DMail Frequently Asked Questions:
No. 1 question: How do I set up a 'HotMail' type system?
Questions:
- I like DPOP but I have half a dozen users who leave mail on the server and need to read email direct from Unix drop files.
- What operating systems is DMail available on?
- What is the maximum number of email clients that can be handled by DPOP?
- We have our own special username/password routines. Can these be used with DPOP?
- Is the source for DPOP, DSMTP and DList available so that we can tailor it to our needs?
- We would like to try DPOP, but are paranoid about upsetting umpteen thousand users. How can we ease into it?
- Should I use username suffixes or multiple IP numbers for virtual domain support?
- Can I set up a 'HotMail' like system using DMail or DMailWeb?
- I want all domain1 email which does not go to a specific user to go to one designated user.
- What is Relaying?
- How do I add extra fields to wadduser?
- Time Stamp and Time Zone problems (mostly on Linux platforms).
- How can I transfer mail accounts (users) from my current email server?
- How can I have some users who can connect direct to DPOP but others who can only connect with DMailWeb/CWMail?
- How can I check what aliases I have set up for a user?
- I'm getting a Read Failed 109 error message. What's that?
- Can I filter messages based on the attachment name?
- Tell me about the SMTP protocol?
- How do I add multiple IP numbers on a single machine?
- Can I specify a RANGE of IP addresses?
- I want to UPGRADE, ... ?
- I want to MOVE DMail, ... ?
- I want to park mail for a domain (but mail is rejected as no relaying)
- Can I run DSMTP (and DPOP) on another port?
- Can I delete queue files from the queue?
- Security Note: What things can I do to secure my mail system against hackers?
- Do CWMail and DMail servers support multi-threading?
- Is there a limit to the length of a username?
- Running DMail on your ISP's Server
- Security Note: Robots running as root
- Can I use DMail for a Remote or Dial Up Mail Server?
- Can I use DMail from behind a firewall or proxy server?
- Does DMail support CDONTS?
- My Users are not appearing in the NWAuth database file...
- Authentication for DMail and NetAuth on Clustered machines and Network Drives
- Changing hash_spool, what needs to happen?, how do I test fixhash?
- I need to send a message to all users on my system, is there anything more than bulletins?
- How can I use the @ character for suffix based vdomains with netscape?
Answers:
- Drop users:
You have a few users who check their mail using a normal POP client but leave the mail on the server, and who want to be able to access the drop files directly, with pine for example. But DPOP converts the drop files to its own format for more efficient manipulation, so once the mail has been checked there is nothing left in the drop files and the users can't see their mail. This is easily remedied by adding a line to your dmail.conf configuration file. It should look like this:
drop_users ralph,bill,*smith
This would force DPOP to leave all the email messages for ralph, bill and anyone with a usercode finishing with the word smith in drop files. Be careful not to put spaces in the list, and avoid making it too general, as there is a performance hit in keeping messages in drop files. That's why DPOP avoids it in the first place. This setting is only needed for users who check their mail with a POP3 connection AND leave it on the server AND want to read it with software that directly reads the drop file.
- What operating systems is the DMail package available on?
It is our intention to make it available on all common operating systems. It is initially available on Linux, Solaris, HPUX and Windows NT. Please ask if you need it for another system soon.
- What is the maximum number of email clients which can be handled by DPOP?
This basically depends on the server hardware it is to run on, and the type of license you buy. It is intended to be very scalable and to work well on large and small systems. Because of its design, both large numbers of concurrent users and large numbers of email user accounts have relatively little impact on the process size and performance.
- We have our own special username/password routines. Can these be used with DPOP/DSMTP?
Yes, DSMTP and DPOP can be configured to use an external authentication process for checking username/passwords.
- Is the source available so that we can tailor it to our needs?
No, but this should not be necessary, as most aspects of DSMTP, DList and DPOP can be easily configured. They can also use an external password checking routine and an external routine to indicate where drop files are and how the path is hashed. DPOP can also generate statistics which can be used by an external routine for generating charging information. If there is some other aspect which you need to be able to tailor, please let us know.
- We would like to try DPOP, but are paranoid about upsetting umpteen thousand users. How can we ease into it?
Email is a vital service, so even if the current popper you are using is slow it is still a scary step to move to another one. You can't afford to upset users. So how do you ease into it? There are a number of strategies which can be helpful here.
- If you have the luxury of a spare machine, obviously installing DPOP onto that first will help. This at least allows you to check out the various options which you might want to use and get used to how they work. The DMSetup wizard will help you to remove it from the test machine after your testing is complete. The de-install option tries to err on the conservative side. It tells you where the files are that you might want to delete. It will only remove something that is definitely part of DPOP and not any other popper.
- If you have not got a spare machine, or you have tried that and are now more comfortable but still cautious: the next easy step is to install DPOP on the main server BUT get it running on a different port. This way you can leave your original popper running. For example, you might set DPOP up on port 1100 instead of 110. In order to do this, follow the normal installation procedure, but say no to the question: "Shall I comment out current POP3 entries in inetd.conf". Then edit the dmail.conf file and change the pop_port line as shown below, from:
pop_port 110
to:
pop_port 1100
You can then get individual users to try switching to DPOP by changing the setting in their email reading software to read on another port. This is straightforward in Pegasus Mail and more difficult on some other email clients. For Eudora on Windows 95 just edit the Services file in the Windows directory to change the POP3 port. You can even allow someone to connect both ways, although if they are going to do this AND leave unread or undeleted mail on the server you must put a line in dmail.conf to tell DPOP to change their bin files back into a drop file at the end of each session. This should only be done if they NEED to read their mail from the Unix command line or some other non-DPOP connection, as it will slow down processing. If Bob, Bill and Bert are Unix gurus who read their mail both from the Unix command line and using a POP3 client, you might add one of the following lines to dmail.conf:
drop_users B*
drop_users Bob,Bill,Bert
Once you have run DPOP in this mode for a while you can switch back to the real POP3 port by changing the pop_port line in dmail.conf and then issuing the tellpop reload command.
- Alternatively, you can take the plunge and install DPOP directly on your main server in some off-peak time. Test it with a few test accounts and if there are any problems that look difficult, revert to the previous popper. To do that, all you need to do is put the lines in inetd.conf back how they were and get inetd to reload. The DMSetup wizard can do this for you. If the accounts you have tested have undeleted or unread mail left on the server, these must be converted back to drop files. This must be done before stopping DPOP, by using either:
tellpop drop_all
to do all accounts that have used DPOP, or
tellpop drop Bert
tellpop drop Bill
etc. to deal with user accounts one at a time.
- Should I use username suffixes or multiple IP numbers for virtual domain support?
Multiple IP numbers have the advantage that the users do not need to change the username setting in their email client packages. Username suffixes save you having to configure your server machine to respond to multiple IP numbers. The two schemes work as follows:
If a vdomain setting line has an IP number like 1.2.3.4 in it, then DPOP checks what IP number the user was connecting to and acts on the matching vdomain lines. If the vdomain setting line has a suffix string rather than an IP number in the same place (e.g. /xusers), then when a user connects to DPOP and sends
user fred/xusers
DPOP picks up the /xusers and uses that to match a vdomain line. The suffix is stripped off and the prefix is added just as it would be for an IP based vdomain. From then on the two systems are the same. The other question is what we end up with as a drop file name.
Consider the two vdomain lines:
- vdomain abc 1.2.3.4 xdomain.com /var/spool/mail/xdomain
- vdomain abc /xdom xdomain.com /var/spool/mail/xdomain
If a user connects to 1.2.3.4 or uses a username
fred/xdom
Then the Unix username used will be
and the drop file used will be
- /var/spool/mail/xdomain/fred
Some mail transport systems find it easier to
deliver to a drop file
- /var/spool/mail/xdomain/abc_fred
To allow for this, another setting has been added
if this setting is true, DPOP will use the second
form for the drop file name.
- Can I set up a 'HotMail' like system using DMail or DMailWeb? (Technical details on WAdduser)
Yes, we have a Web Based Email system that offers Auto Account Creation. For general information on such systems, see: Setting Up Web Based Email System with Auto Account Creation.
Our OLD way of doing this is presented below...
Yes, using wadduser instead of NetAuth you need:
- CWMail (web to mail interface)
- DMail (dsmtp, dpop)
- NWAuth (external authentication module for dmail)
- wadduser (example web cgi for adding users using nwauth)
Note: You no longer have to use WAddUser with our new product NetAuth.
DMail comes with source and binary examples of NWAuth and wadduser. You should examine the source and modify wadduser.htm so that it only allows the users to automatically create their own accounts (it has extra functions which you would not want them to be able to do).
Technical details:
- Fetch the source for nwauth/wadduser. This should come with DMail, but if you have an earlier version you can download it from:
ftp://ftp.netwinsite.com/pub/netwinsite/dmail/nwauth.zip
- Make any changes to the source that you want (not required). See "How do I add extra fields to wadduser?" for some more information on this.
- Build wadduser.cgi and nwauth (only needed on UNIX).
Unix:
gcc wadduser.c nwauth.c -DNOAUTHMAIN -o wadduser.cgi
rm nwauth.o (so you can build it without NOAUTHMAIN defined)
gcc nwauth.c -o NWAuth
Note: if you get crypt errors you may need to add -lc -lcrypt to the end of each gcc line.
Windows:
Create two console (command line) projects: 1 builds nwauth.exe from nwauth.c; 2 builds wadduser.cgi from both wadduser.c and nwauth.c, but you need to define NOAUTHMAIN as a preprocessor definition.
NB: In both projects you will probably need to add wsock32.lib to the list of standard linked libraries.
- Install the cgi script and the html form.
Windows:
copy wadduser.cgi \inetpub\scripts (or wherever your web server cgi directory is)
copy wadduser.htm \inetpub\wwwroot
Unix platforms:
cp wadduser.cgi /home/httpd/cgi-bin (or wherever your web server cgi-bin directory is)
cp wadduser.htm /home/httpd/htdocs
- Test the cgi: use Netscape and reference your web site:
http://your.web.server/wadduser.htm
Fill out the form and press one of the buttons. If it fails, you will probably need to modify the 'action' in wadduser.htm.
- Tell DMail to use NWAuth for user authentication. Add or change in dmail.conf (/etc/dmail.conf or \winnt\system32\dmail.conf):
authent_method external
(unix) authent_process /usr/local/dmail/nwauth
(NT) authent_process c:\dmail\nwauth.exe
authent_number 1
- Modify wadduser.htm so that it only allows the actions that you want users to be able to perform (e.g. not delete or search).
- On UNIX, you will need to set some file protections:
touch ..../cgi-bin/adduser.log
chown nobody .../cgi-bin/adduser.log
touch /usr/local/dmail/nwauth.txt
chown nobody /usr/local/dmail/nwauth.txt
- If you wish, add a bulletin message to DPOP that welcomes all new users.
- You can add a file, added.htm, in your cgi directory and wadduser will display the contents of the file when a user has been successfully added, underneath the 'Adding User' title.
-
I want all domain1 email which does not go to a specific user to go to one designated user.
The setting you want is fallback_address, e.g.
fallback_address domain1 default@domain2
FYI . . .
I gather that you were using forwarding rules in order to try to do the same thing instead of using the fallback address. I note that from the lines you had set up, you seemed to be expecting DSMTP to stop looking through the list of forward rules when it found the first match. So, for example, you had something like,
forward bob@domain1 bob@domain2
forward fred@domain1 bob@domain3
forward *@domain1 default@domain4
and expected DSMTP to only action the bob@domain1 line if a message came in for bob@domain1, i.e. you wanted the *@domain1 line to 'catch' any messages that did not match the first two forward rules.
The way DSMTP has been written, all forwarding rules that are found to match for an incoming message are applied, and forward rules are also applied instead of delivering the mail to the original recipient. So if a message came in for bob@domain1, given the dmail.conf lines above, bob@domain2 would receive the message AND so would default@domain4 (because both of the forward rules can be matched) BUT bob@domain1 would not receive the message.
Whereas the fallback address setting,
fallback_address domain1 default@domain4
does what you want, i.e. if a message came in for bob@domain1.com and it could not be delivered, because the user database did not have an entry for bob and there wasn't a setting (forward rule, alias etc.) sending the mail to someone else, then DSMTP would deliver it to the fallback address, default@domain4, instead of bouncing the message back to the sender.
Note: DSMTP's action of applying all forward rules is a nice feature that you will probably use for other situations.
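The following is an added model of the forward-rule and fallback_address behaviour described above, written for this FAQ and not taken from DSMTP's own code. It applies every matching forward rule, drops the original recipient when any rule matched, and only falls back when the user is unknown and no rule applied; the local user list and the domain names are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

#define MAX_OUT 8

struct forward_rule { const char *pattern; const char *target; };

/* Glob match where '*' matches any run of characters (enough for *@domain1). */
static int glob_match(const char *pat, const char *s)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {                       /* try every length for the '*' span */
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    return *pat == *s && glob_match(pat + 1, s + 1);
}

/* Work out where a message addressed to rcpt ends up, as the FAQ describes:
 * every matching forward rule is applied (no stop at the first match), and if
 * any rule matched the original recipient is NOT delivered to. With no match,
 * the message goes to the local user if known, else to the fallback address
 * for that domain, else it bounces (0 recipients returned). */
static int resolve(const char *rcpt,
                   const struct forward_rule *rules, int nrules,
                   const char *const *local_users, int nusers,
                   const char *fallback_domain, const char *fallback_addr,
                   const char *out[], int max_out)
{
    int n = 0, i;
    for (i = 0; i < nrules && n < max_out; i++)
        if (glob_match(rules[i].pattern, rcpt))
            out[n++] = rules[i].target;
    if (n > 0) return n;                     /* forward rules replace the recipient */

    const char *at = strchr(rcpt, '@');
    if (at == NULL) return 0;
    size_t userlen = (size_t)(at - rcpt);
    for (i = 0; i < nusers; i++)
        if (strlen(local_users[i]) == userlen &&
            strncmp(local_users[i], rcpt, userlen) == 0) {
            out[n++] = rcpt;                 /* normal local delivery */
            return n;
        }
    if (fallback_domain != NULL && strcmp(at + 1, fallback_domain) == 0) {
        out[n++] = fallback_addr;            /* unknown user: fallback instead of bounce */
        return n;
    }
    return 0;                                /* bounced back to the sender */
}

/* The three forward rules from the FAQ text, with or without them in force,
 * plus "fallback_address domain1 default@domain4". Constructed user list. */
int resolve_faq(const char *rcpt, int use_forward_rules, const char *out[], int max_out)
{
    static const struct forward_rule rules[] = {
        { "bob@domain1",  "bob@domain2" },
        { "fred@domain1", "bob@domain3" },
        { "*@domain1",    "default@domain4" },
    };
    static const char *const users[] = { "bob", "fred" };
    return resolve(rcpt, rules, use_forward_rules ? 3 : 0, users, 2,
                   "domain1", "default@domain4", out, max_out);
}

int main(void)
{
    const char *out[MAX_OUT];
    int i, n = resolve_faq("bob@domain1", 1, out, MAX_OUT);
    for (i = 0; i < n; i++) printf("with forward rules: bob@domain1 -> %s\n", out[i]);
    n = resolve_faq("jane@domain1", 0, out, MAX_OUT);
    for (i = 0; i < n; i++) printf("fallback only: jane@domain1 -> %s\n", out[i]);
    return 0;
}
```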
-
What is Relaying?
Sending mail to non-local users is referred to as 'relaying', as DSMTP must relay the message to the user's local SMTP server (often their ISP's SMTP server) so that it can write the message to the user's drop file (mail file on the server). The message may be relayed several times from server to server until it reaches the final SMTP server where the user is a local user, at least that is the theory.
Because of spammers, most SMTP servers severely restrict the relaying that is allowed to occur. So the message normally only gets relayed through an intermediary SMTP server if the server the email client gives the message to for sending is set up to gateway mail to another server, i.e. pass all its mail on to that server for delivery. An SMTP server set to gateway mail is often used to allow mail to be sent through firewalls.
-
How do I add extra fields to wadduser?
In order to add extra fields in wadduser.htm for storing more information about the user, you will need to do the following:
- Add the input text boxes and their appropriate variables in HTML to wadduser.htm (or the pages that you want them on)
- Modify the source of the CGI wadduser (wadduser.c) so that it records the information given
- Recompile wadduser.c (which requires linking to nwauth.c)
- Replace wadduser.exe in your cgi or scripts directory with your new version
The page that calls the wadduser CGI (wadduser.htm) has a form on it that calls the CGI as its action to perform when it is submitted, i.e. when one of the buttons is pressed. E.g.
action="http://server.com/scripts/wadduser.exe"
calls the wadduser cgi from the scripts directory on the server.com web server. The CGI works out which of the buttons on the page was pressed and carries out the appropriate action. The function below, web_add (from wadduser.c), is called when you click on the "add" button on the example wadduser.htm page.
The form also has a number of variables that are passed to the CGI as part of the action of submitting the form, e.g. name, username, password. To add more fields, you need to add more such input fields to the web page, in this form,
<input type="text" name="username" size="20">
So, in order to add a field to get the person's hobby, you could add to wadduser.htm
<input type="text" name="hobby" size="20">
Then you need to decide what you want the CGI to do with the information in the fields that you add.
The three lines in the function below,
fprintf(f,"%s|",form_find("phone"));
fprintf(f,"%s|",form_find("fax"));
fprintf(f,"%s|",form_find("comments"));
search the form that is submitted by the wadduser.htm page for the fields phone, fax and comments, and if it finds them, it prints them into the log file, adduser.log. If it cannot find them, for example if there is no such input field on the web page (this is the case with the example wadduser.htm: there are no input boxes for phone, fax and comments) or the user has not entered anything in the box, then it will simply enter an empty string.
Therefore, in order to make wadduser log the person's hobby entry, you could add this line below the three above,
fprintf(f,"%s|",form_find("hobby"));
The function below ONLY writes the username, password and name entries to the nwauth.txt password file, but it writes to the log file, adduser.log, a whole bunch of input fields that don't exist. Note that NWAuth only takes three fields, 'username', 'password' and 'other'. It is the 'other' field into which you can add your own fields. The function below adds the field 'name' into the 'other' field in the following format,
name="the person's full name"
The 'other' field can take as many fields as you want (until the information reaches the BFSZ definition, when you will get buffer overflows!). Simply make sure that each field has the correct format and that they are separated by a space.
So, to make the CGI write the hobby field onto the end of the 'other' field in nwauth.txt you should change the line in the function below from,
sprintf(bf,"name=\"%s\"",name);
to
sprintf(bf,"name=\"%s\" hobby=\"%s\"",name,form_find("hobby"));
This will result in nwauth.txt lines like,
bob:a234h6:name="Bob Smith" hobby="ping pong"
for the username bob, which has a password of something we cannot read as it is encrypted, and a full name of 'Bob Smith' and a hobby of 'ping pong'.
int web_add(void)
{
    FILE *f;
    char username[BFSZ],password[BFSZ],name[BFSZ];
    char bf[BFSZ];
    /* Check the user has filled in the required fields */
    if (!check_value("Name","name","")) return 0;
    if (!check_value("Username","username","")) return 0;
    if (!check_value("Password","password","")) return 0;
    /* Append an audit line to adduser.log: date, action, client IP, username, name, optional fields */
    f = fopen("adduser.log","a");
    if (f==NULL) { printf("Could not write file\n"); return 0;}
    fprintf(f,"%s|Add|",get_date());
    fprintf(f,"%s|",mygetenv("REMOTE_ADDR"));
    fprintf(f,"%s|",form_find("username"));
    fprintf(f,"%s|",form_find("name"));
    /* These are optional form elements to record */
    fprintf(f,"%s|",form_find("phone"));
    fprintf(f,"%s|",form_find("fax"));
    fprintf(f,"%s|",form_find("comments"));
    fprintf(f,"\n");
    fclose(f);
    /* Copy the submitted values into fixed-size buffers (at most BFSZ-1 characters each) */
    ncpy(username,form_find("username"),BFSZ-1);
    ncpy(password,form_find("password"),BFSZ-1);
    ncpy(name,form_find("name"),BFSZ-1);
    strlwr(username); /* Only allow lower case usernames */
    do_header("Adding user");
    printf("<pre>");
    if (auth_exists(username)) {
        printf("Sorry, a user by that name already exists\n");
    } else {
        /* Build the 'other' field; bf is only BFSZ bytes, see the note on BFSZ above */
        sprintf(bf,"name=\"%s\"",name);
        auth_set(username,password,bf);
        showfile("added.htm");
    }
    printf("</pre>");
    do_footer();
    return 0;
}
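As an added example (not part of wadduser.c), here is a bounded replacement for the sprintf above that builds the 'other' field with a hobby entry. It checks the BFSZ limit the text warns about instead of overrunning bf, and refuses values containing a double quote or a line break because they would cut the key="value" layout short; the BFSZ value and the assumption that NWAuth has no escape syntax for those characters are both assumptions made here.

```c
#include <stdio.h>
#include <string.h>

#define BFSZ 512   /* assumed value; wadduser.c's own BFSZ definition is not shown here */

/* Characters that would break the space-separated key="value" layout of the
 * 'other' field: a double quote ends the value early and a newline ends the
 * nwauth.txt record. Assumption: NWAuth offers no way to escape them. */
static int value_is_safe(const char *v)
{
    return v != NULL && strpbrk(v, "\"\r\n") == NULL;
}

/* Build name="..." hobby="..." into out[outsz].
 * Returns the number of characters written, or -1 if a value is unsafe or the
 * result would not fit (the original sprintf would silently overrun bf). */
int build_other_field(char *out, size_t outsz, const char *name, const char *hobby)
{
    int n;
    if (!value_is_safe(name) || !value_is_safe(hobby)) return -1;
    n = snprintf(out, outsz, "name=\"%s\" hobby=\"%s\"", name, hobby);
    if (n < 0 || (size_t)n >= outsz) {      /* truncated: refuse rather than store a broken record */
        if (outsz > 0) out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char bf[BFSZ];
    if (build_other_field(bf, sizeof bf, "Bob Smith", "ping pong") > 0)
        printf("%s\n", bf);                  /* name="Bob Smith" hobby="ping pong" */
    if (build_other_field(bf, sizeof bf, "Bob \"Bobby\" Smith", "chess") < 0)
        printf("rejected: a quote inside the name would end the value early\n");
    return 0;
}
```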
-
Time Stamp and Time Zone problems (mostly on Linux platforms).
NB: the Date field is normally added to an email by the email client. DSMTP only adds one if the email client has not put one on (e.g. if the message was created by DMail's sendmail stub).
NB: In version 2.7l DSMTP was changed to add time stamps that are in local time on both the Date header, if it adds one, and on the Received lines. Before this, it always stamped GMT on any Received headers that it added.
If you are running a newer version of Linux (e.g. RedHat 5.2 etc.), then you may experience problems with the time stamp and timezone in the DMail servers. This is because of the difference in C libraries used to compile DMail. Examples of the problems are the timezone being incorrectly specified, or all time stamps being in GMT.
In order to fix the timestamp problems, you need to use a version of DMail compiled with the newer libc6 libraries, or have the fix below applied. There are other benefits to the new libraries, e.g. support for shadow passwords etc., and we have been building versions of DMail which use them since version 2.4j. So if you are running a platform that can support the newer libraries, we recommend that you download one marked 'linux_libc6' from the main or beta download directory, ftp://ftp.netwinsite.com/pub/dmail
The alternative is this fix: create the proper link by executing this command.
ln -s /usr/share/zoneinfo /usr/lib/zoneinfo
(Sorry, I'm not sure which version of Unix this answer works on :-( )
Also: on many platforms the timezone information is incorrect, so in dmail.conf you can define:
timezone xxxx
This controls the time zone string which DSMTP stamps on outgoing messages, to give it the form
hh:mm:ss xxxx
NB: it does not alter the time printed, only the timezone string following it.
Some examples:
timezone +1100 would give 11:30:33 +1100
timezone -0800 PST would give 11:30:33 -0800 PST
timezone -0600 CST would give 11:30:33 -0600 CST
timezone +0100 CET would give 11:30:33 +0100 CET
timezone +1200 would give 11:30:33 +1200
-
How can I transfer mail accounts (users) from my current email server?
The best way to answer this is to give you some details on options for DMail, and hopefully if you are able to tell DMail support about your current system then they can make relevant suggestions.
It is worth noting first off that if the users are simply members of the operating system user database, you do not need to do anything with them: simply install DMail and it will find the users by default.
DMail has two basic authentication options,
(a) use the operating system password list
(b) use an external authentication module
There is one configuration file, dmail.conf, setting which sets this,
authent_method
For (a) this will either be,
authent_method nt_user
or
authent_method unix_user
depending on whether you are on a Windows or Unix based platform.
For (b) you set,
authent_method external
and
authent_process path_to_program
where path_to_program is the authentication program to run.
Your options are:
- We provide an example authentication module, called NWAuth, which is fully functional and is very efficient with large numbers of users.
- You can also write your own to link to any type of user database (or modify one of ours).
- Our example module for linking into an LDAP server, LDAPAuth.
- Our example module for linking into DNews's users.dat file, DNAuth.
- A customer has provided us with the source to talk to a mySQL server, which DMail support can pass on to you to use or modify.
- There is a link on the following page to an ODBC authentication module provided by another customer, https://netwinsite.com/dmail/utils.htm
So one of the above might be an option, but it does depend on how the user's details are stored. Our NWAuth module can also be run from the command line, e.g.
set user password info="details"
so it may be possible to write a script to run that for all of the users out of your current user database or from a user list.
See the following section in the manual for more details: External Authentication
-
Q: I want to have two different types of users. I want one group to have both pop and web access to their mail, and I want the other group to have web access only. How would I set this up? Would I need to run two separate servers? I plan to authenticate using an external authentication module (talking to a MS SQL 6.5 database).
A: Yes, you can run two separate servers, or you can make an external authentication module flag which allows some users only web access.
The trick is that DPOP only has the ip_address which the user connected from to know if the user has connected from CWMail or with another email client direct to the POP server. DPOP passes this ipaddress to the external authentication module.
So,
1. If you run two separate servers then you can use the user_ip_address setting on one of the servers to only allow connections to that server from the ip address of the CWMail machine. Each server then either needs its own authentication database, or you need an external authentication routine for each server which cannot 'see' the other server's group of users in the database.
2. The nicer way is to make your user database have a flag for each user to say whether or not they are allowed to connect directly to the POP server, and then make your external authentication routine check this flag, and reject the connection if they have not connected from the appropriate IP address. The IP address that the user connects from is given in the authentication request by DPOP, e.g.
check username password ipaddress
So your authentication routine needs to check the "direct DPOP connection allowed" flag and if it is false, it should check the ipaddress passed against your CWMail server(s)'s ip address and only allow the connection if it matches. This is an example; you do not necessarily have to do it this way. The fact that the connection from IP address is passed to the external authentication module is the important point.
If I have not pointed it out before, we also have the source code to another customer's SQL authentication module which I can give to you if it would help.
For more information contact support-dmail@netwinsite.com
-
Q: If I send a message to user x, how can I check what aliases are set up for that user?
A: In order to do this, you should send a message to that username and then check the log file for lines with the word "chain" in them to see where it has been forwarded to.
You need to set,
log_chain true
in dmail.conf and then issue the command,
tellsmtp reload
You probably don't want to bother the user with a message, so you should make use of the tellsmtp command,
tellsmtp scriptfile.msc
to initiate a message to the user, but pull out before sending any data. E.g. here is a scriptfile, bob.msc, that does this for a user bob
**************
HELO domain.com
Mail From: <test@domain.com>
Rcpt To: <bob@domain.com>
QUIT
**************
Once you have run the tellsmtp script (on debug log_level), then you can 'grep' or 'find' for lines with the word 'chain' in the log file, dsmtp.log. The following is a transcript of such an operation, looking for aliases and forward rules for the user bob.
C:\dmail>tellsmtp bob.msc
220 domain.com DSMTP ESMTP Server v2.5d
Send (HELO domain.com)
250 domain.com. Hello domain.com (161.29.99.1)
Send (Mail From: <test@domain.com>)
250 Command MAIL OK
Send (Rcpt To: <bob@domain.com>)
251 Command RCPT OK
Send (QUIT)
221 Command QUIT domain.com Service closing transmission channel to domain.com Send (QUIT)
C:\dmail\log>find "chain" dsmtp.log
---------- DSMTP.LOG
26/04 11:53:40 *** Starting rcpt chain for bob
26/04 11:53:40 *** Adding <|\dmail\drespond.exe \message.txt -subject whatever -from "root@domain.com"> to rcpt chain
26/04 11:53:41*** Adding bob to rcpt chain
Which shows that the message is delivered to the robot '\dmail\drespond.exe . . .' and to the user, 'bob'.
Note: The log lines with the word 'chain' in them were only added in version 2.5d, so if you are using a version of DSMTP older than that then you will need to grep for something like 'process' and work a bit harder to interpret the results :-)
-
Q: Dpop.log is showing the error message 'Read Failed: 109', what's that?
A: The 109 error says that a "pipe has broken". The two things in DPOP that use pipes are external authentication processes and dslave processes.
It is most likely that it is the external authentication process causing the problem, and it is probably occurring on the read that DPOP does after sending the 'exit' command to the external authentication. I.e., DPOP has told the external authentication to quit, but does not get a response from it. So it checks to see whether the external authentication has responded every so often (you will see the 109 error in the log every time that it does) until the timeout period is reached and DPOP gives up.
So this suggests that the external authentication routine is either not returning,
+OK\n
(+OK followed by a newline) when it receives the exit command, or that it does not flush the output.
NWAuth has, at times, done both of these things. So you should probably upgrade NWAuth to a version from the 2.5d or higher distribution set (NWAuth 2.0b).
Note: in order to upgrade only NWAuth, you need to copy the NWAuth executable file over your old NWAuth file, e.g. on NT, \dmail\nwauth.exe. You will need to stop DPOP and DSMTP first so that they stop all their NWAuth processes.
If you have your own authentication module, you should check that it does both of these things. Contact support-dmail@netwinsite.com if you have questions or a problem with this.
The other possibility for the error is that one of the dslave processes is no longer alive when DPOP thinks that it should be. If you do a tellpop status command it will show the number of slave channels that it thinks are running. If this happens just once then it is probably not a problem, but if it continues to happen then it obviously does become a problem.
If the slave_number setting is above 0 then DPOP should always be running at least one slave process. Versions of DPOP before 2.5g had a problem with the dslave processes finding the dmail.conf configuration file, so if you cannot start a dslave process from the command line then this may be the problem. It will be evident in the log file, dslave.log (which itself may be being written to a strange directory on your machine; it is best to use a search to find it).
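As an added example (not NWAuth or any NetWin code), here is a skeleton external authentication module that ties together the two points above: it enforces a per-user "web access only" flag by comparing the IP address DPOP passes in the check request with the CWMail machine's address, and it answers the exit command with +OK and flushes after every reply so DPOP is never left waiting on an unflushed pipe. The user table, the CWMail address and the "-ERR reason" form for failures are constructed assumptions; only "check username password ipaddress" and the "+OK" reply to exit come from the FAQ.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for the module's own user database.
 * web_only=1 means the "direct DPOP connection allowed" flag is false: the
 * user may log in only through CWMail. Plain-text passwords are for the
 * sample only; a real module compares against stored password hashes. */
struct user { const char *name; const char *password; int web_only; };
static const struct user USERS[] = {
    { "bob",  "secret1", 0 },
    { "jane", "secret2", 1 },
};
#define NUSERS (sizeof USERS / sizeof USERS[0])
static const char *CWMAIL_IP = "10.0.0.5";   /* assumed address of the CWMail machine */

/* Handle one request line from DPOP/DSMTP. Writes the reply into reply[] and
 * returns 0 when the module should exit, 1 otherwise. */
int handle_request(const char *line, char *reply, size_t replysz)
{
    char cmd[32], user[64], pass[64], ip[64];
    int n = sscanf(line, "%31s %63s %63s %63s", cmd, user, pass, ip);

    if (n >= 1 && strcmp(cmd, "exit") == 0) {
        snprintf(reply, replysz, "+OK");     /* DPOP waits for this before closing the pipe */
        return 0;
    }
    if (n == 4 && strcmp(cmd, "check") == 0) {
        for (size_t i = 0; i < NUSERS; i++) {
            if (strcmp(USERS[i].name, user) != 0) continue;
            if (strcmp(USERS[i].password, pass) != 0) break;
            if (USERS[i].web_only && strcmp(ip, CWMAIL_IP) != 0) {
                snprintf(reply, replysz, "-ERR web access only");
                return 1;                    /* right password, wrong place to log in from */
            }
            snprintf(reply, replysz, "+OK");
            return 1;
        }
        snprintf(reply, replysz, "-ERR bad username or password");   /* one message for both */
        return 1;
    }
    snprintf(reply, replysz, "-ERR unknown command");
    return 1;
}

/* Request/response loop over the pipe: one line in, one line out, flushed
 * every time so the server never sits on a buffered reply. */
static void serve(FILE *in, FILE *out)
{
    char line[256], reply[128];
    int keep_going = 1;
    while (keep_going && fgets(line, sizeof line, in) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        keep_going = handle_request(line, reply, sizeof reply);
        fprintf(out, "%s\n", reply);
        fflush(out);
    }
}

int main(void) { serve(stdin, stdout); return 0; }
```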
- Can I filter messages based
on the attachment name?
There is no direct setting to filter by attachment
filenames, but
I believe that it can be done!.
In the manual on our site(link below) under common
optional settings you
can find a setting
msg_filter <
filename>
This points to a file which you create as just plain text
and into which you can enter very basic filtering rules.
But let's say we wanted to filter emails with the
attachment
filename of 'happy99.exe'
We could have
msg_filter f:\dmail\filter.txt
and in filter.txt
reject body begin 0666 happy99.exe
reject body Content-disposition: attachment; filename=
"happy99.exe"
These two rules should pick up the required messages.
The first
reject rule is for uuencoded attachments and the second
rule is for the more common MIME encoded messages.
The rejection rules are done on simple string searches,
so we
suggest
that you send a test message with an attachment to yourself,
and
open up the drop file in a text editor. From this you can
identify
for yourself this text within the body of such messages.
You will
then be able to refine your rules to catch the type of
attachments
your users get.
You will no doubt find the command,
tellsmtp filters
useful, as it lists all filters found and their number, which corresponds with the rule number
given in the line logged when a filter is matched by an incoming message.
NB: you cannot use wildcard characters in body filter rules!!!
reject body *.vbs
will not work, you should have,
reject body .vbs
in order to be a little less general, we suggest
reject body .vbs"
You can use wildcards in header processing filters - DSMTP uses a different sort of
processing for them, because they are shorter, and therefore do not need to be processed so
efficiently.
There is another problem with the suggestion above. Sometimes an email client might split the,
Content-disposition:...
line into two lines, in which case the suggested filter will not pick it up.
The suggested filter above is still worth adding, but we are working on a MIME parser which extracts
all the MIME details so that attachment filtering and other filtering will become much easier.
Please contact DMail Support for an update on
when that will become available.
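To see how these string-search rules behave, here is an added example (written for this FAQ, not DMail's own filter code) that applies the two rules above to constructed drop-file text, including the folded Content-disposition case mentioned above; the payload lines are made up, and the function names and the rule-numbering convention are assumptions.

```python
# Added example, not DMail code: the plain string search that msg_filter body
# rules perform, shown on constructed drop-file text, including the folded
# Content-Disposition case the FAQ warns about.
import re
from typing import List, Optional, Tuple

# Constructed filter.txt holding the two rules from the FAQ.
FILTER_TXT = """\
reject body begin 0666 happy99.exe
reject body Content-disposition: attachment; filename="happy99.exe"
"""


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return [(action, needle), ...]. Rule numbers are 1-based positions in
    this list, assumed to be the numbering that 'tellsmtp filters' prints."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 2)        # action, 'body', the rest verbatim
        if len(parts) != 3 or parts[1] != "body":
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((parts[0], parts[2]))
    return rules


def first_match(message: str, rules: List[Tuple[str, str]]) -> Optional[int]:
    """Substring search over the raw message, no wildcards: a rule written as
    'reject body *.vbs' looks for a literal '*.vbs', as the FAQ warns.
    Returns the matching rule number, or None."""
    for number, (_action, needle) in enumerate(rules, start=1):
        if needle in message:
            return number
    return None


def unfold(message: str) -> str:
    """Join folded lines (a continuation line starts with a space or tab), so a
    Content-Disposition that a client split in two matches again. Assumption:
    applied to every line of the message, MIME part headers included."""
    return re.sub(r"\r?\n[ \t]+", " ", message)


# Constructed messages as they would appear in a drop file (payloads are dummy).
MIME_ONE_LINE = """\
Content-Type: application/octet-stream
Content-disposition: attachment; filename="happy99.exe"

QUJDREVGRw==
"""
MIME_FOLDED = """\
Content-Type: application/octet-stream
Content-disposition: attachment;
\tfilename="happy99.exe"

QUJDREVGRw==
"""
UUENCODED = """\
Here is the file.

begin 0666 happy99.exe
M35J0(((((P(((($(((_?_(((!(
end
"""


def demo() -> dict:
    """Run each message through the rules raw and after unfolding; returns
    {name: (rule number on raw text, rule number on unfolded text)}."""
    rules = parse_rules(FILTER_TXT)
    samples = (("one-line", MIME_ONE_LINE), ("folded", MIME_FOLDED),
               ("uuencoded", UUENCODED))
    return {name: (first_match(msg, rules), first_match(unfold(msg), rules))
            for name, msg in samples}


if __name__ == "__main__":
    for name, (raw, unfolded) in demo().items():
        print(f"{name:<10} raw: rule {raw}   unfolded: rule {unfolded}")
```

The folded message is missed by the raw search and caught once continuation lines are joined, which is the gap the MIME parser mentioned above is meant to close.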
- Tell me about the SMTP protocol?
The SMTP protocol is the way that an email client talks
to an
SMTP server in order to send a message. Note: Often it is
two SMTP servers talking to each other
(relaying), rather than an
email client and a server.
A typical SMTP transaction looks like this (this is NOT an RFC example):
client: (opens TCPIP connection to port 25)
server: 220 tosh.com DSMTP ESMTP Server v2.5f
client: EHLO tosh.com
server: 250-tosh.com. Hello tosh.com (161.29.2.46) <cr>
        250-ETRN<cr>
        250-DSN<cr>
        250 HELP
client: MAIL FROM:<bob@tosh.com>
server: 250 Command MAIL OK
client: RCPT TO:<tam@tosh.com>
server: 250 Command RCPT User found OK
client: DATA
server: 354 Command DATA Start mail input; end with <CRLF>.<CRLF>
client: From: bob@tosh.com
client: To: tam@tosh.com
client: Subject: hello
client:
client: this is the message body, line 1
client: line 2
client: .
server: 250 Command DATA Processed mail data Ok
client: quit
(server drops TCPIP connection)
Notes:
In order to send an email message without a client (and to let you try out the SMTP protocol),
you can create script files (filename.msc) for DSMTP and run them with tellsmtp.
Note: For the definitive word on SMTP please search for the SMTP RFC on the internet (RFC821).
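The exchange above, carried out end to end as an added example that is not part of this FAQ or of DMail: a small Python client that checks each reply code, dot-stuffs the message body and ends DATA with <CRLF>.<CRLF>, talking to a constructed stub server that answers with the DSMTP replies shown. The stub server, the 221 reply on QUIT and the Python names are assumptions.

```python
# Added example, not DMail code: minimal SMTP client + constructed stub server.
import socket
import threading

CRLF = "\r\n"
GREETING = "220 tosh.com DSMTP ESMTP Server v2.5f"


class StubSmtpServer(threading.Thread):
    """Stand-in for DSMTP on a loopback port, answering like the transcript
    above and recording the envelope and message it accepts."""
    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # any free loopback port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.mail_from, self.rcpt_to, self.data = None, [], None

    def run(self):
        conn, (peer_ip, _) = self.listener.accept()
        f = conn.makefile("rwb")
        def send(line):
            f.write((line + CRLF).encode())
            f.flush()
        def readline():
            raw = f.readline()
            return None if not raw else raw.decode().rstrip("\r\n")
        send(GREETING)
        while (line := readline()) is not None:
            upper = line.upper()
            if upper.startswith("EHLO "):
                for reply in (f"250-tosh.com. Hello {line[5:]} ({peer_ip})",
                              "250-ETRN", "250-DSN", "250 HELP"):
                    send(reply)
            elif upper.startswith("MAIL FROM:"):
                self.mail_from = line[10:].strip(" <>")
                send("250 Command MAIL OK")
            elif upper.startswith("RCPT TO:"):
                self.rcpt_to.append(line[8:].strip(" <>"))
                send("250 Command RCPT User found OK")
            elif upper == "DATA":
                send("354 Command DATA Start mail input; end with <CRLF>.<CRLF>")
                body = []
                while (line := readline()) not in (None, "."):
                    body.append(line[1:] if line.startswith(".") else line)  # un-stuff
                self.data = CRLF.join(body)
                send("250 Command DATA Processed mail data Ok")
            elif upper == "QUIT":
                send("221 tosh.com closing connection")  # transcript shows only the drop
                break
        conn.close()


def send_mail(host, port, helo, sender, recipients, message):
    """Client side: one transaction, stopping at the first unexpected reply
    code; returns both sides' lines in order."""
    sock = socket.create_connection((host, port), timeout=5)
    f, transcript = sock.makefile("rwb"), []

    def reply():   # one reply, including any "250-" continuation lines
        lines = []
        while True:
            line = f.readline().decode().rstrip("\r\n")
            lines.append(line)
            transcript.append("server: " + line)
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), lines

    def send(line):
        transcript.append("client: " + line)
        f.write((line + CRLF).encode())
        f.flush()

    def cmd(line, expect):
        send(line)
        code, lines = reply()
        if code != expect:
            raise RuntimeError(f"{line!r}: got {lines[-1]!r}, expected {expect}")

    if reply()[0] != 220:
        raise RuntimeError("no 220 greeting")
    cmd(f"EHLO {helo}", 250)
    cmd(f"MAIL FROM:<{sender}>", 250)
    for rcpt in recipients:
        cmd(f"RCPT TO:<{rcpt}>", 250)
    cmd("DATA", 354)
    for line in message.splitlines():
        # Dot-stuffing: double a leading '.' so no body line looks like the marker.
        send("." + line if line.startswith(".") else line)
    cmd(".", 250)
    cmd("QUIT", 221)
    sock.close()
    return transcript


# Constructed message matching the transcript, plus a line that starts with '.'.
MESSAGE = ("From: bob@tosh.com\r\nTo: tam@tosh.com\r\nSubject: hello\r\n\r\n"
           "this is the message body, line 1\r\nline 2\r\n.a line starting with a dot")
```

Start the stub with `server = StubSmtpServer(); server.start()` and then call `send_mail("127.0.0.1", server.port, "tosh.com", "bob@tosh.com", ["tam@tosh.com"], MESSAGE)`; the returned list reads like the transcript above, and `server.data` holds the body with the doubled dot removed again.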
- How do I add Multiple IP numbers on a single machine?
Windows NT: (workstation 4)
You need to edit the properties of your TCPIP Protocol to
add the
new ip address to your network card (NIC).
Go to the Network
settings section of the Control Panel, select the Protocol
Tab,
then select TCP/IP Protocol and click the Properties button.
You will be presented with the Microsoft TCP/IP
Properties dialog
window. On the IP Address tab, click on the Advanced
button.
Select the network card (NIC) to which you wish to add
the ip
address. Then click on the Add button and enter the new IP
address and the
netmask for your network (if you don't know your netmask,
copy the one
for the other ip address - a reasonable guess is
255.255.255.0).
Unix based platforms:
Adding multiple IP numbers to a single machine is fairly easy: up to 255 per interface is
straightforward, and 1024 is usually possible with minor patches. The exact method varies
from one form of Unix to another; see
http://www.nethelp.no/net/vif/readme.html
for more information.
As an example on Linux, you would do the following:
su - root
ifconfig eth0:2 999.59.4.31 up
to add a second ip number 999.59.4.31. The number :2 can be
anything between
:1 and :255
- Can I specify a RANGE of IP addresses?
For most settings in dmail.conf that take an ip address,
you
can specify a comma separated list of entries (no spaces
after the
commas as a general rule) and you can also specify a range
or
wildcard.
We DO NOT guarantee that you can use all of them for
every setting,
but we do try to code with this flexibility. So if you are
wondering
whether a setting will take a range, for example, then try it out,
don't just
expect it to work :-)
NB: If a setting is a 'restrictive setting' then in order to get
through
the restriction,
a value must get through all the restrictions in the comma
separated
list.
Here are some examples:
NB:Some of the examples in this FAQ were incorrect. Fixed 23 May 2000.
NOTES:
'!' indicates NOT
'*' is a wildcard (generally for use at the start or end of a string, but with ip addresses it can be useful in the middle)
'?' is a single character/digit wildcard
'x-y' is a range from x to y (including x and y)
NB: in the same entry you can use '!', '*' and '?' OR a range, you cannot use both, so this is not allowed,
user_ip_address *,!1.1.1.0-255 (bad)
The examples use the setting user_ip_address, which
restricts
which ip addresses can connect to DPOP.
1. user_ip_address *,!161.29.5.24
   allows all ip addresses to connect, except 161.29.5.24
2. user_ip_address *,161.29.3-5.24
   allows the following ip addresses to connect,
   161.29.3.24
   161.29.4.24
   161.29.5.24
3. user_ip_address *,!161.29.5.*
   allows all ip addresses to connect, except,
   161.29.5.0
   ...
   161.29.5.255
4. user_ip_address 161.29.3-5.0-255
   allows the following ip addresses to connect,
   161.29.3.0-255
   161.29.4.0-255
   161.29.5.0-255
5. user_ip_address *,!161.29.*.24
   allows all ip addresses to connect, except,
   161.29.0.24
   161.29.1.24
   161.29.2.24
   ...
   161.29.255.24
6. user_ip_address *,!161.29.20?.24
   allows all ip addresses to connect, except,
   161.29.200.24
   161.29.201.24
   161.29.202.24
   ...
   161.29.209.24
Note: with this last example, if an ip address was 161.29.009.24 then it would be allowed to connect.
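The following added example (not DMail code) implements the syntax above as a small Python matcher and runs the six examples plus the 161.29.009.24 note through it. The 'every entry must pass' rule, the per-entry ban on mixing '!*?' with a range, and the textual matching of '*' and '?' are inferred from the examples, so treat them as assumptions when checking a real setting.

```python
# Added example, not DMail code: an evaluator for the comma-separated ip
# address syntax described above. Semantics are inferred from the examples.
import re


class RuleError(ValueError):
    """An entry that mixes '!', '*' or '?' with an x-y range (not allowed)."""


def _glob_regex(pattern):
    # '*' matches any run of characters, '?' exactly one, the rest literally;
    # matching is textual over the whole address, so '20?' never matches '009'.
    return re.compile(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."))


def _octet_matches(spec, text):
    """'x-y' compares numerically (inclusive); anything else must match exactly."""
    if "-" in spec:
        low, high = (int(part) for part in spec.split("-", 1))
        return low <= int(text) <= high
    return spec == text


def _parse_entry(entry):
    """Return (negated, predicate) for one entry of the comma-separated list."""
    negated = entry.startswith("!")
    pattern = entry[1:] if negated else entry
    ranged = "-" in pattern
    if ranged and (negated or "*" in pattern or "?" in pattern):
        raise RuleError(f"{entry!r}: '!', '*' or '?' cannot be combined with a range")
    if not ranged:
        regex = _glob_regex(pattern)
        return negated, lambda ip: regex.fullmatch(ip) is not None
    specs = pattern.split(".")
    if len(specs) != 4:
        raise RuleError(f"{entry!r}: a ranged entry needs four octets")

    def in_ranges(ip):
        octets = ip.split(".")
        return len(octets) == 4 and all(
            _octet_matches(s, o) for s, o in zip(specs, octets))
    return negated, in_ranges


def allowed(setting_value, ip):
    """True if ip gets through every entry: an entry without '!' must match
    and an entry with '!' must not (the 'restrictive setting' rule above)."""
    for entry in setting_value.split(","):
        negated, predicate = _parse_entry(entry.strip())   # tolerate stray spaces
        if predicate(ip) == negated:
            return False
    return True


if __name__ == "__main__":
    # The six FAQ examples plus the '161.29.009.24' note, one allowed and
    # one denied address each.
    checks = [
        ("*,!161.29.5.24", "161.29.5.25", "161.29.5.24"),
        ("*,161.29.3-5.24", "161.29.4.24", "161.29.6.24"),
        ("*,!161.29.5.*", "161.29.6.200", "161.29.5.200"),
        ("161.29.3-5.0-255", "161.29.5.255", "161.30.5.255"),
        ("*,!161.29.*.24", "161.29.200.25", "161.29.200.24"),
        ("*,!161.29.20?.24", "161.29.009.24", "161.29.205.24"),
    ]
    for setting, ok_ip, bad_ip in checks:
        print(f"user_ip_address {setting:<18} allows {ok_ip}: {allowed(setting, ok_ip)},"
              f" allows {bad_ip}: {allowed(setting, bad_ip)}")
    try:
        allowed("*,!1.1.1.0-255", "1.1.1.1")
    except RuleError as err:
        print("rejected:", err)
```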
- I want to UPGRADE, ... ?
An upgrade is, in general, a quick and simple procedure.
The same
utility that you used to install DMail - dmsetup - has an
upgrade
option that does it all for you.
Note: we are always very careful when making changes to our programs that we do not 'break'
them for existing setups. Having said that, breaking them is an easy thing to do, so upgrading
is not something that we recommend doing whenever you feel like it - "don't fix what isn't
broken", if you like. You should take particular care when upgrading from a version that is
much older than the current beta version (e.g. 6-12 months).
Things to consider when upgrading the
DMail server (or a part of it):
- See the updates page,
http://www.netwinsite.com/dmail/updates.htm
to see which version you wish to upgrade to. If you are
not
sure, contact
DMail support
to confirm which version you
should upgrade to. This applies particularly to versions
out of
the beta directory of the FTP site,
ftp://ftp.netwinsite.com/pub/dmail/beta
Note: you can, if you wish, only upgrade one of
the servers or utilities from the DMail distribution
set - if you are after a particular feature in a recent
beta release then this is often a good option.
- Download the distribution set from our ftp site,
ftp://ftp.netwinsite.com/pub/dmail
If you are ftping from a command line, login as
the user 'anonymous' and provide your email address as
a password, then cd to pub/dmail.
- Save a copy of your configuration file, dmail.conf
(typically \winnt\system32\dmail.conf or /etc/dmail.conf)
- You may want to revert back to your current version, so just in case you should save a
copy of each of the executables that your system uses. If you have your last distribution
set then that should be enough. If not, you should save each of the server directories,
e.g. \dmail (typically contains DPOP, dsmtp), \dmail\dwatch, \dmail\dlist.
DMSetup will not touch any of your critical data.
For Your Information ...
The critical data for your email server is almost all in
the
mail drop file and bin file directories, (defaults are,
\dmail\in and /var/mail). The upgrade will not touch these
directories, but of course if you wish to back them up
then that is never a bad idea.
The other critical information to think about is:
(a) mailing list information (lists.dat and users.dat
for each list) - stored in the DList directory which should
be fairly small to back up.
(b) If you run external authentication, your user
data base may be in a directory which dmsetup works in.
NWAuth stores the user database in the DMail directory in
nwauth.txt and on newer versions in nwauth.add as well.
- Set up some mail to look for after the upgrade (see the last step).
(a) Send a test email to one user,
and be careful not to POP that mail before the upgrade.
(b) Send a test email to another user, and then login as that user but set your
email client (or do it manually) so that the mail is left on the POP server. This is
so that you can check for that mail after the upgrade in order to ensure that the bin directory is the same.
- Shutdown the DMAdmin windows GUI tool if you have it
open
(dmsetup can't upgrade dmadmin.exe if it is running).
- Unpack the distribution set and run the utility dmsetup.
- DMSetup should detect that you already have DMail
installed
and offer the upgrade option (2). DMSetup will stop each of
the servers and then copy the new versions of the
executables
over the old ones. It will also upgrade your manual pages,
*.htm
in the DMail directory. Once it has finished upgrading, it
will
ask you whether you want it to start the servers again.
- You should now check that the new version is working.
You should at least,
(a) send a message through the system and,
(b) if you use DList, post a message to a mailing
list.
(c) send a message to a user, and manually find that message in their drop file
to check that the drop file is in the same location. An easy way to test this is by sending
an email to a user both before and after the upgrade. Both emails should be in the user's drop
file so long as that user has not logged on to the POP server.
(d) check that when a user logs in, the DPOP server is using the same user.bin directory
as it was before the upgrade. An easy way to check this is that mail left on the POP server
before the upgrade should still be visible after the upgrade.
If you suspect that something has not upgraded, then
you should attempt to manually stop that server or program
and
then run dmsetup again.
If you have problems, please do contact DMail support.
- I want to MOVE DMail, ... ?
Moving DMail to another machine is a fairly easy
procedure. Here is a
suggested method to help you remember the most common
things. Each setup will be
different, so think about whether there are any other things that you
need to copy over for your
setup.
Note on License Keys:
Your DMail license key was created for your old machine's
specific machine name, e.g.
server1.your_domain.com (UNIXish machines) or SERVER1
(Windows machines).
If the new machine has the same name as your old one then
simply load your key into the new
machine with the tellpop command,
tellpop key xxxx-xxxx-xxxx-xxxx-xxxx
at the point below where you have started DPOP.
If the new machine has a different name, you will need to
email our Sales department,
sales@netwinsite.com
for a replacement key. You need
to tell them the name of your new machine. They should
email you your new key within 48 hours (usually
only 24 hours).
If you don't yet have your new key, do not worry,
when you start DSMTP it will create itself a
temporary trial period key. So it should start and work
straight away for you.
Suggested Method for Moving DMail ...
- install the same version of DMail on the new machine, but
don't start the server when
the installation utility asks you whether you want the servers
started
- copy across to the new machine your dmail.conf file
typically /etc/dmail.conf or \winnt\system32\dmail.conf
- Copy over any other files included into dmail.conf or
referenced
in it, e.g. alias files.
- Edit your host_domain settings in dmail.conf (and your dpop_host setting) so that your
new machine name is included at the end of the list of host_domains (also known as
synonyms)
- now, if it won't impact on your old server, start the new
server up and try sending
a few test messages through it
Once you are ready to switch completely to the new
machine ...
- Stop all servers on both machines
- Copy over the mail drop files, e.g. /var/spool/mail or
\dmail\in
NB: if your bin_files and _inf files
are in other locations, don't forget to copy those as well.
- Copy over the work_path directory, e.g.
/usr/local/dmail/work or \dmail\work
- Check dmail.conf on the new machine to see that all
directory paths exist and that you
have copied over any necessary things
- Start up the new server and monitor it for the next few
hours.
If you have problems, please contact DMail support.
- I want to park mail for a domain (but
mail is rejected as no relaying)
The setting that you need is,
relay_to etrn_domain
so that DSMTP will always accept mail destined for the
domain etrn_domain.
Then DSMTP will accept the mail and park it when it
cannot connect to the server.
It will try to send it every 2 hours, and bounce it after
max_retrytime hours
(default is 2 days).
When the connecting email server sends the ETRN command,
DSMTP will try to send
all mail addressed to that domain in its queue.
The other setting that you can use to bypass the DNS
record if you have
problems is,
gateway etrn_domain ipaddress
so that DSMTP uses the ipaddress given rather than doing
a dns lookup on etrn_domain.
In versions 2.8e and above, we added a new setting to DSMTP that can also help with this. It is
suspend_domain, e.g.,
suspend_domain fred.com
This setting stops DSMTP from processing any queue files destined for this domain, unless specifically
requested by an ETRN command. So it is a good setting to use if someone will not be collecting their mail
for a period of time longer than max_retrytime. NB: it can also be a bit dangerous to use for that same
reason.
In 2.8e we also added the setting, etrn_relay which allows
all servers in a server farm or load sharing arrangement to
receive an ETRN command sent to just one
server.
- Can I run DSMTP (and DPOP) on
another port?
Yes, the setting that you want is,
smtp_port 1025
then restart DSMTP (with DMAdmin or on UNIX platforms
with,
tellsmtp shutdown
/usr/local/dmail/dm_start.sh
)
Similarly for DPOP,
pop_port 1110
(/usr/local/dmail/dpop_start.sh to start DPOP on UNIX).
NB: if you are using dmadmin then you will have to select a new host to monitor, with the
following syntax as the ip address,
127.0.0.1:1025:1110:
so that it looks for the servers on the correct ports. (You may need to set the password for
this to work, with,
tellpop pass xxxx
where xxxx is the password.)
- Can I delete queue files
from the queue?
Yes, you can delete or move them with the result that
that
message is not delivered. However, there is a big BUT...
Currently, if you move queue files out of the work
directory (work_path)
you cannot easily put them back in. You can copy a queue
file back into
the work_path directory and DSMTP will pick up on it the
next time it
reaches that queue file number, but DSMTP may have created
another
queue file of that same number, so if you overwrite it then
that message
will be lost.
Also, note that some queue files will be in use by DSMTP
and so locked.
The tellsmtp status command
gives you
information on which queue files are in use.
More information: See the section on Queue Files in the
Disk Use and Files section.
- What things can I
do in order to secure my mail system against hackers?
Here is a list of things that we can think of. If anyone
has suggestions
or gets hit by a hacker, please let us know so that we can
add to this list.
- In general, use ssh when sending root password across
internet
- Use fake_vrfy, so
that DSMTP responds falsely to checks on usernames on
your system
- Use smtp_welcome
(version 2.8a and above only) in order to hide which SMTP
server you are using, and what version it is.
- Set
manger_ip_address in order to limit
manager commands to coming from as small a number of ip
addresses
as possible
- Use the tellpop password
command to set
your manager password to something secure
- Use shadow password files, which DMail supports when
authent_method is set to unix_user
(linux users use libc6 download).
- Check which UID your 'robots' run as, see Robots running as root - Security Note
- If a hacker is trying to guess passwords, you will see a
lot of the following
messages in dpop.log on info log_level,
Info: Rejected bob, authent said bob password wrong or
not a valid user
So you can search for the keyword, 'Rejected' in
dpop.log
- Do CWMail and the DMail servers support multi-threading?
Yes and No. I will explain.
First DMail:
DMail is made up of an SMTP and a POP server, DSMTP and
DPOP.
Both of these servers are mostly just a single process and
thread, so they would only run on one processor at one time.
They have been written to be extremely efficient, and we
believe
that these servers are more efficient because of their
single
process architecture.
However, there are two 'bottlenecks' for single process mail servers. In order to overcome
these, both servers can spawn subprocesses. Both
DSMTP and DPOP spawn subprocesses for doing the user
authentication,
and DPOP also spawns a subprocess to 'burst' drop files, if
a user's
drop file is bigger than a certain size.
So, these subprocesses can be run on different processors
to the
main server processes.
So Yes, DMail can take some advantage from a
multiprocessor
system, but it is not written as a threaded process.
NB: it is worth noting that the biggest 'bottleneck' for an email server is the disk access
time. Hence, we recommend spending more money on fast disks rather than on a multiprocessor
environment.
RE: CWMail
CWMail is a CGI. As such, CWMail runs as a single process
spawned by the web server on practically every click on
the web pages that it displays. So it depends on your
choice of
web server as to how worthwhile it is to run on a
multiprocessor
environment. In general, however, because each instance of the CGI
running is a separate process in the OS environment, there
should
be no problem.
- Is there a limit to the
length of a username?
Yes, there is. DPOP limits you to 78 characters in the username (this includes the domain
name if you have set authent_domain true). So if your domain name was 10 characters in length, then
you are limited to usernames with a maximum length of 78-1-10 = 67 characters for local usernames.
DSMTP does allow longer usernames because it needs to be
able to relay on messages to people with
longer usernames.
NB: if you are using external authentication, the response that the module returns is not
allowed to be longer than 1 kbyte in total. So you will have to limit your length of username
to something sensible, so that there is room to return long fwd="" fields for mail redirection.
So if you impose your own limit of say 40 characters, you
should not
have any problems.
- Running DMail on your ISP's Server
We are often asked whether it is possible to run DMail on an ISP's server.
Basically, the answer for DMail is no. The DMail server needs to be run with root
privilege and, in most cases, a box can only run one Mail server.
You can run DMail on your ISP's machines, if they are not already running a mail server on that
box, or they provide you with a box at their site, for which you have root access.
It may be an option for you to run a 'downstream' server on a local box of yours, and have your
ISP relay mail for your domain to you. DMail can send the ESMTP ETRN command to collect mail for
such a domain.
You may also be able to get your ISP to forward all your mail to just one POP mail account. Then
the use of DMail's POPFetch is an option.
Separate to the question of DMail is whether you can use one of our Web Based email CGIs such as
CWMail on your ISP's 'virtual web server'. Please see the following FAQ for information on this,
https://netwinsite.com/dmailweb/faqs.htm#Q18.
- Robots running as root - Security Note
Q:> We have customers who would like to forward e-mail into external programs,
> however, we have had to disallow this because we noted
> that DMail was running these external programs as root.
> How can we tell DMail not to run external programs as a privileged user,
> and will this break auto-responders and mailing lists?
A: If DSMTP can work out a user's uid (e.g. from the /etc/passwd file or from the authentication
module response) then it will run the 'robot' as that user's uid.
In the case of the question, I think that our NWAuth authentication module is being used.
It responds with lines like,
+OK username config 0
where the 0 on the end is the user's id. It returns 0, i.e. root, for ALL users.
Also, up until version 2.8l, if DSMTP could not work out a user's uid, it would run the robot
as the same user as itself - i.e. root!
This means that it is important to restrict the use of robots, e.g. NetAuth only allows users to
set the text of the autoresponder robot.
On Windows machines, it is not as common to allow access for users to create robots, but if it is allowed
then the same issues need to be considered.
Here are some options ...
1. modify your authentication module to return a user id, e.g. that of the 'mail' user.
2. We are adding a setting,
robot_defaultuser <userid> <password - NT only>
which defaults to root if not defined.
If set, DSMTP overrides anything returned by the authent module, so that all
robots are run as the specified uid. If set to -1 then no robots are run. This should
be available in 2.8l to be built 8 Jun 2000. It will apply to UNIX based and Windows platforms.
The DMSetup utility will add it by default on fresh installation in 2.8l onwards and
prompt users to add it on upgrade.
You should specify a user with this setting that does not have any more privilege than it needs.
On UNIX platforms, DMSetup will default this setting to the 'mail' uid, and you will probably want to create a special
robot user with far less privilege. On Windows platforms, DMSetup will set the setting to 'ROBOT_USR robot_usr' by
default (i.e. username and password the same) and the sysadmin will need to create this account - probably in the Guest group.
3. Currently we have the domain_chroot setting, e.g.,
domain_chroot domainone.com /usr/local/robots
which makes all robots on the specified domain run with a root directory of, /usr/local/robots. I don't think that the robot can access outside of that with root access, but there may be clever trickery that hackers know.
4. You control what programs the users run via a web gui, e.g. drespond is an example of this.
NetAuth controls who can run drespond and what options it is given.
RE: mailing lists and autoresponder
Mailing lists are not affected, as DList handles these and is a separate process.
The Drespond robot is affected, but with all of the options above there is no reason why they cannot keep working. You may simply have to make copies of the executable in the domain_chroot directory etc.
- Can I use DMail for a Remote or Dial Up Mail Server?
Yes, DSMTP can be a remote or dial up mail server.
Options:
- DSMTP sending ETRN command to upstream Mail server (may be using RAS dialup):
Setting the ras_timer makes DSMTP send the command, ETRN domainx.com,
to the upstream server at the specified interval. DSMTP will send ETRN commands for
all of your 'local' domains (as set by your host_domain or vdomain settings).
The upstream server will then send all mail for those domains as soon as it can. Since
your server is online it should be able to send the mail through to your local DMail server.
This is probably the option to choose if you are retrieving mail for an entire domain or a number
of domains.
See the links in the ETRN section for more information.
- Running POPFetch alongside local DSMTP for retrieving mail:
POPFetch runs on the local mail server machine. It will periodically dial up your upstream server
and collect all mail waiting in specified POP accounts. It will then process those messages and
separate them out for individual users on your domain. It will feed the messages to the local DSMTP
server so that it can deliver them locally.
Often you can get whoever is running your upstream server to collate all mail for you into one
POP mailbox for POPFetch to retrieve, e.g. in DSMTP this is easily done with the dmail.conf setting,
forward *@yourdomain bob@domainx.com
Follow this link for more information on POPFetch.
Note on Dynamic IP addresses:
If the machine where you want to run the Mail server does not have a Static IP address, you
are probably limited to using POPFetch.
Some ISPs can support receiving an ETRN command for your domain when you are on a Dynamic IP address.
It is not typical that they can, as it requires specific dynamic DNS support, so you cannot infer
that they are a sub-standard ISP for not offering it :-)
Note on bounces:
Using ETRN is a better option than popfetch if it is important that people sending mail to your local
accounts receive 'bounce messages'. Most mail servers will try to deliver mail every few hours for
a specified period if they cannot reach the final destination (your server) on the first go. At the end of that
period, typically 1-2 days, they will 'bounce' the message back to the sender. With POPFetch (and some
ETRN setups) the upstream mail server will consider the mail delivered once it receives it (because it
wrote the mail to a POP account). So if your server does not collect the mail for a long time (and
nobody notices) then the sender would not be notified. ETRN can suffer from the same problem, so
you should check with the upstream provider if it is a worry to you.
- Can I use DMail from behind a firewall or proxy server?
In most circumstances yes, but there are some circumstances where you may need to rely on an 'outside world'
SMTP server.
NB: we are using the term 'firewall' loosely. We will mostly talk as if you are running a Proxy Server
on your firewall box, rather than a router.
There are two main things that you need to provide,
1. DSMTP needs some way to connect to a DNS server in order to resolve domain names to IP addresses.
2. DSMTP needs some way to connect directly to the outside world SMTP servers for non-local
mail delivery.
Here are some options (Option 4 will soon be our recommended solution):
- Run DMail on the firewall box itself (so not really behind the proxy at all)
For some firewalls you won't be compromising security greatly by running the mail server on the
firewall box, so that mail bypasses the proxy. In most cases, if doing this, you would store all
mail on the firewall box until it was collected by the local email clients. You could store the mail
on a network drive if you had a file server, for example, but in most cases you would probably not do
this, because setting up the network drive connection would lessen the security of the firewall box.
- Relay via a DSMTP Server on your firewall box (bypass the proxy server)
The idea here is that the two DSMTP servers - one on the firewall box, let's call it A, and one
behind the firewall box (B) - can pass on to each other the messages that each can not deal with. In
this way, the DSMTP server on the firewall allows mail to bypass the proxy server, but no mail is stored
on the firewall box.
Outgoing mail will be 'gatewayed' from B to the firewall DSMTP server A, which has access to the
non-local SMTP servers and the DNS server(s) for non-local mail delivery. So A 'relays' mail for B.
Incoming mail will arrive at DSMTP server A, which will 'gateway' all local mail to DSMTP server B.
In order to do this, you will need to...
- Tell server B to gateway ALL outgoing mail to server A
- Tell the firewall server A to accept outgoing mail for 'relay' from server B
- Tell the firewall server A to accept incoming mail addressed to local domains on B
- Tell the firewall server A to gateway incoming mail addressed to 'local domains' on to B
So if a.a.a.a is the ip address of server A, and b.b.b.b is the ip address of server B...
On server B add to dmail.conf,
gateway * a.a.a.a
On server A add to dmail.conf,
forward_from_ip b.b.b.b
relay_to domain1.com
relay_to domain2.com
gateway domain1.com b.b.b.b
gateway domain2.com b.b.b.b
(keep adding relay_to and gateway settings for all local domains)
See also, Routing.
- Gateway all outgoing mail to an outside world SMTP server (via the proxy server)
You can avoid most problems by 'gatewaying' all outgoing mail to
an SMTP server in the outside world, that provides you with 'relay' access.
This is similar to the option above in that outgoing mail is relayed via an SMTP server with
'outside world access', but with this option, mail goes through the proxy server and incoming
mail comes direct to your proxy server.
In order to do this, you add a setting to dmail.conf like,
gateway * x.x.x.x
where x.x.x.x is the ip address of your firewall server.
The possible problem with this is that you need to set up the proxy so that,
(a) anything connecting to port 25 from the DMail server address is mapped
to port 25 at your ISP's SMTP server IP address.
(b) anything connecting to port 25 from other addresses (e.g. outside world
ones) is mapped to port 25 on your DMail server's IP address.
Some proxy servers are not capable of this type of setup on the single port (25), and some
will do it 'automatically' with a 'SMTP proxy' feature. If you are using a router, then it
will probably have no problems with this.
If your proxy cannot do that sort of setup, note that in version 2.8n we have altered the
gateway setting so that you can specify the port on the proxy,
gateway * x.x.x.x:1025
This allows you to set up two port mappings on the proxy,
1025 -> ISP_IP_Address:25 (for outgoing mail)
25 -> DMail_IP_Address:25 (for incoming mail)
You also must get whoever is running the outside world server to accept mail from your
server for relaying. ISPs, by default, will stop you from relaying through their box unless you
have their permission (this is to stop them from being abused by spammers). They will probably do this
based on the ip address of your proxy server, as that is the address that mail from your DSMTP
server will appear to them to have originated from. If they are running DSMTP, they would add the
forward_from_ip setting for your ip address.
- Proxy DNS access AND use a telnet proxy in order to reach non-local SMTP servers
Sometimes people have their own DNS server behind or on the firewall, but most people
don't, so you will need to...
Set up a proxy server to relay all DNS lookups:
Doing this varies between proxy servers. It is important to note that DNS lookups can be done
on a TCPIP port and/or a UDP port. So you need to set up your proxy server to at least relay TCPIP
connections on port 53 to port 53 on the DNS server. On most proxy servers you can setup a
TCPIP 'port mapping' or 'link' to do this.
You also need to tell DSMTP which DNS server to use by adding the dmail.conf setting,
dns_host y.y.y.y
where y.y.y.y is the ip address of the DNS server to use. You must restart DSMTP after
changing or adding this setting.
Using telnet proxy to reach non-local SMTP server:
You cannot simply add a 'port mapping' for port 25 on most proxy servers and expect them to
'proxy' all incoming and outgoing connections on port 25 to/from the DSMTP server.
When the DSMTP server tries to reach a non-local server it is trying to connect to that server
directly on port 25. Even if we added a setting to DSMTP to make it connect to your proxy server, there
is no way for the proxy server to map an incoming connection on port 25 to the required server which could
be anywhere in the world!
So we have recently added a new setting to DSMTP (in version 2.8n) which makes it
open all non-local connections via your proxy server's telnet port.
Because there is no fixed syntax for proxy telnet ports the new setting allows you to specify the
connection string to be given to the telnet server, e.g.
destination_ip:25
The setting is,
proxy_domain <wildcard_domain_name> ip[:<port>] <proxy_request_string [optional macro $IP]>
where $IP is the resolved IP address of the destination domain, E.g.,
proxy_domain * 1.2.3.4:23 $IP:25
where 1.2.3.4 is the ip address of your proxy server. This example results in all outgoing mail
being sent to the telnet proxy at 1.2.3.4, where the proxy server takes a request string of x.x.x.x:25.
DSMTP will replace x.x.x.x with the DNS resolved IP address of the destination domain.
Does DMail support CDONTS?
No, but there is now an option in DMail to deliver messages written to file.
I am afraid that CDONTS were created too much as part of the
web server/email server combination, and do not use the standard
SMTP protocol that they 'should' for sending mail. So as far as I
know there is no way for CDONTS emailing calls to get the mail
message to the SMTP server.
However it would seem that it is an option (possibly the default) for CDONTS calls to
write email messages to a given directory.
We have recently added a feature whereby DSMTP will 'pick up' messages written to file in a
directory, and deliver them to the destination address specified in the message headers in the file.
So given that you can somehow make your system create such files on the server's local drives, DSMTP can deliver them.
For information on the setting needed and the message file format, see the DSMTP Settings List,
spool_dir.
NB: you need a 2.8 version of DSMTP, so I suggest that you download the
latest 2.8 build (probably 2.8v) from the directory,
ftp://ftp.netwinsite.com/pub/dmail
NB: This new feature has not been thoroughly tested yet, and we can not be sure that it will
handle the file format created by CDONTS. So contact
DMail Support if you strike any
problems or need us to make changes to the system.
My Users are not appearing in the NWAuth database file.
Often people are mistaken about the way that NWAuth stores usernames and
other data, so here is an explanation.
When you add a user to NWAuth, e.g. by running it at the command line
NWAuth
set bob secret
quit
NWAuth will write the username and the details to the file,
nwauth.add
in this format,
username:password:blah
where 'blah' is any other information that you store for the user.
When you modify a user's details, NWAuth simply adds another line for the same user to nwauth.add
with the new password or other details.
When you delete a user, NWAuth adds a line like,
username:(DELETE):(DELETE)
to the nwauth.add file.
When the nwauth.add file reaches a certain size, NWAuth will delete that file and update
the main database file, nwauth.txt. When it updates nwauth.txt, it processes it in order, so in general it
uses the last entry for a user found in the nwauth.add file and deletes the user if it finds a line for a user with
the '(DELETE)' password. It does this so that all of its operations are
instantaneous no matter what size the user database is.
Often you will only have an nwauth.add file, and the nwauth.txt file will not appear for
several days.
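To make the journal behaviour described above concrete, here is an added example (not NetWin's code) that replays an nwauth.add journal over an nwauth.txt database exactly as the FAQ describes: later lines for a user replace earlier ones, and a '(DELETE)' password removes the user. The sample records are constructed, and splitting on the first two colons (so 'blah' may itself contain colons) is an assumption.

```python
# Added example (not the NWAuth program): compact an nwauth.add journal
# onto nwauth.txt the way the FAQ describes. Sample data is constructed.
from typing import Dict, Optional, Tuple

DELETE_MARK = "(DELETE)"  # password value NWAuth writes for a deleted user


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split 'username:password:blah' into three fields; skip blank lines.
    Assumption: only the first two colons separate fields."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    parts = line.split(":", 2)
    while len(parts) < 3:
        parts.append("")
    return parts[0], parts[1], parts[2]


def replay(main_text: str, add_text: str) -> Dict[str, Tuple[str, str]]:
    """Start from nwauth.txt (one entry per user), then apply nwauth.add
    in order: the last line for a user wins, and a '(DELETE)' password
    removes the user. Returns {username: (password, extra)}."""
    users: Dict[str, Tuple[str, str]] = {}
    for text in (main_text, add_text):
        for raw in text.splitlines():
            rec = parse_line(raw)
            if rec is None:
                continue
            name, password, extra = rec
            if password == DELETE_MARK:
                users.pop(name, None)      # deleting an unknown user is a no-op
            else:
                users[name] = (password, extra)
    return users


def render(users: Dict[str, Tuple[str, str]]) -> str:
    """Write the compacted database back out in nwauth.txt format."""
    return "".join(f"{n}:{p}:{e}\n" for n, (p, e) in sorted(users.items()))


# Constructed sample: an existing nwauth.txt plus a journal holding a
# password change, a new user, a deletion and a record whose 'blah'
# field contains colons.
SAMPLE_TXT = "alice:pw1:alice@example.com\nbob:old:\n"
SAMPLE_ADD = ("bob:secret:\n"
              "carol:hunter2:Carol Jones\n"
              "alice:(DELETE):(DELETE)\n"
              "bob:newer:extra:with:colons\n")

if __name__ == "__main__":
    print(render(replay(SAMPLE_TXT, SAMPLE_ADD)), end="")
```

Run against a copy of your real files to see which entries NWAuth will keep when it next rewrites nwauth.txt.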
If usernames are not being added to the file, here are some helpful hints:
- Look in the nwauth.add file, not the nwauth.txt file
- Try NWAuth from the command line. See EAP definition for details of the
commands.
If it works from the command line, then you probably have an incorrect setting in
dmail.conf or netauth.ini. The setting is now authent_process for both dmail.conf and netauth.ini. (On NT, use
a drive letter or UNC name when specifying the process, e.g. c:\dmail or \\machineA\cdrive\dmail rather
than just, \dmail, which is ambiguous).
If it still fails, see the next suggestion below.
- Is NWAuth modifying the NWAuth file in the directory which you think it is?
This might be the problem if you are running NWAuth across a network or on an NFS drive.
If you are suspicious of this, search your machine for any copies of nwauth.txt or nwauth.add.
NWAuth decides where to find/create the nwauth.add and nwauth.txt files in one of two ways.
1. It looks at the local dmail.conf file and uses the value of the dsmtp_path setting, typically
c:\dmail\
2. You run it with the command line argument, -path, to specify the path to use, e.g. at the command prompt,
c:\dmail\nwauth -path c:\dmail
or in dmail.conf or netauth.ini,
authent_process c:\dmail\nwauth -path c:\dmail
NB: you should not need to set the path unless you are running in a
server cluster. We don't recommend that you use the -path option unless you need to - i.e. be careful of
using it as a quick fix without understanding why it is not working without it. Talk to DMail Support
if you want help working out why it is not working.
- There could be a file permission problem:
(See also, Authentication for DMail and NetAuth on Clustered machines and Network Drives )
On NT:
NWAuth is spawned by DSMTP and DPOP, which are spawned by dwatch service which is typically running as
the 'System Account', so check that the directory which NWAuth is running in, and the NWAuth files, give
full access to that user.
If using NetAuth, note that it is generally being run as a specific user by the web server. You need
to work out what the user is (typically IUSER_XXXX, where XXXX is your machine name). Then ensure that that user is created on the
box, and has the permissions needed in order to run NWAuth and create/access the nwauth.add and nwauth.txt files
in the dsmtp_path directory.
On UNIX:
NWAuth is spawned by DSMTP and DPOP, which may be spawned by the dwatch process. All of these
will be running as root, so in general you should not get a problem. If you are
running NWAuth on an NFS, you will probably need to set root access on the file share so that these
programs can access it.
During installation, the NetAuth binary should have had its s bit (sticky bit) set. Its ownership
should also have been set to the root user. This is so that the web server will always run it as root.
Unless the permissions are set as such, NetAuth will not be able to function properly.
So,
ls -l netauth.cgi
should show something like this,
-rwsrwsr-x root:root netauth.cgi
If not, set these permissions with the commands...
chown root:root netauth.cgi
chmod 6775 netauth.cgi
NB: with file permission problems, it is often a good idea to give all access to the user in order to get it working,
and then work backwards, restricting the access to the level you are happy with.
Authentication for DMail and NetAuth on Clustered machines and Network Drives
(AKA: Running NWAuth on a shared network drive )
Most of the following is for the authentication module NWAuth, but much of it applies when using
any authentication module.
When you have a cluster of DMail servers or a DMail server and NetAuth running on a
web server, you need to allow them to all access the same user database.
For authent modules like MySQLAuth this is not a problem, because the database is accessible via TCPIP
from any machine on the network.
For NWAuth and some other modules which use local database files, this is a problem.
Here are 3 solutions for NWAuth:
1. make all of the servers run the same copy of NWAuth on a shared network drive.
2. run a separate NWAuth on each server, and set the -path option so that they all work on
the same nwauth.add and nwauth.txt files on a shared network drive.
3. run a TCPIP daemon that spawns NWAuth on one machine and then run a 'client' for that
daemon on each of the servers.
Option 3 has some good benefits, so we are creating a new module called, TCPAuth (with TCPAuth_client) to do that. Contact
DMail Support for more information.
Option 1 is the current option being used by customers and so is known to work on UNIX and NT. Setup for
option 1 is described below.
Option 2 is pretty similar to option 1, so if you want to do that, read the suggestions below and
you will probably be able to work out what to do.
So, to recap, the information below is how to
Run NWAuth on a shared network drive.
- For those on UNIX and using NFS drives:
NWAuth is spawned by DSMTP and DPOP, which may be spawned by the dwatch process. All of these
will be running as root, so in general you should not get a problem.
During installation the NetAuth binary should have had its s bit (sticky bit) set. Its ownership
should also have been set to the root user. This is so that the web server will always run it as root.
Unless the permissions are set as such, NetAuth will not be able to function properly.
So,
ls -l netauth.cgi
should show something like this,
-rwsrwsr-x root:root netauth.cgi
If not, set these permissions with the commands...
chown root:root netauth.cgi
chmod 6775 netauth.cgi
You will probably need to set root access on the file share, so that these
programs can access it.
In both dmail.conf and netauth.ini, use the authent_process setting to specify the full path to the
NWAuth process, and pass it the command line argument, -path, e.g.
authent_process /shared/dmail/nwauth -path /shared/dmail/
(in dmail.conf the authent_method setting should also be set to, 'authent_method external')
Remember to restart both DSMTP and DPOP after changing the authent_process setting,
tellpop shutdown
tellsmtp shutdown
/usr/local/dmail/dm_start.sh
/usr/local/dmail/dpop_start.sh
If authentication fails, look in the dpop.log file to see why. You will see at the start of the
dpop.log file, after restarting DPOP, whether it has had difficulty in spawning the authentication process.
- For those on NT and using network drives:
- Run the dwatch service as a specific user, e.g. IUSER_DMAIL, which you must create on ALL boxes, i.e. the mail server
box, the web server box and the box that holds the network drive (it will depend on your setup how many boxes this is,
it may be just 2 boxes or many more).
Set this in Control Panel, Services. Select 'dwatch monitor for DMail servers', click on Startup,
check the 'Log on as this account:' button and enter the account (IUSER_DMAIL) to be used and its password.
You will have to stop and restart the dwatch service in the Services dialog in order to make this change take effect.
- Similarly, you will need to ensure that the Web Server spawns NetAuth as the same user, IUSER_DMAIL, so
that it can access NWAuth on the network drive.
Most web servers allow you to set the username used for
spawning CGIs (that is what NetAuth is). Often they are spawned as the anonymous user login account,
IUSER_XXXX where XXXX is your machine name - look in your NT system user database for such a user.
You won't know what the password for that user is, so you won't be able to add that user to the
other boxes in your cluster. This is why we suggest creating the new user, IUSER_DMAIL, on all of the
boxes.
If you have the IIS server, see the specific note below.
- Use UNC names for the paths rather than mapped network drives, e.g.,
authent_process \\machineA\Cdrive\dmail\nwauth.exe
UNC names allow the dwatch service which will start automatically after a reboot to reach
NWAuth on the other box, even if no one is logged in yet. Whereas mapped
drives are only accessible once someone has logged in to the box, so won't be accessible to dwatch (and hence,
DSMTP and DPOP) after a reboot until someone logs in to the mail server box.
In both dmail.conf (c:\winnt\system32\dmail.conf) and netauth.ini (c:\inetpub\scripts\netauth.ini) use
the authent_process setting to specify the full path to the
nwauth.exe file and pass it the command line argument, -path, e.g.
authent_process \\machineA\Cdrive\dmail\nwauth.exe -path \\machineA\Cdrive\dmail\
(in dmail.conf the authent_method setting should also be set to, 'authent_method external')
Remember to restart both DSMTP and DPOP after changing the authent_process setting. The best way to
do this is either with DMAdmin or using the Control Panel Services dialog.
If authentication fails, then look in the dpop.log file to see why. You will see at the start of the
dpop.log file, after restarting DPOP, whether it has had difficulty in spawning the authentication process.
- Special note on the IIS web server:
Follow all the suggestions above. If they do not work, check the following magic setting as this
sysadmin did:
I just tried changing the settings in IIS.
Under Web Site properties->Directory Security->Anonymous Access...->Allow Anonymous Access
I have "IUSER_DMAIL" as the username and have set up all permissions for that user on
both mail server boxes. I had ticked,
'Enable Automatic Password Synchronization'.
I unticked this, and NOW IT WORKS!
Changing hash_spool, what needs to happen?, how do I test fixhash?
(The administrator is talking about the fixhash utility and he wants to convert
the mail for his single domain from hash_spool 0, to hash_spool 2)
> the hash thingie ...
> I'm thinking of doing it late on saturday night ..
> I will take the server offline
> backup the mail directory
> then try hashing ... sound like a plan ?
yes. I suggest that you have a play with the hashing utility before then so that you are familiar with it and have tested it with your settings - e.g. just get it to move a couple of accounts using a copy of those accounts as the starting point.
Some details ...
If mail for a user 'shaun' is in,
/var/spool/mail/shaun
(assuming hash_spool 0, drop_path /var/spool/mail)
then shaun will have a bin directory,
/var/spool/mail/shaun.bin
(with just one level of files below that)
(assuming bin_path = drop_path)
and an _inf file,
/var/spool/mail/shaun_inf
So make sure you back up all of those. I suppose that is simply, /var/spool/mail and anything lower.
If you want to move to,
hash_spool 2
then those files and directory need to move to,
/var/spool/mail/s/h/shaun
/var/spool/mail/s/h/shaun.bin
/var/spool/mail/s/h/shaun_inf
(NB: hash_spool 2 says 'first new directory level = first letter of username' and 'second new directory level = second letter of username'; hash_spool 1 creates just one directory level, and it is not easy for a human to work out which letter it uses).
So you could copy a couple of accounts from,
/var/spool/mail
to say,
/var/spool/test
Then run fixhash on them in order to hash them to the same base, e.g. fixhash should change,
/var/spool/test/shaun
/var/spool/test/shaun.bin
/var/spool/test/shaun_inf
into,
/var/spool/test/s/h/shaun
/var/spool/test/s/h/shaun.bin
/var/spool/test/s/h/shaun_inf
You should be able to do that testing while online. Note that fixhash will show you what it is going to do by default, but you must add the command line option to make it actually do anything.
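As an added example (not the DMail fixhash utility itself), the following computes where a user's drop file, .bin directory and _inf file live under a given base for hash_spool 0 and hash_spool 2, and lists the moves a re-hash would need, like fixhash's default dry run. It assumes bin_path = drop_path as the text does; hash_spool 1 is not described on this page, so it is not modelled.

```python
# Added example (not the fixhash utility): map usernames to their
# hash_spool 0 / hash_spool 2 paths and plan the moves for a re-hash.
import posixpath
from typing import List, Tuple

# Per-user files in the order the FAQ lists them: drop file, bin directory,
# _inf file. Assumes bin_path = drop_path, so all three sit together.
SUFFIXES = ("", ".bin", "_inf")


def hashed_dir(base: str, username: str, hash_spool: int) -> str:
    """Directory holding the user's files under the given hash_spool mode."""
    if hash_spool == 0:
        return base
    if hash_spool == 2:
        # first level = first letter of username, second = second letter
        if len(username) < 2:
            raise ValueError("hash_spool 2 needs a username of 2+ characters")
        return posixpath.join(base, username[0], username[1])
    raise ValueError(f"hash_spool {hash_spool} is not modelled in this example")


def user_paths(base: str, username: str, hash_spool: int) -> List[str]:
    """Drop file, .bin directory and _inf file for one user."""
    d = hashed_dir(base, username, hash_spool)
    return [posixpath.join(d, username + s) for s in SUFFIXES]


def plan_moves(base: str, usernames: List[str],
               old_mode: int, new_mode: int) -> List[Tuple[str, str]]:
    """Dry run: (src, dst) pairs that differ between the two layouts.
    Running with old_mode/new_mode swapped plans the reverse (unhash)."""
    moves: List[Tuple[str, str]] = []
    for u in usernames:
        for src, dst in zip(user_paths(base, u, old_mode),
                            user_paths(base, u, new_mode)):
            if src != dst:
                moves.append((src, dst))
    return moves


if __name__ == "__main__":
    # Constructed test base, matching the FAQ's /var/spool/test suggestion.
    for src, dst in plan_moves("/var/spool/test", ["shaun"], 0, 2):
        print(f"{src} -> {dst}")
```

Compare the printed plan with what fixhash reports before adding its 'do it' option, and check that the _inf file appears in both.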
NB: I am not sure if fixhash moves the _inf files. They don't need to be moved unless you actually manually edit them. If you do manually edit them, it would be to put an individual quota line in, e.g.,
quota 10000000
(for 10 Mbytes quota for that user). I don't think you do that on your system. The only other line in there is,
used xxxxx
which is filled in by DPOP when a user logs out and you have user_quota set in dmail.conf (it is the amount of space which the user is using in the bin files). So, if the files were deleted, then the quota checking might underestimate until the user next logged in to DPOP. If you do not have user_quota set then you may not even have _inf files.
On newer 2.9 versions, we store the bulletin number in the _inf file, so it will be important that they are moved in order to save the users from receiving the same old bulletins again (I am just telling you this for completeness). So if fixhash does not move the _inf files, please let me know as we would need to fix that.
If you had vdomain lines, you would run fixhash on each of the domains separately (again, telling you this just for completeness).
Note: fixhash can work in reverse in order to unhash if you need it.
Let me know if you want any of the above explained further, or if you have any problems with fixhash.
I need to send a message to all users on my system, but many of them do not login locally. Is there anything more than bulletins?
Yes, there is. In version 2.9g we have added the tellpop command,
tellpop list_users_addresses <wildcard-domain> <filename>
which allows you to list all local email addresses on your system to the specified file by using * as the domain
parameter.
See tellpop commands for general details of the setting.
So, if you create a DList mailing list (see Creating a mailing list) called, say, 'allusers', then you
can point the output of the tellpop command at the users.lst file for that mailing list, e.g. for a list located at,
c:\dmail\dlist\allusers
you could enter at a command prompt,
tellpop list_users_addresses * c:\dmail\dlist\allusers\users.lst
to refresh the list of users on the 'allusers' mailing list.
You could set up a cron job or AT command in order to refresh this list at regular intervals, say every hour.
Then if you sent an email to,
allusers@host_domain.com
DList would deliver your message to all 50,000 users on your system!
Creating system wide mailing lists has the advantage that all users will get the message whether they collect their mail locally, or on another server due to a
forward setting.
You should, of course, restrict access to the list in order to stop spammers from posting to the mailing list!
Similarly, you could set up mailing lists for each domain or groups of domains.
NB: PLEASE, PLEASE, PLEASE DON'T use a system wide mailing list unless the bulletin feature does not
meet your need. Bulletin messages are far more efficient than sending a message to every user on the system.
So, if bulletins do not meet your needs, talk to us about improving them.
We have greatly improved the bulletin service recently so that you can do things like only sending
bulletins to certain domains, and stopping new users from seeing old bulletins.
How can I use the @ character for suffix based vdomains with netscape?
To use the "@" symbol using Netscape Mail:
1. Close Netscape
2. Edit /program files/netscape/user/prefs.js (right click - open with notepad)
3. Add new line:
user_pref("mail.allow_at_sign_in_user_name", true);
4. Save file
5. Open Netscape