain.

    First DMail:

    DMail is made up of an SMTP and a POP server, DSMTP and DPOP. Both of these servers are mostly just a single process and thread, so they would only run on one processor at one time.

    They have been written to be extremely efficient, and we believe that these servers are more efficient because of their single process architecture.

    However, there are two 'bottle necks' for single process mail servers. In order to overcome these, both servers can spawn subprocesses. Both DSMTP and DPOP spawn subprocesses for doing the user authentication, and DPOP also spawns a subprocess to 'burst' drop files, if a user's drop file is bigger than a certain size.

    So, these subprocesses can be run on different processors to the main server processes.

    So Yes, DMail can take some advantage from a multiprocessor system, but it is not written as a threaded process.

    NB: it is worth noting that the biggest 'bottle neck' for an email server is the disk access times. Hence, we recommend spending more money on fast disks rather than a multiprocessor environment.

    RE: CWMail

    CWMail is a CGI. As such, CWMail runs as a single process spawned by the web server on practically every click on the web pages that it displays. So it depends on your choice of web server as to how worthwhile it is to run on a multiprocessor environment. In general, however, because each instance of the CGI running is a separate process in the OS environment, there should be no problem.

  21. Is there a limit to the length of a username?

    Yes, there is. DPOP limits you to 78 characters in the username (this includes the domain name if you have set authent_domain true). So if your domain name was 10 cahracters in length, then you are limited to usernames with a maximum length of 78-1-l0 = 67 characters for local usernames.

    DSMTP does allow longer usernames because it needs to be able to relay on messages to people with longer usernames.

    NB: if you are using external authentication, the response that the module returns is not allowed to be longer than 1kbytes in total. So you will have to limit your length of username to something sensible, so that there is room to return long fwd="" fields for mail redirection.

    So if you impose your own limit of say 40 characters, you should not have any problems.

  22. Running DMail on your ISP's Server

    We are often asked whether it is possible to run DMail on an ISP's server.

    Basically, the answer for DMail is no. The DMail server needs to be run with root privilege and, in most cases, a box can only run one Mail server.

    You can run DMail on your ISP's machines, if they are not already running a mail server on that box, or they provide you with a box at their site, for which you have root access.

    It may be an option for you to run a 'downstream' server on a local box of yours, and have your ISP relay mail for your domain to you. DMail can send the ESMTP ETRN command to collect mail for such a domain.

    You may also be able to get your ISP to forward all your mail to just one POP mail account. Then the use of DMail's POPFetch is an option.

    Separate to the question of DMail is whether you can use one of our Web Based email CGIs such as CWMail on your ISP's 'virtual web server'. Please see the following FAQ for information on this,
    https://netwinsite.com/dmailweb/faqs.htm#Q18.

  23. Robots running as root - Security Note

    Q:> We have customers who would like to forward e-mail into external programs,
    > however, we have had to disallow this because we noted
    > that DMail was running these external programs as root.
    > How can we tell DMail not to run external programs as a privileged user,
    > and will this break auto-responders and mailing lists?

    A:If DSMTP can work out a user's uid (e.g. from the /etc/passwd file or from the authentication module response) then it will run the 'robot' as that user's uid.

    In the case of the question, I think that our NWAuth authentication module is being used. It responds with lines like,
         +OK username config 0
    where the 0 on the end is the user's id. It returns 0, i.e. root, for ALL users.

    Also, up until version 2.8l, if DSMTP could not work out a user's uid, it would run the robot as the same user as itself - i.e. root!

    This means that it is important to restrict the use of robots, e.g. NetAuth only allows users to set the text of the autoresponder robot.

    On Windows machines, it is not as common to allow access for users to create robots, but if it is allowed then the same issues need to be considered.

    Here are some options ...

    1. modify your authentication module to return a user id, e.g. that of the 'mail' user.

    2. We are adding setting,
    robot_defaultuser <userid> <password - NT only>
    which defaults to root if not defined.
    If set, DSMTP overrides anything returned by the authent module, so that all robots are run as the specified uid. If set to -1 then no robots are run. This should be available in 2.8l to be built 8 Jun 2000. It will apply to UNIX based and Windows platforms.

    The DMSetup utility will add it by default on fresh installation in 2.8l onwards and prompt users to add it on upgrade.

    You should specify a user with this setting that does not have any more privilege than it needs.

    On UNIX platforms, DMSetup will default this setting to the 'mail' uid, and you will probably want to create a special robot user with far less privilege. On Windows platforms, DMSetup will set the setting to 'ROBOT_USR robot_usr' by default (i.e. username and password the same) and the sysadmin will need to create this account - probably in the Guest group.

    3. Currently we have the domain_chroot setting, e.g.,
    domain_chroot domainone.com /usr/local/robots
    which makes all robots on the specified domain run with a root directory of, /usr/local/robots. I don't think that the robot can access outside of that with root access, but there may be clever trickery that hackers know.

    4. you control what programs the users run via a web gui. E.g. drespond is an example of this. NetAuth controls who can run drespond and what options it is given.

    RE: mailing lists and autoresponder

    Mailing lists are not affected, as DList handles these and is a separate process.

    The Drespond robot is affected, but with all of the options above there is no reason why they cannot keep working. You may simply have to make copies of the executable in the domain_chroot directory etc.

  24. Can I use DMail for a Remote or Dial Up Mail Server?

    Yes, DSMTP can be a remote or dial up mail server.

    Options:

    • DSMTP sending ETRN command to upstream Mail server (may be using RAS dialup):

      Setting the ras_timer makes DSMTP send the command, ETRN domainx.com, to the upstream server at the specified interval. DSMTP will send ETRN commands for all of your 'local' domains (as set by your host_domain or vdomain settings).

      The upstream server will then send all mail for those domains as soon as it can. Since your server is online it should be able to send the mail through to your local DMail server.

      This is probably the option to choose if you are retrieving mail for an entire domain or a number of domains.

      See the links in the ETRN section for more information .

    • Running POPFetch alongside local DSMTP for retrieving mail:

      POPFetch runs on the local mail server machine. It will periodically dial up your upstream server and collect all mail waiting in specified POP accounts. It will then process those messages and separate them out for individual users on your domain. It will feed the messages to the local DSMTP server so that it can deliver them locally.

      Often you can get whoever is running your upstream server to collate all mail for you into one POP mailbox for POPFetch to retrieve, e.g. in DSMTP this is easily done with the dmail.conf setting,
      forward *@yourdomain bob@domainx.com

      Follow this link for more information on POPFetch.

    Note on Dynamic IP addresses:

    If the machine where you want to run the Mail server does not have a Static IP address, you are probably limited to using POPFetch.

    Some ISPs can support receiving an ETRN command for your domain when you are on a Dynamic IP address. It is not typical that they can, as it requires specific dynamic DNS support,so you cannot infere that they are a sub-standard ISP for not offering it:-)

    Note on bounces:

    Using ETRN is a better option than popfetch if it is important that people sending mail to your local accounts receive 'bounce messages'. Most mail servers will try to deliver mail every few hours for a specified period if they cannot reach the final destination (your server) on the first go. At the end of that period, typically 1-2 days, they will 'bounce' the message back to the sender. With POPFetch (and some ETRN setups) the upstream mail server will consider the mail delivered once it recieves it (because it wrote the mail to a POP account). So if your server does not collect the mail for a long time (and nobody notices) then the sender would not be notified. ETRN can suffer from the same problem, so you should check with the upstream provider if it is a worry to you.

  25. Can I use DMail from behind a firewall or proxy server?

    In most circumstances yes, but there are some circumstances where you may need to rely on an 'outside world' SMTP server.

    NB: we are using the term 'firewall' loosely. We will mostly talk as if you are running a Proxy Server on your firewall box, rather than a router.

    There are two main things that you need to provide,

    1. DSMTP needs some way to connect to a DNS server in order to resolve domain names to IP addresses.

    2. DSMTP needs some way to connect directly to the outside world SMTP servers for non-local mail delivery.

    Here are some options, (Option 4 will soon be our recommended solution)

    1. Run DMail on the firewall box itself (so not really behind the proxy at all)

      For some firewalls you won't be compromising security greatly to run the proxy server on the firewall box, so that mail bypasses the proxy. In most cases, if doing this, you would store all mail on the firewall box until it was collected by the local email clients. You could store the mail on a network drive if you had a file server, for example, but in most cases you would probably not do this, because setting up the network drive connection would lessen the security of the firewall box.

    2. Relay via a DSMTP Server on your firewall box (bypass the proxy server)

      The idea here is that the two DSMTP servers - one on the firewall box, let's call it A, and one behind the firewall box (B) - can pass on to each other the messages that each can not deal with. In this way, the DSMTP server on the firewall allows mail to bypass the proxy server, but no mail is stored on the firewall box.

      Outgoing mail will be 'gatewayed' from B to the firewall DSMTP server A, which has access to the non-local SMTP servers and the DNS server(s) for non-local mail delivery. So A 'relays' mail for B.

      Incoming mail will arrive at DSMTP server A, which will 'gateway' all local mail to DSMTP server B.

      In order to do this, you will need to...

      1. Tell server B to gateway ALL outgoing mail to server A
      2. Tell the firewall server A to accept outgoing mail for 'relay' from server B
      3. Tell the firewall server A to accept incoming mail addressed to local domains on B
      4. Tell the firewall server A to gateway incoming mail addressed to 'local domains' on to B

      So if a.a.a.a is the ip address of server A, and b.b.b.b is the ip address of server B...

      On server B add to dmail.conf,
          gateway * a.a.a.a

      On server A add to dmail.conf,
          forward_from_ip b.b.b.b
          relay_to domain1.com
          relay_to domain2.com
          gateway domain1.com b.b.b.b
          gateway domain2.com b.b.b.b
      (keep adding relay_to and gateway settings for all local domains)

    3. See also, Routing.

  26. Gateway all outgoing mail to an Outside world SMTP server (via the proxy server)

    You can avoid most problems by 'gatewaying' all outgoing mail to an SMTP server in the outside world, that provides you with 'relay' access.

    This is similar to the option above in that outgoing mail is relayed via an SMTP server with 'outside world access', but with this option, mail goes through the proxy server and incoming mail comes direct to your proxy server.

    In order to do this, you add a setting to dmail.conf like,
        gateway * x.x.x.x
    where x.x.x.x is the ip address of your firewall server.

    The possible problem with this is that you need to set up the proxy so that,

    (a) anything connecting to port 25 from the DMail server address is mapped to port 25 at your ISP's SMTP server IP address.

    (b) anything connecting to port 25 from other addresses (e.g. outside world ones) is mapped to port 25 on your DMail server's IP address.

    Some proxy servers are not capable of this type of setup on the single port (25), and some will do it 'automatically' with a 'SMTP proxy' feature. If you are using a router, then it will probably have no problems with this.

    If your proxy cannot do that sort of setup, note that in version 2.8n we have altered the gateway setting so that you can specify the port on the proxy,
        gateway * x.x.x.x:1025
    This allows you set up up two port mappings on the proxy,
        1025 -> ISP_IP_Address:25 (for outgoing mail)
        25 -> DMail_IP_Address:25 (for incoming mail)

    You also must get whomever is running the outside world server to accept mail from your server for relaying. ISPs, by default, will stop you from relaying through their box unless you have their permission (this is to stop them from being abused by spammers). They will probably do this based on the ip address of your proxy server, as that is the address that mail from your DSMTP server will appear to them to have originated from. If they are running DSMTP, they would add the forward_from_ip setting for your ip address.

  27. Proxy DNS Access AND use telnet proxy in order to reach non-local SMTP servers

    Sometimes people have their own DNS server behind or on the firewall, but most people don't, so you will need to...

    Set up a proxy server to relay all DNS lookups:

    Doing this varies between proxy servers. It is important to note that DNS lookups can be done on a TCPIP port and/or a UDP port. So you need to set up your proxy server to at least relay TCPIP connections on port 53 to port 53 on the DNS server. On most proxy servers you can setup a TCPIP 'port mapping' or 'link' to do this.

    You also need to tell DSMTP which DNS server to use by adding the dmail.conf setting,
        dns_host y.y.y.y
    where y.y.y.y is the ip address of the DNS server to use. You must restart DSMTP after changing or adding this setting.

    Using telnet proxy to reach non-local SMTP server:

    You cannot simply add a 'port mapping' for port 25 on most proxy servers and expect them to 'proxy' all incoming and outgoing connections on port 25 to/from the DSMTP server.

    When the DSMTP server tries to reach a non-local server it is trying to connect to that server directly on port 25. Even if we added a setting to DSMTP to make it connect to your proxy server, there is no way for the proxy server to map an incoming connection on port 25 to the required server which could be anywhere in the world!

    So we have recently added a new setting to DSMTP (in version 2.8n) which makes it open all non-local connections via your proxy server's telnet port.

    Because there is no fixed syntax for proxy telnet ports the new setting allows you to specify the connection string to be given to the telnet server, e.g.
    destination_ip:25

    The setting is,
     
    proxy_domain <wildcard_domain_name> ip[:<port>] <proxy_request_string [optional macro $IP]>
     
    where $IP is the resolved IP address of the destination domain, E.g.,
    proxy_domain * 1.2.3.4:23 $IP:25
    where 1.2.3.4 is the ip address of your proxy server. This example results in all outgoing mail being sent to the telnet proxy at 1.2.3.4, where the proxy server takes a request string of, x.x.x.x:25. DSMTP will replace x.x.x.x with the DNS resolved IP Address of the the destination domain.


  28. Does DMail support CDONTS?

    No, but there is now an option in DMail to deliver mesages written to file.

    I am afraid that CDONTS were created too much as part of the web server/email server combination, and do not use the standard SMTP protocol that they 'should' for sending mail. So as far as I know there is no way for CDONTS emailing calls to get the mail message to the SMTP server.

    However it would seem that it is an option (possibly the default) for CDONTS calls to write email messages to a given directory.

    We have recently added a feature whereby DSMTP will 'pick up' messages written to file in a directory, and deliver them to the destination address specified in the message headers in the file.

    So given that you can somehow make your system create such files on the server's local drives, DSMTP can deliver them.

    For information on the setting needed and the message file format, see the DSMTP Settings List,
    spool_dir.

    NB: you need a 2.8 version of DSMTP, so I suggest that you download the latest 2.8 build (probably 2.8v) from the directory,
    ftp://ftp.netwinsite.com/pub/dmail

    NB: This new feature has not been thoroughly tested yet, and we can not be sure that it will handle the file format created by CDONTS. So contact DMail Support if you strike any problems or need us to make changes to the system.


  29. My Users are not appearing in the NWAuth database file.

    Often people are mistaken about the way that NWAuth stores usernames and other data, so here is an explanation.

    When you add a user to NWAuth, e.g. by running it at the command line

    NWAuth
    set bob secret
    quit

    NWAuth will write the username and the details to the file,
    nwauth.add
    in this format,
    username:password:blah
    where 'blah' is any other information that you store for the user.

    When you modify a user's details, NWAuth simply adds another line for the same user to nwauth.add with the new password or other details.

    When you delete a user, NWAuth adds a line like,
    username:(DELETE):(DELETE)
    to the nwauth.add file.

    When the nwauth.add file reaches a certain size, NWAuth will delete that file and update the main database file, nwauth.txt. When it updates nwauth.txt, it processes it in order, so in general it uses the last entry for a user found in the nwauth.add file and deletes the user if it finds a line for a user with the '(DELETE)' password. It does this so that all of its operations are instantaneous no matter what size the user database is.

    Often you will only have an nwauth.add file, and the nwauth.txt file will not appear for several days.

    If usernames are not being added to the file, here are some helpful hints:

    • Look in the nwauth.add file, not the nwauth.txt file
    • Try NWAuth from the command line. See EAP definition for details of the commands.

      If it works from the command line, then you probably have the incorrect setting in dmail.conf or netauth.ini. This is now, authent_process for both dmail.conf and netauth.ini. (On NT, use a drive letter or UNC name when specifying the process, e.g. c:\dmail or \\machineA\cdrive\dmail rather than just, \dmail, which is ambiguous).

      If it still fails, see the next suggestion below.

    • Is NWAuth modifying the NWAuth file in the directory which you think it is?
      This might be the problem if you are running NWAuth across a network or on an NFS drive.

      If you are suspicious of this, search your machine for any copies of nwauth.txt or nwauth.add.

      NWAuth decides where to find/create the nwauth.add and nwauth.txt files in one of two ways.

      1. It looks at the local dmail.conf file and uses the value of the dsmtp_path setting, typcially c:\dmail\

      2. You run it with the command line argument, -path, to specify the path to use, e.g. at the command prompt,
      c:\dmail\nwauth -path c:\dmail
      or in dmail.conf or netauth.ini,
      authent_process c:\dmail\nwauth -path c:\dmail

      NB: you should not need to set the path unless you are running in a server cluster. We don't recommend that you use the -path option unless you need to - i.e. be careful of using it as a quick fix without understanding why it is not working without it. Talk to DMail Support if you want help working out why it is not working.

    • There could be a file permission problem:

      (See also, Authentication for DMail and NetAuth on Clustered machines and Network Drives )

      On NT:
      NWAuth is spawned by DSMTP and DPOP, which are spawned by dwatch service which is typically running as the 'System Account', so check that the directory which NWAuth is running in, and the NWAuth files, give full access to that user.

      If using NetAuth, note that it is generally being run as a specific user by the web server. You need to work out what the user is (typically IUSER_XXXX, where xxxx is you machine name). Then ensure that that user is created on the box, and has the permissions needed in order to run NWAuth and create/access the nwauth.add and nwauth.txt files in the dsmtp_path directory.

      On UNIX:
      NWAuth is spawned by DSMTP and DPOP, which may be spawned by the dwatch process. All of these will be running as root, so in general you should not get a problem. If you are running NWAuth on an NFS, you will probably need to set root access on the file share so that these programs can access it.

      During installation, the NetAuth binary should have had its s bit (sticky bit) set. It's ownership should also have been set to the root user. This is so that the web server will always run it as root.

      Unless the permissions are set as such, NetAuth will not be able to function properly.

      So,
      ls -l netauth.cgi
      should show something like this,
      -rwsrwsr-x root:root netauth.cgi

      If not, set these permissions with the commands...
      chown root:root netauth.cgi
      chmod 6775 netauth.cgi

      NB: with file permission problems, it is often a good idea to give all access to the user in order to get it working, and then work backwards, restricting the access to the level you are happy with.


  30. Authentication for DMail and NetAuth on Clustered machines and Network Drives
    (AKA: Running NWAuth on a shared network drive )

    Most of the following is for the authentication module NWAuth, but much of it applies when using any authentication module.

    When you have a cluster of DMail servers or a DMail server and NetAuth running on a web server, you need to allow them to all access the same user database.

    For authent modules like MySQLAuth this is not a problem, because the database is accessible via TCPIP from any machine on the network.

    For NWAuth and some other modules which use local database files, this is a problem.

    Here are 3 solutions for NWAuth:

    1. make all of the servers run the same copy of NWAuth on a shared network drive.

    2. run a separate NWAuth on each server, and set the -path option so that they all work on the same nwauth.add and nwauth.txt files on a shared network drive.

    3. run a TCPIP daemon that spawns NWAuth on one machine and then run a 'client' for that daemon on each of the servers.

    Option 3 has some good benefits, so we are creating a new module called, TCPAuth (with TCPAuth_client) to do that. Contact DMail Support for more information.

    Option 1 is the current option being used by customers and so is known to work on UNIX and NT. Setup for option 1 is described below.

    Option 2 is pretty similar to option 1, so if you want to do that, read the suggestions below and you will probably be able to work out what to do.

    So, to recap, the information below is how to

    Run NWAuth on a shared network drive.

    • For those on UNIX and using NFS drives:

      NWAuth is spawned by DSMTP and DPOP, which may be spawned by the dwatch process. All of these will be running as root, so in general you should not get a problem.

      During installation the NetAuth binary should have had its s bit (sticky bit) set. It's ownership should also have been set to the root user. This is so that the web server will always run it as root.

      Unless the permissions are set as such, NetAuth will not be able to function properly.

      So,
      ls -l netauth.cgi
      should show something like this,
      -rwsrwsr-x root:root netauth.cgi

      If not, set these permissions with the commands...
      chown root:root netauth.cgi
      chmod 6775 netauth.cgi

      You will probably need to set root access on the file share, so that these programs can access it.

      In both dmail.conf and netauth.ini, use the authent_process setting to specify the full path to the NWAuth process, and pass it the command line argument, -path, e.g.
      authent_process /shared/dmail/nwauth -path /shared/dmail/
      (in dmail.conf the authent_method setting should also be set to, 'authent_method external')

      Remember to restart both DSMTP and DPOP after changing the authent_process setting,

      tellpop shutdown
      tellsmtp shutdown
      /usr/local/dmail/dm_start.sh
      /usr/local/dmail/dpop_start.sh

      If authentication fails, look in the dpop.log file to see why. You will see at the start of the dpop.log file, after restarting DPOP, whether it has had difficulty in spawning the authentication process.

    • For those on NT and using network drives:
      1. Run the dwatch service as a specific user, e.g. IUSER_DMAIL, which you must create on ALL boxes, i.e. the mail server box, the web server box and the box that holds the network drive (it will depend on your setup how many boxes this is, it may be just 2 boxes or many more).

        Set this in Control Panel, Services. Select 'dwatch monitor for DMail servers' and click on Startup and change the check the 'Log on as this account:' button and enter the account (IUSER_DMAIL) to be used and any details.

        You will have to stop and restart the dwatch service in the Services dialog in order to make this change take effect.

      2. Similary, you will need to ensure that the Web Server spawns NetAuth as the same user, IUSER_DMAIL, so that it can access NWAuth on the network drive.

        Most web servers allow you to set the username used for spawning CGIs (that is what NetAuth is). Often they are spawned as the anonymous user login account, IUSER_XXXX where XXXX is your machine name - look in your NT system user database for such a user.

        You won't know what the password for that user is, so you won't be able to add that user to the other boxes in your cluster. This is why we suggest creating the new user, IUSER_DMAIL, on all of the boxes.

        If you have the IIS server, see the specific note below.

      3. Use UNC names for the paths rather than mapped network drives, e.g.,
        authent_process \\machineA\Cdrive\dmail\nwauth.exe

        UNC names allow the dwatch service which will start automatically after a reboot to reach NWAuth on the other box, even if no one is logged in yet. Whereas mapped drives are only accessible once someone has logged in to the box, so won't be accessible to dwatch (and hence, DSMTP and DPOP) after a reboot until someone logs in to the mail server box.

      4. In both dmail.conf (c:\winnt\system32\dmail.conf) and netauth.ini (c:\inetpub\scripts\netauth.ini) use the authent_process setting to specify the full path to the nwauth.exe file and pass it the command line argument, -path, e.g.
        authent_process \\machineA\Cdrive\dmail\nwauth.exe -path \\machineA\Cdrive\dmail\
        (in dmail.conf the authent_method setting should also be set to, 'authent_method external')

        Remember to restart both DSMTP and DPOP after changing the authent_process setting. The best way to do this is either with DMAdmin or using the Control Panel Services dialog.

        If authentication fails, then look in the dpop.log file to see why. You will see at the start of the dpop.log file, after restarting DPOP, whether it has had difficulty in spawning the authentication process.

    • Special note on the IIS web server:

      Follow all the suggestions above. If they do not work, check the following magic setting as this sysadmin did:

      I just tried changing the settings in IIS.
      Under Web Site properties->Directory Security->Anonymous
      Access...->Allow
      Anonymous Access[edit]

      I have "IUSER_DMAIL" as the username and have set up all permissions for that user on both mail server boxes. I had ticked,
      'Enable Automatic Password Synchronization'.
      I unticked this, and NOW IT WORKS!


  31. Changing hash_spool, what needs to happen?, how do I test fixhash?

    (The administrator is talking about the fixhash utility and he wants to convert the mail for his single domain from hash_spool 0, to hash_spool 2)

    > the hash thingie ...
    > Im thinking of doing it late on saturday night ..
    > I will take the server offline
    > backup the mail directory
    > then try hashing . .sound like a plan ?

    yes. I suggest that you have a play with the hashing utility before then so that you are familiar with it and have tested it with your settings - e.g. just get it to move a couple of accounts using a copy of those accounts as the starting point.

    Some details ...
    If mail for a user 'shaun' is in,

    /var/spool/mail/shaun
    (assuming hash_spool 0, drop_path /var/spool/mail)
    then shaun will have a bin directory,
    /var/spool/mail/shaun.bin
    (with just one level of files below that)
    (assuming bin_path = drop_path)
    and an _inf file,
    /var/spool/mail/shaun_inf

    So make sure you back up all of those. I suppose that is simply, /var/spool/mail and anything lower.

    If you want to move to,

    hash_spool 2
    then those files and directory need to move to,
    /var/spool/mail/s/h/shaun
    /var/spool/mail/s/h/shaun.bin
    /var/spool/mail/s/h/shaun_inf

    (NB: hash_spool 2 says 'first new directory level = first letter of username' and 'second new directory level = second letter of username', hash_spool 1 creates just one directory and is not easily worked out by a human what letter to use).

    So you could copy a couple of accounts from,

    /var/spool/mail
    to say,
    /var/spool/test

    Then run fixhash on them in order to hash them to the same base, e.g. fixhash should change,

    /var/spool/test/shaun
    /var/spool/test/shaun.bin
    /var/spool/test/shaun_inf
    into,
    /var/spool/test/s/h/shaun /var/spool/test/s/h/shaun.bin /var/spool/test/s/h/shaun_inf

    You should be able to do that testing while online. Note that fixhash will show you what it is going to do by default, but you must add the command line option to make it actually do anything.

    NB: I am not sure if fixhash moves the _inf files. They don't need to be moved unless you actually manually edit them. If you do manually edit them, it would be to put an individual quota line in, e.g.,

    quota 10000000
    (for 10 Mbytes quota for that user). I don't think you do that on your system. The only other line in there is,
    used xxxxx
    which is filled in by DPOP when a user logs out and you have user_quota set in dmail.conf (it is the amount of space which the user is using in the bin files). SO, if the files were deleted, then the quota checking might underestimate until the user next logged in to DPOP. If you do not have user_quota set then you may not even have _inf files.

    On newer 2.9 versions, we store the bulletin number in the _inf file, so it will be important that they are moved in order to save the users from receiving the same old bulletins again. ( I am just telling you this for completeness) So if fixhash does not move the _inf files, please let me know as we would need to fix that.

    If you had vdomain lines, you would run fixhash on each of the domains separately (again, telling you this just for completeness).

    Note: fixhash can work in reverse in order to unhash if you need it.

    Let me know if you want any of the above explained further, or if you have any problems with fixhash.

  32. I need to send a message to all users on my system, but many of them do not login locally. Is there anything more than bulletins?

    Yes, there is. In version 2.9g we have added the tellpop command,

    tellpop list_users_addresses <wildcard-domain> <filename>
    which allows you to list all local email addresses on your system to the specified file by using * as the domain parameter.

    See tellpop commands for general details of the setting.

    So, if you create a DList mailing list (see Creating a mailing list) called, say, 'allusers', then you can point the output of the tellpop command at the users.lst file for that mailing list, e.g. for a list located at,

    c:\dmail\dlist\allusers
    you could enter at a command prompt,
    tellpop list_users_addresses * c:\dmail\dlist\allusers\users.lst
    to refresh the list of users on the 'allusers' mailing list.

    You could set up a cron job or AT command in order to refresh this list at regular intervals, say every hour.

    Then if you sent an email to,

    allusers@host_domain.com
    DList would deliver your message to all 50,000 users on your system!

    Creating system wide mailing lists has the advantage that all users will get the message whether they collect their mail locally, or on another server due to a forward setting.

    You should, of course, restrict access to the list in order to stop spammers from posting to the mailing list!

    Similarly, you could set up mailing lists for each domain or groups of domains.

    NB: PLEASE, PLEASE, PLEASE DON'T use a system wide mailing list unless the bulletin feature does not meet your need. Bulletin messages are far more efficient than sending a message to every user on the system.

    So, if bulletins do not meet your needs, talk to us about improving them.

    We have greatly improved the bulletin service recently so that you can do things like only sending bulletins to certain domains, and stopping new users from seeing old bulletins.

  33. How can I use the @ character for suffix based vdomains with netscape?
    To use the "@" symbol using Netscape Mail:

    1. Close Netscape
    2. Edit /program files/netscape/user/prefs.js (right click - open with notepad)
    3. Add new line:
    user_pref("mail.allow_at_sign_in_user_name", true);
    4. Save file
    5. Open Netscape