Version 6.4
Security

Is my Server an open relay?

An Open Relay is an SMTP (or SIP) server configured in such a way that it allows anyone on the Internet to send e-mail (or make calls) through it, not just mail destined to or originating from known users. If you receive a lot of mail/spam of unknown origin, but the targets are your local users, then it has nothing to do with relaying; relaying means sending through your server to external targets.

With the default settings CommuniGate Pro is configured NOT to be an open relay: it relays only e-mails (calls) submitted by senders who have authenticated.

Relaying for non-authenticated senders is possible if the sender has connected from an address listed in a Senders Address Profile with the "Trusted Source (Allowed Open Relaying)" option enabled. Ideally that option should not be used and all your users must authenticate when sending. If you receive all mail from a gateway, do NOT add the gateway address to the Profile, but add it to the UnBlacklistable (White Hole) IP Addresses list.

An Account was compromised and my server is being used for mass mailing. What can I do?

Someone has learned or guessed the password of an Account and is using that Account to send spam. Note that this case has nothing to do with open relaying. Open the Mail page in the WebAdmin Monitors realm, and open the Queue page. There you should see a lot of messages with similar size and contents.
In order to lower the chances of the users' passwords becoming compromised:
To reduce the damage caused by compromised Accounts, and to make them less attractive to hackers:
WebAdmin

I have rerouted the Postmaster account and now I cannot log in as the Postmaster

CommuniGate Pro applies routing rules not only to addresses in incoming messages, but to all addresses it processes. If you have rerouted the postmaster account to some other account abc, then all attempts to log in as the postmaster will cause the Server to try to open the abc account. If you provide the correct password (i.e. the abc account password), you will be able to log in, but you will have the access rights granted to the abc account, not to the postmaster account.

You can still log into the postmaster account even if the postmaster name is redirected to a completely different address. Use the following name instead of the postmaster name:

abcd@postmaster.local
This address is always routed to the account postmaster.
Use the regular postmaster account password with this string.
For more details on the .local routing, check the Local Delivery Module section.

I have deleted the Postmaster account

If you have deleted the postmaster account, stop the Server and start it again. If the CommuniGate Pro Server does not find the postmaster account during the startup process, it creates a new one. Check the postmaster account files to get the new postmaster password, in the same way you did when you installed the CommuniGate Pro Server.

I have created a secondary Domain and now I cannot log into WebAdmin

When you connect to CommuniGate Pro via a browser, the Server checks the domain name you have specified in the browser URL. If that name matches the name of one of your Secondary Domains, the WebAdmin Interface of that Domain is opened, rather than the Server WebAdmin Interface.

To open the Server WebAdmin Interface, use the Main Domain Name in your browser URL. If that name does not have a DNS A-record or its record points to a different server, use the Server IP Address in the browser URL.

If all Server IP Addresses were assigned to secondary Domains, you can try to use ANY domain name that points to the CommuniGate Pro Server and does not match any of the Secondary Domain names.

If all Server IP Addresses were assigned to secondary Domains and all DNS domain names pointing to your server are names of your secondary Domains or secondary Domain Aliases, then use the following URL:

http://sub.domain.com:8010/MainAdmin
where sub.domain.com is any name pointing to your server computer or any of its IP addresses.
https://sub.domain.com:9010/MainAdmin

When I try to log in, I get the "access from your network is denied" error

This message means that the Account has the Roaming service disabled, and the connection is not originating from the Permitted Login Addresses. Enable the Roaming service for the Account, and also make sure it is enabled on the domain level.

SMTP Receiving

My Server does not accept mail from my Web script/applet

When the SMTP module receives messages, it tries to route the address specified in the Mail From command (the message 'Return-Path' address). If the domain name in that address is the name of a Server local Domain and the specified Account (or other Object) is not found in that Domain, the Router returns an error code and the SMTP module refuses to accept the message.

You should reconfigure your script/applet to use either an empty Return-Path (<>) for generated messages, or the E-mail address of some existing Account.

If the script/applet cannot be reconfigured, you can create an Alias for any existing Account. If, for example, your script/applet submits messages to your server with the <webform@mydomain.com> Return-Path address, and you do not have the webform Account in the mydomain.com Domain, you may want to create the webform alias for the postmaster Account. If delivery of a submitted message fails, the error report will be sent to the postmaster Account.

SMTP Sending

My Server cannot send mail to some host using SSL/TLS

When the CommuniGate Pro SMTP module connects to a mail host/relay and tries to establish a secure (SSL/TLS) connection, it receives the host Certificate and checks the name in that certificate. That name should match either the name of the domain the mail should go to, or the MX relay name for that domain name.
When a remote server hosts several domains on the same IP address, it always sends out only one certificate, because the server cannot learn which domain the incoming messages will go to and thus it cannot present the Certificate for that particular domain. As a result, your (sending) server may refuse to proceed.

If the server mainhost.com also hosts the client1.com and client2.com domains, and the MX records for all 3 domains point to the same name and to the same IP address on that server, the server will always present only one Certificate - usually, the mainhost.com Certificate. To allow your CommuniGate Pro Server to send mail securely to the client1.com and client2.com domains, you should specify 2 Domain-level Router records:

client1.com = client1.com@mainhost.com._via
client2.com = client2.com@mainhost.com._via

These records will place mail to the client1.com and client2.com domains into the mainhost.com SMTP queue. You should place the mainhost.com name into the Send Encrypted list of the SMTP module. The server will then connect to the mainhost.com server and check its certificate (it should contain either the mainhost.com name or the name of the relay the SMTP module connected to). The SMTP module will then establish a secure (SSL/TLS) connection with that server and send mail to recipients in the client1.com and client2.com domains via that secure connection.

Access

WebUser connections return the pink page saying "we do not provide Web Access to this Domain"

It is very important to understand that the domain names something.com and mail.something.com are completely different domain names. If your CommuniGate Pro Server has the main Domain mycompany.com, and you are trying to connect to it by typing http://mail.mycompany.com:8100 in your Web browser, you will get the page saying that the CommuniGate Pro Server does not provide access to the mail.mycompany.com Domain.

In most cases, you want the domain names mail.mycompany.com, webmail.mycompany.com, etc. to be just other names (aliases) of the mycompany.com CommuniGate Pro Domain. To specify this, open the mycompany.com Domain Settings page and find the Aliases table. In an empty field, enter the mail.mycompany.com name and click the Update button.

Now the CommuniGate Pro Server will know that the mail.mycompany.com domain name is just a different name for the mycompany.com Domain it serves. Connection requests specifying the mail.mycompany.com domain name will connect to the mycompany.com CommuniGate Pro Domain, and messages sent to a username@mail.mycompany.com address will be delivered to the account username in the mycompany.com domain.
Note: The WebAdmin interface opens the Server Administrator Interface if the name specified in the browser URL is not a CommuniGate Pro Domain name. This is why connections to the WebAdmin port (8010) can work, while the connections to the WebUser port (8100) return the "pink page".

WebUser sessions are disconnected almost immediately after login

When a user connects to your server via a "multi-homed HTTP proxy" (used by large ISPs such as AOL), TCP connections come to the CommuniGate Pro Server from several different IP addresses of those proxy servers. If the Require Fixed Network Address option is enabled in the Account WebUser Preferences, user browser connections can be rejected.

Disable the Require Fixed Network Address option for those users that connect via "multi-homed proxy" servers. If most of your users connect via those proxy servers, you may want to disable this setting in the Domain Account Defaults or in the All-Server Account Defaults.

What does the "unassigned local network address" error mean?

Your CommuniGate Pro server computer has one or several IP (network) addresses assigned to it. Those addresses can be assigned to CommuniGate Pro Domains, and the Domains WebAdmin page shows all Domains with the IP addresses assigned to them.

Usually, the Main Domain has the Assigned IP Addresses setting set to All Available, so all IP Addresses not assigned to secondary Domains are automatically assigned to the Main Domain. If none of your Domains has the Assigned IP Addresses setting set to All Available, then some of your Server IP addresses may not be assigned to any Domain.

When a user connects to the server using a POP or IMAP client and provides just the account name (without the domain name), or when a secure (SSL/TLS) connection has to be established, the CommuniGate Pro Server takes the local IP address the user has connected to and tries to find the Domain that address is assigned to.
If that IP address is not assigned to any CommuniGate Pro Domain, then the "unassigned local network address" error is generated.

Open the WebAdmin Settings->General page to see all the Local IP Addresses of your Server. You may have to click the Refresh button to see all addresses. The unassigned IP Addresses are displayed in red.

Directory

Microsoft LDAP (Outlook and Outlook Express) users cannot find Directory records

Most LDAP clients (including the Microsoft Outlook products) contain a setting specifying the Directory subtree that should be used for search operations. In Outlook Express, this setting can be found in Tools->Accounts->Directory Service, on the Advanced tab. It is called Search Base and it should contain the DN for the user domain (by default, that DN is cn=domainname).

If this setting field is left empty, Outlook products silently replace it with the c=country_code string, and search operations fail (unless your Directory has the c=country_code subtree). If you do want to search the entire Directory with an Outlook product, enter the word top into the Search Base setting field.

Attempts to update Account Settings result in the "directory record with the specified DN is not found" error

This error appears when the Directory Integration option is enabled. This option tells the CommuniGate Pro Server to update the Account record in the Central Directory every time the Account Settings are updated. If the Directory does not contain a record for that account, the error message is returned. Account records may be missing in the Directory if the Accounts were created when the Directory Integration option was disabled.

To fix the problem, open the Domain Settings and find the Directory Integration panel. Click the Delete All button. It will remove all Domain object records from the Directory. Then click the Insert All button.
The CommuniGate Pro Server will create a Directory record for the Domain, and then it will create Directory records for all Domain Objects (Accounts, Groups, Mailing Lists).

Note: if the Domain contains more than 100,000 Accounts, the Insert All operation can take several minutes.

Date and Time

Time stamps in messages sent or received with CommuniGate Pro are several hours off

This problem is caused by an incorrect Time Zone setting on the server and/or on the client machines. To check the Time Zone setting value on the server machine, open the General page in the Settings realm of the CommuniGate Pro WebAdmin Interface. The Server Time field should contain the correct Date and Time values and the correct Time Zone value: -0800 means '8 hours behind GMT', +0800 means '8 hours ahead of GMT'.

If the Time Zone value is incorrect, fix the OS setting that specifies that value, and re-open the General page to verify the Time Zone value.

Logs

Every time I access the WebAdmin interface, a Failure-type ROUTER record appears in the Log

The WebAdmin interface adds the LoginPage@ string to the domain name you specify in your browser URL field and tries to route the resulting address as any other E-mail address. If routing fails, the WebAdmin Interface defaults to the main domain and to the Server WebAdmin Interface, but the failure record appears in the Router Log:

ROUTER failed to route 'LoginPage@mail'

Usually this happens when you use a non-qualified domain name (like mail) instead of the
qualified domain name (mail.mycompany.com). You should either use the qualified domain
name in your browser URLs, or you should add the mail Domain Alias to the mail.mycompany.com
CommuniGate Pro Domain.

What do these DNR-16538(xxx.xx.x.xx.rss.mail-abuse.org) A:host name is unknown records mean?

When your SMTP module uses RBLs to check the IP address of a server that tries to send mail to your server, it converts that server's aa.bb.cc.dd IP Address into the dd.cc.bb.aa.rbl-server-name domain name, and tries to resolve this name using the DNS system. If the sending server is not a known offender, and its address is not included in the RBL database, this composed domain name will NOT exist in the DNS system, and the DNR module will report this with a Problem-level Log record.

If you use RBL servers, you may want to restrict the DNR module Log Level to Major & Failures events only.

Miscellaneous

What is that non-standard UDP port the CommuniGate Pro Server opens on my system?

This is a DNR (Domain Name Resolver) socket. The port number is selected by the OS, and it can change if you restart the CommuniGate Pro Server. This socket is used to send requests (UDP packets) to DNS servers and to receive responses from those servers.

Other applications (servers, browsers, etc.) use the same type of sockets to resolve domain names, but they usually open and close those UDP sockets quickly, so you may not notice them in your netstat output. CommuniGate Pro opens the DNR UDP socket when it starts, and uses that socket for all DNR requests, closing the socket only when the Server shuts down.

How can I make my formmail-type CGI work with CommuniGate Pro?

Formmail and similar CGIs are used to send E-mail messages from regular Web Server HTML forms. Implemented in the form of a Perl script, these CGIs use the legacy sendmail program to send the composed messages. On most platforms, the CommuniGate Pro software installer does not replace the legacy sendmail program, though the package does contain the sendmail replacement program.
In order to use that program, you should modify your Perl script: find all references to the sendmail program (usually the default path used is /usr/sbin/sendmail), and replace them with {application directory}/sendmail references. For example, if CommuniGate Pro and your CGI are installed on a MacOS X system, where the CommuniGate Pro application directory is /usr/sbin/CommuniGatePro/, the /usr/sbin/sendmail strings in the CGI script should be replaced with /usr/sbin/CommuniGatePro/sendmail strings.
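
The RBL lookup described under Logs above, as an added Python example (not CommuniGate Pro code): it rebuilds the dd.cc.bb.aa.rbl-server-name query name and separates DNR "host name is unknown" records that are expected RBL misses from other DNS failures. The zone list, record ids and sample lines are constructed assumptions; only the record shape and the rss.mail-abuse.org zone come from the sample quoted in that question.

```python
import ipaddress
import re

# Assumption: zones copied from your own SMTP module RBL settings.
# rss.mail-abuse.org is the zone in the FAQ's sample; the other is made up.
RBL_ZONES = ("rss.mail-abuse.org", "rbl.example.org")

# Record shape quoted in the FAQ: DNR-<id>(<name>) A:host name is unknown
DNR_MISS = re.compile(r"DNR-\d+\(([^)]+)\) A:host name is unknown")

# Constructed sample lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "DNR-16538(10.2.0.192.rss.mail-abuse.org) A:host name is unknown",
    "DNR-16541(mx.partner.example) A:host name is unknown",
    "ROUTER failed to route 'LoginPage@mail'",
]


def rbl_query_name(ip, zone):
    """Turn aa.bb.cc.dd into dd.cc.bb.aa.<zone>, the name the DNR resolves."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(line):
    """Return ('rbl-miss', sender_ip, zone), ('dns-failure', name, None) or None."""
    m = DNR_MISS.search(line)
    if not m:
        return None
    name = m.group(1).rstrip(".").lower()
    for zone in RBL_ZONES:
        suffix = "." + zone
        if name.endswith(suffix):
            labels = name[: -len(suffix)].split(".")
            try:
                ip = ipaddress.IPv4Address(".".join(reversed(labels)))
            except ValueError:
                break  # under an RBL zone, but not a reversed IPv4 address
            return ("rbl-miss", str(ip), zone)
    return ("dns-failure", name, None)


def triage(lines):
    """Split 'host name is unknown' records into RBL misses and real failures."""
    results = [r for r in map(classify, lines) if r]
    misses = [r[1] for r in results if r[0] == "rbl-miss"]
    failures = [r[1] for r in results if r[0] == "dns-failure"]
    return misses, failures
```

Records that land in the second list are the ones worth reading before the DNR Log Level is lowered, since they are not explained by RBL checks.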