How to allow authenticated SMTP from RBL blocked IPs?


TRACKS
Posts: 106
Joined: Mon Feb 19, 2007 4:56 pm

Postby TRACKS » Fri Apr 20, 2007 12:57 pm

swordfish wrote: Tracks,

Your issue is different. You wanted to whitelist IPs, while Afassl needs to allow authenticated users from blacklisted IPs.


Actually my issue is the same. I am using DNSBL, which was blocking my authenticated users because their IP was in the DNSBL. Since the connection is filtered with DNSBL prior to authentication, the only way to allow the user to send mail is to whitelist the IP or IP range.

If someone has a better way please do tell.
TRACKS
4000+ users

edrean
Posts: 29
Joined: Thu Aug 16, 2007 5:46 am
Location: Tzaneen, South Africa

Postby edrean » Thu Sep 27, 2007 3:50 am

I also have DNSBL setup and exactly the same is happening to me. Users don't have an opportunity to authenticate if their IPs aren't in the allowed RELAY list (while listed in the DNSBL). I have certain users who use dial-up (with dynamic IPs) from anywhere in the world and need to use the SMTP server as a relay. How can I allow them to authenticate while still allowing DNSBLs to check for listed dynamic IPs?

Basically it boils down to allowing DNSBL-listed IPs to relay provided that they authenticate successfully!! This should be possible, but how??

TRACKS wrote: Actually my issue is the same. I am using DNSBL, which was blocking my authenticated users because their IP was in the DNSBL. Since the connection is filtered with DNSBL prior to authentication, the only way to allow the user to send mail is to whitelist the IP or IP range.


Remember TRACKS, one doesn't know what the user's IP is going to be so it cannot be added to a whitelist...

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Thu Sep 27, 2007 5:57 am

Do you use sendmail or the Scalix SMTP Relay as your email listener? If sendmail, then that is the issue; I have not successfully gotten SMTP auth with it to work. Maybe make the SMTP relay listen on a different port (587 is a good one) with the submission service and authenticate to that instead.

If it is the SMTP Relay, then an authenticated connection should bypass all relevant rejection rules, as it is an implicit rule located before the user-defined ones.

edrean
Posts: 29
Joined: Thu Aug 16, 2007 5:46 am
Location: Tzaneen, South Africa

Postby edrean » Thu Sep 27, 2007 6:19 am

Thanks for the reply Valerion!

I'm using the Scalix SMTP Relay. Sendmail is only for outgoing mail.
Scalix Server 11.1.0.10849

An extract of my smtpd.cfg (changed real hostname to hostfqdn.com):


...
SMTPFILTER=TRUE

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept 192.168.1.0
RELAY accept .hostfqdn.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

SUBMIT Log_accept 196.
# Reject and log submission from addresses listed in bl.spamcop.net
SUBMIT Log_reject DNSBL,sbl-xbl.spamhaus.org,ALL
SUBMIT Log_reject DNSBL,bl.spamcop.net,ALL
SUBMIT Log_reject DNSBL,dnsbl.sorbs.net,ALL
SUBMIT Log_reject DNSBL,l2.spews.dnsbl.sorbs.net,ALL

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL
....


With this config, if you try to connect to port 25 from a dial-up connection it will just give you the 500 error and subsequently disconnect without allowing the client to give any input. This happens, of course, because of the 'blacklisted' dynamic IPs on the DNSBLs.

You will note that I added a "SUBMIT Log_accept 196." line to temporarily allow clients from 196. addresses to relay after auth. Thus, with this setup, if you are coming from a dynamic IP which doesn't start with 196 then you will not be given the opportunity to authenticate. Any ideas??

Please also let me know if you require any other info or a larger portion of the smtpd.cfg file.

Cheers!
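To make the ordering problem in this post concrete, here is an added Python model (not Scalix code and not from any poster) of the two listeners: port 25 applying the DNSBL check at connect time, before any AUTH can be sent, and a separate submission listener on 587 that skips the DNSBL and lets authentication decide. The DNSBL zone contents, the user store and the exact rule semantics are assumptions for illustration.

```python
"""Model of why a connect-time DNSBL check on port 25 blocks authenticated users,
and how a separate submission listener (587, auth required, no DNSBL) avoids it.
Added illustration only; rule semantics are assumed, not Scalix's smtpd logic."""
import ipaddress

# Constructed DNSBL answers keyed by the reversed-octet query name a resolver
# would ask, e.g. 1.2.3.4 listed in bl.spamcop.net -> "4.3.2.1.bl.spamcop.net".
FAKE_DNSBL_ZONE = {
    "7.0.0.203.bl.spamcop.net": "127.0.0.2",        # constructed: 203.0.0.7 is "listed"
    "7.0.0.203.sbl-xbl.spamhaus.org": "127.0.0.2",  # constructed
}
DNSBL_ZONES = ("sbl-xbl.spamhaus.org", "bl.spamcop.net")
USERS = {"alice": "correct horse"}  # constructed credential store


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str) -> list:
    """Return the zones that list this IP (offline lookup against the fake zone)."""
    return [z for z in DNSBL_ZONES if dnsbl_query_name(ip, z) in FAKE_DNSBL_ZONE]


def mx_listener_25(ip: str, user=None, password=None) -> str:
    """Port 25 model: DNSBL evaluated on connect, before AUTH is possible.
    As in the thread, a listed client is refused immediately, so valid
    credentials never get a chance to matter."""
    if dnsbl_listed(ip):
        return "550 Denied (DNSBL, pre-auth)"
    if user is not None and USERS.get(user) == password:
        return "250 relay accepted (AUTH_SUCCESS)"
    return "550 relay denied (anonymous)"


def submission_listener_587(ip: str, user=None, password=None) -> str:
    """Port 587 model: no DNSBL on connect, ANONYMOUS rejected, auth decides."""
    if user is None:
        return "530 authentication required (ANONYMOUS Log_Reject ALL)"
    if USERS.get(user) == password:
        return "250 relay accepted (AUTH_SUCCESS)"
    return "535 authentication failed (AUTH_MISMATCH)"


if __name__ == "__main__":
    dynamic_ip = "203.0.0.7"  # constructed: a listed dial-up address
    print(mx_listener_25(dynamic_ip, "alice", "correct horse"))
    print(submission_listener_587(dynamic_ip, "alice", "correct horse"))
```

The same listed address with the same valid credentials is refused on the modelled port 25 and accepted on the modelled 587, which is the split Valerion suggests.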

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Thu Sep 27, 2007 8:56 am

Mmm .. strange. I think this needs to be reported at http://bugzilla.scalix.com - seems like SUBMIT takes preference above the implicit AUTH_SUCCESS rule.

Maybe putting in an explicit


AUTH_SUCCESS Accept
AUTH_MISMATCH Reject


will help? Otherwise one of the Scalix people may want to comment on this.

edrean
Posts: 29
Joined: Thu Aug 16, 2007 5:46 am
Location: Tzaneen, South Africa

Postby edrean » Mon Oct 01, 2007 1:39 am

I put the explicit


AUTH_SUCCESS Accept
AUTH_MISMATCH Reject

into my smtpd.cfg, restarted smtpd, and when I try to telnet to the server on port 25 from a dynamically assigned public IP it immediately gives me a "550 Denied" and promptly closes the connection.

I am considering submitting this at Scalix bugzilla, unless anyone has anything else for me to try. :?

edrean
Posts: 29
Joined: Thu Aug 16, 2007 5:46 am
Location: Tzaneen, South Africa

Postby edrean » Wed Oct 03, 2007 10:43 am

I have submitted this bug as Bug #15859. Go add yourselves to the CC list if you want to keep updated. Hopefully we'll get this sorted :)
