World: r3wp
[Linux] group for linux REBOL users
Pekr 2-Sep-2009 [3141x2] | I am moving a few domains of my friend to my server. However - he wants to access email, which means I need to provide him with authenticated smtp. I have my old sendmail in simple mode - simply relaying allowed from local 10* network, but not from the outside. Has anyone successfully configured sendmail, so that it would use authentication by username, password? My friend sent me the following link, but I don't understand what I should do :-) Hopefully I don't need to recompile sendmail :-) http://www.sendmail.org/~ca/email/auth.html |
I found out, that my Sendmail is probably compiled with SASL support:

    [[root-:-linux] mail]# sendmail -d0.1 -bv root | grep SASL
    NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
    [[root-:-linux] mail]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 linux.pekr.dom ESMTP Sendmail 8.12.10/8.12.10; Wed, 2 Sep 2009 15:37:31 +0200
    ehlo localhost
    250-linux.pekr.dom Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5   <---- This means SASL is allowed
    250-DELIVERBY
    250 HELP

... now just how to further instruct sendmail to use it? | |
Graham 2-Sep-2009 [3143] | only allow the SSL ports to be used? |
Pekr 2-Sep-2009 [3144x3] | I got it running thanks to some sane persons, not linux top gurus, who can't explain kind of anything to mortal man. Those ppl will always wonder, why linux is still not mainstream ... |
http://www.jonfullmer.com/smtpauth/ | |
Simply put - starting "saslauthd -a shadow" daemon, then uncommenting 2-3 lines in sendmail.mc, restarting sendmail, and voila, it was done ... | |
Pekr 4-Sep-2009 [3147x2] | Thinking about providing my brother with some webmail option on my Linux server. In the past, I used simple Squirrel mail. Then I know some ppl do use Horde. Now my friend suggested Zimbra to me. Isn't Zimbra a little bit too much for just an occasional web option to pop3 account? |
or would you move email out from your server to gmail? Does it allow you to host your domain? | |
Graham 4-Sep-2009 [3149] | Zimbra is overkill |
Pekr 4-Sep-2009 [3150] | I thought so - more a groupware than a simple webmail interface to email, right? Most of us use Thunderbird anyway, so ... |
Graham 4-Sep-2009 [3151] | squirrel is fine . |
Oldes 11-Sep-2009 [3152] | What ftp server do you use? |
Pekr 11-Sep-2009 [3153x2] | wsftpd |
under windows FileZilla, xlightftpd ... | |
Oldes 12-Sep-2009 [3155] | you mean vsftpd? |
Pekr 12-Sep-2009 [3156] | ah, probably yes ... but I use old fedora, dunno if new distros use it still, or if it got replaced by some better/different system ... |
Janko 27-Sep-2009 [3157x7] | does anyone have any idea why is this happening to me.. I setup iptables firewall and now my rebol send method (to SMTP on some completely other server) doesn't work any more.. |
setup file is like this:

    #!/bin/bash
    #
    # iptables example configuration script
    #
    # Let's not lock ourselves out of the server
    #
    iptables -P INPUT ACCEPT
    #
    # Flush all current rules from iptables
    #
    iptables -F
    #
    # Allow SSH connections on tcp port 22
    # This is essential when working on remote servers via SSH to prevent locking yourself out of the system
    #
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #
    # Allow HTTP connections on tcp port 80
    #
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    #
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #
    # Set access for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Save settings
    #
    /sbin/service iptables save
    #
    # List rules
    #
    iptables -L -v

| |
it doesn't work unless I put input on ACCEPT again ( iptables -P INPUT DROP ) | |
does the sending of email through external smtp require that the server also accepts some connection? Could it be that the delay with iptables is too long somehow .. I notice that ssh login works visibly slower when setup | |
what is additionally strange is that on the other VPS where I have the same iptables setup this works | |
sending email works | |
I tried from console too .. if firewall is all on ACCEPT it works .. if not this happens :

    >> send [janko-:-itm-:-gmail-:-com] "asasd asd a"
    Net-log: ["Opening" "tcp" "for" "esmtp"]
    connecting to: secure.emailsrvr.com
    ** Access Error: Cannot connect to secure.emailsrvr.com
    ** Where: open-proto
    ** Near: smtp-port: open [scheme: 'esmtp] either only

| |
Graham 28-Sep-2009 [3164] | does a direct tcp connection on port 25 work? |
Dockimbel 28-Sep-2009 [3165x5] | Try adding : iptables -A OUTPUT -i lo -j ACCEPT |
On second thought, that wouldn't help. Try adding a few -j LOG rules to help debug. | |
Tested your rules here on Linux, works ok. | |
I can connect to remote server on port 25. | |
Check your DNS config and test your accesses with telnet. | |
Janko 28-Sep-2009 [3170x2] | Thanks for help Graham and Doc .. I wanted to reply multiple times but altme didn't want to accept my text and it was disconnecting me |
It took me half a day of looking but I think I am close to it now.. when I run the script I get

    iptables: No chain/target/match by that name

and it's related to this line:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

after much digging it currently looks like the vps is missing the "state" kernel module which is given there by -m "meaning match" .. I just wrote the vps host computer admin and I hope he will be able to enable it | |
Gabriele 30-Sep-2009 [3172x4] | you should be able to load the module yourself with modprobe etc. (and it's strange iptables doesn't load it automatically, i thought it did) |
anyway... i'd recommend using something like Shorewall instead of coding your iptables manually. (i used to code iptables manually many years ago...) | |
http://www.shorewall.net/ | |
(it takes some time to configure, but iptables takes some time to configure as well) | |
Janko 30-Sep-2009 [3176] | modprobe gives me the following error:

    FATAL: Could not load /lib/modules/2.6.24-2-pve/modules.dep: No such file or directory

I looked and it seems that VPS container can't access kernel modules .. I am still waiting for administrator because there was some linux conf two days now.. he should fix it today ... I will check out shorewall .. I need quite simple configuration, no forwarding, just close everything and lock ssh to some static IP-s |
Pekr 30-Sep-2009 [3177] | ShoreWall, MonoWall ... and the winner is - Mikrotik :-) |
Gabriele 1-Oct-2009 [3178] | Petr, I'm not sure why someone would want a non-standard, hard to use shell over Linux, but, ok... :P |
Pekr 1-Oct-2009 [3179] | Gabriele - because Linux sucks. Because if it would be easy, Janko would not post his questions here. I use REBOL, because it provides me with simplicity to what I need to do. I use Mikrotik, because it is absolutely best low-cost FW/shaper/whatever, used by 90% small WISP? |
Gabriele 1-Oct-2009 [3180x2] | how is mikrotik easier than the above, given that they don't even have complete documentation on their side? |
it's much harder to figure out than iptables, you can find MILLIONS of hits on google about iptables | |
Pekr 1-Oct-2009 [3182x2] | Gabriele - you should know what you are talking about, no? I use MT for 3 years, and the docs are there, there is a forum, there is a wiki. It allows so much complicated stuff like traffic bonding, easy scheduling/shaping, mangling, scripting, virtual interfaces, dynamic lists, etc. that it is not even funny to compare it to bare-bones Linux .... |
Simply put - our example - small to middle network, 600+ wi-fi users, 50+ MT nodes, which even lamers like me and my brother can properly build. Would we be possible to make it using bare-bones Linux? Absolutely not. Your reaction is imo typical example of why Linux fails in the long run. PPl want easy solution, not guru stuff. | |
Gabriele 1-Oct-2009 [3184x2] | so, what the hell has that to do with Janko's problem (a firewall for his server)? |
can you explain me why mikrotik supports openvpn but *only* on tcp and not udp? that makes no sense at all. | |
Pekr 1-Oct-2009 [3186x4] | It might have nothing to do with Janko's problem. But - I saw you suggesting him ShoreWall, and in that regard I did mention Mikrotik, because I have experience with it, and simply put - nearly all WISP are using it, and that means something. Some ppl do replace Cisco's with it. The system is no-brainer - just insert CF with MT, boot, and there you go. If some node dies, you can replace it in 10 minutes, no virtualisation or advanced technique used, just its clever design. Besides that - MT is still Linux underneath ... |
I find using plain linux for FW/GW purposes only as extremely bad idea nowadays. Of course, if your server does provide you with services as webhosting, then Linux is preferred. | |
As for OpenVPN - I don't know - it is kind of "recent" addition, as community screamed for it. There is l2tp, pptp, ppoe and I use simple pptp .... | |
I can give anyone demo access to my central router, to look around. My opinion simply is, that some things don't need to be entirely free, in order to be considered. And something like 30-40 USD is cool price ... | |
Gabriele 2-Oct-2009 [3190] | I lost the messages i was typing to you yesterday, and you know why? My internet connection does not work. Guess what is my ISP? One of those WISP that uses mikrotik for everything. Yes, I guess that means something. It means that incompetent people just damage other people's work. |