Rules order in smtpd.cfg
Posted: Mon Dec 11, 2006 7:13 pm
Hi
Just been playing around with smtpd.cfg because we want to
- Allow Messagelabs to send mail in to our server for our domain
- Allow our remote workers to submit and relay ONLY if they authenticate
- Block everyone else
Initially I had some rules like this:
AUTH_SUCCESS accept ALL (to deal with remote users who have authenticated)
RELAY accept 127.0.0.1
RELAY accept <localhostname>
RELAY Reject_Log ALL (don't let anyone else relay)
so I then added lines like
SUBMIT accept Messagelabs IP 1
SUBMIT accept Messagelabs IP 2
etc etc, followed by
SUBMIT reject ALL
I found that - even though the SUBMIT lines were all BELOW the AUTH_SUCCESS line, the "SUBMIT reject ALL" line was blocking inbound mail even from remote users who were configured to authenticate correctly.
I noticed that they were being cut off instantly, as soon as they tried to make an SMTP connection, and before they had a chance to authenticate. Which kinda makes sense if you're trying to block by IP address - you know the IP address immediately so why bother trying authentication if the IP address is not one that is permitted?
So it's not quite true that the smtpd.cfg rules are followed from the top down until a match is found, is it? Our remote clients should have matched the AUTH_SUCCESS line at the top, but instead were being blocked by the "SUBMIT reject ALL" line at the bottom...?
Actually - I must be completely missing how these rules work, because the setup I thought was working isn't. My final setup was:
AUTH_SUCCESS accept ALL (to deal with remote users who have authenticated)
RELAY accept 127.0.0.1
RELAY accept <localhostname>
RELAY Reject_Log ALL (don't let anyone else relay)
SUBMIT accept Messagelabs IP 1
SUBMIT accept Messagelabs IP 2
ANONYMOUS reject all
But the log files showed that emails being submitted from one of the listed Messagelabs IP addresses were being rejected like this (from the logfile):
Cli 9421/1 rcvd: 'HELO mail93.messagelabs.com'
Cli 9421/1 rcvd: 'MAIL FROM:<madeupname@fakedomain.com>'
Cli 9421/1 sent : 530 Authentication required
Accepted client 1 from 85.158.137.35 (mail134.messagelabs.com)
Cli 9421/1 rcvd: 'EHLO mail134.messagelabs.com'
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=LOGIN
250-DSN
250 8BITMIME
Cli 9421/1 sent : 530 Authentication required
So - why is it insisting on authentication, when I have a whole bunch of "SUBMIT accept" lines that include the two IP addresses shown? Surely as soon as the IP address is checked and found to match one in the list, it should allow the email to be submitted without any further checking?
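Added example, not code from the original post or from the mail server: a small Python model of why a ruleset grouped by keyword can behave differently from a single top-down list. The assumption (not documented in the post) is that each keyword (SUBMIT, AUTH_SUCCESS, ANONYMOUS) forms its own group consulted at a fixed SMTP stage; the Messagelabs address is the one in the log, while 203.0.113.7 is a made-up remote-worker address.

```python
# Added model (not the mail server's own code) of how grouped smtpd.cfg rules
# differ from one top-down list. ASSUMPTION: each keyword (SUBMIT, AUTH_SUCCESS,
# ANONYMOUS) is its own group, consulted at a fixed SMTP stage; the stage
# order below is illustrative and is not documented in the post.

# Constructed rule sets mirroring the post. 85.158.137.35 is the Messagelabs
# host seen in the log; 203.0.113.7 is a made-up remote-worker address.
SETUP_1 = """
AUTH_SUCCESS accept ALL
SUBMIT accept 85.158.137.35
SUBMIT reject ALL
"""
SETUP_2 = """
AUTH_SUCCESS accept ALL
SUBMIT accept 85.158.137.35
ANONYMOUS reject all
"""

def parse_rules(text):
    """Group rules by keyword, keeping file order inside each group."""
    groups = {}
    for line in text.strip().splitlines():
        keyword, action, target = line.split(None, 2)
        action = "reject" if action.lower().startswith("reject") else action.lower()
        groups.setdefault(keyword.upper(), []).append((action, target.upper()))
    return groups

def first_match(rules, ip):
    """Top-down first match inside ONE group; None if nothing matches."""
    for action, target in rules:
        if target == "ALL" or target == ip:
            return action
    return None

def evaluate_session(text, ip, will_authenticate):
    """Return (stage, verdict) at which the assumed stage-by-stage walk ends."""
    groups = parse_rules(text)
    # Stage 1, connect: nobody is authenticated yet, so an IP-only SUBMIT
    # reject fires before AUTH_SUCCESS can ever be reached.
    if first_match(groups.get("SUBMIT", []), ip) == "reject":
        return ("CONNECT", "reject")
    # Stage 2, AUTH: a client that authenticates is accepted outright.
    if will_authenticate and first_match(groups.get("AUTH_SUCCESS", []), ip) == "accept":
        return ("AUTH", "accept")
    # Stage 3, MAIL FROM: an unauthenticated client meets the ANONYMOUS group
    # here; the SUBMIT accept from stage 1 does not carry over (the 530 in the log).
    if not will_authenticate and first_match(groups.get("ANONYMOUS", []), ip) == "reject":
        return ("MAIL FROM", "reject")
    return ("MAIL FROM", "accept")
```

Under this model the first setup cuts off the authenticating remote worker at connect time, and the second setup lets the listed Messagelabs host connect but rejects it at MAIL FROM, matching both observations in the post.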