HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-01-30 16:22
by gruenie
Hello Bill,

It's me again who needs your advice! ;-)
Maybe you remember our discussion from last year about hMailServer and ASSP and the problem of "MaxAuthErrors" etc.
You had a nice solution and it works well.

Now I set up another configuration:
Server 1 with public IP xxx.yyy.zzz.59 running HMS and listening on port 25 - configured as a Backup-MX
Server 2 with public IP xxx.yyy.zzz.60 running ASSP listening on port 25 and HMS listening on port 2525.

I think Server 1 is now (with your help and after discovering the SEP/clamAV problem etc.) well configured, and it worked without any problems with the old HMS on Server 2 (without ASSP).

I set up Server 2 as discussed some months ago:
ASSP listens on port 25 and forwards incoming messages to HMS on the same machine on port 2525.
I edited the assp.pl in ASSP 2.3.3 as advised:
Changed line:

if ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors) {
to:

if ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors)) {
and added the following lines to the eventHandler.vbs:

'Block AUTH'd from ASSP IP
' oClient.Port is the local port the connection arrived on. In this setup hMailServer
' listens on 2525 behind ASSP (not on 25), so that is the port to match; a test for 25
' would never fire here. Compare it as a number: VBScript treats a number and a string
' such as "25" as unequal.
If (oClient.IPAddress = "xxx.yyy.zzz.60" And oClient.Port = 2525 And oClient.Username <> "") Then
  Result.Message = "AUTH FAILED. You must be authenticated to send."
  Result.Value = 2
  EventLog.Write("ASSP AUTH attempt rejected:" & vbTab & Chr(34) & oClient.IPAddress & Chr(34) & vbTab & oClient.Username)
End If

As far as I can see after just one day of running, this configuration is fine as long as only the main server 2 is involved.
But if mails are routed through the Backup-MX on Server 1 to port 25 (ASSP) of the main server 2, all mails are rejected and the following information comes back:
The following recipient(s) could not be reached:
webmaster@domain.com
Error Type: SMTP
Remote server (xxx.yyy.zzz.60) issued an error.
hMailServer sent: AUTH LOGIN
Remote server replied: 521 ASSP.nospam does not accept mail - closing transmission - too many previouse AUTH errors from network xxx.yyy.zzz.0
If I route the mails from the Backup-MX on Server 1 to port 2525 (HMS), bypassing ASSP on port 25, all is fine.

What did I do wrong?

Greetings from Germany again!

Gruenie

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-01-30 16:51
by Bill48105
Hey Gruenie.
Sounds like you need a Route to tell server 1 to use a port besides 25. Or that ASSP edit could require a check of server1's IP address.
Bill

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-01-30 17:03
by gruenie
Bill48105 wrote:Hey Gruenie.
Sounds like you need a Route to tell server 1 to use a port besides 25. Or that ASSP edit could require a check of server1's IP address.
Bill
Hello Bill,
thanx for the fast reply.
Your first suggestion works of course, and that is what I'm using at the moment:
Route in Server1: ->> Server2:2525 (which is the HMS directly).

But that is not what I want. I would like to involve ASSP also for emails coming from the backup-MX.

The problem is that I have no idea where exactly I have to make changes. The text in the rejection mail comes from hMS and not from ASSP. So it seems that hMS has a problem getting the mails through the Backup-MX and ASSP.

If I do not use your hack in assp.pl and eventHandler.vbs it works!
But I want to use it because it protects against attacks.

Gruenie.

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-01-30 17:06
by Bill48105
Right what I'm saying is hmail must be trying to send thru assp & it's being rejected. So you need a Route to ASSP so you can tell hmail to use another port. Then in ASSP you can setup AUTH on that 2nd port. I don't recall if doing so bypasses the ASSP AUTH block change or not but if not it'd just require bypassing the block if sender IP matches safe one. Maybe adding the server IP to ASSP noprocessing IP list would help.

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-01-30 17:57
by gruenie
Bill48105 wrote:Right what I'm saying is hmail must be trying to send thru assp & it's being rejected. So you need a Route to ASSP so you can tell hmail to use another port. Then in ASSP you can setup AUTH on that 2nd port. I don't recall if doing so bypasses the ASSP AUTH block change or not but if not it'd just require bypassing the block if sender IP matches safe one. Maybe adding the server IP to ASSP noprocessing IP list would help.
Sorry, I did not get exactly what I should try?!
Setting up a second port in ASSP and routing the mails from the Backup-HMS to this second port in ASSP?
Do I also need to set up a second destination port in HMS2 where ASSP should forward to?
Could I use the SSL ports in ASSP (465) and HMS2 (587) for that and do I have to enable AUTH for this route (in backup-HMS and/or ASSP)?
Do I need a special IP range? Hmmm....

And doesn't "no processing" mean that mails from that source will not be handled at all (isn't that the same as bypassing ASSP)?

Maybe you could make it a little bit more clear for the little stupid Gruenie from Germany! :? :lol:

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-01-30 18:00
by Bill48105
Right you could try all of those. If they work or not will depend on what you are trying to accomplish. ;)

Like I said the error looks like hmail trying to send thru assp. You either don't send thru assp and send direct to hmail on alternate port or you alter assp to allow sending thru it.

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-01 15:22
by gruenie
Hello Bill,

thanx again for your answer.
I tried now many different solutions.
It did not help to put the Backup-MX in the whitelist or in the noprocessing list of ASSP, or to disable AUTH for the Backup-MX, etc.
What works now is to use a second listening port in ASSP (in my case 2025) and to forward all messages from the Backup-MX to ASSP:2025. So the problem is definitely routing the mails through port 25 of ASSP.
But I would like to use port 25 of ASSP (which is on the same machine as the main HMS).
Why? In this configuration I'm also the admin of the Backup-MX and can do whatever I want to. But I have some other projects where external Backup-MX servers are used.

After all my tests I'm quite sure that the problem comes from your hack. But I have no idea why the normal way (Internet->ASSP:25->HMS:2525) works but when the email is routed through the Backup-MX it does not work.
Hmmm...

We (or better you! :-)) made two changes:
In the assp.pl:

from:
if ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors) {
to:
if ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors)) {
and in the eventHandler.vbs:

'Block AUTH'd from ASSP IP
' oClient.Port is the local port the connection arrived on. In this setup hMailServer
' listens on 2525 behind ASSP (not on 25), so that is the port to match; a test for 25
' would never fire here. Compare it as a number: VBScript treats a number and a string
' such as "25" as unequal.
If (oClient.IPAddress = "xxx.yyy.zzz.60" And oClient.Port = 2525 And oClient.Username <> "") Then
  Result.Message = "AUTH FAILED. You must be authenticated to send."
  Result.Value = 2
  EventLog.Write("ASSP AUTH attempt rejected:" & vbTab & Chr(34) & oClient.IPAddress & Chr(34) & vbTab & oClient.Username)
End If
As a reminder, the error message in the emails rejected through port 25 is:
Error Type: SMTP
Remote server (xxx.yyy.zzz.60) issued an error.
hMailServer sent: AUTH LOGIN
Remote server replied: 521 ASSP.nospam does not accept mail - closing transmission - too many previouse AUTH errors from network xxx.yyy.zzz.0
Could it be that the reason for the problem is the hack in the eventHandler.vbs, because there we point to connections on port 25 of ASSP? Would it be possible to exclude the remote Backup-MX IP from that rule?

Or wouldn't that be a solution?

Thanx again in advance!

Gruenie

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-01 17:41
by Bill48105
Bet you didn't add the backup mx IP to your assp noprocessing did you? ;) Understand you can't enforce assp testing on backup mx like other connections. It's relaying outside mail to you. You really need to have own assp setup at secondary (IN FRONT OF IT) & relay direct to main hmail instead of trying to relay thru main assp. assp even has option to sync settings between assp servers. I mean you could alter assp & the script to bypass testing but then you'll just get spam being relayed to you thru the backup server.
Btw assuming that IP is your backup you'd want:

'Block AUTH'd from ASSP IP
' oClient.Port is the local port the connection arrived on. In this setup hMailServer
' listens on 2525 behind ASSP (not on 25), so that is the port to match; a test for 25
' would never fire here. Compare it as a number: VBScript treats a number and a string
' such as "25" as unequal.
If (oClient.IPAddress <> "xxx.yyy.zzz.60" And oClient.Port = 2525 And oClient.Username <> "") Then
  Result.Message = "AUTH FAILED. You must be authenticated to send."
  Result.Value = 2
  EventLog.Write("ASSP AUTH attempt rejected:" & vbTab & Chr(34) & oClient.IPAddress & Chr(34) & vbTab & oClient.Username)
End If
OR better yet, if you set up your backup to connect to a port besides 25, that isn't even needed.

IOW, it rejects if the IP is NOT that IP, so that if it is that IP it's not rejected. You'd need the same sort of thing in ASSP, although setting it in noprocessing IPs should bypass it without changing code.

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-03 19:10
by gruenie
Hello Bill,

Yes, I also tried adding the Backup-MX to noprocessing and it did not work.
To explain it better (hopefully):
I have 2 cases.
Case 1: the Backup-MX is also an hMS and under my control
Case 2: the Backup-MX is a different type of Mailserver and I have no chance to change things
In both cases the main Mailserver is: ASSP:25 -> hMS (5.4):2525.

So in the first case I could try and do whatever I want - but in the second case the Backup-MX is just forwarding the emails to port 25 of ASSP on the main server and I have no possibility to change things. That's the problem.
So I need a way for ASSP on the main mailserver to accept the mails from the Backup-MX on port 25. But I also do not want to do without your hack!

As a reminder: you kindly did your hack (changes in the assp.pl of ASSP and adding the lines in the eventHandler.vbs of hMS) to fend off outside (dictionary) attacks against the mailserver. With ASSP in front of the main hMS the IP-blocking feature of hMS is ineffective - and more than that: it blocks the IP of ASSP!

What your hacks do (and I hope I'm not writing rubbish) is lead the attackers to believe that they never entered the right credentials, even if they have already hacked the system.
If I disable your hack completely then ASSP on port 25 of the main mailserver accepts the messages from the Backup-MX and forwards them to hMS.

In the hacked configuration it's just an authentication problem that the mails coming from the Backup-MX are rejected - but only if they are forwarded from port 25 of ASSP to hMS on the main mailserver. If I add a second port in ASSP then the main hMS accepts the mails (but I cannot do that in case 2, because how could I tell the foreign Backup-MX that it should connect to a different port?).
So I'm quite sure that the problem comes from the modifications in the eventHandler.vbs.

My question was whether there is a possibility to change something in that hack so that connections from the IP of the Backup-MX are allowed and will not be rejected with the error message?

No, in your code the IP is the IP of the mailserver where ASSP and hMS are running. It avoids attacks coming from ASSP on the same IP:

'Block AUTH'd from ASSP IP
' oClient.Port is the local port the connection arrived on. In this setup hMailServer
' listens on 2525 behind ASSP (not on 25), so that is the port to match; a test for 25
' would never fire here. Compare it as a number: VBScript treats a number and a string
' such as "25" as unequal.
If (oClient.IPAddress <> "xxx.yyy.zzz.60" And oClient.Port = 2525 And oClient.Username <> "") Then
  Result.Message = "AUTH FAILED. You must be authenticated to send."
  Result.Value = 2
  EventLog.Write("ASSP AUTH attempt rejected:" & vbTab & Chr(34) & oClient.IPAddress & Chr(34) & vbTab & oClient.Username)
End If
What I don't understand is that the current configuration accepts mails if they come from any mailserver outside. But if they are routed through the Backup-MX they are rejected.

Regards

Gruenie

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-03 23:59
by Bill48105
UNTESTED but something along the lines of:

if ($ip ne "x.x.x.x" && ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors))) {
where x.x.x.x is the IP of the remote server you trust. BUT I don't recall off hand if IP is stored as a string (so you'd use ne) or if it's stored as a number, in which case it'd be != NumberValueOfIP. Odds are it's a string so the above should work. ne the IP would tell assp to skip the block for that IP.

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-05 02:57
by gruenie
Hello Bill,

thanx again for the help.
The code with the string seems to work:

if ($ip ne "x.x.x.x" && ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors))) {
I will continue to test it and have a look at it.

If I want to add another Backup-MX could I do it with the following code?

if ($ip ne "x.x.x.x" && $ip ne "y.y.y.y" && ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors))) {
Kind regards

Gruenie

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-05 04:26
by Bill48105
Very cool glad it's working.
Logic gets messy with more than one, partly due to the negatives. I think I'd add parentheses to force the order, like:

if (($ip ne "x.x.x.x" && $ip ne "y.y.y.y") && ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors))) {
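
The ASSP-side check from the last few posts, generalized to any number of trusted relays. This is an added example written for this thread; it is not code from ASSP or from Bill. It models the patched condition exactly as posted here (counters keyed by client IP, as `$AUTHErrors{$ip}` is), whereas the 521 reply quoted above speaks of errors "from network", so the real ASSP counter may be keyed by network rather than by host. The addresses and the sample error counts are made up:

```perl
#!/usr/bin/perl
# Added example, not ASSP's own code: a stand-alone model of the patched
# MaxAUTHErrors check from this thread, with the trusted relays kept in a
# hash instead of a growing chain of "$ip ne ..." tests.
use strict;
use warnings;

# Backup-MX hosts that may deliver through ASSP port 25 even while the
# "always block AUTH" mode (MaxAUTHErrors >= 999) is on. Hypothetical
# addresses from the RFC 5737 documentation ranges; replace with your own.
my %TrustedRelay = map { $_ => 1 } qw(192.0.2.59 192.0.2.60);

# Returns 1 if the connection from $ip should be refused, 0 otherwise.
#   $ip             dotted-quad string, as ASSP keeps it (hence "ne", not "!=")
#   $MaxAUTHErrors  the MaxAUTHErrors setting; 999 means "always block"
#   $AUTHErrors     hashref of IP => AUTH error count seen so far
sub block_auth {
    my ($ip, $MaxAUTHErrors, $AUTHErrors) = @_;
    return 0 if $TrustedRelay{$ip};            # trusted relay: never locked out
    return 1 if $MaxAUTHErrors >= 999;         # always-block mode from the thread
    return 1 if $MaxAUTHErrors && ($AUTHErrors->{$ip} || 0) >= $MaxAUTHErrors;
    return 0;                                  # feature off, or under the limit
}

# Constructed sample state: one client with a history of failed AUTHs.
my %AUTHErrors = ('198.51.100.7' => 5);

for my $case (
    [ '192.0.2.59',   999, 'trusted backup MX, always-block mode' ],
    [ '198.51.100.7', 999, 'unknown client, always-block mode'    ],
    [ '198.51.100.7',   3, 'unknown client, 5 errors >= limit 3'  ],
    [ '203.0.113.9',    3, 'unknown client, no errors yet'        ],
    [ '203.0.113.9',    0, 'feature disabled (MaxAUTHErrors = 0)' ],
) {
    my ($ip, $max, $desc) = @$case;
    printf "%-14s max=%-3d -> %s  (%s)\n",
        $ip, $max, block_auth($ip, $max, \%AUTHErrors) ? 'BLOCK' : 'allow', $desc;
}
```

Run it with `perl` and read the BLOCK/allow column. Keeping the exemptions in `%TrustedRelay` avoids the chain of `ne` tests whose precedence Bill had to pin down with parentheses, and it makes the trust decision explicit: a host in that hash is never locked out, so, as Bill warns, everything it relays reaches hMailServer without the AUTH-abuse check.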

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-08 01:05
by gruenie
Hello Bill,

just a short feedback:
After testing the new code for some days it seems to work as expected! :-)
You did again a great job and you are my hero! :idea: :D

Thanx again for your help!

Gruenie

Re: HMailserver as Backup-MX - and another HMS with ASSP

Posted: 2014-02-08 01:20
by Bill48105
gruenie wrote:Hello Bill,

just a short feedback:
After testing the new code for some days it seems to work as expected! :-)
You did again a great job and you are my hero! :idea: :D

Thanx again for your help!

Gruenie
lol thx. ok cool. :)