Can't think of a good subject for this, sorry!
I have a customer with an ADSL line and direct delivery of email via SMTP to their external IP (into Exchange). The MX record for the domain points to one of my servers running Postfix, which basically forwards mail to their IP if it is up.
So far so good....
However, they've just suffered a BT-inflicted ADSL outage that's lasted several days and they want to have a backup for the future. They're going down the 3G backup route (using a router which falls over from ADSL to 3G), but this will give them a dynamic IP when on 3G and, more importantly, we've found out the hard way that in general 3G providers do not allow us to make incoming connections (whether on port 25 or any other).
So, my question is: what is the best solution to this?
I have come up with several options:
- Move the email to POP3 delivery, ie mail ends up in a POP3 mailbox on my server, they collect periodically from that box. From experience this causes problems with Exchange, although I don't recall what exactly.
- Provide some kind of POP3/IMAP access to the Postfix mailqueue, so in normal use mail comes via SMTP, but when they switch to 3G they can access the mailqueue (using POP3 or IMAP, and then by extension via webmail) as a temporary measure, with the mail coming in via SMTP as normal once the connection is restored. However, I have no idea if this is even possible?
- Drop everything to a POP3 mailbox on the server, but configure fetchmail to deliver it to them via SMTP if the connection is up. Sort of half-way between the two above options.
- Set up a VPN between the mail server and the exchange server, and deliver to the VPN address. This seems like the "best" option although I have no idea whether it is practical having never tried it. I'd assume OpenVPN as the best VPN solution? I also don't know how well it would scale if I want to then do this with lots of other sites?
On 08 Dec 14:47, Mark Rogers wrote:
Can't think of a good subject for this, sorry!
I have a customer with an ADSL line and direct delivery of email via SMTP to their external IP (into Exchange). The MX record for the domain points to one of my servers running Postfix, which basically forwards mail to their IP if it is up.
So far so good....
However, they've just suffered a BT-inflicted ADSL outage that's lasted several days and they want to have a backup for the future. They're going down the 3G backup route (using a router which falls over from ADSL to 3G), but this will give them a dynamic IP when on 3G and, more importantly, we've found out the hard way that in general 3G providers do not allow us to make incoming connections (whether on port 25 or any other).
So, my question is: what is the best solution to this?
I have come up with several options:
- Move the email to POP3 delivery, ie mail ends up in a POP3 mailbox
on my server, they collect periodically from that box. From experience this causes problems with Exchange, although I don't recall what exactly.
The Exchange pop for incoming mail handler is *terrible* - not a good way to go.
- Provide some kind of POP3/IMAP access to the Postfix mailqueue, so
in normal use mail comes via SMTP, but when they switch to 3G they can access the mailqueue (using POP3 or IMAP, and then by extension via webmail) as a temporary measure, with the mail coming in via SMTP as normal once the connection is restored. However, I have no idea if this is even possible?
It's "possible" but would involve hidden deliveries and a lot of faffing.
- Drop everything to a POP3 mailbox on the server, but configure
fetchmail to deliver it to them via SMTP if the connection is up. Sort of half-way between the two above options.
... suffers that the envelope header has gone, which might not be the same as the From/To values.
- Set up a VPN between the mail server and the exchange server, and
deliver to the VPN address. This seems like the "best" option although I have no idea whether it is practical having never tried it. I'd assume OpenVPN as the best VPN solution? I also don't know how well it would scale if I want to then do this with lots of other sites?
That'd be the way that I'd go. They've then got a "static" ip on a private network to you (and yes, I'd set the vpn up to be static for that).
If you've got windows at one end, and linux at the other, using OpenVPN is probably your best bet.
Cheers,
Brett Parker wrote:
On 08 Dec 14:47, Mark Rogers wrote:
[SNIP]
- Set up a VPN between the mail server and the exchange server, and
deliver to the VPN address. This seems like the "best" option although I have no idea whether it is practical having never tried it. I'd assume OpenVPN as the best VPN solution? I also don't know how well it would scale if I want to then do this with lots of other sites?
That'd be the way that I'd go. They've then got a "static" ip on a private network to you (and yes, I'd set the vpn up to be static for that).
If you've got windows at one end, and linux at the other, using OpenVPN is probably your best bet.
I'd do the same: OpenVPN is goodness. Note too that Netgear DG834G or similar (some Linksys or Draytek models IIRC) support IPSEC VPN endpoints, so if you have an IPSEC endpoint-enabled modem/router at each end, you're sorted (but OpenVPN doesn't support IPSEC).
In either case, in the event of an outage you'll have changing IP addresses at the remote end, one of which will almost certainly be dynamic (3G), so you'll need to use dyndns or similar as well. Also, by using dyndns, you could dispense with the VPN, as your server will always be able to find the remote address.
Cheers, Laurie.
On 08 Dec 15:47, Laurie Brown wrote:
Brett Parker wrote:
On 08 Dec 14:47, Mark Rogers wrote:
[SNIP]
- Set up a VPN between the mail server and the exchange server, and
deliver to the VPN address. This seems like the "best" option although I have no idea whether it is practical having never tried it. I'd assume OpenVPN as the best VPN solution? I also don't know how well it would scale if I want to then do this with lots of other sites?
That'd be the way that I'd go. They've then got a "static" ip on a private network to you (and yes, I'd set the vpn up to be static for that).
If you've got windows at one end, and linux at the other, using OpenVPN is probably your best bet.
I'd do the same: OpenVPN is goodness. Note too that Netgear DG834G or similar (some Linksys or Draytek models IIRC) support IPSEC VPN endpoints, so if you have an IPSEC endpoint-enabled modem/router at each end, you're sorted (but OpenVPN doesn't support IPSEC).
In either case, in the event of an outage you'll have changing IP addresses at the remote end, one of which will almost certainly be dynamic (3G), so you'll need to use dyndns or similar as well. Also, by using dyndns, you could dispense with the VPN, as your server will always be able to find the remote address.
It's even better than that, because you're also not likely to have an external IP at all on 3G. Vodafone 3G sticks, in my experience, tend to throw you into a NAT'd 10.0.0.0/24 address space.
Brett Parker wrote:
[SNIP]
It's even better than that, because you're also not likely to have an external IP at all on 3G. Vodafone 3G sticks, in my experience, tend to throw you into a NAT'd 10.0.0.0/24 address space.
Oh dear. Well, that's handy... So no point in 3G as a backup then...
Cheers, Laurie.
On 08 Dec 16:42, Laurie Brown wrote:
Brett Parker wrote:
[SNIP]
It's even better than that, because you're also not likely to have an external IP at all on 3G. Vodafone 3G sticks, in my experience, tend to throw you into a NAT'd 10.0.0.0/24 address space.
Oh dear. Well, that's handy... So no point in 3G as a backup then...
Perfectly fine with the VPN route - pants any other way :)
On Wed, Dec 08, 2010 at 04:31:05PM +0000, Brett Parker wrote:
It's even better than that, because you're also not likely to have an external IP at all on 3G. Vodafone 3G sticks, in my experience, tend to throw you into a NAT'd 10.0.0.0/24 address space.
Depends on the provider. When I had my Orange 3G USB dongle I got a real world, unfirewalled IP (dynamic though, so not useful as an SMTP endpoint). I believe there's an APN under 3 that gives this too.
I'd go for the VPN approach in all cases that didn't have a static IP at the destination end, whether there's NAT involved or not.
J.
On Wed, Dec 08, 2010 at 05:25:22PM +0000, Jonathan McDowell wrote:
On Wed, Dec 08, 2010 at 04:31:05PM +0000, Brett Parker wrote:
It's even better than that, because you're also not likely to have an external IP at all on 3G. Vodafone 3G sticks, in my experience, tend to throw you into a NAT'd 10.0.0.0/24 address space.
Depends on the provider. When I had my Orange 3G USB dongle I got a real world, unfirewalled IP (dynamic though, so not useful as an SMTP endpoint). I believe there's an APN under 3 that gives this too.
I'd go for the VPN approach in all cases that didn't have a static IP at the destination end, whether there's NAT involved or not.
Surely many/most ISPs/hosting companies now provide authenticated SMTP on various ports other than the standard 25. Certainly all three that I use do so - that's Gradwell, Gandi and Tsohost. You just set up your mail (whether MUA or MTA) to use authenticated SMTP on the specified port and away you go. That works from anywhere; I just turn my netbook on and send away without worrying whether I'm on a hotel's WiFi, a 3G dongle (as at present) or at home on my ADSL.
On Wed, Dec 08, 2010 at 05:50:42PM +0000, Chris G wrote:
On Wed, Dec 08, 2010 at 05:25:22PM +0000, Jonathan McDowell wrote:
I'd go for the VPN approach in all cases that didn't have a static IP at the destination end, whether there's NAT involved or not.
Surely many/most ISPs/hosting companies now provide authenticated SMTP on various ports other than the standard 25. Certainly all three that I use do so - that's Gradwell, Gandi and Tsohost. You just set up your mail (whether MUA or MTA) to use authenticated SMTP on the specified port and away you go. That works from anywhere; I just turn my netbook on and send away without worrying whether I'm on a hotel's WiFi, a 3G dongle (as at present) or at home on my ADSL.
The original query was about inbound SMTP when the primary ADSL link was down.
For outbound SMTP relaying through a smarthost on 587 (submission) using STARTTLS to encrypt is definitely the way to go; this is the way my laptop is configured meaning it doesn't matter which network I'm on.
J.
On Wed, Dec 08, 2010 at 10:25:52AM -0800, Jonathan McDowell wrote:
On Wed, Dec 08, 2010 at 05:50:42PM +0000, Chris G wrote:
On Wed, Dec 08, 2010 at 05:25:22PM +0000, Jonathan McDowell wrote:
I'd go for the VPN approach in all cases that didn't have a static IP at the destination end, whether there's NAT involved or not.
Surely many/most ISPs/hosting companies now provide authenticated SMTP on various ports other than the standard 25. Certainly all three that I use do so - that's Gradwell, Gandi and Tsohost. You just set up your mail (whether MUA or MTA) to use authenticated SMTP on the specified port and away you go. That works from anywhere; I just turn my netbook on and send away without worrying whether I'm on a hotel's WiFi, a 3G dongle (as at present) or at home on my ADSL.
The original query was about inbound SMTP when the primary ADSL link was down.
Ah, sorry, I wasn't concentrating. In that case I think I'd go for either one of the solutions suggested or (what I do) use the forwarding-to-more-than-one-destination facility of one of my ISPs. One destination is my home server via the normal ADSL, a second destination is a system where I have a shell login 'out there' on the internet, so if my 'main' ADSL is down I can still login to the 'out there' shell account and read my mail.
For outbound SMTP relaying through a smarthost on 587 (submission) using STARTTLS to encrypt is definitely the way to go; this is the way my laptop is configured meaning it doesn't matter which network I'm on.
On 08/12/10 18:25, Jonathan McDowell wrote:
The original query was about inbound SMTP when the primary ADSL link was down.
For outbound SMTP relaying through a smarthost on 587 (submission) using STARTTLS to encrypt is definitely the way to go; this is the way my laptop is configured meaning it doesn't matter which network I'm on.
I'm trying to make my Nokia N900 send and receive emails. I can't even do it from home now for some reason although I have managed to receive them in the past.
I want to be able to send them as well though when I'm out in, say a pub with wifi, like the Coach and Horses or the Wig and Pen.
I wondered if SmartTLS was the way to go. The phone runs Maemo so I might be able to install some software if needs be.
Can anybody advise me if I'm looking in the right area please?
On 08/12/10 15:21, Brett Parker wrote:
If you've got windows at one end, and linux at the other, using OpenVPN is probably your best bet.
This looks to be the way I need to go, but I've not got a lot of experience with OpenVPN and know that it's very flexible so I need pointing in the right direction.
I guess what I want is for my mail server to be an OpenVPN server (is it client/server?) and for the Windows boxen to connect to the server via whatever method they like. What I need, though, is that each Windows box always gets the same IP address on the VPN, and that different Windows boxes cannot talk to each other through the VPN (as they'd be different client's boxes).
Where do I start, is this quite straightforward?
Mark Rogers wrote:
On 08/12/10 15:21, Brett Parker wrote:
If you've got windows at one end, and linux at the other, using OpenVPN is probably your best bet.
This looks to be the way I need to go, but I've not got a lot of experience with OpenVPN and know that it's very flexible so I need pointing in the right direction.
I guess what I want is for my mail server to be an OpenVPN server (is it client/server?) and for the Windows boxen to connect to the server via whatever method they like. What I need, though, is that each Windows box always gets the same IP address on the VPN, and that different Windows boxes cannot talk to each other through the VPN (as they'd be different client's boxes).
Where do I start, is this quite straightforward?
OpenVPN (http://www.openvpn.net/index.php/open-source/overview.html) and Shorewall [iptables wrapper] (http://www.shorewall.net/) are probably where you need to start; they work happily together and the documentation is both excellent and mutually supportive.
There is a GUI for OpenVPN that runs on Window$ making a connection in for road warriors (which is effectively what the Exchange box would be when your mail server is an OpenVPN server) beyond trivial. You can find it at http://openvpn.se
There's a learning curve ahead, but lots of how-tos and tutorials on the respective web-sites. Good luck!
I'm sure there are others on this list apart from me who can do this, so ask away if you have problems.
Cheers, Laurie.
Mark Rogers wrote:
I guess what I want is for my mail server to be an OpenVPN server (is it client/server?) and for the Windows boxen to connect to the server via whatever method they like. What I need, though, is that each Windows box always gets the same IP address on the VPN, and that different Windows boxes cannot talk to each other through the VPN (as they'd be different client's boxes).
Where do I start, is this quite straightforward?
Yes, it's quite straightforward. "ifconfig-pool-persist FILENAME" in the configuration should mean each Windows box always gets the same IP address on the VPN and I think omitting "client-to-client" will stop them talking to each other. Firewall tun devices if you want to be really sure.
www.openvpn.net is really quite a detailed site and the software's debug output is pretty good too. I've been using it for years.
Hope that helps,
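To make the reply above concrete (fixed per-client addresses, no client-to-client, firewalled tun device) together with the Postfix forwarding from the first message, here is an added example that is not from the thread or from the OpenVPN/Postfix projects. It writes the files rather than applying them; the 10.8.0.0/24 range, the 1194/udp port, the `ccd` layout and the customer names are assumptions, and `ifconfig-push` is used on top of `ifconfig-pool-persist` so each box's address is pinned regardless of the pool file.

```shell
#!/bin/sh
# Added example, not from the thread. Lays out, on the Postfix/MX host, an
# OpenVPN server where each customer's Exchange box gets a fixed tunnel
# address and customers cannot reach one another, plus the Postfix transport
# entry that delivers their domain down the tunnel. Paths, names and the
# 10.8.0.0/24 addresses are assumptions.
set -eu

write_openvpn_server() {            # $1 = directory for server.conf, ccd/ and rules
    mkdir -p "$1/ccd"
    # No "client-to-client" line: OpenVPN itself will not relay between
    # clients. "ccd-exclusive" rejects any certificate without a ccd entry.
    cat >"$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
ccd-exclusive
keepalive 10 60
persist-key
persist-tun
EOF
    # Kernel-side belt and braces: never forward tun0 -> tun0 (so clients
    # cannot reach each other even with ip_forward on) and accept nothing new
    # from the tunnel; Postfix initiates the SMTP connection outwards.
    # Apply with: iptables-restore -n < tun0.rules   (-n keeps existing rules)
    cat >"$1/tun0.rules" <<'EOF'
*filter
-A FORWARD -i tun0 -o tun0 -j DROP
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i tun0 -j DROP
COMMIT
EOF
}

# $1 = dir, $2 = client certificate CN, $3 = mail domain, $4 = fixed tunnel IP
add_customer() {
    # Per-client file in ccd/: pins the address for this certificate only.
    printf 'ifconfig-push %s 255.255.255.0\n' "$4" >"$1/ccd/$2"
    # Postfix transport map: brackets skip the MX lookup and deliver straight
    # to the tunnel address; mail queues and retries while the tunnel is down.
    # Needs "transport_maps = hash:/etc/postfix/transport" in main.cf and a
    # "postmap /etc/postfix/transport" run after each change.
    printf '%s\tsmtp:[%s]\n' "$3" "$4" >>"$1/transport"
}
```

Each customer's domain must also be in `relay_domains` (or `relay_recipient_maps`) for Postfix to accept it on the MX in the first place, exactly as it is today.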
Same boat here, Exchange on site behind our ADSL service.
The next MX record after our static IP is a backup mail provider so mail goes there when our ADSL is down. Our set up is as follows:
1. We have POP access to the backup provider; 3rd party software on the Exchange server connects out and checks for new mail every 10 mins, so when service is restored after an outage the missing mail will start filing into your inbox within 10 mins.
2. This also means if we can get a temporary connection up (even if it's a NAT'd 3G jobbie), mail will flow, just slowly on the inbound as that 10 minute interval comes round.
3. Our backup mail provider also provides webmail access so remote workers who can't get into our OWA can use that.
Take from that what you will. A VPN isn't a bad idea, just set up an OpenVPN server your end and install the client on their Exchange box, then they can always connect to you even over 3G.
(An easy way to start but maybe not the most secure is to download the OpenVPN Access Server virtual machine from their website; it's almost ready to go out of the box. We have a site-to-site link between two offices. If one end loses ADSL service [and thusly their static IP] we have an OpenVPN AS virtual machine at both ends and the client installed at both ends so it can be fired up and one server can dial into the other). My two pence, HTH.
--James. (This email was sent from a mobile device, this is not secure)