CommuniGate Pro
Version 6.3
 

Help Me

This section lists the most common problems with CommuniGate Pro installations and provides suggestions that should help you solve them.

Security

Is my Server an open relay?

An Open Relay is an SMTP (or SIP) server configured in such a way that it allows anyone on the Internet to send e-mail (or make calls) through it, not just mail destined to or originating from known users. If you receive a lot of mail/spam of unknown origin, but the targets are your local users, then it has nothing to do with relaying; relaying means sending through your server to external targets.

With the default settings, CommuniGate Pro is configured NOT to be an open relay: it relays only e-mails (calls) submitted by senders who have authenticated.
Relaying for non-authenticated senders is possible if the sender has connected from an address in the Client IP Addresses list, so make sure there are no unnecessary addresses there; ideally, that list should be empty and all your users must authenticate when sending. If you receive all mail from a gateway, do NOT add the gateway address to the Client IP Addresses list; add it to the UnBlacklistable (White Hole) IP Addresses list instead.

On the SMTP Relaying page, make sure that:

  • the "Relay to any IP Address: If Received from:" is set to clients or nobody
  • the "Relay to Client IP Addresses: If Sent to:" is set to simple or none
  • the "Relay to Hosts We Backup:" is disabled
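
The effect of these settings can be checked from the outside with a short unauthenticated SMTP dialogue. The Python code below is an added example, not part of the CommuniGate Pro documentation or software; the probe addresses, the mydomain.com Domain and the StubSession stand-in are assumptions. Against a real server, run it from an address that is not in the Client IP Addresses list.

```python
import smtplib  # real sessions: smtplib.SMTP(host, 25); not needed for the stub

# Constructed probe addresses (assumptions): mydomain.com stands for a Domain
# the server hosts; example.net and example.org are domains it does not host.
LOCAL = "postmaster@mydomain.com"
PROBES = [
    # (label, MAIL FROM, RCPT TO, True if acceptance would mean relaying)
    ("external -> local",    "probe@example.net", LOCAL,               False),
    ("external -> external", "probe@example.net", "probe@example.org", True),
    ("local -> external",    LOCAL,               "probe@example.org", True),
]

def check_relay(session, probes=PROBES):
    """Run unauthenticated MAIL FROM / RCPT TO pairs on an smtplib.SMTP-like
    session and return (label, reply_code, verdict) for each probe."""
    session.ehlo()
    results = []
    for label, sender, rcpt, is_relay in probes:
        code, _ = session.mail(sender)
        if code // 100 == 2:
            code, _ = session.rcpt(rcpt)
        accepted = code // 100 == 2
        if accepted and is_relay:
            verdict = "OPEN RELAY"        # external target accepted without login
        elif accepted:
            verdict = "normal delivery"   # mail for a local user is not relaying
        else:
            verdict = "refused"
        results.append((label, code, verdict))
        session.rset()  # abandon the transaction: no DATA is sent, nothing is queued
    return results

class StubSession:
    """Constructed stand-in for smtplib.SMTP so the example runs offline.
    It accepts local recipients and relays only when open_relay is True."""
    def __init__(self, local_domain, open_relay=False):
        self.local_domain, self.open_relay = local_domain, open_relay
    def ehlo(self):
        return (250, b"stub")
    def mail(self, sender):
        return (250, b"OK")
    def rcpt(self, rcpt):
        if rcpt.endswith("@" + self.local_domain) or self.open_relay:
            return (250, b"OK")
        return (550, b"relaying prohibited")  # constructed reply text
    def rset(self):
        return (250, b"OK")

if __name__ == "__main__":
    # Offline demonstration with the stub; pass an smtplib.SMTP session
    # connected to your own server to test the real configuration.
    for row in check_relay(StubSession("mydomain.com")):
        print(row)
```

Only the second and third probes indicate relaying; the first one is ordinary inbound delivery to a local user.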

An Account was compromised and my server is being used for mass mailing. What can I do?

Someone has learned or guessed the password of an Account and is using that Account to send spam. Note that this case has nothing to do with open relaying.

Open the Mail page in the WebAdmin Monitors realm, and open the Queue page. There you should see a lot of messages with similar size and contents.

  • Open one of these messages to learn the compromised Account name and the sender's IP address.
  • Click the Reject All Sender's Messages button.
  • Open the compromised Account Settings page.
    • Reset or disable the password to prevent new logins.
    • Temporarily disable the Mail service to stop mail submission from existing logins.
  • Use the Reject All Sender's Messages button to clean the Queue. The messages which are being processed may not be rejected, so you may need to repeat this step several times.

In order to lower the chances of the users' passwords becoming compromised:

  • Make sure all users use encrypted connections (SSL/TLS) when communicating with the server. That will prevent hackers from learning passwords via network sniffers.
  • Force users to have sufficiently long and complex passwords that cannot be guessed easily.
  • Force Two-factor Authentication, if possible.
  • Impose tighter limits in to prevent brute-force attacks.
  • Enable the Hide 'Account Unknown' messages option to hinder address harvesting.

To reduce the damage caused by compromised Accounts, and to make them less attractive to hackers:

  • Impose tighter limits for "Outgoing Mail Limit", "Outgoing Recipients Limit" and "Max Recipients per Message" in Outgoing Mail Transfer Settings.
    That will reduce the rate at which a hacker can send messages.
  • Impose "'From' Address Restrictions" and "'From' Name Restrictions" in Outgoing Mail Transfer Settings.
    That will give the hackers less freedom for spoofing the message origin.
  • If your customers are to use WebMail/Pronto only and no external SMTP clients, then in the Enabled Services disable the Relay service.
    That will prevent hackers from using SMTP, which is the most convenient way to submit messages.

WebAdmin

I have rerouted the Postmaster account and now I cannot log in as the Postmaster

CommuniGate Pro applies routing rules not only to addresses in incoming messages, but to all addresses it processes. If you have rerouted the postmaster account to some other account abc, then all attempts to log in as the postmaster will cause the Server to try to open the abc account. If you provide the correct password (i.e. the abc account password), you will be able to log in, but you will have the access rights granted to the abc account, not to the postmaster account.

You can still log in to the postmaster account even if the postmaster name is redirected to a completely different address. Use the following name instead of the postmaster name:

abcd@postmaster.local
This address is always routed to the account postmaster. Use the regular postmaster account password with this string.

For more details on the .local routing, check the Local Delivery Module section.

I have deleted the Postmaster account

If you have deleted the postmaster account, stop the Server and start it again.

If the CommuniGate Pro Server does not find the postmaster account during the startup process, it creates a new one. Check the postmaster account files to get the new postmaster password, in the same way you used when you installed the CommuniGate Pro Server.

I have created a secondary Domain and now I cannot log into WebAdmin

When you connect to CommuniGate Pro via a browser, the Server checks the domain name you have specified in the browser URL. If that name matches the name of one of your Secondary Domains, the WebAdmin Interface of that Domain is opened, rather than the Server WebAdmin Interface.

To open the Server WebAdmin Interface, use the Main Domain Name in your browser URL. If that name does not have a DNS A-record or its record points to a different server, use the Server IP Address in the browser URL.

If all Server IP Addresses were assigned to secondary Domains, you can try to use ANY domain name that points to the CommuniGate Pro Server, and does not match any of the Secondary Domain names.

If all Server IP Addresses were assigned to secondary Domains and all DNS domain names pointing to your server are names of your secondary Domains or secondary Domain Aliases, then use the following URL:

http://sub.domain.com:8010/MainAdmin
https://sub.domain.com:9010/MainAdmin
where sub.domain.com is any name pointing to your server computer or any of its IP addresses.

When I try to log in, I get the "access from your network is denied" error

Open the Network pages in the WebAdmin Settings realm, and open the Client IPs page. The Logins from Non-Client IP Addresses option is set to prohibit, so users can connect to the Server only from the addresses listed in the Client IP Addresses field (on the same page).

If the Client IP Addresses field was left empty, you can still connect to the Server if you launch your browser on the Server computer itself, and connect locally, using the http://127.0.0.1:8010 URL.

If you have not entered anything into the Client IP Addresses field, or if you cannot connect from the IP Addresses listed in that field, and you cannot connect to the server locally, using the http://127.0.0.1:8010 URL, then:

  • stop the CommuniGate Pro Server;
  • open the {base}/Settings/IPAddresses.settings file, change the ClientOnly option from YES to NO, and save the updated file;
  • start the CommuniGate Pro Server again.

SMTP Receiving

My Server does not accept mail from my Web script/applet

When the SMTP module receives messages, it tries to route the address specified in the Mail From command (the message 'Return-Path' address). If the domain name in that address is the name of one of the Server's local Domains and the specified Account (or other Object) is not found in that Domain, the Router returns an error code and the SMTP module refuses to accept the message.

You should reconfigure your script/applet either to use an empty Return-Path (<>) for generated messages, or to use the E-mail address of some existing Account. If the script/applet cannot be reconfigured, you can create an Alias for any existing Account.

If, for example, your script/applet submits messages to your server with the <webform@mydomain.com> Return-Path address, and you do not have the webform Account in the mydomain.com Domain, you may want to create the webform alias for the postmaster Account. If delivery of a submitted message fails, the error report will be sent to the postmaster Account.


SMTP Sending

My Server cannot send mail to some host using SSL/TLS

When the CommuniGate Pro SMTP module connects to a mail host/relay and tries to establish a secure (SSL/TLS) connection, it receives the host Certificate and checks the name in that certificate. That name should match either the name of the domain the mail should go to, or the MX relay name for that domain name.

When a remote server hosts several domains on the same IP address, it always sends out only one certificate, because the server cannot learn which domain the incoming messages will go to, and thus it cannot present the Certificate for that particular domain. As a result, your (sending) server may refuse to proceed.

If the server mainhost.com also hosts client1.com and client2.com domains, and the MX records for all 3 domains point to the same name and to the same IP address on that server, the server will always present only one Certificate - usually, the mainhost.com Certificate.

To allow your CommuniGate Pro Server to send mail securely to client1.com and client2.com domains, you should specify 2 Domain-level Router records:

client1.com = client1.com@mainhost.com._via
client2.com = client2.com@mainhost.com._via

These records will place mail for the client1.com and client2.com domains into the mainhost.com SMTP queue. You should place the mainhost.com name into the Send Encrypted list of the SMTP module. The server will then connect to the mainhost.com server and check its certificate (it should contain either the mainhost.com name or the name of the relay the SMTP module connected to); after that, the SMTP module will establish a secure (SSL/TLS) connection with that server and send mail to recipients in the client1.com and client2.com domains via that secure connection.


Access

WebUser connections return the pink page saying "we do not provide Web Access to this Domain"

It is very important to understand that the domain names something.com and mail.something.com are completely different domain names. If your CommuniGate Pro Server has the main Domain mycompany.com, and you are trying to connect to it by typing http://mail.mycompany.com:8100 in your Web browser, you will get the page saying that the CommuniGate Pro Server does not provide access to the mail.mycompany.com Domain.

In most cases, you want the domain names mail.mycompany.com, webmail.mycompany.com, etc. to be just other names (aliases) of the mycompany.com CommuniGate Pro Domain. To specify this, open the mycompany.com Domain Settings page and find the Aliases table. In an empty field, enter the mail.mycompany.com name and click the Update button. Now the CommuniGate Pro Server will know that mail.mycompany.com domain name is just a different name for the mycompany.com Domain it serves. Connection requests specifying the mail.mycompany.com domain name will connect to the mycompany.com CommuniGate Pro Domain, and messages sent to a username@mail.mycompany.com address will be delivered to the account username in the mycompany.com domain.

Note: The WebAdmin interface opens the Server Administrator Interface if the name specified in the browser URL is not a CommuniGate Pro Domain name. This is why connections to the WebAdmin port (8010) can work, while the connections to the WebUser port (8100) return the "pink page".

WebUser sessions are disconnected almost immediately after login

When a user connects to your server via a "multi-homed HTTP proxy" (used by large ISPs such as AOL), TCP connections come to the CommuniGate Pro Server from several different IP addresses of those proxy servers. If the Require Fixed Network Address option is enabled in the Account WebUser Preferences, user browser connections can be rejected. Disable the Require Fixed Network Address option for those users that connect via "multi-homed proxy" servers. If most of your users connect via those proxy servers, you may want to disable this setting in the Domain Account Defaults or in the All-Server Account Defaults.

What does the "unassigned local network address" error mean?

Your CommuniGate Pro server computer has one or several IP (network) addresses assigned to it. Those addresses can be assigned to CommuniGate Pro Domains, and the Domains WebAdmin page shows all Domains with the IP addresses assigned to them.

Usually, the Main Domain has the Assigned IP Addresses setting set to All Available, so all IP Addresses not assigned to secondary Domains are automatically assigned to the Main Domain. If none of your Domains has the Assigned IP Addresses setting set to All Available, then some of your Server IP addresses may not be assigned to any Domain.

When a user connects to the server using a POP or IMAP client and provides just the account name (without the domain name), or when a secure (SSL/TLS) connection has to be established, the CommuniGate Pro Server takes the local IP address the user has connected to and tries to find the Domain that address is assigned to. If that IP address is not assigned to any CommuniGate Pro Domain, then the "unassigned local network address" error is generated.

Open the WebAdmin Settings->General page to see all the Local IP Addresses of your Server. You may have to click the Refresh button to see all addresses. The unassigned IP Addresses are displayed in red.


Directory

Microsoft LDAP (Outlook and Outlook Express) users cannot find Directory records

Most LDAP clients (including the Microsoft Outlook products) contain a setting specifying the Directory subtree that should be used for search operations. In Outlook Express, this setting can be found in Tools->Accounts->Directory Service, on the Advanced tab. It is called Search Base and it should contain the DN for the user domain (by default, that DN is cn=domainname).

If this setting field is left empty, Outlook products silently replace it with the c=country_code string, and search operations fail (unless your Directory has the c=country_code subtree).

If you do want to search the entire Directory with an Outlook product, enter the word top into the Search Base setting field.

Attempts to update Account Settings result in the "directory record with the specified DN is not found" error

This error appears when the Directory Integration option is enabled. This option tells the CommuniGate Pro Server to update the Account record in the Central Directory every time the Account Settings are updated. If the Directory does not contain a record for that account, the error message is returned. Account records may be missing in the Directory if the Accounts were created when the Directory Integration option was disabled.

To fix the problem, open the Domain Settings and find the Directory Integration panel. Click the Delete All button. It will remove all Domain object records from the Directory. Then click the Insert All button. The CommuniGate Pro Server will create a Directory record for the Domain, and then it will create Directory records for all Domain Objects (Accounts, Groups, Mailing Lists).

Note: if the Domain contains more than 100,000 Accounts, the Insert All operation can take several minutes.


Date and Time

Time stamps in messages sent or received with CommuniGate Pro are several hours off

This problem is caused by an incorrect Time Zone setting on the server and/or on the client machines. To check the Time Zone setting value on the server machine, open the General page in the Settings realm of the CommuniGate Pro WebAdmin Interface. The Server Time field should contain the correct Date and Time values and the correct Time Zone value: -0800 means '8 hours behind GMT', +0800 means '8 hours ahead of GMT'.

If the Time Zone value is incorrect, fix the OS setting that specifies that value, and re-open the General page to verify the Time Zone value.


Logs

Every time I access the WebAdmin interface, a Failure-type ROUTER record appears in the Log

The WebAdmin interface adds the LoginPage@ string to the domain name you specify in your browser URL field and tries to route the resulting address as any other E-mail address. If routing fails, the WebAdmin Interface defaults to the main domain and to the Server WebAdmin Interface, but the failure record appears in the Router Log:

ROUTER failed to route 'LoginPage@mail'
Usually this happens when you use a non-qualified domain name (like mail) instead of the qualified domain name (mail.mycompany.com). You should either use the qualified domain name in your browser URLs, or you should add the mail Domain Alias to the mail.mycompany.com CommuniGate Pro Domain.

What do these DNR-16538(xxx.xx.x.xx.rss.mail-abuse.org) A:host name is unknown records mean?

When your SMTP module uses RBLs to check the IP address of a server that tries to send mail to your server, it converts that server's aa.bb.cc.dd IP Address into the dd.cc.bb.aa.rbl-server-name domain name, and tries to resolve this name using the DNS system. If the sending server is not a known offender, and its address is not included in the RBL database, this composed domain name will NOT exist in the DNS system, and the DNR module will report this with a Problem-level Log record.

If you use RBL servers, you may want to restrict the DNR module Log Level to Major & Failures events only.
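
To confirm that such records are only negative RBL lookups, the composed names can be converted back into the sender addresses they were built from. The Python code below is an added example, not part of the CommuniGate Pro documentation or software; the sample log lines (including their time stamp and level prefix) are constructed, and only the DNR-nnnnn(name) A:host name is unknown text is taken from the record shown above.

```python
import ipaddress
import re
from collections import Counter

def rbl_query_name(ip, zone):
    """aa.bb.cc.dd + zone -> dd.cc.bb.aa.zone, the name the DNR tries to resolve."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# The record text shown above: DNR-nnnnn(name) A:host name is unknown
RECORD = re.compile(r"DNR-\d+\((?P<name>[^)]+)\)\s+A:host name is unknown")

def parse_rbl_miss(line, zones):
    """Return (sender_ip, zone) if the line is a negative RBL lookup, else None."""
    m = RECORD.search(line)
    if not m:
        return None
    name = m.group("name").lower()
    for zone in zones:
        if name.endswith("." + zone):
            labels = name[: -len(zone) - 1].split(".")
            try:
                ip = ipaddress.IPv4Address(".".join(reversed(labels)))
            except ValueError:
                return None  # not four valid octets: an ordinary failed lookup
            return (str(ip), zone)
    return None

ZONES = ["rss.mail-abuse.org"]  # the RBL zone named in the record above

# Constructed sample lines; the addresses come from documentation ranges.
SAMPLE_LOG = """\
10:15:01.123 2 DNR-16538(10.2.0.192.rss.mail-abuse.org) A:host name is unknown
10:15:04.456 2 DNR-16541(7.100.51.198.rss.mail-abuse.org) A:host name is unknown
10:15:09.789 2 DNR-16550(mail.nosuchhost.example) A:host name is unknown
10:15:12.001 2 DNR-16553(10.2.0.192.rss.mail-abuse.org) A:host name is unknown
""".splitlines()

def summarize(lines, zones=ZONES):
    """Split 'host name is unknown' records into RBL misses and all others."""
    misses, other = Counter(), []
    for line in lines:
        hit = parse_rbl_miss(line, zones)
        if hit:
            misses[hit] += 1      # sender was simply not listed in the RBL
        elif RECORD.search(line):
            other.append(line)    # a real name that failed to resolve
    return misses, other

if __name__ == "__main__":
    misses, other = summarize(SAMPLE_LOG)
    for (ip, zone), count in misses.items():
        print(f"{ip} not listed in {zone}: {count} lookup(s)")
    print("other unresolved names:", len(other))
```

Records left in the second group are failed lookups of real host names and are the ones worth reading after the RBL misses have been filtered out.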


Miscellaneous

What is that non-standard UDP port the CommuniGate Pro Server opens on my system?

This is a DNR (Domain Name Resolver) socket. The port number is selected by the OS, and it can change if you restart the CommuniGate Pro Server. This socket is used to send requests (UDP packets) to DNS servers and to receive responses from those servers.

Other applications (servers, browsers, etc.) use the same type of sockets to resolve domain names, but they usually open and close those UDP sockets quickly, so you may not notice them in your netstat output. CommuniGate Pro opens the DNR UDP socket when it starts, and uses that socket for all DNR requests, closing the socket only when the Server shuts down.

How can I make my formmail-type CGI work with CommuniGate Pro?

Formmail and similar CGIs are used to send E-mail messages from regular Web Server HTML forms. Implemented in the form of a Perl script, these CGIs use the legacy sendmail program to send the composed messages.

On most platforms, the CommuniGate Pro software installer does not replace the legacy sendmail program, though the package does contain the sendmail replacement program. In order to use that program, you should modify your Perl script: find all references to the sendmail program (usually the default path used is /usr/sbin/sendmail), and replace them with the {application directory}/sendmail references.

For example, if CommuniGate Pro and your CGI are installed on a MacOS X system, where the CommuniGate Pro application directory is /usr/sbin/CommuniGatePro/, the /usr/sbin/sendmail strings in the CGI script should be replaced with the /usr/sbin/CommuniGatePro/sendmail strings.


CommuniGate Pro Guide. Copyright © 2024, AO SBK