[solved] Postfix smtp filtered to the outside world

Hi,
I set up postfix+dovecot successfully except postfix smtp. I can't connect to smtp from a remote network. nmap shows:
25/tcp filtered smtp
When I connect to VPN on the same VPS running postfix, everything works. What could be behind this other than iptables? (I don't have any rules relevant to this set)
Last edited by Nezmer (2010-01-02 14:32:21)

Fixed running smtps.

Similar Messages

  • Best Practice on Not Exposing your internal FQDN to the outside world

    Exchange server 2010, sits in DMZ, internet facing. The server is currently using the Default Receive Connector. This exposes the internal fqdn to the outside world (ehlo). Since you should not (can't) change the FQDN on your Default Receive connector, what
    is the best practice here?
    The only solution I can see is the following:
    1. Change the Network on the Default Receive Connector to only internal IP addresses.
    2. Create a new Internet Receive Connector port 25 for external IP addresses (not sure what to put in Network tab?) and use my external FQDN for ehlo responses (e.g. mail.domain.com)
    3. What do I pick for Auth and Permissions, TLS and Anonymous only?
    Michael Maxwell

    Yes, it fails PCI testing/compliance. I shouldn't be able to see my internal server and domain. I understand that is the recommendation, but my client doesn't want to host in the cloud or go with a Trend IHMS (trust me I like that better, but it's
    not my choice). I have to work with the deck of cards dealt to me. Thanks, just want a solution with what I have now.
    Michael Maxwell
    Understand. I won't go into the value of those tests :)
    If the customer is really concerned about exposing the internal name, then create a new receive connector with a different FQDN (and corresponding cert) for anonymous connections as you mention above. Know that it also means internal clients
    can connect to the server on port 25 as well if you don't have the ability to scope to a set of IP addresses (i.e. an SMTP gateway).
    The internal names of the servers will also be in the internet headers of messages sent out:
    http://exchangepedia.com/2008/05/removing-internal-host-names-and-ip-addresses-from-message-headers.html
    http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2007/SecurityMessageHygiene/HowtoremoveinternalservernamesandIPaddressesfromSMTPheaders.html
    Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
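
A check for the header leak mentioned in the reply above, as an added example that is not part of the original thread: it scans the `Received:` headers of an outbound message for RFC 1918 addresses and internal-looking host names. The sample message, the host names and the suffix list are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also flag
# documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: suffixes treated as internal-only names; adjust to your AD domain.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample: one internal hop followed by the Internet-facing hop.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (203.0.113.25) by mx.example.net with ESMTP;
 Tue, 5 Jan 2010 10:00:02 +0000
Received: from EXCH01.corp.example.local (10.1.2.15) by mail.example.com
 (203.0.113.25) with Microsoft SMTP Server; Tue, 5 Jan 2010 10:00:00 +0000
From: sender@example.com
To: rcpt@example.net
Subject: constructed sample

body
"""


def find_leaks(raw_message):
    """Return (hop, kind, value) for every internal identifier in Received headers.

    hop 0 is the topmost (most recent) Received header.
    """
    msg = message_from_string(raw_message)
    leaks = []
    for hop, value in enumerate(msg.get_all("Received") or []):
        line = " ".join(value.split())  # unfold continuation lines
        for name in HOST.findall(line):
            if name.lower().endswith(INTERNAL_SUFFIXES):
                leaks.append((hop, "hostname", name))
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 or a dotted version string
                continue
            if any(addr in net for net in RFC1918):
                leaks.append((hop, "private-ip", text))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_MESSAGE):
        print(leak)
```

Run it against a message captured at the external recipient, before and after any header-scrubbing rule is applied on the gateway.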

  • Make VM accessible to the outside world (iptables question)

    I have a VM running on one of our internal servers on top of Oracle Enterprise Linux 4.x with VMware Server 3.x
    Inside the VM runs a Oracle Database and a WebLogic Server, and I need to access the Weblogic administrative interface and the applications running on it from another computer part of Oracle Internal Network.
    If I start the VM with its network interface in "bridged" mode, then the VM doesn't get any IP by DHCP. If I try to manually assign an IP to it, the network doesn't work, most probably because of some security rules enforced by the local SA.
    If I start the VM with its network interface in NAT mode, then the internal applications fail to start with network sockets errors.
    The only way to start the VM and the applications running inside it without errors is the "host network only" mode, but then the applications are not available from any other machine than the one on top this VM runs.
    So I guess that the easiest way to solve this problem would be to create some IPTABLES rules so that all http/https/ssl traffic passing through the physical machine network interface on certain ports to be forwarded to the VM host-only network interface.
    I do not have enough knowledge of IPTABLES rules and I know this is quite a huge subject, so starting to learn it now will take some days which I can not afford right now...
    Is someone with more knowledge on the subject able to help me here?
    Thanks and Regards
    Serban

    Can you get in touch with your local SA to see if there are any policy or network security restrictions that apply? DHCP is not a good solution for your situation anyway, and I would not bother to setup firewall with dynamic port forwarding and proxying to bypass networking restrictions. I think, the most, if not the only feasible option, to make your VM talk to the outside world, is to setup your VM in bridged network mode, so that the VM interface can broadcast at the same level as your host interface. Besides, your current external network security may prevent routing any IP address other than the one of your host computer, in which case you will be able to access your VM only from within your host computer, regardless.
    If you cannot work out a static IP address or direct access to your VM from outside, perhaps simple port forwarding may work in your case, which will automatically forward all traffic to a certain port on your host computer to the network of your VM, but then you won't be able to choose.
    Edited by: Dude on Nov 12, 2010 7:14 AM

  • How to expose a web service to the outside world?

    Hello,
    i have created a Web service from a Session bean and successfully published it on one of my UDDI registries using the Admin tool.
    At this point, what do I need to do further in order to expose this Web service not just in our LAN but to the outside world?
    Roy

    Of course it should be published at UDDI.
    Four play key roles in Web services: Universal Description, Discovery and Integration (UDDI), Web Services Description Language (WSDL), Web Services Inspection Language (WSIL), SOAP, and Web Services Interoperability (WS-I).
    The UDDI specification defines open, platform-independent standards that enable businesses to share information in a global business registry, discover services on the registry, and define how they interact over the Internet.
    See this link too:
    http://help.eclipse.org/help32/index.jsp?topic=/org.eclipse.jst.ws.consumption.ui.doc.user/concepts/cwsdlud.html
    Regards, Suresh KB

  • [SOLVED] Creating an invisible-to-the-outside network with Arch

    Hi All,
    I want to create an internal network to share access to a larger business network and to the outside world.
    Essentially, I want to create a small network that is invisible to the other machines and routers of our network, but which shares all ports.  My current thinking right now is to buy a network card for my desktop, connect it to a wifi router(specifically this one as it has enough power to reach a few rooms over), and create a wifi network with a hidden-SSID.
    I will then set up port forwarding on my desktop to share my primary ethernet network with the wifi network on my other ethernet card.
    I don't know very much about networking though, so I want to know if this setup will be visible to the greater network, or if it will be hidden?  Also, is that a good wifi router to get for this purpose, and does it matter which ethernet card I get?
    Thanks for your help with this, I realize this a pretty disjointed question - with hardware, software, and random networking questions all mixed together.
    -Mike
    Last edited by MikeDacre (2014-10-14 16:10:35)

    This is actually very simple to do. The wifi router I mentioned in my previous post works well, and any old ethernet card with a chipset supported by the current kernel (most of them), will work too. Then all you do is connect the server to the 'modem' port of the router via an ethernet cable, and configure some sort of dhcp server like dhcpd or dnsmasq to give the wifi router an IP. To share the internet with it, forward your internet connection with iptables and you are good. If you want to also connect to the wifi with the server - for example because that makes file sharing easier - then you need to be a little careful with your routing table to make sure you don't try to connect to the net via the wifi connection.
    Most routers support hidden SSIDs, just log in to the router and configure that directly.
    Hey presto, you are done, you have a hidden wifi network that allows other machines to connect to the net through your server.

  • Security: Portlets visible to the outside world?

    When I deploy portlets to a oc4j instance managed by the applicationserver it seems that the url of the webapplication is automatically visible through the ora http server. Since my webapplications only contain portlets that should be accessed by the portal, how do I prevent the outside world from sending request directly to the webapplication?

    You have used some very general terms in your question but I will attempt to reply with some caveats.
    Generally speaking most remote access VPNs use private addresses which are translated using NAT when traffic leaves the protected (internal) network en route to a public server, such as a web server on the Internet. You address appears to the remote server as one of the addresses from the NAT pool (or sometimes outside interface) of the VPN concentrator or firewall that is performing that function.
    You can always check your address as it appears to the outside by browsing to something like http://whatismyip.com

  • Relay settings to get mail from the outside world

    Hello. First, let me say - I'm a mail newbie, so be gentle.
    I've just recently set up my mail server, and I am having an issue where I can receive mail from some people and not from others. Those who cannot send me mail get an error about the relay not accepting it. In server admin, I have checked accept SMTP relays only from these hosts and networks, and I have put in 127.0.0.1/32 and my server's ip/32 (at the advice of apple tech support when I was configuring mail). Is something missing here that would allow me to receive mail from anyone? Thanks in advance for any help.

    Here you go. Thank you.
    Admin$ postconf -n
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter =
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 10485760
    mydestination = $myhostname,localhost.$mydomain,localhost,brainart.biz,www.artsmiths.biz,artsmiths.biz,www.brainart.biz,mail.artsmiths.biz,smtp.artsmiths.biz,mail.brainart.biz,smtp.brainart.biz
    mydomain = artsmiths.biz
    mydomain_fallback = localhost
    myhostname = artsmiths.biz
    mynetworks = 127.0.0.1/32,70.90.83.165/32
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_pw_server_security_options = none
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = no
    smtpd_tls_key_file =
    smtpd_use_pw_server = no
    unknown_local_recipient_reject_code = 550
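
How the recipient restrictions in the `postconf -n` output above are evaluated, as an added example that is not part of the original thread: a simplified Python model of `permit_mynetworks` and `reject_unauth_destination` using the posted `mynetworks` and `mydestination` values (parameter names written with the underscores Postfix uses). The client address 203.0.113.9 and the domain example.org are constructed; `relay_domains`, virtual domains and address literals are deliberately not modelled.

```python
import ipaddress
import re

# Values copied from the postconf -n output above.
PARAMS = {
    "myhostname": "artsmiths.biz",
    "mydomain": "artsmiths.biz",
    "mynetworks": "127.0.0.1/32,70.90.83.165/32",
    "mydestination": "$myhostname,localhost.$mydomain,localhost,brainart.biz,"
                     "www.artsmiths.biz,artsmiths.biz,www.brainart.biz,"
                     "mail.artsmiths.biz,smtp.artsmiths.biz,"
                     "mail.brainart.biz,smtp.brainart.biz",
    "smtpd_recipient_restrictions":
        "permit_mynetworks,reject_unauth_destination,permit",
}


def expand(name, params=PARAMS):
    """Split a comma-separated parameter and substitute $name references."""
    items = [i.strip() for i in params[name].split(",") if i.strip()]
    return [re.sub(r"\$(\w+)", lambda m: params[m.group(1)], i) for i in items]


def decide(client_ip, recipient, params=PARAMS):
    """Return (action, reason) for one RCPT TO from one client address.

    Simplified model (assumption): only mynetworks and mydestination are
    consulted; relay_domains, virtual domains and address literals are ignored.
    """
    ip = ipaddress.ip_address(client_ip)
    networks = [ipaddress.ip_network(n) for n in expand("mynetworks", params)]
    local_domains = {d.lower() for d in expand("mydestination", params)}
    domain = recipient.rsplit("@", 1)[-1].lower()

    # Restrictions are evaluated left to right; the first decisive one wins.
    for rule in expand("smtpd_recipient_restrictions", params):
        if rule == "permit_mynetworks":
            if any(ip in net for net in networks):
                return ("permit", rule)
        elif rule == "reject_unauth_destination":
            if domain not in local_domains:
                return ("reject", "Relay access denied")
        elif rule == "permit":
            return ("permit", rule)
        else:
            raise ValueError(f"restriction not modelled: {rule}")
    return ("permit", "end of list")


if __name__ == "__main__":
    # Constructed cases: 203.0.113.9 stands in for any outside sender,
    # example.org for any domain not listed in mydestination.
    for ip, rcpt in [("203.0.113.9", "info@artsmiths.biz"),
                     ("203.0.113.9", "info@example.org"),
                     ("70.90.83.165", "info@example.org")]:
        print(ip, rcpt, decide(ip, rcpt))
```

Under this model an outside client can deliver only to recipients whose domain appears in `mydestination`; the two addresses in `mynetworks` may relay anywhere.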

  • Relay Mail from FAX Machine to the Outside World via GMAIL

    Hey everyone, I am not really sure I am in the right place here, but I am tired of running into a brick wall over this issue.
    Here is my basic issue:
    I have a fax machine that supports a functionality known as Fax to email. The machine is new, but Ricoh (5510nf) does not seem to be up on things when it comes to configuration.
    The machine does not support SSL authentication, and for that matter I believe it requires an open relay to work (that is what Ricoh told me).
    So what I need is for the fax machine to use the OS X mail services (or any service/program...) to send a scanned image along the net to the recipient's address. So I log into the fax machine via its internal address, and the settings of the fax machine include the following:
    SMTP Server:
    POP Server:
    Host Name:
    E-Mail Address:
    Domain Name:
    Account Name:
    Password:
    Reception Interval(min.)
    At first I thought this was going to be a no brainer, but it turns out that I am the no brainer.
    The OS X Server is not really setup to do anything but serve files right now. It is not setup with DNS or other such services.

    According to the available parameters you posted, the Fax machine supports authentication. This should be good enough to send through a mail server. It certainly does not require an open relay to send.
    However, given that gmail requires SSL, you are indeed stuck. That said, I am not sure setting up your own mail server just for this makes lots of sense. Running a mail server has implications. You need to secure it to make sure it is not abused and it also requires a certain amount of maintenance.
    I would rather try and use your ISP's SMTP server. Most likely they allow for sending without SSL and with authentication. Should this not be an option (unlikely), report back and I can try and help you to get your mail server up and running.
    HTH,
    Alex

  • Where to store configuration about the outside world?

    I have an abap report that write files to a network share. I would like to store the information in a way that it won't get transferred to the QA system during system copy. How do you keep this kind of configuration outside of the database? Is there a standard way?
    Thanks.

    Hi Igal,
    I think you create param table in DEV system, then you just shouldn't import it to QUA. Configuration copy should not apply here as well as it is still part of development.
    If this doesn't work you can hardcode a system check inside a report. There are system variables like sy-syst or similar (can't remember exact sy- names now) which store the name of the system, type, and client. I think by checking them inside a program you can omit the place where you call your production path on the QUA system side.
    Regards
    Marcin

  • JDEV 10.1.3 and the outside world

    This version of JDEV is excellent when working within a database framework. In fact it is too good, with very little documentation to cover all of the possibilities. But it appears to be database bound.
    Can someone tell me, point me to, or reference if and how well JDEV can be used to communicate with other applications, external i/o data streams, XML translation, etc.
    I'm trying to decide if this is the right environment for a new project or if another IDE like VS.NET or Borland would be more appropriate. I've used them all but have the least experience with JDEV and its capabilities.
    Thanks
    Mike

    Beyond excellent interaction with database oriented application, JDeveloper also has great features for working with other data sources.
    For example you can create data controls for: Web services, XML files, and any Java class. These will allow you to use the drag and drop data binding with these data sources as well.
    Here is a sample of how a Web service can be used in an ADF based application:
    http://www.oracle.com/technology/products/jdev/viewlets/1013/WebServicesAndADF_viewlet_swf.html
    For more information you might want to read the ADF Developer Guide:
    For example the chapter about Web services data controls:
    http://www.oracle.com/webapps/online-help/jdeveloper/10.1.3/state/content/navId.4/navSetId._/vtAnchor.CJAJGIEB/vtTopicFile.adfdevguide%7Cweb_services%7Ehtm/

  • Why can't quicktime streaming server get to the outside world?

    I cannot get quicktime streaming server to go out to the web. Everyone on the other end gets connection failed. I have my firewall on my server temporarily turned off. It works fine on the LAN. Please give me some ideas.

    Firefox can't establish a connection to the server at upload.xvideos.com.
    How do I fix this

  • Mailx unable to send mails to outside world?

    hi
    on a solaris sparc 9 environment mailx command is unable to send mails to the outside world. What could be the reason & needs to be checked?
    thanks

    Sounds basic, but what's your entry of mailhost in /etc/hosts pointing to? If it's not there, add the entry with the IP address of your SMTP host.
    When sending test mail from mailx, have another window open that's tail-ing the contents of /var/log/syslog - that usually contains good info about sendmail.
    Another thing worth checking is the rules on your SMTP gateway. If this is a new host, it may need adding to the list of authorised relay hosts. Also check to see if the SMTP host is allowed to relay mail outside of its own domain too.

  • Different Business Cases where SAP needs to be Integrated with outside world

    Hello Experts,
    Can I get some info on where SAP R/3 needs to be integrated with the outside world (business flows) that are most commonly used in all industrial sectors?
    Integration either with XI/PI or any other integration tools in the market.
    Thanks & Regards,
    Srikanth

    Dear Srikanth,
    Please go through the link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/46d6c25d-0b01-0010-06a9-8e8218753c02
    Traditionally, integrating SAP applications with the outside world used to be extremely difficult, due to limited interfacing provided by SAP. EAI vendors like IBM and webMethods addressed this business need, providing SAP adapters as part of their integration offerings. Recently, SAP has also addressed this issue through its SAP Net Weaver/XI offering.
    Please let me know in case of any specific queries.
    Regards,
    Rakesh

  • Computer Not Visible to Outside World

    How do I retain my computer's unique IP address following the addition of an AirPort Extreme base station?
    WIRED SETUP: Telephone line --> DSL modem --> AirPort Extreme --> Ethernet port on back of G5
    My computer has always had a unique IP address. This allows me to connect to my computer when I'm on-the-road traveling, etc. (via Timbuktu or FTP).
    Now that I've set up the AirPort Extreme base station, my base station has been given a unique, static IP but my computer is now dependent on DHCP for its IP address allocation. As far as I can tell, this renders my computer inaccessible from the outside world.
    How do I configure this so that I'm able to retain the benefits of the AirPort Extreme (using it to broadcast a wireless Internet connection) while ALSO keeping my G5 (see "WIRED SETUP" above) completely accessible to the outside world? Thanks!
    Dual 1.8GHz G5 (rev B)   Mac OS X (10.4.4)  

    Disabling distribute DHCP address won't work for your situation. Since you want to continue to use the wireless connection in addition to the G5 wired computer, you will need to still distribute IP addresses on the AEBS.
    As a solution, SurferLeo v.0, you can set up port forwarding on the base station. In effect, while you're on the road, you would attempt to connect to your public IP address (the one given by your DSL modem; the IP address given to your AEBS). Then, port forwarding would forward that traffic to the specific private IP address specified in the port forwarding settings.
    So, given that your public IP is x.x.x.x and that your G5's IP is 10.0.0.2 (or whatever), you would configure the AEBS to forward port numbers A, B, and C to 10.0.0.2 - where "A, B, and C" are the port numbers for the specific task you are performing.
    This site discusses setting up port forwarding.
    Here's a list of common port numbers.
    Various Macs and PC's   Mac OS X (10.4)  

  • Expose services on XI to the outside network

    Hi,
    We have a requirement that the web service hosted on xi would be invoked by another system which is outside the client's network. Although I will be using https in this case, still the client is apprehensive about opening the port of SAP XI to the outside world.
    Should we use a middleware system between XI and the outside network
    OR
    Expose the XI webservices over HTTPS?
    Please suggest the correct option.
    regards,
    Piyush

    Hi,
    Another possibility is through the DMZ: there you publish a web service to receive the data, and that web service is then mapped to the PI web service. This is managed by the network administrator, not in PI configuration.
    Another possibility is using HTTPS or a digital signature (RSA, 3DES).
    Thanks
    Rodrigo
