smtpwire This program sits on the normal mail port - port 25 or port 587 for both plain and TLS/SSL (or sometimes 465 or 2525 are used) - and pretends to be a fully functional mail deamon. It allows ALL mail traffic for a server to be sucked in and treated like an incoming data stream like a wire service. If only a few logons on a particular server are required and NOT all, do NOT use this program but use your favourite *nix email program like 'sendmail' and just add 'sffmail' to the required logons in the '/etc/aliases' file. SMTPWIRE allows NO relays or other dodgy bits - all that is done in other Fip programs downstream (if you really need them of course). If you need outgoings, use 'ipsmtp' and point it - using the -h (hostname) switch - at your in-house email server. To get mail to your system you will need to sweet-talk the mail administrator to replay those logons you are interested in to the host running 'smtpwire'. A small FipHdr is added with date and time fields, sender and receiver logons before the file is passed on - normally to spool/xsmtp for 'ipchkmail' to sort out. The Sender is the FipHdr fields SA and the Receipient the DA FipHdr (and DZ to the no angle brackets-non-domain, stripped version) To install on a Unix box, you will need to take sendmail down first before replacing it (so please do make sure no-one else needs mail on that system !). It is usually started by : On Unix it is the 'sendmail' with the '-bd' switches running : ps -ef | grep sendm root 163 1 0 09:40:22 ? 0:00 /usr/lib/sendmail -bd -q1h On Solaris - /etc/rc2.d/S88sendmail Stop sendmail with 'S88sendmail stop' Then stop it from restarting by renaming this to something NOT starting with 'S99' On Linux - RedHat - /etc/rc.d/rc2.d/S80sendmail Stop sendmail with 'S80sendmail stop' Then stop it from restarting by renaming this to something NOT starting with 'S99' Note that on some flavours of Unix, 'smtpwire' needs to be started by someone with 'root' priviledges if the port number is less than 1024 - which port 25 normally is ! If using Unix/Linux, only one instance of smtpwire should be in the SYSTEM file and the -E 99 switch is used to determine the number of simultaneous inputs. There is an optional parameter file which will be the same as the -z input switch. It can contain any SSL settings : use-tls:yes/no/both The commands are for a ftp running over SSL/TLS on the remote server NOTE - smtpwiressl and NOT smtpwire must be used for SSL/TLS default is NO no - normal, standard SMTP on (normally) port 25 for the control yes - connect (on port 587) and use SSL for all transfers both - connect in plain and if the remote client sends a 'STARTTLS' command, use SSL for all subsequent transfers tls-auth: (XXX) AUTH type for TLS/SSL default: TLS Valid entries are TLS, SSL, TLS-C (whatever that is !) and something starting 'X-' which will be something homegrown ! NOTE that for all versions of SSL the method string is "SSL" (this string is case sensitive according to the RFC) eg tls-auth:SSL ssl-method: tls tls1 tls1.1 tls1.2 sslv2 sslv3 sslv2and3 Version number to use for TLS/SSL default: 999 for current default (2 or 3) (only the digits are significant, so add other text to make it readable) For 'modern' connection, pls do NOT use sslv2 ! as it is deemed insecure If default it will check the available list and pick the highest. The default is currently 23 which on a modern server is sslv3 and tls1_2 !) ssl-password: (password) ssl-passwd: (password) default: none Optional password if the handshake requires a shared secret ssl-cert: (name of a PEM certificate file) default: none ssl-root-cert: (name of a root PEM certificate file) defaunt: none Optional certificates - held in tables/ssl ssl-verify: yes/no verify certificates default: yes ssl-ciphers: (list) acceptable ciphers (use 'openssl ciphers' to list) default: "HIGH:!aNULL:!kRSA:!SRP:!PSK:!CAMELLIA:!RC4:!MD5:!DSS" ssl-display: yes/no display SSL connection details default: no round-robin: (number) default: none round-robin-fiphdr: (2 letter FipHdr field) default: none Round-Robin the output files and add the RR number to the fipHdr. Both parameters are required - the Number is the MAXimum. eg to leave the output in folder1 to folder9 round-robin:9 round-robin-fiphdr:RR and a suitable output folder might be outque:xchg\RR (when testing, rember to add an extra '\' for the shell if using input switch outque : -o xchg\\RR) Note that the round-robin number is NOT added automatically to any output folder - ie you MUST specify a FipHdr as in /fip/spool/2xml\RR output-queue: (full pathname or folder under /fip/spool) default: xsmtp (under /fip/spool) This is the same as the -o input switch This can be in fipseq and use the round-robin fiphdr : output-queue:avcheck\RR doneque: (full pathname in FipSeq) default: none This is the same as the -d input switch extra-fiphdr: (FipHdr fields in FipSeq) Add this to the FipHdr of each incoming file. default: none save-data-path: (pathname for data) This puts the data of the incoming data in a file in this folder and creates a FipHdr file that contains 2 FipHdrs containing the full path/filename SX: and FTP_EXTERNAL_FILE: (ipbalan uses SX and ipftp uses FTP_EXTERNAL_FILE) eq save-data-path:/fip/data/jpegs/\$e\$y\$i\$d/ Use this for big files that you do not want to copy around the Fip Spool area. balance-group; (Balance Group name) Balance group for balancing doneque balance-group-nohdr; (Balance Group name) Balance group for balancing doneque default: none / no balancing This is the same as the -J input switch This group MUST be in sys/BALANCE balance-folder: (folder under spool) Balance queue for balancing doneque This is the same as the -j input switch default: 2balance helo-host: (hostname in banner when remote connects) ehlo-host: (hostname in banner when remote connects) For bonefide systems this could be 'mail.(domainname)' or the actual hostname/FQDN default is notfip-(IPaddress in hex) allow: (IPaddress to allow) disallow: (IPaddress to block) use this for blacklist/whitelist certain addresses A zero '0' or '*' (star) can be used to indicate ALL eg 10.3.3.* or 10.3.3.0 disable-limit: (number) number of bad RCPT TO errors before IP address is blacklisted default: 30 unsuccessful attempts address-check-file: (filename) No default address-check-file1: (filename) No default address-check-file2: (filename) No default address-check-file3: (filename) No default the file must be in (E/D) (sep) email address (sep) (other info ...) NL or CR NL eg E|dot@fingerpost.co.uk|#AB:other information for other Fip Programs Check the incoming email address against a standing file of addresses. If it fails, the file is ONLY written to the doneque (if there is one) - the sender gets no indication. It also allows some flexibilty to merge schemes - perhaps unix logon and a further 'psuedo' list. The default - without any checks at all - is to allow any email address and assumes you will validated at a later Fip stage There can be 4 different address-checks files address-check-sep: (separator in FipSeq) Field sep in the check file default: colon '|' address-check-valid: (fiphdr info in fipseq) Extra FipHdr added to incoming files with VALID logons address-check-invalid: (fiphdr info in fipseq) Extra FipHdr added to incoming files with INvalid logons address-check-logon-fiphdr: (2 letter fiphdr in fipseq) The checks are done as exch RCPT is specified by the remote - it is temporarily in FipHdr field E1 This is Z field but can be modified using FipSeq to a different value replace:QZ E1 holidays.com=allwork.com address-check-logon-fiphdr:QZ Input Parameters : All Optional : -A : name of the archive file if not the -n name field default: 'name' -c : the chrset of the source (SC header field) default: ascii -C : always close the underlying socket default: no -d : done folder default: none This holds a copy of all incoming data files from every source The structure is (done folder) / (date)_(logon) eg 20110921_fip / (filename as written to the o utput folder) It can be purged with an entry in maintenance (zapfiplog) eg if '-d raw.smtpwire' and we want the last 30 days data /fip/bin/ipdelque -q/fip/spool/raw.smtpwire -i1 -a30 -D : the name of a DUPLICATE wire where 2 copies of the same file is required (SD header field). default: none -E : maximum number of threads default: 1 up to a max of 200 (not Win2k) Note this is also a hardware limit in that small systems may not be able to run more than 50 or so -f : Extra FIP header information default: none For fixed header info in FIP. eg -f #QA:AA#QB:BASIC As this flag is normally the last specified, its contents can be used to overwrite any unique fields such as DU, DP, SN etc. -h : hostname/internet address to select default: systemname on boot for servers with more than one card/address To specify ALL ipaddresses on this box : '-h +' -I : id of this instance default: ignored Where there are several copies of 'smtpwire' running (more relevant for Win2k) -j : balance queue for balancing doneque items default: 2balance -J : balance group for balancing doneque items default: -none- no balancing This group MUST be in sys/BALANCE -l : no logging at all default: file -L : log all connections and files default: no -n : name of service (same as -z) default: SMTPWIRE -o : Output folder in /fip/spool default: spool/xsmtp -O : Name of output format (DF field) default: SMTPWIRE -P : port number to use default: 25 for plain, 587 if TLS is specified -r : the name of a DIFFERENT routing table to 'name' (SR field : used by iproute) default: name -R : dump all raw data in a dump file in /fip/dump default: no -s : same as -h -SSL : Force HTTPS (ie TLS/SSL) default: no -w : max timeout with no data default: 60 secs ie between packets. Set to ZERO to disable or 10 (or more) secs -u : logon for files created if NOT that which was used to start 'smtpwire' default: same -V : HTTPS TLS/SSL method to use default: 23 for 2 or 3 -z : Name of the Parameter file in tables/wire default: same as -n -Z : do NOT archive any incoming files default: archive -v : Print the version number and exit It is good practice to test a new or modified smtpwire - if viewable from outside Try a tester such as : https://www.checktls.com/TestReceiver https://toolbox.googleapps.com/apps/checkmx/ openssl s_client -connect www.fip-comet.co.uk:25 -starttls smtp Version Control ;1u4 24sep15 minor cleanups ;b-f 23nov15 added blacklist in /fip/fix (e - allow 0 for range) ;f 16apr18 better TLS plus optional param file ;g-i 18jun18 fipseq + Exchange/QP and spc dot bugette ;j 18dec18 added round-robin and parse outque and -z can be diff to -n (for parameter file) and better use-tls support ;k-o 19dec18 added save-data-path: and balance-group/-nohdr/-queue and address-check and allow/disallow and better SSL ;p 30jan19 added address-check-file1-3 ;q 250-STARTTLS ;r minor ;st 3feb21 added extra-fiphdr ;u1-4 26nov21 added speedy on outque where it changes ;u4 fipSSLtimeout ;0z 23may00 original version ;a 18oct00 added -u plus bugette for MS EXCHG relays ;b-d 15nov00 MSexchg seems to allow multiple Senders !! - 503 already have sender now ignored ;e 29oct01 WINNT filenames better ;f 21jul03 better handling of to/from names; added DZ ;g-i 26jul03 added -C; added -w; better logging of incoming files allow multiple incoming files in one connection ;j-p speedy, -I wireId added ;n donque added, parse added ;o added S5 (remaddr) S6 (thsaddr) and S7 (thshost) ;q-s added -B for balance any done queue items ;t 24jun15 started STARTTLS ;u-z bugette - return MUST CRNL (copyright) 2024 and previous years FingerPost Ltd.