smtpwire
smtpwire
This program sits on the normal mail port - port 25 or port 587 for both plain
and TLS/SSL (or sometimes 465 or 2525 are used) - and pretends to be a fully
functional mail deamon.
It allows ALL mail traffic for a server to be sucked in and treated like an
incoming data stream like a wire service.
If only a few logons on a particular server are required and NOT all, do NOT
use this program but use your favourite *nix email program like 'sendmail' and
just add 'sffmail' to the required logons in the '/etc/aliases' file.
SMTPWIRE allows NO relays or other dodgy bits - all that is done in other Fip
programs downstream (if you really need them of course).
If you need outgoings, use 'ipsmtp' and point it - using the -h (hostname)
switch - at your in-house email server.
To get mail to your system you will need to sweet-talk the mail administrator
to replay those logons you are interested in to the host running 'smtpwire'.
A small FipHdr is added with date and time fields, sender and receiver logons
before the file is passed on - normally to spool/xsmtp for 'ipchkmail' to sort
out.
The Sender is the FipHdr fields SA and the Receipient the DA FipHdr (and DZ to
the no angle brackets-non-domain, stripped version)
To install on a Unix box, you will need to take sendmail down first before
replacing it (so please do make sure no-one else needs mail on that system !).
It is usually started by :
On Unix it is the 'sendmail' with the '-bd' switches running :
ps -ef | grep sendm
root 163 1 0 09:40:22 ? 0:00 /usr/lib/sendmail -bd -q1h
On Solaris - /etc/rc2.d/S88sendmail
Stop sendmail with 'S88sendmail stop'
Then stop it from restarting by renaming this to something NOT starting with
'S99'
On Linux - RedHat - /etc/rc.d/rc2.d/S80sendmail
Stop sendmail with 'S80sendmail stop'
Then stop it from restarting by renaming this to something NOT starting with
'S99'
Note that on some flavours of Unix, 'smtpwire' needs to be started by someone
with 'root' priviledges if the port number is less than 1024 - which port 25
normally is !
If using Unix/Linux, only one instance of smtpwire should be in the SYSTEM file
and the -E 99 switch is used to determine the number of simultaneous inputs.
There is an optional parameter file which will be the same as the -z input
switch.
It can contain any SSL settings :
use-tls:yes/no/both
The commands are for a ftp running over SSL/TLS on the remote server
NOTE - smtpwiressl and NOT smtpwire must be used for SSL/TLS
default is NO
no - normal, standard SMTP on (normally) port 25 for the control
yes - connect (on port 587) and use SSL for all transfers
both - connect in plain and if the remote client sends a 'STARTTLS' command,
use SSL for all subsequent transfers
tls-auth: (XXX)
AUTH type for TLS/SSL default: TLS
Valid entries are TLS, SSL, TLS-C (whatever that is !) and something starting
'X-' which will be something homegrown !
NOTE that for all versions of SSL the method string is "SSL" (this string is
case sensitive according to the RFC)
eg tls-auth:SSL
ssl-method: tls tls1 tls1.1 tls1.2 sslv2 sslv3 sslv2and3
Version number to use for TLS/SSL default: 999 for current default (2 or 3)
(only the digits are significant, so add other text to make it readable)
For 'modern' connection, pls do NOT use sslv2 ! as it is deemed insecure
If default it will check the available list and pick the highest.
The default is currently 23 which on a modern server is sslv3 and tls1_2 !)
ssl-password: (password)
ssl-passwd: (password) default: none
Optional password if the handshake requires a shared secret
ssl-cert: (name of a PEM certificate file) default: none
ssl-root-cert: (name of a root PEM certificate file) defaunt: none
Optional certificates - held in tables/ssl
ssl-verify: yes/no verify certificates default: yes
ssl-ciphers: (list) acceptable ciphers
(use 'openssl ciphers' to list)
default: "HIGH:!aNULL:!kRSA:!SRP:!PSK:!CAMELLIA:!RC4:!MD5:!DSS"
round-robin: (number) default: none
round-robin-fiphdr: (2 letter FipHdr field) default: none
Round-Robin the output files and add the RR number to the fipHdr.
Both parameters are required - the Number is the MAXimum.
eg to leave the output in folder1 to folder9
round-robin:9
round-robin-fiphdr:RR
and a suitable output folder might be outque:xchg\RR
(when testing, rember to add an extra '\' for the shell if using input
switch outque : -o xchg\\RR)
Note that the round-robin number is NOT added automatically to any output
folder - ie you MUST specify a FipHdr as in /fip/spool/2xml\RR
output-queue: (full pathname or folder under /fip/spool) default: xsmtp (under
/fip/spool)
This is the same as the -o input switch
This can be in fipseq and use the round-robin fiphdr :
output-queue:avcheck\RR
doneque: (full pathname in FipSeq) default: none
This is the same as the -d input switch
extra-fiphdr: (FipHdr fields in FipSeq) Add this to the FipHdr of each
incoming file. default: none
save-data-path: (pathname for data)
This puts the data of the incoming data in a file in this folder and creates
a FipHdr file that contains 2 FipHdrs containing the full path/filename
SX: and FTP_EXTERNAL_FILE:
(ipbalan uses SX and ipftp uses FTP_EXTERNAL_FILE)
eq save-data-path:/fip/data/jpegs/\$e\$y\$i\$d/
Use this for big files that you do not want to copy around the Fip Spool
area.
balance-group; (Balance Group name) Balance group for balancing doneque
balance-group-nohdr; (Balance Group name) Balance group for balancing doneque
default: none / no balancing
This is the same as the -J input switch
This group MUST be in sys/BALANCE
balance-folder: (folder under spool) Balance queue for balancing doneque
This is the same as the -j input switch
default: 2balance
helo-host: (hostname in banner when remote connects)
ehlo-host: (hostname in banner when remote connects)
For bonefide systems this could be 'mail.(domainname)' or the actual
hostname/FQDN
default is notfip-(IPaddress in hex)
allow: (IPaddress to allow)
disallow: (IPaddress to block)
use this for blacklist/whitelist certain addresses
A zero '0' or '*' (star) can be used to indicate ALL eg 10.3.3.* or 10.3.3.0
disable-limit: (number)
number of bad RCPT TO errors before IP address is blacklisted
default: 30 unsuccessful attempts
address-check-file: (filename) No default
address-check-file1: (filename) No default
address-check-file2: (filename) No default
address-check-file3: (filename) No default
the file must be in (E/D) (sep) email address (sep) (other info ...) NL or CR
NL
eg E|dot@fingerpost.co.uk|#AB:other information for other Fip Programs
Check the incoming email address against a standing file of addresses.
If it fails, the file is ONLY written to the doneque (if there is one) - the
sender gets no indication.
It also allows some flexibilty to merge schemes - perhaps unix logon and a
further 'psuedo' list.
The default - without any checks at all - is to allow any email address and
assumes you will validated at a later Fip stage
There can be 4 different address-checks files
address-check-sep: (separator in FipSeq) Field sep in the check file default:
colon '|'
address-check-valid: (fiphdr info in fipseq) Extra FipHdr added to incoming
files with VALID logons
address-check-invalid: (fiphdr info in fipseq) Extra FipHdr added to incoming
files with INvalid logons
address-check-logon-fiphdr: (2 letter fiphdr in fipseq)
The checks are done as exch RCPT is specified by the remote - it is
temporarily in FipHdr field E1
This is Z field but can be modified using FipSeq to a different value
replace:QZ E1 holidays.com=allwork.com
address-check-logon-fiphdr:QZ
Input Parameters :
All Optional :
-A : name of the archive file if not the -n name field default: 'name'
-c : the chrset of the source (SC header field) default: ascii
-C : always close the underlying socket default: no
-d : done folder default: none
This holds a copy of all incoming data files from every source
The structure is
(done folder) / (date)_(logon) eg 20110921_fip / (filename as written to the
o
utput folder)
It can be purged with an entry in maintenance (zapfiplog)
eg if '-d raw.smtpwire' and we want the last 30 days data
/fip/bin/ipdelque -q/fip/spool/raw.smtpwire -i1 -a30
-D : the name of a DUPLICATE wire where 2 copies of the same
file is required (SD header field). default: none
-E : maximum number of threads default: 1
up to a max of 200 (not Win2k)
Note this is also a hardware limit in that small systems may not be able to
run more than 50 or so
-f : Extra FIP header information default: none
For fixed header info in FIP. eg -f #QA:AA#QB:BASIC
As this flag is normally the last specified, its contents
can be used to overwrite any unique fields such as DU, DP,
SN etc.
-h : hostname/internet address to select default: systemname on boot
for servers with more than one card/address
To specify ALL ipaddresses on this box : '-h +'
-I : id of this instance default: ignored
Where there are several copies of 'smtpwire' running (more relevant for
Win2k)
-j : balance queue for balancing doneque items default: 2balance
-J : balance group for balancing doneque items default: -none- no balancing
This group MUST be in sys/BALANCE
-l : no logging at all default: file
-L : log all connections and files default: no
-n : name of service (same as -z) default: SMTPWIRE
-o : Output folder in /fip/spool default: spool/xsmtp
-O : Name of output format (DF field) default: SMTPWIRE
-P : port number to use default: 25 for plain, 587 if TLS is specified
-r : the name of a DIFFERENT routing table to 'name'
(SR field : used by iproute) default: name
-R : dump all raw data in a dump file in /fip/dump default: no
-s : same as -h
-SSL : Force HTTPS (ie TLS/SSL) default: no
-w : max timeout with no data default: 60 secs
ie between packets. Set to ZERO to disable or 10 (or more) secs
-u : logon for files created if NOT that
which was used to start 'smtpwire' default: same
-V : HTTPS TLS/SSL method to use default: 23 for 2 or 3
-z : Name of the Parameter file in tables/wire default: same as -n
-Z : do NOT archive any incoming files default: archive
-v : Print the version number and exit
It is good practice to test a new or modified smtpwire - if viewable from
outside
Try a tester such as :
https://www.checktls.com/TestReceiver
https://toolbox.googleapps.com/apps/checkmx/
Version Control
;1u2 24sep15 minor cleanups
;b-f 23nov15 added blacklist in /fip/fix (e - allow 0 for range) ;f 16apr18
better TLS plus optional param file
;g-i 18jun18 fipseq + Exchange/QP and spc dot bugette
;j 18dec18 added round-robin and parse outque and -z can be diff to -n (for
parameter file) and better use-tls support
;k-o 19dec18 added save-data-path: and balance-group/-nohdr/-queue and
address-check and allow/disallow and better SSL
;p 30jan19 added address-check-file1-3 ;q 250-STARTTLS ;r minor ;st 3feb21
added extra-fiphdr
;u1-2 26nov21 added speedy on outque where it changes
;0z 23may00 original version
;a 18oct00 added -u plus bugette for MS EXCHG relays
;b-d 15nov00 MSexchg seems to allow multiple Senders !!
- 503 already have sender now ignored
;e 29oct01 WINNT filenames better
;f 21jul03 better handling of to/from names; added DZ
;g-i 26jul03 added -C; added -w; better logging of incoming files
allow multiple incoming files in one connection
;j-p speedy, -I wireId added ;n donque added, parse added ;o added S5
(remaddr) S6 (thsaddr) and S7 (thshost)
;q-s added -B for balance any done queue items
;t 24jun15 started STARTTLS ;u-z bugette - return MUST CRNL
(copyright) 2024 and previous years FingerPost Ltd.