Scalix Forums

I'd like to change our Scalix deployment so that it only accepts email from pre-approved ip addresses / networks and authenticated users, am I right in saying that all I need to do is remove the two lines relating to bob.com and enter RELAY accept statements for the required ip addresses and networks?

Thanks in advance

EXTENSIONS=AUTH,DSN,8BITMIME
AUTH_SUCCESS accept ALL
ANONYMOUS discard
RELAY accept 127.0.0.1
RELAY accept bob.bob.com
RELAY accept .bob.com
RELAY Log_Reject ALL
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
DEBUG_LOG=TRUE

Hi!

The RELAY lines mentioned in the smtpd.cfg file in your server:


allows users only from these server(s) to be able to use this email server for receiving messages from external hosts, i.e. users outside this domain would not be able to use this mail server for spamming or similar activity. The best way to test this is using telnet to your mailserver using the port number 25. I am still not sure what you are trying to do.

Please reply what Scalix version you are using and what OS you have used for Scalix Server.

Thanks,
Subir

georgew wrote:am I right in saying that all I need to do is remove the two lines relating to bob.com and enter RELAY accept statements for the required ip addresses and networks?

If you only want to accept ingress mail from certain hosts, remove the accept lines with domain names, and replace them with the hosts you wish to receive mail from.

So yes, you are correct.

Chris

Thanks Chris, that's worked a treat :)

glad to hear it ;p

Chris

Is there anyway I can keep a check on the sources we are receiving emails from the reason they were accepted as I still appear to have a few leaking through.

Thanks

How should I understand that? Do you mean, that this is an internet host, and unauthorized source addresses are trying to mail over it? What's leaking through exactly?

Thanks,

Chris

that's exactly it, we have a single server deployment using messagelabs as our mx and therefore only need to receive emails inbound from there specified ip addresses and subnets. The service as whole is working wonderfully however some spam still seems to be sneaking through by communicating directly with our inbound host even though it appears to be from a blocked ip.

I don't understand your network setup.

So you have something like

INET --- Firewall --- Relay --- Scalix

or how it is set together?

Where are unauthorized connections coming from and how are they getting there?

What if you add

ORIGINATOR accept 111.111.111.111
ORIGINATOR reject all

At the top of the file. You'd need to add a new line for each machine sending you mail. I suspect this is only messagelabs, so there won't be too many of them. NOTE that they will almost certainly have more than 1.

You can check to see who is failing with the command

omshowlog -s smtp -l 5

This will give a long list of people trying to relay, but being denied.

Is THAT what you're trying to accomplish?
Kev.

Am I right in assuming that this means I should only have RELAY statements in place for trusted internal hosts & authenticated users while the messagelab networks which act as out MX's should be set up a ORIGINATOR's ?

For outgoing MX's, you don't need to do anything here - omsmtpd only handles incoming traffic. You might want to set originator to your incoming MXs to lock down here. You will only need to setup relaying for internal hosts that should be able to relay through your scalix machine and don't authenticate. Those who authenticate will be allowed to relay by default.

Florian.