smtpwire

This program sits on the normal mail port - port 25, or port 587 for both plain
and TLS/SSL (465 or 2525 are sometimes used) - and pretends to be a fully
functional mail daemon.

It allows ALL mail traffic for a server to be sucked in and treated as an
incoming data stream, like a wire service.

If only a few logons on a particular server are required and NOT all, do NOT
use this program but use your favourite *nix email program like 'sendmail' and
just add 'sffmail' to the required logons in the '/etc/aliases' file.

SMTPWIRE allows NO relays or other dodgy bits - all that is done in other Fip
programs downstream (if you really need them of course).

If you need outgoings, use 'ipsmtp' and point it - using the -h (hostname)
switch - at your in-house email server.

To get mail to your system you will need to sweet-talk the mail administrator
into relaying those logons you are interested in to the host running 'smtpwire'.

A small FipHdr is added with date and time fields, sender and receiver logons
before the file is passed on - normally to spool/xsmtp for 'ipchkmail' to sort
out.

The sender is put in FipHdr field SA and the recipient in DA (with DZ holding
the stripped version: no angle brackets and no domain).

To install on a Unix box, you will need to take sendmail down first before
replacing it (so please do make sure no-one else needs mail on that system !).

It is usually started by :
    On Unix it is 'sendmail' running with the '-bd' switches :
    ps -ef | grep sendm
    root   163  1  0 09:40:22 ? 0:00 /usr/lib/sendmail -bd -q1h

    On Solaris - /etc/rc2.d/S88sendmail
        Stop sendmail with 'S88sendmail stop'
        Then stop it from restarting by renaming this to something NOT starting
        with 'S99'
    On Linux - RedHat - /etc/rc.d/rc2.d/S80sendmail
        Stop sendmail with 'S80sendmail stop'
        Then stop it from restarting by renaming this to something NOT starting
        with 'S99'

Note that on some flavours of Unix, 'smtpwire' needs to be started by someone
with 'root' privileges if the port number is less than 1024 - which port 25
normally is !

If using Unix/Linux, only one instance of smtpwire should be in the SYSTEM file
and the -E 99 switch is used to determine the number of simultaneous inputs.

There is an optional parameter file, named by the -z input switch.
It can contain any SSL settings :
    use-tls:yes/no/both
        Controls whether the session with the remote client runs over SSL/TLS
        NOTE - smtpwiressl and NOT smtpwire must be used for SSL/TLS
        default is NO
        no  - normal, standard SMTP on (normally) port 25 for the control
        yes - connect (on port 587) and use SSL for all transfers
        both - connect in plain and if the remote client sends a 'STARTTLS'
        command, use SSL for all subsequent transfers
    tls-auth: (XXX)
        AUTH type for TLS/SSL       default: TLS
        Valid entries are TLS, SSL, TLS-C (whatever that is !) and something
        starting 'X-' which will be something homegrown !
        NOTE that for all versions of SSL the method string is "SSL" (this
        string is case sensitive according to the RFC)
        eg tls-auth:SSL

    ssl-method: tls tls1 tls1.1 tls1.2 sslv2 sslv3 sslv2and3
        Version number to use for TLS/SSL       default: 999 for current default (2 or 3)
        (only the digits are significant, so add other text to make it readable)
        For a 'modern' connection, please do NOT use sslv2, as it is deemed insecure
        If default, it will check the available list and pick the highest.
        (The default is currently 23, which on a modern server is sslv3 and tls1_2 !)
    ssl-password: (password)
    ssl-passwd: (password)                  default: none
        Optional password if the handshake requires a shared secret
    ssl-cert: (name of a PEM certificate file)      default: none
    ssl-root-cert: (name of a root PEM certificate file)    default: none
        Optional certificates - held in tables/ssl
    ssl-verify: yes/no  verify certificates     default: yes
    ssl-ciphers: (list) acceptable ciphers
        (use 'openssl ciphers' to list)
        default:  "HIGH:!aNULL:!kRSA:!SRP:!PSK:!CAMELLIA:!RC4:!MD5:!DSS"
    ssl-display: yes/no     display SSL connection details  default: no

    round-robin: (number)               default: none
    round-robin-fiphdr: (2 letter FipHdr field) default: none
        Round-Robin the output files and add the RR number to the FipHdr.
        Both parameters are required - the Number is the MAXimum.
        eg to leave the output in folder1 to folder9
            round-robin:9
            round-robin-fiphdr:RR
        and a suitable output folder might be   outque:xchg\RR
            (when testing, remember to add an extra '\' for the shell if using
            the input switch outque : -o xchg\\RR)
        Note that the round-robin number is NOT added automatically to any output
        folder - ie you MUST specify a FipHdr as in /fip/spool/2xml\RR

    output-queue: (full pathname or folder under /fip/spool)
        default: xsmtp (under /fip/spool)
        This is the same as the -o input switch
        This can be in FipSeq and use the round-robin FipHdr :
        output-queue:avcheck\RR
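The FipHdr and round-robin handling described above, as an added Python model that is not smtpwire's own code: it builds the per-message header (SA and DA from the SMTP envelope, DZ as the recipient with angle brackets and domain stripped), adds the round-robin number under the field named by round-robin-fiphdr:, and expands a FipSeq output queue such as xchg\RR. The date/time field names (YD, YT), the exact DZ stripping rule and the #XX:value rendering (borrowed from the -f switch example) are assumptions about the real format.

```python
# Added example, not smtpwire's own code: per-message FipHdr plus round-robin
# output queue expansion. Field names other than SA, DA, DZ and RR, and the
# #XX:value rendering, are assumptions.
from __future__ import annotations

import re
from datetime import datetime

# \XX in FipSeq: a backslash followed by a two-character FipHdr field name
FIPSEQ_FIELD = re.compile(r"\\([A-Za-z0-9]{2})")


def strip_address(envelope: str) -> str:
    """'<dot@fingerpost.co.uk>' -> 'dot@fingerpost.co.uk' (no angle brackets)."""
    return envelope.strip().strip("<>")


def local_part(address: str) -> str:
    """DZ: the address without brackets and without its domain: 'dot'."""
    return address.split("@", 1)[0]


class RoundRobin:
    """Cycles 1..maximum, as round-robin:(number) describes (number is the MAX)."""

    def __init__(self, maximum: int):
        if maximum < 1:
            raise ValueError("round-robin maximum must be at least 1")
        self.maximum = maximum
        self._next = 1

    def next(self) -> int:
        n = self._next
        self._next = 1 if n >= self.maximum else n + 1
        return n


def build_fiphdr(mail_from: str, rcpt_to: str, rr: int | None = None,
                 rr_field: str = "RR", when: datetime | None = None) -> dict[str, str]:
    """FipHdr for one incoming mail: SA, DA, DZ, date/time and an optional RR."""
    when = when or datetime.now()
    sa, da = strip_address(mail_from), strip_address(rcpt_to)
    hdr = {
        "SA": sa,
        "DA": da,
        "DZ": local_part(da),
        "YD": when.strftime("%Y%m%d"),  # assumed field name for the date
        "YT": when.strftime("%H%M%S"),  # assumed field name for the time
    }
    if rr is not None:
        hdr[rr_field] = str(rr)
    return hdr


def expand_fipseq(template: str, hdr: dict[str, str]) -> str:
    """Replace every \\XX with FipHdr field XX; a missing field expands to ''."""
    return FIPSEQ_FIELD.sub(lambda m: hdr.get(m.group(1), ""), template)


def render_fiphdr(hdr: dict[str, str]) -> str:
    """Render fields in the #XX:value notation the -f switch example uses."""
    return "".join(f"#{k}:{v}" for k, v in hdr.items())


if __name__ == "__main__":
    rr = RoundRobin(9)
    for mail_from, rcpt_to in [("<bob@example.com>", "<dot@fingerpost.co.uk>")] * 10:
        hdr = build_fiphdr(mail_from, rcpt_to, rr.next())
        print(expand_fipseq("/fip/spool/2xml\\RR", hdr), render_fiphdr(hdr))
```

Running the block shows the counter wrapping from 9 back to 1 on the tenth message, and an output queue written with an unknown field (say avcheck\QQ) silently collapsing to "avcheck", which is why the page insists that both round-robin parameters are set together.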

    doneque: (full pathname in FipSeq)      default: none
        This is the same as the -d input switch
    extra-fiphdr: (FipHdr fields in FipSeq)     default: none
        Add this to the FipHdr of each incoming file.

    save-data-path: (pathname for data)
        This writes the incoming data to a file in this folder and creates a
        FipHdr file containing 2 FipHdr fields with the full path/filename
            SX: and FTP_EXTERNAL_FILE:
        (ipbalan uses SX and ipftp uses FTP_EXTERNAL_FILE)
            eg  save-data-path:/fip/data/jpegs/\$e\$y\$i\$d/
        Use this for big files that you do not want to copy around the Fip Spool
        area.
    balance-group: (Balance Group name) Balance group for balancing doneque
    balance-group-nohdr: (Balance Group name) Balance group for balancing doneque
        default: none / no balancing
        This is the same as the -J input switch
        This group MUST be in sys/BALANCE
    balance-folder: (folder under spool) Balance queue for balancing doneque
        This is the same as the -j input switch
        default: 2balance

    helo-host: (hostname in banner when remote connects)
    ehlo-host: (hostname in banner when remote connects)
        For bona fide systems this could be 'mail.(domainname)' or the actual
        hostname/FQDN
        default is notfip-(IPaddress in hex)
    allow: (IPaddress to allow)
    disallow: (IPaddress to block)
        use these to blacklist/whitelist particular addresses
        A zero '0' or '*' (star) can be used to indicate ALL    eg 10.3.3.* or 10.3.3.0
    disable-limit: (number)
        number of bad RCPT TO errors before IP address is blacklisted
        default: 30 unsuccessful attempts
    address-check-file: (filename)        No default
    address-check-file1: (filename)       No default
    address-check-file2: (filename)       No default
    address-check-file3: (filename)       No default
        the file must be in (E/D) (sep) email address (sep) (other info ...) NL
        or CR NL
        eg  E|dot@fingerpost.co.uk|#AB:other information for other Fip Programs
        Check the incoming email address against a standing file of addresses.
        If it fails, the file is ONLY written to the doneque (if there is one) -
        the sender gets no indication.
        It also allows some flexibility to merge schemes - perhaps unix logon and
        a further 'pseudo' list.
        The default - without any checks at all - is to allow any email address
        and assumes you will validate at a later Fip stage
        There can be 4 different address-check files
    address-check-sep: (separator in FipSeq)    Field sep in the check file
        default: bar '|'
    address-check-valid: (fiphdr info in fipseq)    Extra FipHdr added to
        incoming files with VALID logons
    address-check-invalid: (fiphdr info in fipseq)  Extra FipHdr added to
        incoming files with INvalid logons
    address-check-logon-fiphdr: (2 letter fiphdr in fipseq)
        The checks are done as each RCPT is specified by the remote - it is
        temporarily in FipHdr field E1
        This is the Z field but can be modified using FipSeq to a different value
        replace:QZ  E1  holidays.com=allwork.com
        address-check-logon-fiphdr:QZ
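The inbound checks described in this part of the parameter file (allow:/disallow: with '0' or '*' wildcards, the address-check file with its separator, disable-limit, and the rule that a failed address goes ONLY to the doneque), as an added Python model that is not smtpwire's own code. Assumptions: disallow: is tested before allow:, an empty allow: list means no restriction, and the check file below is constructed (its first line is the page's own example).

```python
# Added example, not smtpwire's own code: a model of the allow/disallow,
# address-check-file, disable-limit and doneque-only routing rules.
from __future__ import annotations

from collections import Counter


def ip_matches(pattern: str, addr: str) -> bool:
    """True if addr matches pattern; an octet of '0' or '*' matches anything."""
    p, a = pattern.split("."), addr.split(".")
    if len(p) != 4 or len(a) != 4:
        return False
    return all(po in ("0", "*") or po == ao for po, ao in zip(p, a))


def ip_allowed(addr: str, allow: list[str], disallow: list[str]) -> bool:
    """Assumed order: disallow: wins; with no allow: entries everyone else is let in."""
    if any(ip_matches(pat, addr) for pat in disallow):
        return False
    if allow:
        return any(ip_matches(pat, addr) for pat in allow)
    return True


def load_address_check(text: str, sep: str = "|") -> dict[str, tuple[bool, str]]:
    """Parse (E/D)(sep)(email)(sep)(other info) lines; NL or CR NL line ends.

    E enables the address, D disables it; the third field is kept so it can be
    added to the FipHdr for downstream Fip programs."""
    table = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        parts = line.split(sep, 2)
        if len(parts) < 2:
            continue  # malformed line: skip it rather than accept anything
        flag, email = parts[0].strip().upper(), parts[1].strip().lower()
        extra = parts[2] if len(parts) == 3 else ""
        table[email] = (flag == "E", extra)
    return table


def check_rcpt(rcpt: str, table: dict[str, tuple[bool, str]]) -> tuple[bool, str]:
    """(valid, extra info) for one RCPT TO address; angle brackets are ignored.

    With no check file configured at all every address is valid, which is the
    documented default."""
    if not table:
        return True, ""
    addr = rcpt.strip().strip("<>").lower()
    return table.get(addr, (False, ""))


class RcptFailures:
    """Counts bad RCPT TO per client IP; blacklists at disable-limit (default 30)."""

    def __init__(self, disable_limit: int = 30):
        self.limit = disable_limit
        self.bad = Counter()
        self.blacklist = set()

    def record_bad(self, addr: str) -> bool:
        """Record one failure; returns True once addr is blacklisted."""
        self.bad[addr] += 1
        if self.bad[addr] >= self.limit:
            self.blacklist.add(addr)
        return addr in self.blacklist


def route_message(valid: bool, outque: str, doneque: str | None) -> list[str]:
    """Queues a message is written to: valid -> outque (plus doneque if set);
    invalid -> doneque ONLY, so the sender sees no difference."""
    if valid:
        return [outque] + ([doneque] if doneque else [])
    return [doneque] if doneque else []


# Constructed check file; the first line is the example from the page.
CHECK_FILE = (
    "E|dot@fingerpost.co.uk|#AB:other information for other Fip Programs\n"
    "D|old@fingerpost.co.uk|#AB:account closed\r\n"
)
TABLE = load_address_check(CHECK_FILE, "|")

if __name__ == "__main__":
    print(ip_allowed("10.3.3.17", [], ["10.3.3.*"]))      # False: blocked
    print(check_rcpt("<dot@fingerpost.co.uk>", TABLE))     # (True, '#AB:...')
    print(route_message(False, "xsmtp", "raw.smtpwire"))   # ['raw.smtpwire']
```

Note that with no doneque configured an invalid address produces no file at all, so if you rely on the address check you will want a -d folder to see what was rejected.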

Input Parameters :
All Optional :
    -A : name of the archive file if not the -n name field  default: 'name'
    -c : the chrset of the source (SC header field)     default: ascii
    -C : always close the underlying socket         default: no
    -d : done folder                    default: none
        This holds a copy of all incoming data files from every source
        The structure is
            (done folder) / (date)_(logon) eg 20110921_fip / (filename as written
            to the output folder)
        It can be purged with an entry in maintenance (zapfiplog)
        eg if '-d raw.smtpwire' and we want the last 30 days data
            /fip/bin/ipdelque -q/fip/spool/raw.smtpwire -i1 -a30
    -D : the name of a DUPLICATE wire where 2 copies of the same
        file is required (SD header field).     default: none
    -E : maximum number of threads              default: 1
        up to a max of 200 (not Win2k)
        Note this is also a hardware limit in that small systems may not be able
        to run more than 50 or so
    -f : Extra FIP header information           default: none
        For fixed header info in FIP. eg -f #QA:AA#QB:BASIC
        As this flag is normally the last specified, its contents
        can be used to overwrite any unique fields such as DU, DP,
        SN etc.
    -h : hostname/internet address to select        default: systemname on boot
        for servers with more than one card/address
        To specify ALL ipaddresses on this box : '-h +'
    -I : id of this instance                default: ignored
        Where there are several copies of 'smtpwire' running (more relevant for
        Win2k)
    -j : balance queue for balancing doneque items    default: 2balance
    -J : balance group for balancing doneque items    default: -none- no balancing
        This group MUST be in sys/BALANCE
    -l : no logging at all                  default: file
    -L : log all connections and files          default: no
    -n : name of service (same as -z)           default: SMTPWIRE
    -o : Output folder in /fip/spool            default: spool/xsmtp
    -O : Name of output format (DF field)           default: SMTPWIRE
    -P : port number to use                 default: 25 for plain, 587 if TLS is specified
    -r : the name of a DIFFERENT routing table to 'name'
        (SR field : used by iproute)            default: name
    -R : dump all raw data in a dump file in /fip/dump  default: no
    -s : same as -h
    -SSL : Force TLS/SSL                 default: no
    -w : max timeout with no data               default: 60 secs
        ie between packets. Set to ZERO to disable or 10 (or more) secs
    -u : logon for files created if NOT that
        which was used to start 'smtpwire'      default: same
    -V : TLS/SSL method to use              default: 23 for 2 or 3
    -z : Name of the Parameter file in tables/wire      default: same as -n
    -Z : do NOT archive any incoming files          default: archive
    -v : Print the version number and exit

It is good practice to test a new or modified smtpwire - if viewable from
outside.
Try a tester such as :
    https://www.checktls.com/TestReceiver
    https://toolbox.googleapps.com/apps/checkmx/

    openssl s_client -connect www.fip-comet.co.uk:25 -starttls smtp
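An offline version of the check those testers perform, as an added example that is not part of smtpwire or of the tools listed above: it reads the banner, sends EHLO and reports whether 250-STARTTLS is advertised, so you can confirm your own server offers TLS before relying on use-tls:both. It works over file-like objects and is exercised here against constructed server transcripts; check_host() wraps the same logic around a real socket. Two details from the version notes are enforced: every reply line MUST end in CR NL, and an EHLO reply is multi-line ('250-' continues, '250 ' ends it).

```python
# Added example, not smtpwire's own code: SMTP reply parser and STARTTLS
# check, run offline against constructed transcripts.
from __future__ import annotations

import io
import socket


def read_reply(rfile) -> tuple[int, list[str]]:
    """Read one possibly multi-line SMTP reply; returns (code, text lines)."""
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw.endswith(b"\r\n"):
            raise ValueError(f"reply line not CR NL terminated: {raw!r}")
        line = raw[:-2].decode("ascii", "replace")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        lines.append(line[4:])
        # a space (or nothing) after the code ends the reply; '-' continues it
        if len(line) == 3 or line[3] == " ":
            return code, lines


def check_starttls(rfile, wfile, helo_name: str = "tester.example") -> dict:
    """Banner -> EHLO -> extension list; reports whether STARTTLS is offered."""
    code, _banner = read_reply(rfile)
    if code != 220:
        return {"banner": code, "ehlo": None, "starttls": False, "extensions": []}
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    wfile.flush()
    code, lines = read_reply(rfile)
    # the first line is the server's own name; the rest are extension keywords
    exts = [ln.split()[0].upper() for ln in lines[1:] if ln.split()]
    return {"banner": 220, "ehlo": code, "starttls": "STARTTLS" in exts,
            "extensions": exts}


def check_host(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Run the check against a live server you administer (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            result = check_starttls(rfile, wfile)
            wfile.write(b"QUIT\r\n")
            wfile.flush()
    return result


# Constructed server transcripts (what the client would read back).
SERVER_STARTTLS = (b"220 mail.example.com ESMTP\r\n"
                   b"250-mail.example.com\r\n"
                   b"250-SIZE 20480000\r\n"
                   b"250-STARTTLS\r\n"
                   b"250 8BITMIME\r\n")
SERVER_PLAIN = (b"220 mail.example.com ESMTP\r\n"
                b"250-mail.example.com\r\n"
                b"250 8BITMIME\r\n")
SERVER_BARE_LF = b"220 mail.example.com ESMTP\n"  # wrong line ending


def run_offline(transcript: bytes) -> dict:
    """Feed a canned transcript through check_starttls without a network."""
    return check_starttls(io.BytesIO(transcript), io.BytesIO())


if __name__ == "__main__":
    print(run_offline(SERVER_STARTTLS))   # starttls True
    print(run_offline(SERVER_PLAIN))      # starttls False
```

A server that answers with a bare LF is rejected outright rather than silently accepted, which mirrors the ';u-z bugette - return MUST CRNL' note in the version history: a client that tolerates the wrong line ending hides a server bug that stricter peers will refuse.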

Version Control
;1u4    24sep15 minor cleanups
    ;b-f 23nov15 added blacklist in /fip/fix (e - allow 0 for range)
    ;f 16apr18 better TLS plus optional param file
    ;g-i 18jun18 fipseq + Exchange/QP and spc dot bugette
    ;j 18dec18 added round-robin and parse outque and -z can be diff to -n (for parameter file) and better use-tls support
    ;k-o 19dec18 added save-data-path: and balance-group/-nohdr/-queue and address-check and allow/disallow and better SSL
    ;p 30jan19 added address-check-file1-3
    ;q 250-STARTTLS
    ;r minor
    ;st 3feb21 added extra-fiphdr
    ;u1-4 26nov21 added speedy on outque where it changes
    ;u4 fipSSLtimeout
;0z 23may00 original version
    ;a 18oct00 added -u plus bugette for MS EXCHG relays
    ;b-d 15nov00 MSexchg seems to allow multiple Senders !! - 503 already have sender now ignored
    ;e 29oct01 WINNT filenames better
    ;f 21jul03 better handling of to/from names; added DZ
    ;g-i 26jul03 added -C; added -w; better logging of incoming files; allow multiple incoming files in one connection
    ;j-p speedy, -I wireId added
    ;n doneque added, parse added
    ;o added S5 (remaddr) S6 (thsaddr) and S7 (thshost)
    ;q-s added -B for balance any done queue items
    ;t 24jun15 started STARTTLS
    ;u-z bugette - return MUST CRNL

(copyright) 2024 and previous years FingerPost Ltd.