Limiting outbound SMTP rate

Hello, I want to know if it's possible to limit the rate of sending outbound mail.
One of my clients doesn't support the flood of mail I send to him (legitimate bulk mail).
I can't help him with his server, but my server is the one that crashes his server. How can I throttle outbound mail?
Sun Java(tm) System Messaging Server 6.3-6.02 (built Feb 1 2008; 32bit)
libimta.so 6.3-6.02 (built 18:16:07, Feb 1 2008; 32bit)
Linux titan 2.4.21-27.ELsmp #1 SMP Wed Dec 1 21:59:02 EST 2004 i686 i686 i386 GNU/Linux

Rabbit_fr wrote:
> One of my clients doesn't support the flood of mail I send to him (legitimate bulk mail).
> I can't help him with his server, but my server is the one that crashes his server. How can I throttle outbound mail?

You can reduce the concurrency that messaging server sends email (number of simultaneous connections) by creating a new channel/rewrite rule for this client's email domain and then setting "maxjobs 1" on the new channel definition.
Regards,
Shane.

Similar Messages

  • No outbound smtp traffic via CSC SSM.

    Hello
    I have a problem with my ASA CSC-SSM module (version 6.1).
    The inspection of HTTP and POP works fine, but I have a problem with the outbound SMTP traffic.
    If I direct the SMTP traffic via a service policy to my CSC module, no mail will be sent outbound.
    If I remove the ACE from my SP, SMTP works fine again.
    The reason why I want to inspect my outbound mail traffic is that I want to add a disclaimer to my outgoing mails.
    I read the Admin Guide but there is no example of how to configure outbound SMTP (only inbound SMTP).
    Is there something that I have to do?
    I hope someone can help me.

    Try this config:
    access-list csc_out permit tcp host 192.168.200.xxx any eq smtp ---for smtp
    access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq 80
    access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq pop3
    access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq ftp
    class-map csc_outbound_class
    match access-list csc_out
    policy-map csc_out_policy
    class csc_outbound_class
    csc fail-close
    service-policy csc_out_policy interface inside

  • Major bug in SMTP rate-limiting implementation

    I use my home computer to, among other things, host a mailing-list for a fan-club of a contemporary Russian poet. The total list of subscribers is about 40 people and messages are, on average, rare.
    However, when a discussion picks up, the number of e-mails can briefly spike easily exceeding Verizon's "you must be spamming" threshold. Imagine: one person asks a question and two others respond. Both the question and the responses get sent to the list, so that's 3x40=120 e-mails. If the discussion gets any longer, the e-mail account gets suspended for several days for exceeding the quota...
    I understand why Verizon rate-limits outgoing e-mail and don't object to it in principle. However, the current implementation has a major flaw. When the threshold is exceeded, instead of blocking all subsequent messages with a permanent error (5xx in SMTP-speak), the server ought to issue a temporary failure (4xx in SMTP-speak).
    This would block any spam-bots just as effectively, but allow legitimate messages to be properly queued by the sender's computers for resending. The 5xx code signals a permanent error so instead of being queued, the innocent message is suddenly bounced.
    A friend of mine is an RCN subscriber and we know that RCN implements rate-limiting exactly this way: if you are sending "too much", your messages will start being temporarily rejected for a while.

    Anthony, this is not a "disagreement" -- I'm pointing out a bug. The bug manifested itself with the following two problems:
    Although none of the e-mails sent by my computer were spam, I was "identified" as a spammer and my access to SMTP was suspended for days. For no good reason.
    Even if it were possible to appeal such an automatic verdict (and I did try to talk to a customer support representative), permanent rejections in the case of a temporary error are wrong -- and in violation of SMTP specifications.
    I did post the same text under "New Ideas", but I don't think "New Ideas" is a good place for this. I'm not suggesting a new service, but demanding a fix to the existing one.
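
The two rejection styles discussed in this thread, as an added simulation that is not part of the original posts: a relay that answers over-limit submissions with 550 versus 451, and a queueing sender that retries only transient failures. The limit, window, retry interval and addresses are constructed; the page gives no real threshold.

```python
"""Rate-limit rejections as 5xx (permanent) versus 4xx (temporary).

Added illustration. All numbers and addresses are constructed.
"""
from collections import deque

LIMIT = 100                     # messages the relay accepts per window (assumed)
WINDOW = 3600                   # sliding window length in seconds (assumed)
RETRY_INTERVAL = 1800           # sender retries deferred mail this often (assumed)
MAX_QUEUE_AGE = 5 * 24 * 3600   # sender gives up and bounces after this long


class RateLimitedRelay:
    """Submission relay with a sliding-window limit and a simulated clock."""

    def __init__(self, over_limit_code, limit=LIMIT, window=WINDOW):
        self.over_limit_code = over_limit_code  # 550 or 451
        self.limit = limit
        self.window = window
        self.accepted_at = deque()

    def submit(self, now):
        # Drop acceptances that have aged out of the window.
        while self.accepted_at and now - self.accepted_at[0] >= self.window:
            self.accepted_at.popleft()
        if len(self.accepted_at) < self.limit:
            self.accepted_at.append(now)
            return 250
        return self.over_limit_code


def classify(code):
    """What a queueing sender does with a message given the reply class."""
    first_digit = code // 100
    if first_digit == 2:
        return "delivered"
    if first_digit == 4:
        return "deferred"   # transient failure: keep in queue, retry later
    return "bounced"        # permanent failure: return to the author


def simulate(over_limit_code, posts=3, subscribers=40):
    """Send `posts` list messages to `subscribers` recipients in one burst."""
    relay = RateLimitedRelay(over_limit_code)
    queue = [(post, f"subscriber{n}@list.example")
             for post in range(posts) for n in range(subscribers)]
    stats = {"delivered": 0, "bounced": 0, "retry_rounds": 0}
    now = 0
    while queue:
        deferred = []
        for message in queue:
            outcome = classify(relay.submit(now))
            if outcome == "deferred" and now < MAX_QUEUE_AGE:
                deferred.append(message)
            elif outcome == "deferred":
                stats["bounced"] += 1   # queue lifetime exhausted
            else:
                stats[outcome] += 1
        queue = deferred
        if queue:
            stats["retry_rounds"] += 1
            now += RETRY_INTERVAL
    return stats


if __name__ == "__main__":
    for code in (550, 451):
        print(code, simulate(code))
```

With the 451 policy the burst of 120 messages is spread over later retry rounds and nothing bounces; with 550 the 20 messages over the limit are lost to the list.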

  • Automatic replies stuck in Outbound SMTP queue - 451 4.4.0 and 451 5.7.3 errors

    We have a pair of Exchange 2010 SP3 servers (A and B) with a few DAGs set up on them, plus a third hub transport & client access server (C) which routes in and outbound emails through a mail filtering service.
    Normal emails sent from Outlook or OWA are being delivered in and out just fine, but any system generated replies such as OOF or automatic replies set on our Servicedesk mailbox are failing to arrive.
    When I look at the queue viewer on A which is the normal active copy of the DAG I can see 100 or more emails sat in a queue called "Exchange2010 Outbound" which is our Send Connector - it's sent to route mail through two smart hosts owned by our mail filtering provider. The last Error is showing as "451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange server authentication" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts or delivery failed to all alternate hosts"
    The only references to that error I can find seem to involve a complete inability to send emails, and are caused by an unticked box on the receive connector for "exchange server authentication", but that *is* enabled on all of our receive connectors and anyway this is concerned with emails leaving the organisation.
    Any suggestions?

    Hi Vespa,
    Agree with Andy. I would like to verify whether you are sending outgoing messages through a SmartHost, because many SMTP gateways drop "Automatic Replies" by default since they have an empty Return-Path.
    What's more, here is a similar thread for your reference.
    Exchange 2010 External Out of Office messages not going External
    http://social.technet.microsoft.com/Forums/exchange/en-US/87a815bb-c136-428c-8c69-dc3a69fdfd7f/exchange-2010-external-out-of-office-messages-not-going-external
    Hope it helps.
    If you need further assistance, please feel free to let me know.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support

  • Messaging Server 7 - Disable outbound SMTP

    Oracle Communications Messaging Server 7u4-27.01(7.0.4.27.0) 64bit (built Aug 30 2012)
    libimta.so 7u4-27.01 64bit (built 08:47:11, Aug 30 2012)
    Using /opt/sun/comms/messaging64/config/imta.cnf (compiled)
    Recently moved mail to a hosted solution but have inbound mail coming through postini routed to both our hosted email system and into our Oracle Messaging Server for backup purposes.  We'd like to keep the inbound messages coming into the Oracle Messaging Server but we'd like to disable the ability to send outbound from it.  What is the easiest way to accomplish this?
    Thanks as always!

    If you do "imsimta qm" to get into the qm subcommand and then do "stop <channel>" for each channel, that will prevent job_controller running any jobs to process mail in the channel queues. Mail will come in, but nothing will be processed.
    If you want mail to be delivered to local users, but nothing allowed to send output via SMTP, then only stop the tcp_* channels.
    If no one is using the system, then there should be relatively little mail building up in the tcp_* channels, so this should not be a big concern, but just in case...
    If the number of messages in all the channel queues builds up to 100,000 (by default) you may have trouble with it not processing other incoming mail. For more info about that, see the MAX_CACHE_MESSAGES option which can be added to the job_controller.cnf file. For more info about that, see:
    https://wikis.oracle.com/display/CommSuite/Job+Controller+Configuration+File
    and the following MOS knowledge article:
    Mass Mailing Clogging Queues, Preventing Other Mail Delivery (Doc ID 1410844.1)
    https://mosemp.us.oracle.com/epmos/faces/DocContentDisplay?id=1410844.1

  • 4710 outbound smtp problem

    I have a new ACE 4710. I am unable to get the mail server to send mail through the ACE. I have even set the ACL to any any both inside and outside. The mail server worked fine when it was behind the ALTEON load balancer.
    Don't know what I am missing any ideas would be greatly appreciated.

    It shouldn't be any problem. SMTP is nothing but Layer 4 traffic on port 25.
    Are you simply routing the SMTP traffic through the ACE or load-balancing the SMTP traffic?
    Is the ACE in routed/bridged mode?
    What is the default gateway on the SMTP server?
    Syed

  • IMS 5.2: iMS outbound SMTP connections

    Hi,
    I would like to know how does iMS determine when to open an SMTP connection to a remote SMTP server.
    - Does it try to deliver a message as soon as it receives it (from a client)?
    - Does it do that at a certain configurable time interval?
    - Where is this information stored and how can it be changed? Config file? LDAP?
    - Does iMS Patch 1 or Patch 2 make any changes to this?
    - Does switching from dirsync to Direct LDAP have any impact on this?
    Thanks.

    > Hi,
    > I would like to know how does iMS determine when to open an SMTP connection to a remote SMTP server.
    > - Does it try to deliver a message as soon as it receives it (from a client)?
    iMS receives a message. The order of processing is:
    1. Message file is written to disk. Ack is given to sending server.
    2. Message is entered into the job_controller's queue.
    3. Job_controller schedules delivery based on:
    A. settings for number of threads, and "threaddepth" setting. By default, "threaddepth" is 128.
    B. number of messages addressed to each domain addressed in the queue.
    If there are threads available to send a message, it's sent immediately. If there are more than the threaddepth messages queued for a domain, then another thread is started, up to the maximum number configured.
    > - Does it do that at a certain configurable time interval?
    Retries are done, based on the "backoff" settings in each channel. Original sending is not configurable, as it's immediate.
    > - Where is this information stored and how can it be changed? Config file? LDAP?
    imta.cnf, job_controller.cnf.
    > - Does iMS Patch 1 or Patch 2 make any changes to this?
    Yes, the patches fix some job_controller issues where messages were not picked up immediately. Strongly suggest p2.
    > - Does switching from dirsync to Direct LDAP have any impact on this?
    No, but all users should set up direct ldap. Strongly recommended. dirsync has bugs that will never be addressed, and can cause incoming mail to hang.
    > Thanks.

  • Control of Outbound SMTP?

    Hi,
    Is it possible to control where users can send mail and direct them to specific relays? I only want a couple of people to be able to mail out to the internet and ideally they would also have attachment stripping etc. running and others should only be able to send to internal addresses e.g. [email protected] so it would bounce anything not for company.com? Also I'd like any mail for company.com to go to the internal only relays whilst anything else can go upstream to the ISP's relay.
    For inbound I'm stopping users receiving mail by tagging anything with the company domain as -9 Spam score and anything else as +9 spam score and redirecting spam >5 to a 'quarantine' mailbox.
    I'm basically trying to recreate the ability to restrict who users can send to in exchange.
    Cheers,
    F
    P.S. Running Leopard Server 10.5.1

    I see. What have you tried so far? What worked, what didn't work? Can you give us an example of exactly what you're trying to do?

  • Routing outbound SMTP email for a domain to a GWIA

    Hi,
    I need to forward email as the original sender to an ISP for certain of our users to pickup with their BlackBerry's.
    I had originally configured our production GWIA's with: /flatwd and /realmailfrom which achieved the forwarding of email messages.
    Though it seems to have broken the 'Forward as Attachment' feature from the GW client.
    I looked at TID 7002601 which looks like exactly what I need.
    I configured a secondary domain with a GWIA and did the necessary configs in C1/GWIA.CFG.
    Problem is that even though I specify the forward address as ROUTEDOM.ISPGWIA:[email protected] (ROUTEDOM.ISPGWIA being the object name of my secondary GWIA) - messages are still continuing to route via the original path and not through the additional GWIA.
    Any pointers would be much appreciated!


  • Some emails received with empty attachment file but visible in SAPOffice

    Hi,
    I hope someone can shed some light on this.  I couldn't find anything in OSS regarding this issue.  Our client suddenly started having a problem where emails sent out of the system containing .PDF attachments are being received sporadically as blank attachments.  This appears to be a performance issue and occurs randomly, typically in the middle of a batch of output being distributed by RSCONN01.
    Oddly enough, when we display the SAPOffice email in SOST the next day, the attachment is there.  If we resend, the attachment comes through fine.  This only occurs in batch.
    My instincts tell me this is occurring during the RFC call to MLUNXSND.  It's almost as if SENDMAIL is being triggered before the attachment is successfully written down to the unix level.
    Our network is notoriously poor.  I have no idea to which directory the attachments get written before the email is sent.
    Can anyone provide suggestions on where to look?  I'm thinking maybe a directory is full somewhere?  We've never archived anything.  This has been working successfully and without error for over 18 months now.  It just started happening a week or so ago.
    My only other thought is that perhaps the commit to the database is not complete when generated by RSNAST00 prior to running RSCONN01.  Is it possible that SCOT is processing the outbound email before the attachment data is completely written to the database?  I would have thought that a commit work in RSNAST00 would prevent this?
    Our basis group appears to be helpless and either unwilling or unable to research it further.  The fact that the output is fine in SAPOffice/SOST leads me to believe this is a problem at the UNIX level and is a basis issue, not an application issue.
    Thanks so much for any suggestions on where to look for help to this problem.  We are on 4.6C

    Is it possible that in batch mode perhaps multiple uuencode/sendmails are being called simultaneously and this is causing the problem, whereas when you run or test it manually you only invoke a single uuencode/sendmail at the unix level? (sendmail.cf)
    You can test from 1 unix with something like this to send /tmp/report.pdf via email
    uuencode /tmp/report.pdf report.pdf | mailx -s "test" ray[at]company.com
    Perhaps try a batch of 10 of them at once from unix too
    # start 10 uuencode/mailx pipelines in the background at the same time
    i=0
    while [[ $i -lt 10 ]]
    do
       uuencode /tmp/report.pdf report$i.pdf | mailx -s "test $i" ray[at]company.com &
       let i="$i+1"
    done
    Alternatively perhaps your system is only allowed to make limited outbound SMTP connections by a firewall or mail gateway that's the next hop after Unix?

  • ASA: SMTP Outbound Blocked

    Hello everyone,
    I am having trouble with my outbound SMTP traffic. I have a 5510 ASA with an IPS module. I also have three interfaces configured: inside, DMZ, and outside. My incoming emails pass with no problems, but my outgoing ones do not; they get stuck in my DMZ with the following message: No route to host. From my email relay I can ping and even telnet to any other port of any server on the internet, but when it comes to SNMP it gives me this error. The same thing also happens with the inside. The configuration hasn't changed. I also did a packet trace, which gave the result allowed across the board. Now I am really stuck and can't figure out what is going on. Here is my ASA config:
    ASA Version 8.2(1)
    hostname dspasa2
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address X.X.X.165 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.3 255.255.255.0
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 10.0.0.101 255.255.255.240
    interface Ethernet0/3
    shutdown    
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit tcp host 192.168.0.1 any log disable inactive
    access-list inside_access_in extended permit udp host 192.168.0.1 any log disable inactive
    access-list inside_access_in extended permit ip host 192.168.0.4 any log disable
    access-list inside_access_in extended permit tcp host 192.168.0.5 any log disable
    access-list inside_access_in extended permit udp host 192.168.0.5 any log disable
    access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data log disable
    access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp log disable
    access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 any log disable
    access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.100 eq 8445
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
    access-list inside_access_in extended permit object-group TCPUDP host 192.168.0.201 host 81.80.56.164 log disable
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any log disable
    access-list outside_access_in extended permit esp any any log disable
    access-list outside_access_in extended permit ah any any log disable
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit tcp any host X.X.X.161 eq smtp
    access-list outside_access_in extended permit tcp any host  X.X.X.161 eq 8445
    access-list outside_access_in extended permit tcp any host X.X.X.161 eq https
    access-list outside_access_in extended permit object-group TCPUDP any host  X.X.X.164
    access-list dspgroup_splitTunnelAcl standard permit any
    access-list dspgroup_splitTunnelAcl_1 standard permit any
    access-list dspgroup_splitTunnelAcl_2 standard permit any
    access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
    access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
    access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
    access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
    access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
    access-list SPIL standard permit 192.168.0.0 255.255.255.0
    access-list QOS extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
    access-list dmz-in extended permit icmp any any
    access-list dmz-in extended permit tcp host 10.0.0.100 any eq https
    access-list dmz-in extended permit tcp host 10.0.0.100 any eq www
    access-list dmz-in extended permit udp host 10.0.0.100 any eq domain
    access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool VPNPOOL 10.10.10.1-10.10.10.20 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.0.0 255.255.255.0
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (dmz,outside)  X.X.X.161 10.0.0.100 netmask 255.255.255.255
    static (outside,inside) 192.168.0.201  X.X.X.164 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz-in in interface dmz
    route outside 0.0.0.0 0.0.0.0  X.X.X..166 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 management
    http 192.168.0.0 255.255.0.0 inside
    snmp-server location DSP
    no snmp-server contact
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set myset esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 1 match address snimndb
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set transform-set myset
    crypto map outside_map 1 set security-association lifetime seconds 1800
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5    
    group 2
    lifetime 1800
    crypto isakmp ipsec-over-tcp port 10000
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 192.168.64.0 255.255.255.0 inside
    ssh 192.168.0.0 255.255.0.0 management
    ssh timeout 60
    console timeout 0
    management-access inside
    priority-queue outside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.0.4 source management
    webvpn
    group-policy dspgroup internal
    group-policy dspgroup attributes
    dns-server value 192.168.0.4 192.168.64.47
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPIL
    default-domain value dsp.snim.com
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 10 retry 2
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
    pre-shared-key *
    tunnel-group RAPARIS type remote-access
    tunnel-group RAPARIS general-attributes
    address-pool VPNPOOL
    default-group-policy dspgroup
    tunnel-group RAPARIS ipsec-attributes
    pre-shared-key *
    class-map voix
    match dscp ef
    class-map IPS
    match any
    class-map QOS
    match access-list QOS
    class-map inspection_default
    match default-inspection-traffic
    class-map inspection_defautl
    policy-map type inspect dns preset_dns_map
    parameters
    policy-map voix
    class voix
      priority
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    class IPS
      ips promiscuous fail-open
    service-policy global_policy global
    service-policy voix interface outside
    prompt hostname context
    Cryptochecksum:bb43480221ed20aafc3e397fd7432bc3
    : end
    Here is an output of the Packet Tracer
    dspasa2# packet-tracer input dmz tcp 10.0.0.100 234 173.194.79.26 25
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group dmz-in in interface dmz
    access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: IDS
    Subtype:
    Result: ALLOW
    Config:
    class-map IPS
    match any
    policy-map global_policy
    class IPS
      ips promiscuous fail-open
    service-policy global_policy global
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
      match ip dmz host 10.0.0.100 outside any
        static translation to X.X.X.161
        translate_hits = 3540, untranslate_hits = 920
    Additional Information:
    Static translate 10.0.0.100/0 to 81.80.56.161/0 using netmask 255.255.255.255
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
      match ip dmz host 10.0.0.100 outside any
        static translation to X.X.X.161
        translate_hits = 3540, untranslate_hits = 920
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:      
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 8470, packet dispatched to next module
    Result:
    input-interface: dmz
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    please help

    Hi,
    I believe that you must edit your policy map and add the SMTP traffic to your default inspection.
    policy-map global_policy
    class inspection_default
      inspect smtp
    Because your dmz is more trustable than the outside interface, I think you must include this type of traffic to the global inspection.
    Take care man.

  • Inbound SMTP rejects all messages.

    Hi,
    In short: after a clean install i can't receive any mail anymore...
    Let me start by saying that I’m not an IT professional, just a hobbyist with only limited knowledge on server specific subjects. I trust i must be doing something totally simple totally wrong.
    I have my own domainname, and i run a small network with Apple, Linux and Windows machines. This network is connected to the internet via adsl router/modem.
    About a year ago i installed a copy of OS X Server 10.4 on a Mac Mini. Due to my inexperience i made some ‘strange’ choices during installation but got everything up and running. Now that i’ve gained a bit more experience with OS X Server i wanted to do a clean install more tailored to my needs.
    The Mini is now configured as a standalone server running windows file service, www and mail. As an experiment I switched off dns and dhcp on the router and let OS X handle these too.
    On the previous installation I switched off outbound smtp to avoid the risk of unknowingly creating an open relay, and only used the server for incoming mail. It worked without a problem.
    The newly installed server handles outbound smtp as well, and that works fine. The problem i run into is with inbound smtp connections: all mail gets rejected, 554 Relay access denied.
    I have a dns provider, and the dns record has a MX entry pointing at my external ip address. The router has NAT configured to route traffic on ports 25, 110 and 143 to the Mini. Nothing changed there, and it seems to work without a problem.
    The dns server running on the Mini is for name resolution on the local network. The router and the server are pingable by name, and the server is marked to handle the mail for this zone. Seems to work.
    Here’s part of the smtp log file, replaced all ‘@’ with ‘#’.
    Sep 25 12:57:26 minimac postfix/smtpd[3231]: connect from smtp-vbr3.xs4all.nl[194.109.24.23]
    Sep 25 12:57:26 minimac postfix/smtpd[3231]: NOQUEUE: reject: RCPT from smtp-vbr3.xs4all.nl[194.109.24.23]: 554 <test#korteweg.com>: Relay access denied; from=<korteweg#xs4all.nl> to=<test#korteweg.com> proto=ESMTP helo=<smtp-vbr3.xs4all.nl>
    Sep 25 12:57:27 minimac postfix/smtpd[3231]: disconnect from smtp-vbr3.xs4all.nl[194.109.24.23]
    ‘test’ is of course an existing user, with mail access enabled in the workgroup manager.
    After finding a similar problem with Google I edited the main.cf file to include the external ip address as a proxy, but that didn’t help.
    I spent some time searching through other threads here but couldn't find anything helpful. Any bright ideas would be very much appreciated!
    Jaap

    Open up relay access from within the SMTP preferences (via Server Admin) for clients in your local network. Probably korteweg.com, the IP address range(s) used within your network, and localhost 127.0.0.1. There's a recent Squirrelmail/Webmail discussion around that discusses 127.0.0.1.
    I'd probably plug POP/110 and IMAP/143 on the external-side firewall, and would consider opening up squirrelmail/webmail or an encrypted connection (eg: ports SMTPS/465, IMAPS/993, POP3S/SPOP/995) into your server if remote access into your mail server is needed.
    Your SMTP server would connect into the next mail server via port 25 (and thus that needs to be open); mail clients tend to use 110 and 143. If you have no clients using your mail from the outside, opening these will simply attract riff-raff.
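
The following is an added example, not part of the thread above: a Python triage of Postfix "Relay access denied" log lines that separates rejected mail addressed to a domain the server is meant to receive for from rejected third-party relay attempts. The log lines, host names, addresses and the `hosted_domains` list are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same Postfix smtpd format as the excerpt above.
SAMPLE_LOG = """\
Sep 25 12:57:26 mail postfix/smtpd[3231]: connect from mx.example.net[192.0.2.10]
Sep 25 12:57:26 mail postfix/smtpd[3231]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: 554 <test@hosted.example>: Relay access denied; from=<alice@example.net> to=<test@hosted.example> proto=ESMTP helo=<mx.example.net>
Sep 25 13:02:11 mail postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <bob@elsewhere.example>: Relay access denied; from=<x@spam.example> to=<bob@elsewhere.example> proto=SMTP helo=<pc>
Sep 25 13:02:12 mail postfix/smtpd[3240]: disconnect from unknown[198.51.100.7]
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?Relay access denied; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify_relay_denials(log_text, hosted_domains):
    """Group relay denials by whether the recipient domain is one we host."""
    hosted = {d.lower() for d in hosted_domains}
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connect/disconnect and other lines are ignored
        domain = m.group("rcpt").rpartition("@")[2].lower()
        # Mail for a hosted domain should be accepted, so a denial there
        # points at server configuration; anything else is a blocked relay.
        kind = "own_domain_rejected" if domain in hosted else "relay_attempt_blocked"
        result[kind].append((m.group("ip"), m.group("rcpt")))
    return dict(result)


if __name__ == "__main__":
    for kind, hits in classify_relay_denials(SAMPLE_LOG, ["hosted.example"]).items():
        print(kind, hits)
```
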

  • Authenticated outbound email?

    I'm wondering if there's a way to configure Messaging Server 7.0 to authenticate on outbound SMTP connections. Specifically, there are services that allow email relay, but only if the inbound connection is authenticated.
    To be clear, I'm talking about an MTA to MTA transfer. It appears you can configure some MTAs to log into a mail relay before passing mail along.
    As an example, sendmail accepts this in sendmail.mc
    FEATURE(authinfo, `hash -o /etc/mail/authinfo')
    define(`SMART_HOST', `outbound.mailhop.org')
    I've gone through a lot of material, but I can't find any hint that Messaging server allows this. Am I missing something, or is it just not a supported feature.
    Thanks,
    John

    jandrusiak wrote:
    I'm wondering if there's a way to configure Messaging Server 7.0 to authenticate on outbound SMTP connections. Specifically, there are services that allow email relay, but only if the inbound connection is authenticated.
    To be clear, I'm talking about an MTA to MTA transfer. It appears you can configure some MTAs to log into a mail relay before passing mail along.
    I've gone through a lot of material, but I can't find any hint that Messaging server allows this. Am I missing something, or is it just not a supported feature.

    The functionality was added to Messaging Server 7.0 update 1 (Communication Suite 6 update 1) but it appears to have not been (publicly) documented.
    <snip>
    Limited SASL capabilities have been added to the SMTP client. SASL authentication will be attempted if the maysaslclient or mustsaslclient channel options are set (it must succeed if mustsaslclient is set).
    The PLAIN and EXTERNAL SASL mechanisms are currently supported. The AUTH_USERNAME and AUTH_PASSWORD TCP channel options provide the credentials for the plain mechanism and the EXTERNAL_IDENTITY TCP channel option provides the identity string for SASL EXTERNAL. (EXTERNAL_IDENTITY can be set to the empty string to enable SASL EXTERNAL without an identity string.)
    </snip>
    So to give you an example that worked in my own MS7.0 update 1 test environment:
    1. Create a new channel which uses the mustsaslclient keyword in imta.cnf e.g.
    ! tcp_secure
    tcp_secure nomx multiple subdirs 20 dequeue_removeroute maxjobs 7 musttlsclient mustsaslclient pool SMTP_POOL daemon [192.168.1.10]
    tcp_secure-daemon
    Note: the musttlsclient keyword ensures that the connection is encrypted prior to passing across the plain-text username/password. Also in this case the channel is configured to send emails to a dedicated system with an IP address of 192.168.1.10.
    2. Create a rewrite rule which directs emails for [email protected] to the new channel:
    domain.com $U%$D@tcp_secure-daemon
    3. Create a tcp_secure_option channel option configuration file which contains the SASL auth username/password:
    bash-3.00# cat /opt/sun/comms/messaging/config/tcp_secure_option
    AUTH_USERNAME=authuser
    AUTH_PASSWORD=secretpassword
    4. Rebuild the MTA configuration and restart e.g.
    ./imsimta cnbuild;./imsimta restart
    5. Send an email to [email protected], you should see something like the following in the logs:
    27-Jan-2009 12:25:51.82 tcp_secure                DEQS 1 [email protected] rfc822;[email protected]
    [email protected] [192.168.1.10] dns;[192.168.1.10] (TCP|1.2.3.4|34682|192.168.1.10|25) (domain.com --
    Server ESMTP [Sun Java System Messaging Server 6.2-9.14 [built Aug 19 2008]]) smtp;250 2.1.5 address accepted for
    deferred processing: [email protected]
    DEQS stands for "(D)equeue, (E)SMTP, TL(S)/SSL used". Q appears to be the new code for SASL client auth (also not yet documented).
    Regards,
    Shane.
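
The following is an added example, not part of the reply above and not Messaging Server's own tooling: a Python check for the risk noted in step 1, flagging imta.cnf channels that enable SASL client authentication without a keyword that forces TLS, together with the domains routed to them. The config fragment is constructed (the `tcp_relay` channel and `example.net` are hypothetical), and the parser assumes the rewrite rules form the first blank-line-separated block and that channel definitions are not continued across lines.

```python
import re

# Constructed imta.cnf fragment: rewrite rules first, then channel blocks
# separated by blank lines; lines starting with "!" are comments.
SAMPLE_IMTA_CNF = """\
domain.com $U%$D@tcp_secure-daemon
example.net $U%$D@tcp_relay-daemon

! tcp_secure
tcp_secure nomx multiple subdirs 20 dequeue_removeroute maxjobs 7 musttlsclient mustsaslclient pool SMTP_POOL daemon [192.168.1.10]
tcp_secure-daemon

! tcp_relay (hypothetical channel: SASL allowed, TLS not enforced)
tcp_relay nomx maxjobs 2 maysaslclient pool SMTP_POOL daemon [192.0.2.25]
tcp_relay-daemon
"""

SASL_KEYWORDS = {"maysaslclient", "mustsaslclient"}
TLS_REQUIRED = {"musttlsclient", "musttls"}  # keywords that force TLS outbound

def parse_config(cnf_text):
    """Return (routes, channels): routes maps channel host -> [domains],
    channels maps channel name -> (keyword set, official host name)."""
    blocks = re.split(r"\n[ \t]*\n", cnf_text.strip())
    routes = {}
    for line in blocks[0].splitlines():
        parts = line.split()
        if len(parts) == 2 and not line.startswith("!") and "@" in parts[1]:
            routes.setdefault(parts[1].rsplit("@", 1)[1], []).append(parts[0])
    channels = {}
    for block in blocks[1:]:
        lines = [l.strip() for l in block.splitlines()
                 if l.strip() and not l.startswith("!")]
        if lines:
            name, *keywords = lines[0].split()
            channels[name] = (set(keywords), lines[1] if len(lines) > 1 else "")
    return routes, channels

def audit_sasl_channels(cnf_text):
    """List (channel, domains) where SASL auth can run without forced TLS."""
    routes, channels = parse_config(cnf_text)
    findings = []
    for name, (kw, host) in sorted(channels.items()):
        if kw & SASL_KEYWORDS and not kw & TLS_REQUIRED:
            findings.append((name, sorted(routes.get(host, []))))
    return findings

if __name__ == "__main__":
    print(audit_sasl_channels(SAMPLE_IMTA_CNF))
```
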

  • More flexibility in limiting requests per second or minute

    We've read the docs on limiting the requests-per-second (max-rps), but we would actually like to set the threshold at less than one request per second. For example, we'd like to set the maximum requests to something like once every 5 seconds. But values like 0.2 for max-rps are not accepted. So the question is:
    Is there a way to set the maximum frequency of requests to something like once every 5 or 10 seconds?
    Is there an add-in that does that or could we create an add-in to do that?
    It looks like the server is NOT open source, so we cannot change the current code to address this, but certainly let me know if I'm wrong about that.
    In case it's helpful as background, the reason we want a lower threshold is that we only intend to limit access for html or jsp pages (not gif, jpg, js, css, etc.) That's because we don't want users to get half of a page, like the html, but no images or css, which would look like an ugly error. We want them to get the html complete with all the embedded files or get an error page. We're really only trying to block bots, which might make requests every second or slightly less often, and not block any human users. If there are other general suggestions for how to meet our goal, I'd love to hear them.

    No, the lowest max limit is 1rps. The request limiting isn't really meant for what you're describing, it is for limiting high request rates. At less than 1/sec such detection would have false positive with real users anyway, so it wouldn't be such a great way of distinguishing users from bots. I'm not sure it would prove very satisfactory.
    You could create your own NSAPI plugin (see docs on NSAPI usage) to implement your desired logic. I'd probably look into long term counters instead, but I don't really know the details of the exact problem you're trying to address.

  • SMTP Conversion Threads - how many?

    I am wondering how many conversion threads one should set for inbound/outbound SMTP traffic on a GWIA.
    The GWIA in question handles the following in a 24 hour period:
    Inbound 12000 - 15000 messages
    Outbound 3000 - 5000 messages
    My conversion threads are currently set to 7/7.
    Is this too low? What would the GURU's suggest?

    Thank you for your reply - much appreciated.
    There is no backlog of mail. The GWIA appears to be working fine with those settings, but I always like to fine tune my system for best possible performance.
    I was just wondering if there were any recommended settings for GWIA or if there's some kinda calculation ie this amount of inbound mail per minute requires this amount of conversion threads.
