Hi folks
I was discussing our mail server setup with a couple of guys who have audited our Windows network. One of the points that came up was that mail servers 'announce' themselves and that this information can be a security concern. They said that you can change this information and 'hide' your Internet name making it more difficult for anyone trying to hack the system.
I was checking out Mercury/32's configuration. When we set it up we followed the advice in the help file and left the 'Announce myself' field blank, as the help file states 'In the majority of cases this field can and should be left blank'.
What I don't quite understand is how this affects the way the mail is delivered. The guys I was talking to said that authentication works on the domain name of the sender address.
So, if I change the 'Announce myself as' field to 'Heritage Services' I assume that the headers will reflect this in the HELO? What I don't want to happen is that I change this value and then have mail bounced back to me because of authentication or other errors.
Here are the relevant parts (I hope) from my Mercury.ini file:
[General]
myname: apsarchaeology.co.uk # Canonical name for this server
[MercuryE]
HELO : apsarchaeology.co.uk
[Protocols]
MERCURYS.DLL
MERCURYP.DLL
# MERCURYE.DLL
MERCURYC.DLL
# MERCURYD.DLL
# MERCURYH.DLL
# MERCURYF.DLL
# MERCURYW.DLL
# MERCURYX.DLL
MERCURYI.DLL
MERCURYB.DLL
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: apsarchaeology.co.uk
lincsheritage: lincsheritage.org
lincsheritage: lincsheritage
heritagelincs: heritagelincs
heritagelincs: heritagelincs.org
MercuryS and MercuryC GUI:
Announce myself as: blank
So, I wonder if anyone has any comments they would like to share on this. I understand the basics of SMTP delivery (thanks, Thomas!), but when it gets into authentication of domains I'm lost. If you want to see more information please ask.
Thanks.
> [Domains]
> apsarchaeology: apsarchaeology
> apsarchaeology: apsarchaeology.co.uk
> lincsheritage: lincsheritage.org
> lincsheritage: lincsheritage
> heritagelincs: heritagelincs
> heritagelincs: heritagelincs.org
The domains are specified as server: domain, and you only have one server here, so the server part should be the same on every line. If you have a fixed IP address where the mail could be delivered then you should also have a domain [<IP address>].
> MercuryS and MercuryC GUI:
> Announce myself as: blank
I would not use blank for MercuryS, since all that does is use the myname: entry in mercury.ini, i.e. apsarchaeology.co.uk, and that hides nothing. If you want to hide the real domain for some reason then put in something like apsarchaeology.
For MercuryC that's another story. Your ISP may not like you not providing a full valid host name in the EHLO string. Leave it blank and it's going to use the good host name apsarchaeology.co.uk.
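The two points made in the reply above (one server name throughout a single-machine [Domains] section, plus a bracketed [IP] entry for a fixed public address) as a small linter over a mercury.ini fragment. This is an added example, not Mercury's own code and not something posted in the thread. The sample input is constructed from the block quoted above; 82.69.48.10 is the address given later in the thread for mail.apsarchaeology.co.uk; the dm= and daemon: line shapes that appear later in the thread are only split, not interpreted, because the thread does not describe what Mercury does with them.

```python
"""Lint a Mercury/32 [Domains] section for the two points made in the reply above."""
import re
from typing import List, Tuple

# Constructed sample modelled on the mercury.ini fragment posted in the thread.
SAMPLE_INI = """\
[General]
myname: apsarchaeology.co.uk # Canonical name for this server
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: apsarchaeology.co.uk
lincsheritage: lincsheritage.org
lincsheritage: lincsheritage
heritagelincs: heritagelincs
heritagelincs: heritagelincs.org
[Protocols]
MERCURYS.DLL
"""

# Constructed corrected block: one server name and the public IP in brackets.
# 82.69.48.10 is the address the thread later gives for mail.apsarchaeology.co.uk.
FIXED_INI = """\
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: apsarchaeology.co.uk
apsarchaeology: lincsheritage.org
apsarchaeology: heritagelincs.org
apsarchaeology: [82.69.48.10]
"""

IP_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")


def parse_domains(ini_text: str) -> List[Tuple[str, str]]:
    """Return (server, domain) pairs from the [Domains] section.

    Each line is 'server: domain'; '#' starts a comment. Forms such as
    'dm=name: domain' or 'daemon:path;[ip]: domain' (seen later in the thread)
    keep everything up to the last ': ' as the server part.
    """
    pairs: List[Tuple[str, str]] = []
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[domains]"
            continue
        if in_section and ": " in line:
            server, _, domain = line.rpartition(": ")
            pairs.append((server.strip(), domain.strip()))
    return pairs


def lint_domains(pairs: List[Tuple[str, str]], public_ip: str) -> List[str]:
    """Findings for a single-server installation; empty when the block is clean."""
    findings: List[str] = []
    # Plain entries must all carry the same server name on one machine;
    # dm= and daemon: entries hand mail to something else and are left out.
    servers = sorted({s for s, _ in pairs if not s.startswith(("dm=", "daemon:"))})
    if len(servers) > 1:
        findings.append(f"more than one server name for one machine: {servers}")
    ip_entries = [m.group(1) for m in (IP_LITERAL.match(d) for _, d in pairs) if m]
    if public_ip not in ip_entries:
        findings.append(f"no [{public_ip}] entry for the fixed public address")
    for _, d in pairs:
        if d.startswith("[") and not IP_LITERAL.match(d):
            findings.append(f"malformed address literal: {d}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_INI), ("corrected", FIXED_INI)):
        print(label, lint_domains(parse_domains(text), "82.69.48.10") or ["ok"])
```

Run against the block as posted it reports both points; against the corrected block it reports nothing.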
If MercuryS/MercuryE/MercuryC announce myself is blank the myname field is used.
The 'announce myself' name is used by some systems for reverse lookups and other validity and reputation checks in engines like brightmail and irongate.
In my opinion there is no security hole in telling the connecting party the proper host name (the one that matches the DNS entry for the IP) in a HELO/EHLO statement.
Thanks to both of you for your replies.
In all honesty I thought the same but wanted to ask you guys about it. Anyone wanting to hack a system will not have much of a problem identifying the domain name associated with the IP address. Thanks for the confirmation about the announce myself field being used for reverse lookups - this was an issue that caused us problems when we first set it up until we configured the reverse DNS records.
@Thomas:
So, the server announces itself as apsarchaeology.co.uk. In reality, our IP address maps to mail.apsarchaeology.co.uk. Should the entries be:
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: mail.apsarchaeology.co.uk
apsarchaeology: [IP Address]
Should I also change the Internet name to mail.apsarchaeology.co.uk? The website for apsarchaeology.co.uk is hosted at a different IP address. The 'A' record for mail.aps... points to our IP address.
The reason we added the other domains is because I have MX records setup which point from those domains to either MessageLabs servers (APS and lincsheritage) or to our own IP address (heritagelincs). 'A' records exist which point mail.aps... mail.lincsheritage and mail.heritagelincs to our IP address.
Thanks
All very valid questions!
We have on our main system, internet name for this system set to: mail.praktit.se
I should maybe have set this to only praktit.se and then set in each module the actual host name, mail.praktit.se
The problem comes with lists, as it builds the VERP address from postmaster@ plus the Internet name, so we have a stub domain called mail.praktit.se that has a default A record and an MX/CNAME record (directed towards our inbound machinery), plus a reverse lookup to the A record.
The messy part comes in, when you ask modules to use separate ip's and the server is set to use several IP numbers. MercuryS can but not MercuryE, and thus MercuryE will use the first IP, so all your instances and DNS have to point back to the original/first IP.
Our local domains section lists only externally reachable domains, paired with the mx-pointers and the public IP we use, meaning
mail: mail.praktit.se
mail: praktit.se
mail: [IP address]
This setup works with all major players. Some arbitrary rascals deny traffic based on geo-location IP lookups, saying they don't have any business in Sweden, but that sort of refusal is their business and, in my opinion, a violation of e.g. the trouble/abuse/hostmaster reachability requirements in the RFCs.
Thanks for the information, Peter.
I'm a little confused now so I'll describe our setup:
2 copies of Mercury/32 running on separate servers in the same LAN on a single subnet. Mercury1 and Mercury2
Mail sent to apsarchaeology.co.uk and lincsheritage.org is forwarded to MessageLabs who then forward it to our IP Address. Mail sent to heritagelincs.org is forwarded directly to our IP Address. Mercury1 receives all mail that is delivered to our IP Address.
Mercury1 sends mail from apsarchaeology.co.uk and lincsheritage.org back out through MessageLabs.
Mercury2 uses POP3 to poll Mercury1 for mail sent to heritagelincs.org. Mercury2 sends mail from heritagelincs.org using the SMTP end-to-end client.
So, do you think Mercury1 should be configured:
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: apsarchaeology.co.uk
apsarchaeology: [IP Address]
or
[Domains]
mail: mail.apsarchaeology
mail: apsarchaeology.co.uk
mail: [IP Address]
or does it not matter?
We thought that having the domains that Mercury1 sends mail on behalf of (aps and lincsheritage) listed in the [Domains] section would ensure that mail sent to that domain would be received. If lincsheritage.org is removed will we still be able to send and receive mail addressed/sent to that domain?
Everything is working fine at the moment, but if it will make the system more resilient, I'll make the changes.
> @Thomas:
>
> So, the server announces itself as apsarchaeology.co.uk. In reality, our IP address maps to mail.apsarchaeology.co.uk. Should the entries be:
For MercuryS it's not material at all, since this mail is coming to your system from two separate MX hosts. No one is coming in direct when using the apsarchaeology.co.uk domain name, since you cannot even connect to port 25 of 79.170.40.170.
Answer Section:
apsarchaeology.co.uk, MX, 10, cluster8.eu.messagelabs.com
apsarchaeology.co.uk, MX, 20, cluster8a.eu.messagelabs.com
apsarchaeology.co.uk, TXT, "v=spf1 a mx a:mailforwards.extendcp.co.uk ~all"
apsarchaeology.co.uk, A, 79.170.40.170
The IP address has a PTR record pointing to web170.extendcp.co.uk and so you could probably use this with MercuryE as well.
The host name mail.apsarchaeology.co.uk has a different IP address and you cannot connect directly to port 25 from the outside either.
Answer Section:
mail.apsarchaeology.co.uk, A, 82.69.48.10
and it has a PTR record of mail.apsarchaeology.co.uk
and so I would use this in MercuryE.
The host name in the servers MercuryS, MercuryP and MercuryI would be blank since apsarchaeology.co.uk is already the name of the server.
>
> [Domains]
> apsarchaeology: apsarchaeology
> apsarchaeology: mail.apsarchaeology.co.uk
> apsarchaeology: [IP Adress]
>
> Should I also change the Internet name to mail.apsarchaeology.co.uk? The website for apsarchaeology.co.uk is hosted at a different IP address. The 'A' record for mail.aps... points to our IP address.
Personally I think this should be
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: apsarchaeology.co.uk
apsarchaeology: mail.apsarchaeology.co.uk
apsarchaeology: [82.69.48.10]
>
> The reason we added the other domains is because I have MX records setup which point from those domains to either MessageLabs servers (APS and lincsheritage) or to our own IP address (heritagelincs). 'A' records exist which point mail.aps... mail.lincsheritage and mail.heritagelincs to our IP address.
Then put them in the domain list with the server name apsarchaeology:. Here's what I have for my gateway server tstephenson.com, which has a number of other domains coming in via the same IP address. The only time the server is not stephens is when there is either a domain account or a daemon sending the mail off to another server. These daemons are the ones from Petr Jaklin that are listed in the Mercury add-ons.
stephens: stephens
stephens: [209.128.94.2]
stephens: mail.tstephenson.com
stephens: tstephenson.com
stephens: [192.168.1.2]
dm=merwin: merwin-tstephenson.com
dm=merc452: merc452.tstephenson.com
stephens: stephens.sj.scruznet.com
dm=ubunto: linux-tstephenson.com
stephens: dyndns-tstephenson.dyndns.org
dm=merwin: merwin.dyndns.org
daemon:c:\mercury\mercfwd.dll;[192.168.1.3]: novell-tstephenson.com
daemon:c:\mercury\mercfwd.dll;[192.168.1.153]: xampp.dyndns.org
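What a receiving system actually does with the announced name and the connecting address, as an added example that is not from the thread and not Mercury's code: a forward-confirmed reverse-DNS check on the HELO/EHLO name (the 'reverse lookups' Peter refers to earlier) and an evaluation of the SPF record Thomas quotes above, both run over a constructed in-memory DNS table so the script works offline. The apsarchaeology.co.uk A, MX and TXT records, the mail.apsarchaeology.co.uk A record and the two PTR names are the ones posted above; the addresses for the two MessageLabs clusters and for mailforwards.extendcp.co.uk are placeholders from documentation ranges (an assumption, since the thread does not show them), and the SPF 'include' and 'exists' mechanisms are not modelled.

```python
"""HELO/EHLO forward-confirmed rDNS and SPF checks over a constructed DNS table."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed resolver table. Records for apsarchaeology.co.uk,
# mail.apsarchaeology.co.uk and both PTR names are the ones quoted in the
# thread; the MessageLabs cluster and mailforwards.extendcp.co.uk addresses are
# placeholders from documentation ranges (assumption: not shown in the thread).
DNS: Dict[Tuple[str, str], List[str]] = {
    ("apsarchaeology.co.uk", "A"): ["79.170.40.170"],
    ("apsarchaeology.co.uk", "MX"): ["cluster8.eu.messagelabs.com",
                                     "cluster8a.eu.messagelabs.com"],
    ("apsarchaeology.co.uk", "TXT"): ["v=spf1 a mx a:mailforwards.extendcp.co.uk ~all"],
    ("mail.apsarchaeology.co.uk", "A"): ["82.69.48.10"],
    ("10.48.69.82.in-addr.arpa", "PTR"): ["mail.apsarchaeology.co.uk"],
    ("170.40.170.79.in-addr.arpa", "PTR"): ["web170.extendcp.co.uk"],
    ("web170.extendcp.co.uk", "A"): ["79.170.40.170"],
    ("cluster8.eu.messagelabs.com", "A"): ["198.51.100.10"],   # placeholder
    ("cluster8a.eu.messagelabs.com", "A"): ["198.51.100.11"],  # placeholder
    ("mailforwards.extendcp.co.uk", "A"): ["203.0.113.25"],    # placeholder
}


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query; an empty list models NXDOMAIN/NODATA."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def fcrdns_names(ip: str) -> List[str]:
    """PTR names for ip whose own A record points back at ip."""
    ptr = ipaddress.ip_address(ip).reverse_pointer
    return [n for n in lookup(ptr, "PTR") if ip in lookup(n, "A")]


def helo_check(ip: str, helo: str) -> str:
    """'pass' when the HELO name resolves to the connecting IP or equals a
    forward-confirmed PTR name, else 'fail'. Engines use this as one signal,
    not as a hard reject on its own."""
    helo = helo.lower().rstrip(".")
    if ip in lookup(helo, "A") or helo in fcrdns_names(ip):
        return "pass"
    return "fail"


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip: str, domain: str) -> str:
    """Evaluate the a, mx, a:host, ip4: and all mechanisms of a v=spf1 record.
    Returns 'none' when the domain publishes no SPF record; mechanisms this
    toy does not know (include, exists, ...) are skipped."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "a" and ip in lookup(arg or domain, "A"):
            return QUALIFIERS[qual]
        if mech == "mx" and any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX")):
            return QUALIFIERS[qual]
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    for ip, helo in (("82.69.48.10", "mail.apsarchaeology.co.uk"),
                     ("82.69.48.10", "apsarchaeology.co.uk")):
        print(f"HELO {helo} from {ip}: {helo_check(ip, helo)}")
    for ip in ("82.69.48.10", "198.51.100.10", "79.170.40.170"):
        print(f"SPF apsarchaeology.co.uk from {ip}: {spf_check(ip, 'apsarchaeology.co.uk')}")
```

With these records a connection from 82.69.48.10 announcing mail.apsarchaeology.co.uk forward-confirms, while announcing the bare apsarchaeology.co.uk does not, because that name's A record is the web host at 79.170.40.170; that is the practical reason for putting the FQDN in MercuryE. Mail for the domain handed straight out from 82.69.48.10 ends at ~all (softfail) under this record, which fits the thread's routing of that domain's outbound mail via MessageLabs, whose (placeholder) addresses pass on the mx mechanism.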
> Thanks for the information, Peter.
> I'm a little confused now so
Are you less confused after Thomas's reply?
Generally, if it is working and you discover something is not, then you work on that. There are several ways to achieve the same thing. As you have, we also have our MX pointers on another host than the Mercury machinery, so if something has to travel from one to the other, it passes through our MX anti-spam/anti-virus host and then back in again.
Thanks, guys.
I have changed the [Domains] information to the following as per your suggestions:
Mercury1 (sends mail out on behalf of apsarchaeology and lincsheritage, and receives mail for apsarchaeology, lincsheritage and heritagelincs):
[Domains]
apsarchaeology: apsarchaeology
apsarchaeology: apsarchaeology.co.uk
apsarchaeology: mail.apsarchaeology.co.uk
apsarchaeology: [82.69.48.10]
heritagelincs: heritagelincs
heritagelincs: heritagelincs.org
heritagelincs: mail.heritagelincs.org
heritagelincs: [82.69.48.10]
lincsheritage: lincsheritage
lincsheritage: lincsheritage.org
lincsheritage: mail.lincsheritage.org
lincsheritage: [82.69.48.10]
Mercury2 (only sends mail out on behalf of heritagelincs.org):
[Domains]
heritagelincs: heritagelincs
heritagelincs: heritagelincs.org
heritagelincs: mail.heritagelincs.org
heritagelincs: [82.69.48.10]
I added the heritagelincs entries to Mercury1 because that is the server that receives all our mail and which fields all requests. We sent out a mailshot from Mercury2 last night and I received one authentication error: '550-Callback setup failed while verifying username@heritagelincs.org'. I don't really know, but I assume this was because heritagelincs.org was not properly entered in the domains list?
Anyway, that's one for me to sort out today.
Is there any point in adding the heritagelincs domain to Mercury2? All it does is send mail - mail it receives is via POP3, it does not receive SMTP mail on port 25.
Thanks again for your help with this. I'd appreciate any further comments if you have them.
I would use the following for Mercury 1 since there is only one server involved. There is never more than one server involved unless using Mercury/32 with multiple Netware servers.