smtpd.cfg howto


Post by rgmhtt » Fri Mar 31, 2006 12:29 pm

Frustrated. Finding that smtpd.cfg is an important file, and cannot find any docs for it on the internet or in the knowledgebase. Bits and pieces in messages here, indicating that someone knows what should be done here...

First off, I have my domain and subdomains, and am hosting other domains. So consider:

foo.com
test.foo.com
bar.org
test.bar.org
bar.net

Now the default smtpd.cfg has some rules to prevent open relaying at the end of the file. But I read that smtpd.cfg is processed linearly and the 'open relay reject' rules should come first! So I move those above all my other lines:

Now I really don't want to assign multiple IP addresses to support stunnel and smtp. Will have to study tips on preventing that from being an open relay...

It seems the first two lines after my drop open relays are:

AUTH_SUCCESS header
AUTH_SUCCESS accept all

But I read in one message here that AUTH_SUCCESS accept all is 'redundant'. With what?

Then I want to accept my internal addresses:

RELAY accept 127.0.0.1
RELAY accept 1.2.3.4/26 # I do have 64 pub addresses
RELAY accept 192.168.

Now I want to allow remote users to send mail:

RELAY accept .foo.com
RELAY accept .bar.org
RELAY accept .bar.net
RELAY Log_Reject ALL

But I am already accepting when AUTH Successful? So if I require auth for smtp, do I need any of these accepts?

And if I do, I have seen that the above are for subdomains. What I would really need is:

RELAY accept .foo.com
RELAY accept foo.com
RELAY accept .bar.org
RELAY accept bar.org
RELAY accept bar.net
RELAY Log_Reject ALL

One should not be learning this by trying and watching Scalix become an open relay because of bad rules or users not able to send mail....


Post by ScalixSupport » Fri Mar 31, 2006 1:58 pm

Page 28 of the Scalix Administration Guide is the start of a small section about configuring the SMTP Relay.

In that section, there is a reference to page 215 (SMTP Authentication and Anti-spam Protection) which gives a detailed listing of the configuration in smtpd.cfg.

The rules as shipped with Scalix prevent the SMTP Relay from being an open relay.

Based on the tone of the message, are you saying that you tried with the default rules and didn't achieve what you wanted?

In a standard Scalix installation where all users are on the Scalix server, the RELAY accept rules are there to prevent people sending messages outside of the domains. They are not there to define what domains you are accepting mail for. As discussed in other posts, all that is required for RECEIPT of mail is that there is a match in the SYSTEM directory.

If you want mail that has NO match in the SYSTEM directory to be passed on to another server, you DO need the RELAY accept rules but you must make sure that your DNS setup prevents a routing loop with MX records.

I strongly advise against adding more rules to that to allow remote users to send mail. The simplest solution is to get them to authenticate with the SMTP Relay. As mentioned before, there is an implicit rule which says that any authenticated user can send outside of the domain.

For any RELAY accept line that is configured with domain names instead of IP addresses, you have to ensure that reverse DNS is working, otherwise those rules are pointless.

AUTH_SUCCESS accept all is redundant because of the implicit rule I talked about earlier.

What you are doing with the internal addresses is correct but, as for everything, the wider you open your rules to allow relaying, the more susceptible you become.

Cheers

Dave
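
A check for the reverse-DNS dependency described in the reply above, added here as an example and not part of the original post or Scalix's own code: for a client IP and a domain pattern from a RELAY accept line, it reports whether a PTR record exists, whether it matches the pattern, and whether a forward lookup confirms it. The function names, the sample data and the matching semantics (`.foo.com` for hosts under the domain, `foo.com` for the exact name, following the first poster's reading) are assumptions.

```python
import ipaddress
import socket

def ptr_names(ip):
    """PTR names for ip from the system resolver (empty list on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def forward_addrs(name):
    """Addresses that name resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def suffix_match(name, pattern):
    """Assumed semantics: '.foo.com' = hosts under foo.com, 'foo.com' = exact name."""
    name, pattern = name.rstrip(".").lower(), pattern.lower()
    return name.endswith(pattern) if pattern.startswith(".") else name == pattern

def check_domain_rule(ip, pattern, ptr=ptr_names, fwd=forward_addrs):
    """Classify how well DNS backs a domain-based relay rule for one client IP."""
    ip = str(ipaddress.ip_address(ip))      # validates and normalises the address
    names = ptr(ip)
    if not names:
        return "no-ptr"                     # a name-based rule cannot match this client
    matching = [n for n in names if suffix_match(n, pattern)]
    if not matching:
        return "ptr-mismatch"
    if any(ip in fwd(n) for n in matching):
        return "confirmed"                  # PTR and forward lookup agree
    return "ptr-only"                       # PTR claims the domain, forward DNS disagrees

# Constructed sample data: RFC 5737 documentation addresses, not real hosts.
SAMPLE_PTR = {"192.0.2.10": ["mail.foo.com"], "192.0.2.20": ["mail.foo.com"],
              "192.0.2.30": ["foo.com"]}
SAMPLE_A = {"mail.foo.com": {"192.0.2.10"}, "foo.com": {"192.0.2.30"}}

def sample_report(pattern):
    """Run the check over the constructed data without touching the network."""
    ips = ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")
    return {ip: check_domain_rule(ip, pattern,
                                  lambda i: SAMPLE_PTR.get(i, []),
                                  lambda n: SAMPLE_A.get(n, set()))
            for ip in ips}

if __name__ == "__main__":
    for pattern in (".foo.com", "foo.com"):
        print(pattern, sample_report(pattern))
```

A `ptr-only` result is the one to look at: the PTR record is published by whoever controls the address block, so a name that a forward lookup does not confirm says little about who the client is.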


Post by rgmhtt » Fri Mar 31, 2006 2:31 pm

Quick reply

Thanks.

I missed page 28. See why. Looking for the wrong thing.

My admin for foo.org has not been able to send mail from his location on his network. So I began this trip into smtpd.cfg (based on the knowledgebase pointing me to that file in the first place, see at least I did try it first!).

Before I added the address rules, I had no trouble sending from one of my 192.168 addresses (read RFC 1918, and you may see that I know 'net 10' all too well ;) ). So I suspected that SMTP Auth was working. There was that one accept for my domain in the smtpd.cfg that made me think I needed to add an accept for the other domains.

Before I make ANY changes, I am going to work with that admin on getting some logs to see if he is really trying smtp auth.

Oh, I have a mail personality that sends mail from my server that is FROM my work domain. It would seem that once I smtp auth, I can send any email with any FROM?

It is SOOOOO much 'fun' going from theory to support! All those IETF meetings.....

