Creating Global Email Server with single domain - dovecot

I have a Postfix/Dovecot email server in a US location, and I would like to create a second email server in the India region, but the domain name should be XXYYZZ.COM for both servers. In the API we are finding the user's location, and based on the location I will redirect the emails.
If a user from US/India tries to create an email box, India users' mail needs to be redirected to the India server and US users' mail needs to be redirected to the US server, using a single domain: user1@xxyyzz.com.

Bonjour Nanda,
I understand what you are looking for, and it is perfectly possible via proxying, which Dovecot itself can do.
All you need are extra servers which will act as proxies in front of those you use as backends (US server and India server).
Since I do not have much information about your backend, I suggest you read about:
Dovecot proxy (https://doc.dovecot.org/configuration_manual/authentication/proxies/)
IMAP+POP proxying (https://wiki1.dovecot.org/HowTo/ImapProxy)
LMTP proxying (https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/).
If the user from US/India tries to create an Email box
By explicitly setting a "host" attribute for each user in your passdb backend (at account creation), you should be able to redirect all requests to a specific host.
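A worked example of the "host attribute in the passdb" approach, added here and not part of the original answer: a small generator for Dovecot passwd-file entries whose extra-fields column carries proxy=y and host= for the user's region. The backend hostnames, the password scheme and the file path in the usage note are assumptions, and the sample accounts are constructed.

```python
"""Generate passwd-file passdb entries for a Dovecot proxy that steers each
user to a regional backend.  This is an added example, not code from the
original post: the backend hostnames, the password scheme and the file
path mentioned in the comments are assumptions."""
import re

# Assumed backend hosts per region; they end up in the "host" extra field.
BACKENDS = {
    "us": "imap-us.xxyyzz.com",
    "in": "imap-in.xxyyzz.com",
}

_LOCALPART = re.compile(r"^[A-Za-z0-9._+-]+$")
_DOMAIN = re.compile(r"^[A-Za-z0-9.-]+$")


def passdb_line(user: str, region: str, password_hash: str, port: int = 143) -> str:
    """Return one line in passwd-file format:

        user:password:uid:gid:gecos:home:shell:extra_fields

    The last column holds space-separated key=value pairs that Dovecot's
    login process reads: proxy=y makes the frontend proxy the session
    instead of opening a local mailbox, host= picks the backend.
    """
    localpart, sep, domain = user.partition("@")
    if not (sep and _LOCALPART.match(localpart) and _DOMAIN.match(domain)):
        # Colons, spaces or newlines here would corrupt the file format.
        raise ValueError(f"refusing malformed username {user!r}")
    if region not in BACKENDS:
        raise ValueError(f"unknown region {region!r}")
    extra = f"proxy=y host={BACKENDS[region]} port={port}"
    return f"{user}:{password_hash}::::::{extra}"


def render_passdb(accounts) -> str:
    """accounts: iterable of (user, region, password_hash) tuples,
    e.g. produced by the API that already knows each user's location."""
    return "".join(passdb_line(u, r, h) + "\n" for u, r, h in accounts)


if __name__ == "__main__":
    # Constructed sample accounts; the hashes are placeholders, not real.
    sample = [
        ("user1@xxyyzz.com", "in", "{SHA512-CRYPT}$6$constructed$placeholder"),
        ("user2@xxyyzz.com", "us", "{SHA512-CRYPT}$6$constructed$placeholder"),
    ]
    print(render_passdb(sample), end="")
```

On the proxy hosts, point a passdb at the generated file (for example `passdb { driver = passwd-file  args = /etc/dovecot/proxy-passwd }`, path assumed) and keep the mailbox passdb only on the backends; with `lmtp_proxy = yes` the same lookup also routes incoming LMTP deliveries, so Postfix in either region can hand every message to its local proxy. Because the proxy checks the password itself and then logs in to the backend with the same credentials, the backends should only accept connections from the proxies.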

Related

SAML certificate authentication vs login

I have a working implementation of SAML (OneLogin) within an enterprise architecture.
When a guest user arrives at my application they are redirected to the company login where they enter their username / password. After that the user identity is passed back to my application and we log them in.
However, I notice that in other applications within the company I do not have to log in at all. Somehow the website "knows who I am" and seems to authenticate me automatically. I presume there is some form of certificate on my PC / browser which the other applications are passing to the SAML?
Can somebody tell me the technical term or process? Is there a process whereby I simply pull the certificate from the browser or PC and pass it to the SAML? I would like my users to be able to auto-login without entering their credentials.
Thanks
There are a number of mechanisms that support an "automatic" authentication like what you describe. In the Identity and Access Management (IAM) realm, we have all sorts of names for it, but many of us call that "seamless single sign-on (SSO)".
Within a corporate environment, I would suspect that you are dealing with one of two mechanisms: Kerberos authentication (especially if you're a Microsoft shop and log in to a domain-joined machine on a daily basis), or your machine is in an MDM-type of system, which uses a machine- and/or user-based certificate (aka PKI) to authenticate the user or user/machine combination.
Within your enterprise, if there are other applications whose users are immediately authenticated to the application without entering their username and password, then you should talk to your IAM team or your Single Sign On (SSO) administrators to understand why that doesn't work for yours.
I will also say that it's possible that your security team evaluated what information your application offers (insider financials? source code? your secret recipe? credit card data?) and decided that they would still require the user to enter their username and password to get access to the data. So when you go to your SSO admins to ask, if they say that it's intentional, you should feel free to ask why and who you should talk to about it.
After a LOT of research and testing I finally have the answer to this question, and it is incredibly simple!
In summary:
I have a working solution with OneLogin that sends me to a page like this:
https://sts.companyname.com/adfs/ls
The url is specified in the config: saml->config->idp->singleSignOnService->url
However, this page requires the user to enter their username and password and, instead, I would like the system to be fully seamless.
The solution, it turns out, is simply to hyperlink to the following url:
https://sts.companyname.com/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mypage.com/saml/metadata
where "loginToRp" url is the url provided in saml->config->sp->entityID
The ADFS IDP Initiated Signon will connect to your metadata schema and automatically log the user in (without the user needing to provide any credentials)
NOTE: this only applies to intranet sites in a corporate environment

Receive email with AWS SES without MX record

I'd like to process incoming email for a specific email address. In the AWS docs it says
Although you are not required to publish an MX record to receive mail through Amazon SES, if you don't publish the record, Amazon SES will receive mail for your domain only if you explicitly route it to Amazon SES.
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-mx-record.html
How do I explicitly route email to SES?
After hours of research and failed attempts at having SES receive emails without the use of an MX record (had set up an additional route via G Suite / Google Apps), here is my best suggestion on how to go about this.
Short Version
Create a subdomain and point its MX record to SES after inserting the TXT verification record. After creating the necessary rule set to receive and save email from any@sub.domain.com, you can now have SES receive email from any email address you own (even if it's not verified with SES) by simply forwarding its emails to the SES-enabled subdomain email address.
Long Version
Unfortunately, it does still require an MX record, but check it out...
You can create a custom subdomain on your primary domain and call it anything. In my case, I called it ses.mydomain.com
Next, I added my newly created subdomain to SES via the Domains link.
Immediately upon adding it as a domain to SES, a pop-up window appears displaying the required TXT verification record and MX mail record.
Shortly after assigning these two DNS records to my subdomain, the subdomain is verified and able to receive email after setting a few quick rules via Rule Sets!
Here's the cool part - you can still have SES receive email from any email address you have access to.
How you might ask?
By just setting up a forwarder on the email address you do want to send to SES, by forwarding it to the SES-enabled subdomain email address.
Meaning - if SES is able to receive email for someone@ses.example.com, but you want it to actually receive email for someone-else@example.com, then all you need to do is forward someone-else@example.com to someone@ses.example.com!
Remember, you still need to create the necessary rules to receive emails. See this AWS Blog Post for more information.
Use one of the AWS SES's inbound endpoints:
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/regions.html#region-select
e.g. for US-EAST-1 the inbound endpoint is inbound-smtp.us-east-1.amazonaws.com. For receiving only you do not use SMTP endpoints. The procedure is pretty much the same using MX records or not: somewhere (in your DNS or in your mail handling system) you must point to a SES inbound endpoint.
For example, my MX records point to Google Apps, but using 'Hosts' and 'Routing' (inside Google Apps/Gmail options) I managed to relay only one recipient to SES. So every e-mail my domain receives goes to Gmail recipients as usual, except for one special_recipient@mydomain.com which I relayed to SES (which, in turn, goes to SNS then to SQS).
from:
https://aws.amazon.com/blogs/aws/new-receive-and-process-incoming-email-with-amazon-ses/
Now you need to route your incoming email to SES for processing. You have two options here. You can set the domain’s MX (Mail Exchange) record to point to the SES SMTP endpoint in the region where you want to process incoming email. Or, you can configure your existing mail handling system to forward mail to the endpoint.
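Once mail reaches SES by either route, the notification that arrives through SNS (and then SQS, as the second answer describes) still has to be vetted before application code touches it. The following is an added example, not code from either answer: it unwraps the SNS envelope, checks the verdicts SES has already computed, and only accepts mail addressed to the subdomain that was pointed at SES. The notification is constructed to follow the documented SES receipt layout; the topic ARN, account number, addresses and message IDs are made up.

```python
"""Consume an Amazon SES "Received" notification as delivered through SNS
and decide whether to process it.  Added example, not from the original
answers; the notification below is constructed to match the documented
SES receipt-notification layout, with made-up identifiers and addresses."""
import json

# Verdicts that must PASS before the message is handed to application code.
# SPF is deliberately not in this list: the forwarding trick described
# above breaks SPF, because the forwarding host is not in the original
# sender's SPF record.  DKIM survives forwarding if the body is untouched.
HARD_VERDICTS = ("spamVerdict", "virusVerdict", "dkimVerdict")
ACCEPTED_RECIPIENT_DOMAIN = "ses.example.com"   # the MX-enabled subdomain


class RejectMail(Exception):
    """Raised with the reason a notification must not be processed."""


def parse_sns_envelope(raw: str) -> dict:
    """SNS wraps the SES notification as a JSON string in the Message field."""
    env = json.loads(raw)
    if env.get("Type") != "Notification":
        raise RejectMail(f"unexpected SNS type {env.get('Type')!r}")
    return json.loads(env["Message"])


def vet_receipt(notification: dict) -> dict:
    """Return a summary of a notification that is safe to process,
    or raise RejectMail with the reason."""
    if notification.get("notificationType") != "Received":
        raise RejectMail("not an inbound receipt")
    receipt = notification["receipt"]
    mail = notification["mail"]
    for name in HARD_VERDICTS:
        status = receipt.get(name, {}).get("status", "GRAY")
        if status != "PASS":
            raise RejectMail(f"{name}={status}")
    spf = receipt.get("spfVerdict", {}).get("status", "GRAY")
    # Only accept mail addressed to the subdomain pointed at SES; the
    # original recipient is still visible in the forwarded copy's headers.
    recipients = [r for r in receipt.get("recipients", [])
                  if r.lower().endswith("@" + ACCEPTED_RECIPIENT_DOMAIN)]
    if not recipients:
        raise RejectMail("no recipient in the SES-enabled subdomain")
    return {
        "messageId": mail["messageId"],
        "from": mail["source"],
        "to": recipients,
        "spf": spf,
        "subject": mail.get("commonHeaders", {}).get("subject", ""),
    }


# Constructed sample: an SNS envelope carrying a message that was forwarded
# from someone-else@example.com to the SES-enabled subdomain.
SAMPLE_SNS = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:ses-inbound",
    "Message": json.dumps({
        "notificationType": "Received",
        "receipt": {
            "timestamp": "2024-01-01T00:00:00.000Z",
            "recipients": ["someone@ses.example.com"],
            "spamVerdict": {"status": "PASS"},
            "virusVerdict": {"status": "PASS"},
            "spfVerdict": {"status": "FAIL"},
            "dkimVerdict": {"status": "PASS"},
            "dmarcVerdict": {"status": "GRAY"},
            "action": {"type": "SNS",
                       "topicArn": "arn:aws:sns:us-east-1:123456789012:ses-inbound"},
        },
        "mail": {
            "timestamp": "2024-01-01T00:00:00.000Z",
            "source": "sender@example.net",
            "messageId": "constructed-message-id",
            "destination": ["someone@ses.example.com"],
            "commonHeaders": {"from": ["sender@example.net"],
                              "to": ["someone-else@example.com"],
                              "subject": "hello"},
        },
    }),
})

if __name__ == "__main__":
    print(vet_receipt(parse_sns_envelope(SAMPLE_SNS)))
```

The SPF result is carried through rather than enforced on purpose: every message that arrives via the mailbox-forwarding route will fail SPF at SES, so a hard SPF check would drop exactly the mail this setup was built to receive, while spam, virus and DKIM verdicts remain meaningful.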

How to add new 'From' email id each time sending email using PostFix server

I am new to Postfix and have set up Postfix as a server recently. In testing, Postfix is working fine and relaying the emails with the 'From' email address stored in the Postfix credentials file, like admin@mydomain.com and password: xxxxxxx
My problem is: we have a web application that allows a direct email sending feature between the website users, so User 1 can send email to User 2 (user2@example.com) and vice versa. But while sending emails using the Postfix server, user2 will always receive admin@mydomain.com instead of user1@example.com, so user2 cannot reply to the email directly to user1.
This problem is a bigger one as we have thousands of users that are waiting for this feature. So if someone can help me configure the Postfix server so that at the time of sending email, the user can set their email id as the 'From' field of the email using any web form, and the receiving user will get the email as if it was originally generated by user1@example.com, so that he can reply directly to user 1 on his email id.
I have done some research work on Postfix about this problem but did not find much of interest. The approach others followed is using smtp_generic_maps, but this can work only with a limited set of email ids stored in /etc/postfix/generic. But we want this solution to be fully dynamic so that any user can add the FROM as his/her email while internally the email will be sent using admin@mydomain.com in Postfix.
Early response is much appreciated.
Thanks
Finally I fixed this issue by using a Grails application which doesn't require adding fixed emails in Postfix.
Use the Grails Mail plugin and set the Postfix server as the default mail server.
Also add an inbound connection in Postfix so that other email services will not ban you.
As well as change the port from 25 to some other port, as port 25 is being used to send Trojan horses and spam...
I love Postfix now. Enjoy free mail service for your small business.
Thanks
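An added example of how a web application can send user-to-user mail through Postfix so that the recipient's reply reaches the original user; it is not code from the question or the answer. Instead of putting user1@example.com in From: (which the application's domain cannot sign or authorize under SPF, DKIM or DMARC), it keeps From: on the relay account and sets Reply-To: to the real user, and it validates the form-supplied addresses so a submitted value cannot inject extra headers. The relay host, port, credentials, site name and addresses are assumptions.

```python
"""Send user-to-user mail from a web application through Postfix without
forging the From: address.  Added example, not from the original question
or answer; the relay host, credentials, site name and addresses are
assumptions."""
import re
import smtplib
from email.headerregistry import Address
from email.message import EmailMessage

RELAY_HOST = "127.0.0.1"          # the Postfix server, assumed local
RELAY_PORT = 587                   # submission port, not 25
RELAY_USER = "admin@mydomain.com"  # the identity Postfix lets this app send as
RELAY_PASSWORD = "xxxxxxx"
SITE_NAME = "Example Site"

# Strict shape check: rejects header-injection payloads such as
# "user1@example.com\r\nBcc: victim@..." that a web form could submit.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def require_addr(value: str) -> str:
    if not _ADDR.fullmatch(value):
        raise ValueError(f"rejecting address {value!r}")
    return value


def build_message(sender_name: str, sender_email: str,
                  recipient_email: str, subject: str, body: str) -> EmailMessage:
    """From: stays on our own domain so SPF, DKIM and DMARC line up;
    Reply-To: carries the real user so the recipient's reply goes straight
    back to them, which is what the question actually needs."""
    sender_email = require_addr(sender_email)
    recipient_email = require_addr(recipient_email)
    # Display names and subjects come from the form too: strip CR/LF and
    # the characters that would let a name masquerade as an address.
    display = re.sub(r'[\r\n"<>]', " ", sender_name).strip()
    subject = re.sub(r"[\r\n]", " ", subject)
    msg = EmailMessage()
    msg["From"] = Address(f"{display} via {SITE_NAME}", addr_spec=RELAY_USER)
    msg["Reply-To"] = Address(display, addr_spec=sender_email)
    msg["To"] = Address(addr_spec=recipient_email)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send(msg: EmailMessage) -> None:
    """Authenticated submission; the envelope sender (MAIL FROM) defaults
    to the From: header, i.e. admin@mydomain.com, the same as the login."""
    with smtplib.SMTP(RELAY_HOST, RELAY_PORT) as smtp:
        smtp.starttls()
        smtp.login(RELAY_USER, RELAY_PASSWORD)
        smtp.send_message(msg)


if __name__ == "__main__":
    m = build_message("User 1", "user1@example.com", "user2@example.com",
                      "Hello from the site", "Reply to this and it reaches me.")
    print(m.as_string())
```

On the Postfix side the matching control is `reject_sender_login_mismatch` in `smtpd_sender_restrictions` together with `smtpd_sender_login_maps`, which makes the relay refuse a MAIL FROM that the authenticated account does not own; with that in place the application cannot spoof other domains even if a bug in the form handling lets a user-controlled From: through.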

New host - 404 Error

I am a newcomer to the web part of programming and I was given a host. I uploaded a simple index.html file with one header (it is correct). If I then try to connect with the nameserver IP (obtained with PuTTY), I get a 404 error. I have tried many different things with folders, but I could not fix anything.
The nameserver IP address is almost certainly not your hosting IP address. The nameserver is the server (probably owned by your host - but possibly an outsourced service) that converts the human-readable domain name (such as www.domain.com) to an IP address the computer can connect to (such as 198.252.206.16 - the IPv4 address I get for www.stackoverflow.com). It acts as a giant lookup list of domain names and IP addresses, much like a telephone book or Yellow Pages.
Moreover, as your host will almost certainly be hosting many domains (tens or possibly hundreds) per server, you will need to use a domain name when attempting to connect to your web page - this will be needed for Apache or IIS to know how to route the request/which content to return to the browser. It will do this using the request header sent by the browser when requesting the page. If you are testing locally then localhost/127.0.0.1 will be good enough if you have a single site registered/single set of content in a wwwroot directory (or equivalent). Similarly a virtual server or dedicated server may well respond to requests by IP address if it is the only site/application registered on the server.
To use another real-world analogy, it is a bit like addressing an item of post to a town or village - without including the recipient name, street or house number - and then expecting it to be received and to get a response.
Some hosts provide temporary domain names for you to use before you purchase your domain name or whilst the domain name details are propagated to DNS servers around the world. This usually looks something like:
http://your-user.your-host.com/ or http://server.your-host.com/your-username/
If your host offers such a service then this should normally be detailed in their self-help pages, or the admin area where you set up the site. Clearly such a domain is not intended for "production" use, and you should purchase a domain name before using the site for anything other than testing - if only to allow you the flexibility to move to a new host in the future.
This is not a question for StackOverflow users though, and I strongly suggest you consult your host's documentation or contact them for further assistance.

Detect whether public IP address is dynamic or static

There are several email servers refusing connections from clients with public dynamic IP addresses. For example, many SMTP servers receiving emails only accept connections from clients having static IP addresses, to avoid spam emails which are sent directly from computers having dynamic IP addresses.
When I looked for answers using Google I only found information saying it is impossible to distinguish between static and dynamic addresses. So how do the email servers do it? Are there any databases providing information for specific IP ranges?
Have a look at the MX records of t-online.de (one of the largest German email providers). Try to connect to mx00.t-online.de:25 using PuTTY (raw mode) on a computer having a dynamic IP address. The mail server immediately closes the connection and does not even allow the client to send any command, while a connection from a server having a static IP is not refused.
Or have a look at the following extract of an SMTP session:
220 mailin.rzone.de [joses mi173] ESMTP RZmta 29.19 ready
EHLO Home-PC
250-mailin.rzone.de [joses mi173] greets 87.179.163.89
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-PIPELINING
250-DELIVERBY
250-SIZE 104857600
250 HELP
MAIL FROM:<sender@example.com>
250 2.1.0 <sender@example.com> Sender ok
RCPT TO:<recipient@example.org>
550 5.7.1 87.179.163.89 is a dynamic IP
This is the email server for customers of Strato, a German hosting company, which also denies access to clients having a dynamic IP address. Email addresses have been changed. I used a recipient address which is acceptable for mailin.rzone.de, so there is no relay issue.
Also http://whatismyipaddress.com/blacklist-check states the following:
Just because the IP is listed with a particular blacklist does not mean that you are sending spam, just that particular blacklist suggests not to accept mail directly from that IP address. Most residential Cable/DSL IP addresses that are dynamically assigned will indicate that they are blacklisted, meaning you should be sending from your ISP's mail server, not a mail server running on your own internet connection.
This is probably the result of using a DNS blacklist based on ISP-provided information about which of their IP addresses are authorized to send email directly. See Spamhaus' Policy Block List for an example.
The information isn't independently discoverable. Participating ISPs must provide the DNSBL services with information about their network.
However, in the case of some of these lists, like Spamhaus, the information is queryable by the general public under certain conditions. You couldn't detect whether IPs are static or dynamic directly, but could still check any particular IP.
You mentioned that whatismyipaddress.com incorrectly lists your current IP address as static. Using their blacklist check tool with your IP, 87.179.190.52, I see that they currently incorrectly show it as unlisted by Spamhaus' PBL (among others). The IP I'm connecting from is both correctly described as dynamic, and listed in the PBL, hinting that that might be what they're basing their information on.
I believe those email servers you're referring to only do a reverse DNS check so as long as you have a PTR record for that IP address, I think it should be OK.
Bottom line, I don't think dynamic IP allocation is an issue with mail servers.
Regarding the question, the only way I can think of is by looking at the WHOIS information, there's a field called NetType. Obviously, you cannot rely on it but at least it can give you an idea if the ISP did provide that information.
Static/public IP addresses are listed by some ISPs as follows:
123.123.123.4 static.yourisp.isfine.com
while dynamic ones are listed:
123.123.123.5 dhcp.mx1.coldservice.com
see?
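The answers above point at two different signals: the ISP-supplied policy list (Spamhaus PBL, queried through DNS) and the naming convention of the reverse-DNS record. The following is an added example, not code from any of the answers, that combines them the way a receiving MTA typically does: query the ZEN zone first, then fall back to the PTR name, and finally require forward-confirmed reverse DNS. The resolver functions are injected so the constructed lookup tables run offline; the 127.x return codes are the ones Spamhaus documents for ZEN, the hostnames are invented, and 87.179.163.89 (the client address from the quoted SMTP session) is shown as PBL-listed only as an assumption for the sample.

```python
"""Classify a public IPv4 address the way receiving MTAs do: first ask a
DNS-based policy list (Spamhaus PBL, served through the ZEN zone), then
fall back to reverse-DNS naming and a forward-confirmed rDNS check.
Added example, not from the answers above.  The resolver functions are
injectable so the constructed lookup tables at the bottom run offline;
pass the socket-based ones for real queries."""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"
# ZEN answer codes: 127.0.0.2 SBL, 127.0.0.3 CSS, 127.0.0.4-7 XBL,
# 127.0.0.10-11 PBL (the ISP says this range must not send mail directly).
# 127.255.255.x are error codes (typo, public resolver, query limit).
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "dialup", "dialin", "cable", "dsl")


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr.is_loopback or addr.is_private:
        raise ValueError(f"{ip} is not a routable IPv4 address")
    return ".".join(reversed(ip.split("."))) + "." + zone


def resolve_a(name: str):
    """A-record lookup; None when the name does not exist (= not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_ptr(ip: str):
    """PTR lookup; None when the address has no reverse name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def classify(ip: str, a=resolve_a, ptr=resolve_ptr) -> str:
    """Return 'dynamic', 'static' or 'unknown' for a public IPv4 address."""
    code = a(dnsbl_name(ip))
    if code and code.startswith("127.255."):
        # Never treat an error answer as "not listed".
        raise RuntimeError(f"DNSBL returned error code {code}")
    if code in PBL_CODES:
        return "dynamic"
    name = ptr(ip)
    if name is None:
        return "unknown"          # no PTR at all: most MX hosts refuse outright
    name = name.lower()
    if "static" in name:
        return "static"
    if any(hint in name for hint in DYNAMIC_HINTS):
        return "dynamic"
    # Forward-confirmed rDNS: the PTR name must resolve back to the IP.
    return "static" if a(name) == ip else "unknown"


# Constructed lookup tables standing in for DNS (see the lead-in).
CONSTRUCTED_A = {
    "89.163.179.87.zen.spamhaus.org": "127.0.0.11",
    "mail.isfine.com": "123.123.123.6",
}
CONSTRUCTED_PTR = {
    "123.123.123.4": "static.yourisp.isfine.com",
    "123.123.123.5": "dhcp.mx1.coldservice.com",
    "123.123.123.6": "mail.isfine.com",
}

if __name__ == "__main__":
    for ip in ("87.179.163.89", "123.123.123.4", "123.123.123.5",
               "123.123.123.6", "123.123.123.7"):
        print(ip, classify(ip, CONSTRUCTED_A.get, CONSTRUCTED_PTR.get))
```

Two things matter when this is run against real DNS: queries to zen.spamhaus.org from a public resolver or above the free-use volume return the 127.255.255.x error codes, which the code refuses to misread as "not listed", and a PTR record alone is not enough for most MX hosts, which is why the last step checks that the reverse name resolves forward to the same address.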