[qmailtoaster] Re: Project Infrastructure - email Lists Migration
On 05/20/2012 09:31 AM, Eric Shubert wrote: Just a heads up. In the next few days, we'll be migrating the email services (primarily lists) for the qmailtoaster.com domain from Jake's server to a VM that Martin has generously provided. We don't anticipate any interruption in services, but one never knows. I'll let you know when the migration's complete. Thanks for your continued participation and patience. The list migration is now complete. If anyone notices any anomalities, please post to the list. If the list isn't working, please contact me or Martin directly. Thanks to Martin for hosting the new list server! -- -Eric 'shubes' - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
[qmailtoaster] Call for participation - Mirors
Greetings all... As most of you know, we have a group of servers that volunteers provide that act as our mirror servers. My project plan calls for 8-10 mirrors spread throughout the globe, and currently we have volunteers in: mirror2 - Europe - AG mirror3 - Europe - UK mirror4 - USA - East mirror5 - USA - West mirror7 - USA - West mirror8 - Europe - DK mirror9 - USA - West If you count, you'll see that we have currently 7 mirrors, and NONE are in Africa, Asia, or Australia. I do have a volunteer from Africa, but they're not setup yet... but I'm also anticipating losing one of the US - West servers in the next 2 months. As a result, I'm requesting additional volunteers to act as mirror servers -- *particularly from those of you in Asia, Australia, or the Eastern US/Canada* Thanks in advance -- I know I'll get volunteers -- this is indeed a AWESOME project to be a part of! Best Regards, Dan McAllister -- IT4SOHO, LLC PO Box 507 St. Petersburg, FL 33731-0507 CALL TOLL FREE: 877-IT4SOHO We have support plans for QMail!
Re: [qmailtoaster] Call for participation - Mirors
Hi Dan, If you need a DNS @Portugal, count me in. Sérgio Rosa No dia 22 de Mai de 2012 18:06, Dan McAllister q...@it4soho.com escreveu: Greetings all... As most of you know, we have a group of servers that volunteers provide that act as our mirror servers. My project plan calls for 8-10 mirrors spread throughout the globe, and currently we have volunteers in: mirror2 - Europe - AG mirror3 - Europe - UK mirror4 - USA - East mirror5 - USA - West mirror7 - USA - West mirror8 - Europe - DK mirror9 - USA - West If you count, you'll see that we have currently 7 mirrors, and NONE are in Africa, Asia, or Australia. I do have a volunteer from Africa, but they're not setup yet... but I'm also anticipating losing one of the US - West servers in the next 2 months. As a result, I'm requesting additional volunteers to act as mirror servers -- *particularly from those of you in Asia, Australia, or the Eastern US/Canada* Thanks in advance -- I know I'll get volunteers -- this is indeed a AWESOME project to be a part of! Best Regards, Dan McAllister -- IT4SOHO, LLC PO Box 507 St. Petersburg, FL 33731-0507 CALL TOLL FREE: 877-IT4SOHO We have support plans for QMail!
Re: [qmailtoaster] Can anyone point me to QTP for QMT .13, Centos 4.6
On 05/21/2012 07:50 AM, Ev Batey WA6CRE wrote: Just upgraded, QMT, Centos, iron and location. I'm hoping someone has a link, how-to, on migrating qmt-mail-folders, users, lists, aliases. Failed to be recognized when scp -rp from oldhost:/home/vpopmail/domains/eachone to newhost:/same... I'm also getting no MX records found going one way. Inbound mail not -- - - Please visit qmailtoaster.com for the latest news, updates, and packages. To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Help request to comunity on tech issue.
Sorry for the lack of answer. Yes, I have some expertise in iptables and firewalling in general. One thing you should need is multiple IPs on each server. Then, via iptables and cron you can change your source ip address every minute or so. Give me some time and I can post examples. On Mon, May 21, 2012 at 7:07 PM, fmende...@terra.com wrote: Hello Natalio, do you have a precise example on how to implement this? Thanks. On lun 21/05/12 4:35 PM , Natalio Gatti nga...@gmail.com sent: I can only think in one solution. Via iptables and src-nat. Not so-random, but you can change your outbound IP address every minute. And AFAIK, once a connection has been established, the nat table mantains the translation. On Mon, May 21, 2012 at 5:42 PM, fmende...@terra.com wrote: Hello everyone I am the owner of a growing hosting enterprise in my country (Perú), and we are facing big rise on our client number. As an efect of this we are seeying a rise in mail outbound in our servers. Even thoug we put limits to hourly sending, having more than 9k clients, all delivering through the same cluster, it lacks of efectiveness because each server in cluster uses only one ip for sending tasks. We are now seeying blocking issues because of the many clents generated traffic. We talked to some people at godaddy and hostgator, as we know they use a cluster system that includes on each server a list of IPs that rotates in a random fashion, so even with high demand quality service on mail delivery from client accounts is always achieved. I would like to ask for some guidance and help to this comunity on how can we could implement such solution to rotate in a random or other way the IPs for sending clients mails. I hope you people can see my situation and can help me with this. We used to work with exim, but since we changed to QMT it was the best desition we ever made on this matters. Now we need to push it to a next level. Thanks a lot.
Re: [qmailtoaster] Call for participation - Mirors
Hey! don't forget South America! Count me in. I'm in Argentina. Send me your requirements. On Tue, May 22, 2012 at 2:52 PM, Sérgio Rosa sergior...@awd.pt wrote: Hi Dan, If you need a DNS @Portugal, count me in. Sérgio Rosa No dia 22 de Mai de 2012 18:06, Dan McAllister q...@it4soho.com escreveu: Greetings all... As most of you know, we have a group of servers that volunteers provide that act as our mirror servers. My project plan calls for 8-10 mirrors spread throughout the globe, and currently we have volunteers in: mirror2 - Europe - AG mirror3 - Europe - UK mirror4 - USA - East mirror5 - USA - West mirror7 - USA - West mirror8 - Europe - DK mirror9 - USA - West If you count, you'll see that we have currently 7 mirrors, and NONE are in Africa, Asia, or Australia. I do have a volunteer from Africa, but they're not setup yet... but I'm also anticipating losing one of the US - West servers in the next 2 months. As a result, I'm requesting additional volunteers to act as mirror servers -- *particularly from those of you in Asia, Australia, or the Eastern US/Canada* Thanks in advance -- I know I'll get volunteers -- this is indeed a AWESOME project to be a part of! Best Regards, Dan McAllister -- IT4SOHO, LLC PO Box 507 St. Petersburg, FL 33731-0507 CALL TOLL FREE: 877-IT4SOHO We have support plans for QMail!
Re: [qmailtoaster] Help request to comunity on tech issue.
Thanks a lot Natalio. I saw some time ago, a patch, for qmail 1.03 to change outbound ip depending on the domain asociate to it. But what we need is a rotation of a list of Ips each time it needs to send. Regards. From: Natalio Gatti Sent: Tuesday, May 22, 2012 5:11 PM To: qmailtoaster-list@qmailtoaster.com Subject: Re: [qmailtoaster] Help request to comunity on tech issue. Sorry for the lack of answer. Yes, I have some expertise in iptables and firewalling in general. One thing you should need is multiple IPs on each server. Then, via iptables and cron you can change your source ip address every minute or so. Give me some time and I can post examples. On Mon, May 21, 2012 at 7:07 PM, fmende...@terra.com wrote: Hello Natalio, do you have a precise example on how to implement this? Thanks. On lun 21/05/12 4:35 PM , Natalio Gatti nga...@gmail.com sent: I can only think in one solution. Via iptables and src-nat. Not so-random, but you can change your outbound IP address every minute. And AFAIK, once a connection has been established, the nat table mantains the translation. On Mon, May 21, 2012 at 5:42 PM, fmende...@terra.com wrote: Hello everyone I am the owner of a growing hosting enterprise in my country (Perú), and we are facing big rise on our client number. As an efect of this we are seeying a rise in mail outbound in our servers. Even thoug we put limits to hourly sending, having more than 9k clients, all delivering through the same cluster, it lacks of efectiveness because each server in cluster uses only one ip for sending tasks. We are now seeying blocking issues because of the many clents generated traffic. We talked to some people at godaddy and hostgator, as we know they use a cluster system that includes on each server a list of IPs that rotates in a random fashion, so even with high demand quality service on mail delivery from client accounts is always achieved. I would like to ask for some guidance and help to this comunity on how can we could implement such solution to rotate in a random or other way the IPs for sending clients mails. I hope you people can see my situation and can help me with this. We used to work with exim, but since we changed to QMT it was the best desition we ever made on this matters. Now we need to push it to a next level. Thanks a lot.
Re: [qmailtoaster] Re: Help request to comunity on tech issue.
Délsio: Our clients are 99% enterprises. Small, medium size, and thus their needs to send emails is not comparable to regular home users.. Even 350 mails per hour is in some cases not enought. Thought they don’t want to rise their monthly payment or move to dedicateds. So traffic is high. Having multiple servers or having them on cluster is just the same. As each one only have 1 ip, reputation may be affected due to the high volume. Solution is to split as much as possible with diferent ips over each current server on array. We already talked about this with our tech assesor. So please any answer or contributions regarding this thread I would really appreciate that would be focus to this. Regards. From: Délsio Cabá Sent: Monday, May 21, 2012 10:51 PM To: qmailtoaster-list@qmailtoaster.com Subject: Re: [qmailtoaster] Re: Help request to comunity on tech issue. Hi all, I am also a small ISP but I don't have such problems and I don't use a cluster yet. The easiest solution is normall the best one. If you have a Storage try to implement a Load Balance with multiple mail servers instead of a cluster. This way you will be able to answer smtp/pop3 requests using multiple IP addresses. But before that you should check your bandwidth and delay also. Many problems occur on the transmission side. Regards On 22 May 2012 01:14, Eric Shubert e...@shubes.net wrote: On 05/21/2012 03:06 PM, fmende...@terra.com wrote: Hello Eric, thanks for your reply. We do not have spam issues with our customers, what we have is a high volume due to large clients number. With so many clients, the probability of compromised passwords is fairly high. I wouldn't be very quick to dismiss this as a possibility. Do your anti-spam measures have any effect on authenticated smtp sessions? All meassures to void spam sending are taken, but the blocks are being generated for large volume send from just a bunch of IPs (5) which are the number of mta's qmt in our cluster. As all you may know, having 9k clients with at least 4 email accounts per client and a limit of 350 per hour per account, it is still a big traffic generated. 350 per hour per account seems like a high limit to me for typical email use. In any case, how are you enforcing this limit? So I am looking forward to have better service on delivery having in mind that custmer number is growing fast and anti-spam messures do its job preatty good. But of the lack of IP on each mta in cluster, it is affecting delivery. Hope someone around may share a solution. Are all machines in the cluster going out on the the same public IP? If so, I presume you have NAT in effect. If that's the case, you should look into implementing SNAT along with NAT, so the source IP changes according to which machine behind the NAT is the source of the packets. This is something your NAT router needs to do. Thanks. A little more detailed description of your current setup might be helpful for us to know what might be most effective for you. -- -Eric 'shubes' On lun 21/05/12 4:55 PM , Eric Shubert e...@shubes.net sent: I don't know if rotating addresses is the best solution or not. It's certainly not practical for small QMT installations. I think in many (if not all or most) of these cases, the user's password has been compromised. This is especially likely if it's possible to configure a client insecurely (plain text password with no TLS/SSL). I've seen this happen on more than one occasion, on a small domain. Password sniffing does happen. First step is to ensure that clients cannot attempt to authenticate with clear text passwords. This can be enforced with dovecot, but we don't have a way yet to enforce it on the sending/smtp side. I'm hopeful that Sam will get this feature built into spamdyke in the near future. Another good defensive weapon is a script I came across on the spamdyke list today, and hope to make available in some form with QTP in the future. It's a script that periodically checks the logs for accounts which have sent more messages in a given interval than some allowed limit. When it finds such an account, it changes the password, removes messages from that account still in the queue, and notifies the postmaster with an email. I think this is very practical, because passwords do become compromised on occasion, even with full encryption (human action). The script is written in python, and will need a little tweaking for the QMT environment, as it's presently written to scan a spamdyke log (the author wasn't using the submission port at all). I think it'd be better to scan the send log if that's feasible. Anywise, I think this approach is promising. If anyone has any
Re: [qmailtoaster] Re: Help request to comunity on tech issue.
Hi Eric. We have modified our control panel so that when clients create a new email, the can't use their own passwords. It is generated with high char random values. We also had put limits to conections and monitor ip conections during smtp/pop tasks. Not more than 1 conection to smtp or pop, and only same IP on both tasks can be accepted. Any other attemp over 5 times blocks the accounts. We also track ip origin on smtp/pop conection and webmail conection. If the regular base is that ip connects from peruvian ranges, and suddenly there is one conection from any other part of the world, then account is blocked and client is asked to fill secret info regarding its account and the 2nd email he/she registered at signup time. Limit to 350 is not high, as our clients are not home users. Over 99% of them are small medium size companys that use alot of emails during day. We already had done a process to determine this and it is a real usage. In same cases it is even not enought. And as I wrote before: Our clients are 99% enterprises. Small, medium size, and thus their needs to send emails is not comparable to regular home users.. Even 350 mails per hour is in some cases not enought. Thought they don’t want to rise their monthly payment or move to dedicateds. So traffic is high. Having multiple servers or having them on cluster is just the same. As each one only have 1 ip, reputation may be affected due to the high volume. Solution is to split as much as possible with diferent ips over each current server on array. We already talked about this with our tech assesor. So please any answer or contributions regarding this thread I would really appreciate that would be focus to this. Regards. -Mensaje original- From: Eric Shubert Sent: Monday, May 21, 2012 6:14 PM To: qmailtoaster-list@qmailtoaster.com Subject: [qmailtoaster] Re: Help request to comunity on tech issue. On 05/21/2012 03:06 PM, fmende...@terra.com wrote: Hello Eric, thanks for your reply. We do not have spam issues with our customers, what we have is a high volume due to large clients number. With so many clients, the probability of compromised passwords is fairly high. I wouldn't be very quick to dismiss this as a possibility. Do your anti-spam measures have any effect on authenticated smtp sessions? All meassures to void spam sending are taken, but the blocks are being generated for large volume send from just a bunch of IPs (5) which are the number of mta's qmt in our cluster. As all you may know, having 9k clients with at least 4 email accounts per client and a limit of 350 per hour per account, it is still a big traffic generated. 350 per hour per account seems like a high limit to me for typical email use. In any case, how are you enforcing this limit? So I am looking forward to have better service on delivery having in mind that custmer number is growing fast and anti-spam messures do its job preatty good. But of the lack of IP on each mta in cluster, it is affecting delivery. Hope someone around may share a solution. Are all machines in the cluster going out on the the same public IP? If so, I presume you have NAT in effect. If that's the case, you should look into implementing SNAT along with NAT, so the source IP changes according to which machine behind the NAT is the source of the packets. This is something your NAT router needs to do. Thanks. A little more detailed description of your current setup might be helpful for us to know what might be most effective for you. -- -Eric 'shubes' On lun 21/05/12 4:55 PM , Eric Shubert e...@shubes.net sent: I don't know if rotating addresses is the best solution or not. It's certainly not practical for small QMT installations. I think in many (if not all or most) of these cases, the user's password has been compromised. This is especially likely if it's possible to configure a client insecurely (plain text password with no TLS/SSL). I've seen this happen on more than one occasion, on a small domain. Password sniffing does happen. First step is to ensure that clients cannot attempt to authenticate with clear text passwords. This can be enforced with dovecot, but we don't have a way yet to enforce it on the sending/smtp side. I'm hopeful that Sam will get this feature built into spamdyke in the near future. Another good defensive weapon is a script I came across on the spamdyke list today, and hope to make available in some form with QTP in the future. It's a script that periodically checks the logs for accounts which have sent more messages in a given interval than some allowed limit. When it finds such an account, it changes the password, removes messages from that account still in the queue, and notifies the postmaster with an email. I think this is very practical, because passwords do become compromised on occasion, even with full encryption
[qmailtoaster] Re: Help request to comunity on tech issue.
Sounds like you've taken great measures to prevent unauthorized use. I still think that 350 per account is high though. That's an average of nearly one every 10 seconds for 60 minutes straight. I think it's safe to say that some of these people are sending to lists. They're your customers though, so I don't doubt that they're generating the volumes you say. How is your cluster presently configured? Are all hosts sending outbound email in a balanced fashion? You've said that you have 5 hosts and 5 IP addresses, but haven't told us much about how things are configured. Are each of these 5 hosts QMTs? On bare iron or virtual? On 05/22/2012 05:23 PM, F. Mendez wrote: Hi Eric. We have modified our control panel so that when clients create a new email, the can't use their own passwords. It is generated with high char random values. We also had put limits to conections and monitor ip conections during smtp/pop tasks. Not more than 1 conection to smtp or pop, and only same IP on both tasks can be accepted. Any other attemp over 5 times blocks the accounts. We also track ip origin on smtp/pop conection and webmail conection. If the regular base is that ip connects from peruvian ranges, and suddenly there is one conection from any other part of the world, then account is blocked and client is asked to fill secret info regarding its account and the 2nd email he/she registered at signup time. Limit to 350 is not high, as our clients are not home users. Over 99% of them are small medium size companys that use alot of emails during day. We already had done a process to determine this and it is a real usage. In same cases it is even not enought. And as I wrote before: Our clients are 99% enterprises. Small, medium size, and thus their needs to send emails is not comparable to regular home users.. Even 350 mails per hour is in some cases not enought. Thought they don’t want to rise their monthly payment or move to dedicateds. So traffic is high. Having multiple servers or having them on cluster is just the same. As each one only have 1 ip, reputation may be affected due to the high volume. Solution is to split as much as possible with diferent ips over each current server on array. We already talked about this with our tech assesor. So please any answer or contributions regarding this thread I would really appreciate that would be focus to this. Regards. -Mensaje original- From: Eric Shubert Sent: Monday, May 21, 2012 6:14 PM To: qmailtoaster-list@qmailtoaster.com Subject: [qmailtoaster] Re: Help request to comunity on tech issue. On 05/21/2012 03:06 PM, fmende...@terra.com wrote: Hello Eric, thanks for your reply. We do not have spam issues with our customers, what we have is a high volume due to large clients number. With so many clients, the probability of compromised passwords is fairly high. I wouldn't be very quick to dismiss this as a possibility. Do your anti-spam measures have any effect on authenticated smtp sessions? All meassures to void spam sending are taken, but the blocks are being generated for large volume send from just a bunch of IPs (5) which are the number of mta's qmt in our cluster. As all you may know, having 9k clients with at least 4 email accounts per client and a limit of 350 per hour per account, it is still a big traffic generated. 350 per hour per account seems like a high limit to me for typical email use. In any case, how are you enforcing this limit? So I am looking forward to have better service on delivery having in mind that custmer number is growing fast and anti-spam messures do its job preatty good. But of the lack of IP on each mta in cluster, it is affecting delivery. Hope someone around may share a solution. Are all machines in the cluster going out on the the same public IP? If so, I presume you have NAT in effect. If that's the case, you should look into implementing SNAT along with NAT, so the source IP changes according to which machine behind the NAT is the source of the packets. This is something your NAT router needs to do. Thanks. A little more detailed description of your current setup might be helpful for us to know what might be most effective for you. -- -Eric 'shubes' - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com