1839262 Members
10112 Online
110137 Solutions
New Discussion

Re: SMTP Route Through

 
RF Thomas
Frequent Advisor

SMTP Route Through

All of our users need to send emails through our corporate SMTP server that is an IA64 OpenVMS system from their home computers.

We have set-up Good-Clients and placed node names/IP addresses into this list. The problem is that most ISP's do not set-up statis addresses or node names, so when these change the SMTP.CONFIG file must be edited to reflect the changes.

Does anyone have a better solution? Each user does have a unique VMS acocunt, but the SMTP server does not appear to utilize this for route through traffic.
15 REPLIES 15
Hoff
Honored Contributor

Re: SMTP Route Through

VPN or ssh into the box. This could be directly, or via an outboard firewall / VPN router? By raising a direct tunnel (and setting the client up to use it for all traffic), everything goes in and out via your mail server, too.

The TCP/IP Services package is comparatively limited in its support for modern SMTP-related features and mechanisms; I'd investigate one of the third-party IP stacks, or an alternative mail server.
RF Thomas
Frequent Advisor

Re: SMTP Route Through

To change the TCP/IP stack is not a viable option for us. The VPN/SSH also is not a desireable option.

I omitted part of the "puzzle", we travel all over the world and many times are connecting through customer networks. The allowable protocols can be very restricted.

We have installed a web based mail server on the OpenVMS system, but web based mail message creation has limited functionality and does not integrate well with OUTLOOK.
Hoff
Honored Contributor

Re: SMTP Route Through

AFAIK, this case is basically deadlocked between policy restrictions and product limitations, then.

Here, I'd start to investigate alternatives to the SMTP server you're using, and I'd certainly suggest you make your product requirements known to HP here. This given that the current configuration is not meeting your requirements here, nor was your previous quest for spamassassin or analogous apparently fruitful. One of the other common pieces of this - ClamAV - is around as an add-on, however.

If you can't use a VPN or tunnel, then Gmail or other such (directly or as a route-through) might be an option, and HP often helps its customers move to Microsoft Exchange server, for instance. OpenVMS Engineering has featured the Quintara SecureServer product, and the Process IP stacks are certainly in wide use on OpenVMS.

Yes, I know, (still) not the answer you wanted... Sorry.
RF Thomas
Frequent Advisor

Re: SMTP Route Through

Thanks for the helpful responses. We would prefer to avoid MICROSOFT Exchange.

We'll have to start looking more closely at LINUX.
Willem Grooters
Honored Contributor

Re: SMTP Route Through

Have you looked at Communigate-pro (http://www.communigate.com/). As far as I tested it (some years ago), it runs as "Exchange on OpenVMS", so it may well fit your needs.
Willem Grooters
OpenVMS Developer & System Manager
Wim Van den Wyngaert
Honored Contributor

Re: SMTP Route Through

You could use putty (free) to tell the server in a secure way (SSH) which IP address the PC has. And then modify the SMTP config. And have some kind of timeout system to remove them again (or reset it at midnight). Of course this would require an extra action at boot or a click of the user.

fwiw

Wim
Wim
Willem Grooters
Honored Contributor

Re: SMTP Route Through

[quote]
Of course this would require an extra action at boot or a click of the user.
[/quote]
Not just that. You'll have to restart SMTP.
Willem Grooters
OpenVMS Developer & System Manager
Hoff
Honored Contributor

Re: SMTP Route Through

If I'm going to ssh or VPN into the network, I'm going to ssh or VPN into the firewall, and connect from there through to the server. This gives me a LAN-based IP address, among other benefits.

I regularly use these tools to connect from the local Mac OS X client boxes through onto various OpenVMS boxes and onto other server boxes. These approaches can also permit DECwindows X connections and displays sent back from OpenVMS out onto the Mac client, for instance.

If you're interested in discussing a particular implementation of this approach, contact me off-line.
RF Thomas
Frequent Advisor

Re: SMTP Route Through

We are probably mistaken in many aspects, but the following is our understanding with respect to the various responses:

1) CommunigatePRO does not seem to support OpenVMS, at least it is not mentioned as a supported system.
2) To obtain IP addresses, our users log onto the VMS server using a telnet client. They then enter $SHOW TERM and the IP address is displayed. This is then added to the Good-Clients list. We probably should automate such using a script on the PC's and a DCL command file on the VMS mail server. Maybe using PHP and APACHE?
3) SMTP does not need to be restarted when changes are made to the SMTP.CONFIG file that impact GOOD_CLIENTS. The changes are picked-up "on the fly".
4) We will look into VPN through our firewall router. As I understand VPN, each connection is a unique network, so each PC would have to map to a unique network, I suppose that the network masks could be set to minimize the number of nodes possible in each network. Since almost all of our users connect via NAT (and our router utilizes NAT), the VPN functionality needs to be in the firewall/router, or special software is required on both sides. Additionally we will have ensure that out firewall supports a large enough number of VPN's.
5) We have attempted to use X-Windows through VPN's. Unless one has local high performance connections the performance was unacceptable. To get reasonable performance LBX (Low bandwidth X) needs to be installed. HP has a kit for this for VMS. We did not have enough resources (time) to get things working acceptably.
Andy Bustamante
Honored Contributor

Re: SMTP Route Through


A few random thoughts

4) Each VPN connection can be either client to your network (software client to firewall/vpn specialty device) or LAN to LAN (firewall to firewall, VPN device to VPN device). Cisco has some very nice options or
there are open source utilities avialable.

5) It depends. I've used X-Windows over 128 k point to point circuit with excellent results. Not sure that a modem connection would support the same. What does "local high performance" mean to you?

Most sites I'm aware of have moved to insisting on VPN connections or allowing limited access from known network addresses.

Andy
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
Hoff
Honored Contributor

Re: SMTP Route Through

Most of (all of?) the pain here is due to the need to hack around comparative weaknesses in the local SMTP server package. Replace that, and I'd expect your experiences will improve.

Here's some HP OpenVMS information on the Communigate Pro package:
http://h71000.www7.hp.com/solutions/mail.html

Information from Stalker:
http://site.stalker.com/news/c-news_article_01252005.html

I'm running a VPN and a firewall that gives me an IP address on the target LAN, analogous to what a DHCP server provides for a secured WiFi connection onto a LAN. Viewed from the perspective of the local network services, the box looks like it's on the LAN.

Typical telnet exposes the username and password credentials in cleartext over the link. ssh is better here.

There are reasonable and inexpensive VPN-capable firewall options available, as well as the commercial offerings across a range of prices.

I can't speak for the current Microsoft Windows clients and options available here as I've migrated off that platform. I do know that there's been a cottage industry in making Windows VPNs easier to use, and I expect there are some reasonable choices available now and Windows Vista or the recently-announced Windows 7 beta may well have improvements in the base OS. Linux on any of the typical HP client boxes also has full VPN capabilities, as does Mac OS X. Any of these client platforms becomes yet easier to deal with when you own the target firewall, too.

And most any remote graphical-based solution based on X or ARD or RDP or VNC does require network bandwidth, yes.
Willem Grooters
Honored Contributor

Re: SMTP Route Through

[quote]
CommunigatePRO does not seem to support OpenVMS, at least it is not mentioned as a supported system
[/quote]

The main pages indeed don't mention OpenVMS as a supported system. However, AFAIK the software is avaialble AND SUPPORTED on OpenVMS. I asked for confirmation.
Willem Grooters
OpenVMS Developer & System Manager
RF Thomas
Frequent Advisor

Re: SMTP Route Through

We will investigate VPN's and other alternatives, but there is a significant learning curve for which I can not allocate staff time.

In the interim, our users access our system through their browsers to perform various functions (development wiki, sales/crm, ...). It seems to be straight forward to write a web based secure script to update the good-clients list as needed.
Willem Grooters
Honored Contributor

Re: SMTP Route Through

CommunigatePro: OpenVMS support has been confirmed:

Hello Willem,

> * Is OpenVMS still a supported Operating system?

Yes.

>
> * If OpenVMS is still supported, OpenVMS should be added as a
> supported OS on the main pages.

Specifically what pages are you referring to on our site? I will
gladly report this to our webmaster. OpenVMS is certainly listed as a
platform on the download page for CommuniGate Pro here:

http://www.communigate.com/enterprise/download.html

Thank you.
Willem Grooters
OpenVMS Developer & System Manager
H_Bachner
Regular Advisor

Re: SMTP Route Through

First of all, I'd replace the Telnet client with an SSH client (like PuTTY) which does not send the password in plain text to your OpenVMS system. Especially if you do this from networks you can't control (your customers, hotel (W)LANs etc.). From your description, it sounds like the OpenVMS system is directly connected to the Internet and your users login from wherever they happen to be. Sending the username and password in plain text does not sound like a good idea.

> We will investigate VPN's and other alternatives, but there
> is a significant learning curve for which I can not allocate staff time.

I'd look at OpenVPN which can be configured in routing mode or bridge mode to fit your needs. It's simple to configure in point-to-point mode (for a relatively low number of clients), and a bit more work if you configure it in server mode to accept multiple connections with a single server-side configuration (you need certificates in this case).

I'm not aware of a version of OpenVPN running on OpenVMS so you'd better configure it on the router/firewall or set up a small Linux box within your network to handle OpenVPN.

I use it to connect my home network to the office network (where the tunnel is built up between the routers) and to connect from my notebook while on the road or at a customer site.

Hans.