Thursday, November 17, 2011

How to relay outbound email from legacy network devices using Google Mail or Google Apps (gmail) mail servers

Issue:
How to relay outbound email from legacy network devices using Google Mail or Google Apps (gmail) mail servers.

Description:
Google's mail servers require TLS (SSL) encryption and authentication before they will relay mail.

Many legacy network devices, such as Canon, Ricoh, and Toshiba copier/scanner/multifunction devices, do not support authenticated SSL login to an SMTP server.
The following documents a very simple, low-impact solution. By using the open source hMailServer as a Windows-based SMTP relay, companies can switch to Google Apps without losing the ability to scan and email documents directly from their multi-function devices. This solution also works well for automated backup utilities such as SyncBack and BackupExec that send automated reports via plain SMTP.

Solution:
Download hMailServer from http://www.hmailserver.com

Select a machine that will be on and accessible 24/7 from any necessary device on the network.

Perform a standard install. Drive space requirements are minimal, as this system acts strictly as a relay server and only caches undeliverable messages.

Set an admin password for the console and be sure not to lose it, as the admin panel will be accessed very infrequently after successful deployment.

Configure a GMail/Google Apps account for outbound use. Skip to step 6 if you have already done this, otherwise, for Google Apps:

Log in to your Google Apps control panel as an administrator (typically http://google.com/a/yourdomain.com).
Create a dedicated account for outbound scans/reports/etc, such as scans@yourdomain.com and Save.

* Important * Log in to your new account through the Google Apps interface for your domain, as if you were a new user, complete the CAPTCHA verification for the account, and test the inbox functionality.

Log out and note these credentials for the next steps.

Open the Administration console for hMailServer and make the following configuration changes in hMailServer:

[Domains | Add...] Add a new local domain. For example, local.yourdomain.com and Save.

[Domains | local.yourdomain.com | Accounts | Add...] Add a new local account. For example, scans@local.yourdomain.com and Save.

[Settings | Protocols | SMTP | Delivery of e-mail] make the following changes:
[Local host name] = yourserver.yourdomain.com (pretty much irrelevant)
[Remote host name] = smtp.gmail.com
[Remote TCP/IP port] = 465
[Server requires authentication] = Checked
[User name] = scans@yourdomain.com (or yourdomainscans@gmail.com, etc.)
[Password] = <as chosen>
[Use SSL] = Checked
<SAVE>

[Settings | Advanced | IP Ranges] Add...
[Name] = Firewalled subnets
[Priority] = 20
[Lower IP] - [Upper IP] = Inclusive local subnet that includes network devices that need to relay.
[Other]
[Anti-Spam] = Cleared
[Anti-Virus] = Cleared
[Require SMTP Authentication]
[Local to local e-mail addresses] = Cleared
[Local to external e-mail addresses] = Cleared
[External to local e-mail addresses] = Cleared
[External to external e-mail addresses] = Cleared
<SAVE>
<EXIT>

Open the configuration page for your multi-function device or automated system that needs to relay.
Select the IP address (or resolvable host name) of the computer on which you installed hMailServer as the mail server.

If necessary, set the username to scans@yourdomain.com and the password to <as chosen>.
A username and password are not required if the device does not support them.

Send a test e-mail to an external address and verify receipt.
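A small Python self-test for the relay, added here as an example and not part of the original post or of hMailServer itself: it checks that a device's IP falls inside the [Lower IP]-[Upper IP] range configured above, sends a constructed test message to the relay the way a copier or backup job would, and maps the relay's SMTP reply code to the usual misconfigurations. RELAY_HOST and RELAY_PORT are assumed placeholders; replace them with the machine on which hMailServer was installed.

```python
import ipaddress
import smtplib
from email.message import EmailMessage

# Assumed placeholders: the host running hMailServer and its inbound SMTP port.
RELAY_HOST = "hmail.local.yourdomain.com"
RELAY_PORT = 25

def in_relay_range(device_ip, lower_ip, upper_ip):
    """True if device_ip lies inside the inclusive [Lower IP]-[Upper IP] range."""
    ip = ipaddress.ip_address(device_ip)
    return ipaddress.ip_address(lower_ip) <= ip <= ipaddress.ip_address(upper_ip)

def build_test_message(sender, recipient):
    """Constructed test message, shaped like what a device or backup job sends."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "hMailServer relay test"
    msg.set_content("Test message relayed through hMailServer to Google's SMTP servers.")
    return msg

def explain_reply(code):
    """Map the relay's SMTP reply code to the usual cause (codes per RFC 5321/4954)."""
    if code is None:
        return "connection failed: wrong host/port, or a firewall blocks the relay"
    if code in (534, 535):
        return "authentication failed: check the local account name and password"
    if code == 530:
        return "authentication required: device IP is outside the range where it was cleared"
    if code in (550, 554):
        return "relay refused: check the IP range and Require SMTP Authentication settings"
    return f"relay replied {code}: enable SMTP and TCP/IP logging and inspect the log"

def send_test(sender, recipient, username=None, password=None, host=RELAY_HOST, port=RELAY_PORT):
    """Send one message through the relay and describe the outcome."""
    msg = build_test_message(sender, recipient)
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            if username:  # only needed if the device would also authenticate
                smtp.login(username, password)
            smtp.send_message(msg)
    except smtplib.SMTPRecipientsRefused as exc:
        return explain_reply(next(iter(exc.recipients.values()))[0])
    except smtplib.SMTPResponseException as exc:
        return explain_reply(exc.smtp_code)
    except OSError:
        return explain_reply(None)
    return "accepted by relay: now verify receipt at the external address"
```

Run send_test("scans@yourdomain.com", "you@example.com") from a host inside the Firewalled subnets range; a message "accepted by relay" that never arrives points at the outbound (smtp.gmail.com) settings rather than the inbound ones.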

Troubleshooting
If you're having problems getting the relay to work, here are some things to try:
Configure a standard mail client with the local address (scans@local.yourdomain.com) and password, and point it at the hMailServer host.

Send a message to an external address and check the non-delivery report.
Open the Administration console and enable logging as follows:

[Settings | Logging | Enabled] = Checked
[Log | Application] = Checked
[Log | SMTP] = Checked
[Log | TCP/IP] = Checked

<Show Logs>
Send a test e-mail and check the logs. Typical errors include incorrect credentials, or a mistyped port on the outbound relay page.

Notes
This is a VERY INSECURE installation if not firewalled. This server will relay anything sent to it on behalf of your Google email account. It is imperative that it operates only behind a secure firewall, is not reachable from the outside world in any way, and uses strict IP filtering in the IP Ranges settings. Keep in mind that malware that looks for open relays on your local network will be able to forward with impunity through this relay. hMailServer supports many advanced options to minimize this behavior, but that is beyond the scope of this document.
These techniques can be slightly modified to provide relay services through virtually any other ISP or mail service, including Yahoo! Mail, AOL Mail, MSN Mail, ISP Mail, Web Mail, etc. Multiple accounts can also be set up to provide different outbound identities as needed for different devices or applications.
