Port tunneling (other than ssh, e.g. no-ip) - email

Network policies at my workplace (a University outside the US) are rather inconsistent. While every port other than 80 and 443 is blocked, no websites are restricted (at least for professors). Gmail/pop and smtp sockets are open as an exception to the rule (which makes both me and the Dean think there is no particular policy against personal e-mail).
I'm faculty at this University, but also teach at a different one, for which I use a university-specific, non-gmail e-mail address. I have all of my e-mail history in Outlook; however, as you can suspect, I can access that alternative e-mail address through webmail but not through smtp/pop/imap from my workplace. We asked for the sockets to be opened but have been given no response by the IT guys in more than a month.
I've been considering port tunneling, but don't have access (right now) to a server with ports 80 and 443 to ssh-tunnel through. I know I could use one port at home to tunnel either the incoming or the outgoing e-mail. But I think it's too power-consuming for just half the job.
Is there a way I can do the tunneling with the help of some free service like no-ip, for example?

So far, the best solution I've found is to ssh-tunnel the imap socket. This way, I can get both incoming and outgoing mail through one tunnel. I plan to wake-on-lan and hibernate my home server in order to save power.

Related

Postfix attempting to bind to port 25, used for outgoing mail only (maybe not necessary?)

Not sure if this belongs on Stack Overflow or somewhere else but I'll try here first.
I have multiple servers, each with the same setup where nearly everything running on the server is in a docker container. I have two goals I would like to achieve. First, the host machine is set up to send emails for users with uid < 1000 to my external email address. Second, on one server, I have a docker-mailserver container running to handle random, seldom used emails (for log files, etc.).
It seems I can have either the host machine running postfix OR the docker-mailserver running (and bound to port 25). Currently, I have the docker container, running the mail server, fully operational and everything can send and receive just fine.
However, now I am unable to start postfix on the host machine so that I can receive emails sent to the root user (things like cron output) since port 25 is --rightfully-- in use by the actual mail server receiving email.
Questions:
1) How can I tell postfix on the host to not bind to port 25? If port 25 is only used for receiving mail, why would my outgoing-only postfix config need to use port 25?
2) I am perfectly comfortable not receiving emails for the root user, if whatever would normally be sent to the root user is logged elsewhere (perhaps, syslog?). Are the emails to root only maintained as emails or are they somewhere else, negating the need for postfix on the host for forwarding to a real account?
Thanks in advance.
Specifically answering your questions first:
You should be able to have postfix listen on any port you specify by editing the main.cf configuration file and changing the smtp listener to a numbered port of your choice. Of course, if it isn't a "known" port, I'm not sure what/who will ever connect to it, but maybe you don't care in this situation as you are only using postfix as a relay?
It may depend some on the Linux distribution or setup of your host, but most systems will leave email in the local delivery "mail spool" if there is no system/daemon set up to move it anywhere else. Back when that was the normal way to handle multi-user mail on UNIX systems, a login user used a mail reader client to read through email in your local "spool", and of course if you don't have that, you can simply vi your mail file and read the raw contents if necessary. These mail files are normally located in /var/spool/mail on most systems.
Stepping away from your questions, I would guess you don't necessarily need postfix running on your host, especially as your containerized mailserver is handling the port 25 SMTP traffic for the host. Local email will stay local, I assume, without postfix, and be available through local means; and you might even find a simpler solution to external forwarding (e.g. a script that can parse mail spools and just connect to an SMTP relay and send it to an external address) if you want that.
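The spool-forwarding script suggested in the last paragraph could look like the following. This is an added example, not code from the answer: the spool contents, addresses and relay parameters are constructed, and the relay is injected as a function so the logic can be exercised without a network.

```python
import mailbox
import pathlib
import smtplib
import tempfile

# Constructed sample spool (mbox format), standing in for /var/spool/mail/root.
SAMPLE_SPOOL = (
    "From root@host Mon Jan  1 00:00:00 2024\nSubject: Cron backup\n\nbackup finished\n\n"
    "From root@host Mon Jan  1 00:05:00 2024\nSubject: Cron logrotate\n\nrotated 3 files\n\n"
)

def forward_spool(spool_path, envelope_from, envelope_to, send):
    """Re-send each mbox message; remove it from the spool only on success."""
    sent, kept = [], []
    box = mailbox.mbox(spool_path, create=False)
    box.lock()  # keep the local delivery agent out while the file is edited
    try:
        for key in box.keys():
            msg = box[key]
            subject = msg["Subject"] or "(no subject)"
            try:
                send(msg, envelope_from, envelope_to)
            except (smtplib.SMTPException, OSError):
                kept.append(subject)  # stays in the spool for the next run
                continue
            box.remove(key)
            sent.append(subject)
    finally:
        box.close()  # flushes the removals and releases the lock
    return sent, kept

def smtp_sender(relay_host, relay_port=587, user=None, password=None):
    """Build a send() callable that submits through a relay over STARTTLS."""
    def send(msg, from_addr, to_addr):
        with smtplib.SMTP(relay_host, relay_port, timeout=30) as smtp:
            smtp.starttls()
            if user:
                smtp.login(user, password)
            smtp.send_message(msg, from_addr=from_addr, to_addrs=[to_addr])
    return send

def demo():
    """Run against the sample spool with a fake relay that rejects one message."""
    def flaky_send(msg, from_addr, to_addr):
        if "logrotate" in msg["Subject"]:
            raise smtplib.SMTPServerDisconnected("constructed failure")
    with tempfile.TemporaryDirectory() as tmp:
        spool = pathlib.Path(tmp, "root")
        spool.write_text(SAMPLE_SPOOL)
        sent, kept = forward_spool(str(spool), "root@host.example", "ops@example.org", flaky_send)
        check = mailbox.mbox(str(spool), create=False)
        remaining = [m["Subject"] for m in check]
        check.close()
    return sent, kept, remaining
```

In real use, pass `smtp_sender(...)` as `send`; the script connects outbound only, so nothing on the host binds to port 25.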

Lua Networking - Passing data through a 'closed' port

This might be a bit weird to explain, but I'll try my best.
I have a Lua program that's intended to serve some data through the network. Specifically, the internet. The data the program is actually transmitting are only strings stored within UDP packets. Generalized, this is how the program operates:
1) The first client launches the program and specifies that they are the 'host' of the connection. The program opens a connection on UDP port 6000 and the main loop listens for any packets received on said port.
2) The second client launches the program and specifies that they are to connect to the 'host' on port 6000. The user enters the IP, and the client opens a UDP connection using a random port between 6050 and 7000.
3) When the client successfully connects to the server, they send a 'connection' packet, simply containing a '202 OK' string. The 'host' receives this and registers the new client.
4) Now that the connection has been initialized, the programs can send data between each other using the registered data.
Now, on a local network this program works fine. The purpose of the 'host' mode is to have multiple clients connect to the host and have the host relay packets from one client to all the currently registered clients. Port selections are arbitrary and random port selection from the client was simply to allow debugging and testing from a single computer. This has been tested between two and more computers on a physical network, and worked successfully. However, when I attempt to run this over the internet it's a no go. I know that the ports are closed and that's why it's not working. But seeing as I'm going to be distributing this program (privately) I can't expect every person to open ports on their router (or know how to). Security is not currently a concern with the program, and should be disregarded in the current state. That being said, I recognise there's the potential for a lot to go wrong with the use of this program through the network and I accept that. Onto the main question, how can I have the host and client communicate over the internet without having to open ports?
I'll elaborate - for example, browsers. Although the technology is quite different to what I'm doing, it's easier to paint a picture - the browser requests data from a web server, and it gets sent back to the client. But wait, if the router is in its default state (I hope) all the ports are closed? So how does the client receive this data if the port is closed?
I hope this makes some kind of sense and I don't sound like a complete fool.
I managed to find some suitable libraries and utilities to be able to communicate through the internet (NAT traversal is now a term I am familiar with), those libraries being the ones supplied by Nmap. These libraries include an implementation for STUN in Lua, among HEAPS of other useful networking-related libraries and scripts.
To actually answer my own question (very simply), the clients and servers are behind what's known as a NAT gateway. Due to the limitations of addresses of IPv4, NAT gateways were implemented to bypass this limitation of IPv4 (a total of about 4.2 billion addresses) by separating the clients' internal network from the external network - in this case the internet. The NAT is supplied with a single IP address, and the NAT then supplies all of its users within the internal network with an IP respective to the network they're on. As such, the devices cannot directly be accessed without forwarding connections from the NAT gateway (generally the router) to the client. However, when using UDP connections the NAT gateway opens a port for the purposes of this connection which gets closed after the connection dies. This port that is opened differs from what is specified by the client when they open the connection, which is where the STUN methods come in. STUN allows the host to find the port that the client is connecting from and send data back to this port so the user can receive it. Bear in mind this is an EXTREMELY simple explanation of how the technology works, and I'd suggest reading up on the Wiki and some of the Request for Comments for STUN.
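The STUN exchange described above, as an added example that is not part of the original post (and not the Nmap library's code): it builds an RFC 5389 Binding Request and decodes the XOR-MAPPED-ADDRESS attribute from a reply. The server reply, the public address 203.0.113.7 and the mapped port are constructed sample values; only IPv4 is handled.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442        # fixed constant from RFC 5389
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS, SOFTWARE = 0x0020, 0x8022

def build_binding_request(txid=None):
    """20-byte STUN header with no attributes; returns (packet, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid

def parse_binding_response(data, txid):
    """Return the (ip, port) the server saw, i.e. the NAT's public mapping."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a binding success response")
    if rtxid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if length != len(data) - 20:
        raise ValueError("length field does not match datagram size")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            if alen < 8 or value[1] != 0x01:
                raise ValueError("only IPv4 mappings are handled here")
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)
            return str(ip), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + alen + (-alen % 4)    # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def sample_response(txid, ip, port):
    """Constructed server reply: a SOFTWARE attribute, then the XOR'd mapping."""
    soft = struct.pack("!HH", SOFTWARE, 5) + b"demo1" + b"\x00" * 3
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    mapped = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                         port ^ (MAGIC_COOKIE >> 16), xaddr)
    body = soft + mapped
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(body), MAGIC_COOKIE, txid) + body
```

A client that bound local port 6050 and gets back port 40123 has learned the port the NAT gateway opened for it, which is the value the other peer must send to.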

Alt-N Mdaemon mail server on google compute engine

I have a VM instance on Google Compute Engine, which is running Windows Server 2012 R2. I have my Apache web server, PHP, MySQL, FTP, and various other things running great, easily accessible from the world. I installed MDaemon Messaging Server (Alt-N's email server), which I had on my old physical box for years. I am able to use port 110 just fine, but I simply cannot get SMTP to work. Yes, I'm well aware of (Compute Engine's Blocked SMTP Ports). Knowing these blocked google ports, I would like to choose port 2525 as Mdaemon's SMTP port. I added firewall rules on the server to allow it, and I added the Compute Engine Network port exceptions as well, and of course changed the Mdaemon's server settings for 2525. I still cannot send email. Hell, I even tried port 2626 and nada.
I understand I could sign up through google's recommended "sendgrid" that would force me to use mail.sendgrid.com, port 2525, and have a maximum of 25,000 per month limit (on free sendgrid account), but I personally think it's ridiculous needing to sign up and have limits on email when I paid $2,400 for Mdaemon email server. I should be able to use my own domain's mail.mydomain.com and authenticate through MY email server, not sendgrid's.
Is there something simple I'm missing to be able to use my own email server software on my google compute engine VM instance? Or is it just fact that this is the right I give up by choosing google's cloud server services?
An SMTP server, in your case MDaemon, sends all outbound emails directly to the recipient's mail servers on their inbound SMTP port, which is 25. This is the port you will need to configure on your MDaemon's SMTP outbound port setting. So changing it to 2525 or 2626 won't help because recipients' SMTP servers usually do not listen on those ports.
As you also mentioned, all outgoing traffic to port 25 (SMTP) is blocked on Compute Engine. Therefore you'll need to configure a smart host for your MDaemon message routing which listens on a non-blocked port. This is something like using a third party service (e.g. SendGrid).

What does it mean to connect to a certain port?

For example, when you make an ssh connection, you are connected to port 22. What happens then? On a very high level brief overview, I know that if port 22 is open on the other end and if you can authenticate to it as a certain user, then you get a shell on that machine.
But I don't understand how ports tie into this model of services and connections to different services from remote machines? Why is there a need for so many specific ports running specific services? And what exactly happens when you try to connect to a port?
I hope this question isn't too confusing due to my naive understanding. Thanks.
Imagine your server as a house with 65536 doors. If you want to visit family "HTTP", you go to door 80. If you were to visit family "SMTP", you would visit door no. 25.
Technically, a port is just one of multiple possible endpoints for outgoing/incoming connections. Many of the port numbers are assigned to certain services by convention.
Opening/establishing a connection means (when the transport protocol is TCP, which are most of the “classical” services like HTTP, SMTP, etc.) that you are performing a TCP handshake. With UDP (used for things like streaming and VoIP), there's no handshake.
Unless you want to understand the deeper voodoo of IP networks, you could just say, that's about it. Nothing overly special.
TCP-IP ports on your machine are essentially a mechanism to get messages to the right endpoints.
Each of the possible 65536 ports (16 total bits) falls under certain categories as designated by the Internet Assigned Numbers Authority (IANA).
> But I don't understand how ports tie into this model of services and
> connections to different services from remote machines? Why is there a
> need for so many specific ports running specific services?
> ...
> And what exactly happens when you try to connect to a port?
Think of it this way: How many applications on your computer communicate with other machines? Web browser, e-mail client, SSH client, online games, etc. Not to mention all of the stuff running under the hood.
Now think: how many physical ports do you have on your machine? Most desktop machines have one. Occasionally two or three. If a single application had to take complete control over your network interface nothing else would be able to use it! So TCP ports are a way of turning 1 connection into 65536 connections.
> For example, when you make an ssh connection, you are connected to
> port 22. What happens then?
Think of it like sending a package. Your SSH client in front of you needs to send information to a process running on the other machine. So you supply the destination address in the form of "user@[ip or hostname]" (so that it knows which machine on the network to send it to), and "port 22" (so it gets to the right application running on the machine). Your application then packs up a TCP parcel and stamps a destination and a return address and sends it to the network.
The network finds the destination computer and delivers the package. So now it's at the right machine, but it still needs to get to the right application. What do you think would happen if your SSH packet got delivered to an e-mail client? That's what the port number is for. It effectively tells your computer's local TCP mailman where to make the final delivery. Then the application does whatever it needs to with the data (such as verify authentication) and sends a response packet using your machine's return address. The back and forth continues as long as the connection is active.
Hope that helps. :)
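The "final delivery" step described above can be observed on a single machine. This is an added example, not part of the answer: two toy services listen on kernel-chosen loopback ports, and the only thing that decides which one replies (or whether the connection is refused) is the port number. The banners are constructed.

```python
import socket
import threading

def start_service(banner):
    """Listen on an OS-chosen loopback port and greet every client with banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()  # returns once a TCP handshake has completed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Return a loopback port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe(port, timeout=2.0):
    """Connect to 127.0.0.1:port and report what answered there."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as conn:
            return conn.recv(64).decode().strip()
    except ConnectionRefusedError:
        return "refused"            # no listener: the kernel rejects the handshake

def demo():
    """Same address, three ports, three different outcomes."""
    ssh_like = start_service(b"SSH-2.0-demo\r\n")      # constructed banners
    smtp_like = start_service(b"220 demo ESMTP\r\n")
    return {
        "ssh_like": probe(ssh_like),
        "smtp_like": probe(smtp_like),
        "closed": probe(unused_port()),
    }
```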
The port is meant to allow applications on TCP/IP to exchange data. Each machine on the internet has one single address which is its IP. The port allows different applications on one machine to send and receive data with multiple servers on the network/internet. Common applications like ftp and http servers communicate on default ports like 21 and 80 unless network administrators change those default ports for security reasons.

Ubuntu exim4 - Config setup and spam filters

I've recently set up my Ubuntu web server with exim4 so my PHP website applications can send email such as "thank you" and "confirmation" notices.
I've got it set up and working such that I can send email to gmail, Yahoo! and my work address. However, my work email gets caught up in our spam filter. I'm new to setting up mail servers so I'm not sure what I might need to look for in making this mail server more trusted, while keeping it secure.
Here are some details:
Server is NATed behind a firewall.
Firewall has port 25 open for outgoing SMTP traffic (from server to anywhere).
Server is virtual hosting a couple of our different websites.
The server is running the following exim4 config:
dc_eximconfig_configtype='internet'
dc_other_hostnames='web-serv.example1.com;example2.com'
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
Questions:
Do I need to open port 25 to incoming SMTP mail (anywhere to server)? I wonder if other mail servers need to talk to my mail server to verify itself, in a sort of handshake attempt.
I have not created any MX records primarily because the server has different websites on it the mail server should send mail for all the websites. Do I need to pick/create a domain address and create MX records for it?
One thing of note is that the mail headers look like this:
Return-Path: <www-data@example2.com>
Received: from web-serv.example1.com ([Firewall public IP Address])
Received-SPF: neutral (google.com: [Firewall public IP Address] is neither permitted nor denied by best guess record for domain of www-data@example2.com)
"web-serv" is the host name of the server, such that you get this if you type it into the command line:
$ hostname
web-serv
and "www-data" is the account name for the Apache2 server that Ubuntu gave it as default.
Any other general advice would be appreciated. It's all new to me.
Cheers!
One item of note, since I posted this question some time ago (almost 10 months), is that I found out the biggest issue I had was with setting up the DNS for reverse DNS on our hosting provider's side of things.
In other words, our hosting provider (the people who give us our IP address and manage our hardware) had to enter a record to match my server(s) hostname to whatever IP address it used.
There's a specific name for this. I believe it's a "PTR" record but the name escapes me at the moment, but you basically tell them "my server hostname is ..." and they do a quick update to the DNS for reverse DNS purposes.
When I asked this question, we had a different hosting provider who didn't really help explain this to me, and after switching providers, I got to talk to someone who was happy to help me understand that side of the equation.
And as I understand it, this is set up by the people who assign you the IP addresses. But there's probably more to it than that.
Once I got that set up properly, email had no problem getting through the spam filters and Gmail/Yahoo showed SPF as "passed". It was showing neutral before.
Our company email was set to drop any email that would not resolve reverse DNS, which is why I could not even receive the email or find it in the spam filter. Of course, that situation would be dependent on the company and what email policy and software they're using to manage spam. Some might just drop all email that does not reverse DNS and some might dump it into spam filters instead.
Hope that might help some people with similar issues.
Cheers!
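The reverse DNS requirement described in this follow-up can be checked before sending any mail. The following is an added example, not part of the original post: a forward-confirmed reverse DNS check of the kind a receiving filter may apply. The DNS records and addresses are constructed, and the pass/warn/fail policy is an assumption, since each filter decides its own.

```python
import socket

# Constructed DNS data; the addresses are documentation ranges (RFC 5737).
SAMPLE_PTR = {"203.0.113.10": ["web-serv.example1.com"],
              "203.0.113.11": ["host11.isp.example"],
              "203.0.113.13": ["mail.example1.com"]}
SAMPLE_A = {"web-serv.example1.com": ["203.0.113.10"],
            "host11.isp.example": ["198.51.100.4"],
            "mail.example1.com": ["203.0.113.13"]}

def ptr_names(ip):
    """Reverse (PTR) lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def forward_addrs(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def check_sending_host(ip, helo_name, reverse=ptr_names, forward=forward_addrs):
    """Forward-confirmed reverse DNS check for a connecting mail server."""
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return "fail: no PTR record for " + ip
    confirmed = [n for n in names if ip in forward(n)]
    if not confirmed:
        return "fail: PTR %s does not resolve back to %s" % (names[0], ip)
    if helo_name.rstrip(".").lower() not in confirmed:
        return "warn: HELO %s differs from PTR %s" % (helo_name, confirmed[0])
    return "pass: %s <-> %s" % (ip, confirmed[0])

def demo(helo="web-serv.example1.com"):
    """Run the check offline against the constructed records above."""
    reverse = lambda ip: SAMPLE_PTR.get(ip, [])
    forward = lambda name: SAMPLE_A.get(name, [])
    return {ip: check_sending_host(ip, helo, reverse, forward)
            for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13")}
```

Called without the `reverse` and `forward` arguments, `check_sending_host` uses the system resolver, so it can be run against the server's real public IP and hostname.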