One thing that might be confusing, Steve, is the message that qmail sends to you when you're not allowed to relay. Instead of saying "you're not allowed to relay" it says "sorry, that domain isn't in my list of allowed rcpthosts". This can be misleading, making you think that you have to put every domain you want to send to in rcpthosts.
SMTP is basically one server (or client) passing off a message to another server. The rcpthosts file in qmail is a list of domains qmail will accept mail for, from ANY IP address on the internet. qmail is assuming that any domain in rcpthosts is a local one. It doesn't have to be, but that's sort of the assumption. So when I send an email to your server, to a domain that's local to you, qmail will happily accept and deliver it. But let's say I try to send _through_ your server out to somebody else's, say... yahoo.com. That's relay. I'm relaying a message from my computer, to your server, and asking your server not to deliver it locally, but to send it off to somebody else. If your server allows this type of activity from anyone, your server is an open relay, because it will happily relay any message from anyone, to any other server on the net.

There are several ways to control relay. The easiest, and most basic way, is by IP address. qmail has a tcp.smtp.cdb file, which is a compiled version of the tcp.smtp text file that you write (cdb is a simple, fast, file-system-based database format). That file contains a list of rules for qmail-smtpd to follow, such as what IPs to allow and/or deny, and also what variables to pass on with their connections. One of these variables is RELAYCLIENT. If the IP gets passed on with this RELAYCLIENT variable, then qmail will allow that IP to relay through the server. If it doesn't, qmail won't allow it to relay.

Managing a strictly IP-based relay is a full-time job sometimes, so they created programs and protocols to make it a bit easier. The basis of relay is this: you only want to allow people who are your customers and/or clients to relay through the server, people you have some form of control and/or communication with, in order to control spam and other forms of relay abuse. vpopmail supports a feature it calls "roaming users", which is pop before smtp.
A client pops their mail, vpopmail records their IP address and time-stamps it, then adds it to the relay automatically. The IPs are selectively removed from the relay every X minutes, as defined when you compile vpopmail.

Another option is to support the SMTP-AUTH patch. qmail doesn't support this by default, so you'll need to download a patch for qmail and patch your source. But this protocol allows users to send a username and password across in order to verify their authenticity. There are several patches out for qmail that allow support for this, but I recommend: http://members.elysium.pl/brush/qmail-smtpd-auth/ If you plan on using it, read the FAQ; it explains how to implement it with vpopmail.

Sorry for the long-winded email, but I hope that helps to clear things up. SMTP can be confusing ;).

-Clayton

-----Original Message-----
From: David Richardson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 5:26 AM
To: [EMAIL PROTECTED]; Steve Schofield
Subject: Re: [vchkpw] Newbie trying to figure vpopmail to popb4smtp.

Steve, the SMTP-AUTH functionality is added to qmail as a patch. With SMTP-AUTH and VPOPmail, you are able to authenticate virtual domain users into a _temporary_ mode to run your system as a relay based upon their IP being added by VPOPmail into a "table" of recently authenticated IPs. This IP list expires fairly quickly and only makes eligible those hosts who have authenticated. Your system is never a fully open relay. Qmail's rules about locals, rcpthosts, etc. are always obeyed by qmail. Vpopmail adds the IPs to a faked holding table of auth'd IPs (oversimplification???) Read up on the SMTP-AUTH patch, you'll get the hang of it. Vpopmail rocks for serving virtual domains. Squirrelmail can be applied really easily to a working vpopmail implementation - and it doesn't change anything about your relay settings (to my limited knowledge).

Dave.
---------- Original Message ----------------------------------
From: "Steve Schofield" <[EMAIL PROTECTED]>
Date: Wed, 26 Feb 2003 02:20:31 -0500

> I'm trying to configure my vpopmail + squirrelmail + qmail to not be an
> open relay. The only way I've found to control this is to put restricted
> domains in the rcpthosts file. The concept of popb4smtp seems to be
> slipping through my fingers. I've read the /usr/local/vpopmail/docs
> switches. From the docs, it will dynamically add the user so they can
> relay.
>
> --enable-roaming-users=y \
> --enable-relay-clear-minutes=${RELAYCLEAR}
>
> Once I tried to implement it and test this concept out, it's an open
> relay. What am I missing? One frustrated newbie!
>
> *----------------------------------------*
> * Steve Schofield
> * [EMAIL PROTECTED]
> *
> * Microsoft MVP - ASP.NET
> * http://www.aspfree.com
> *
> *----------------------------------------*
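As an added illustration (not code from this thread, from qmail or from vpopmail), the following Python model ties together the relay logic Clayton describes above: tcp.smtp rules that grant RELAYCLIENT by IP prefix, the rcpthosts check qmail-smtpd applies to every recipient, and a pop-before-smtp table whose entries expire after the relay-clear-minutes interval. The rule set, domains, addresses and timestamps are constructed for the example.

```python
# Constructed tcp.smtp rules in the tcprules text format that qmail-smtpd uses
# once compiled to tcp.smtp.cdb: "<ip-prefix>:<allow|deny>[,VAR=\"value\"...]".
TCP_SMTP = """\
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
10.0.0.13:deny
:allow
"""
RCPTHOSTS = {"example.com", "mail.example.com"}  # constructed local domains
RELAY_CLEAR_MINUTES = 30  # stands in for --enable-relay-clear-minutes

def parse_tcp_smtp(text):
    """Return [(prefix, action, env)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        prefix, _, rest = line.partition(":")
        action, *assigns = rest.split(",")
        env = dict((k, v.strip('"')) for k, _, v in (a.partition("=") for a in assigns))
        rules.append((prefix, action, env))
    return rules

def lookup(rules, ip):
    """tcprules semantics for IPs: longest matching prefix wins; '' is the default."""
    best = None
    for prefix, action, env in rules:
        hit = ip == prefix or prefix == "" or (prefix.endswith(".") and ip.startswith(prefix))
        if hit and (best is None or len(prefix) > len(best[0])):
            best = (prefix, action, env)
    return best

class RoamingUsers:
    """Pop-before-smtp table: a POP3 login grants relay rights until swept out."""
    def __init__(self, clear_minutes):
        self.ttl, self.table = clear_minutes * 60, {}  # ip -> login time (seconds)
    def pop_login(self, ip, now):
        self.table[ip] = now
    def clear_expired(self, now):  # what the periodic clearopensmtp-style sweep does
        self.table = {ip: t for ip, t in self.table.items() if now - t < self.ttl}
    def is_relay_client(self, ip, now):
        return ip in self.table and now - self.table[ip] < self.ttl

def smtpd_rcpt(rules, roaming, ip, rcpt_domain, now):
    """RCPT TO decision: local domains from anyone, foreign ones only with RELAYCLIENT."""
    matched = lookup(rules, ip)
    if matched is None or matched[1] == "deny":
        return "connection refused"  # tcpserver drops the client before SMTP starts
    relaying = "RELAYCLIENT" in matched[2] or roaming.is_relay_client(ip, now)
    if rcpt_domain in RCPTHOSTS or relaying:
        return "250 ok"
    return "553 sorry, that domain isn't in my list of allowed rcpthosts"
```

Run through the cases from the thread: a LAN client with RELAYCLIENT may send anywhere, an arbitrary internet host may only deliver to rcpthosts domains, and a host that just popped its mail can relay until the sweep expires its entry.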