>-----Message d'origine----- >De: [EMAIL PROTECTED] >A: xmail@xmailserver.org >Date: 24/04/08 05:21 >Objet: [xmail] Re: Lockdown xMail > >Dear Francis - > >> Effectively, it seems the "MailAuth" feature does not take into >> account the 'WhiteList' parameter in the smtp.ipprop.tab file. >> >> But should it be the case as the smtp.ipprop.tab "Whitelist" is >> supposed to be used to change ip checks ? > >Davide is the one who suggested the smtp.ipprop.tab option to me >as I did not really use this tab before. >
As programs are more and more complex when adding features, it is frequent to miss/forget some 'old' internal implementations details :) >I originally tried adding entries to smtprelay.tab which did not work >either. > >> For now, Hal, I think you could use your firewall to block any >'external' >> attempts to go to you Postini dedicated xmail server ip and ports ;) > >The problem is that I use xMail as part of my ISP service therefore >customers are using xMail as their outbound eMail MTA on Port 25 >from all over the place on the net therefore it is not possible to block >the port. > >Even if I could use my firewall to block access; Postini does not have >a feature to change the forwarding IP Port for the Relay nor any kind >of Authorization that I know of. > Can you add another IP to your xmail server ? If so, add it to xmail inbound cmd line parameters, then for this ip add a rule in your firewall to block any traffic except postini server. (If postini is on the same server as xmail, you could add 127.0.0.1 to xmail inbound, then ask postini to send to ip 127.0.0.1. No firewall rules at all needed then.) >> IMOO another smtp.ipprop.tab parameter like "MailAuth=0" should >> be created (to not change/mix 'ip checks' rules) > >IMOO I think of this as a Relay function so I think the smtprelay.tab is >the place for the information. The docs define the purpose is to allow >hosts or networks to use the server as relay. > Yes it could be an alternative placement for this parameter for 'relay'. But, adding it also to ipprop could allow to accept specific clients without auth but with relay not allowed. MailAuth=0 in smtp.relay : accept this ip to relay without auth MailAuth=0 in smtp.ipprop : accept this ip without auth for local delivery only So the two implementations could be nice :) >Agains the docs say using SmtpConfig-IP makes "authentication require[d] >to send mail to the server. Please note that by setting this value >everything >requires authentication, even for sending to local domains, and this is >probably >not what you want." > >However, I'm not sure why SmtpConfig-IP is locked down so hard? > The problem is not in SmtpConfig-IP rules if you can use specific rules to 'open the door a little', the problem is that actually 'open the door a little' is missing in xmail (some MailAuth=0 in some places) :) (Notice that using some other ip and/or ports, and some firewall rules, you can do the job.) >Maybe, another way to think about this is that a parameter needs to be >added to SmtpConfig-IP to determine if the smtp.ipprop.tab or >smtprelay.tab >should override the "MailAuth". For example: > >"SmtpConfig-64.74.149.27,25" "MailAuth" "ipprop" >"SmtpConfig-64.74.149.27,25" "MailAuth" "relay" > IMOO not enough secure, as the flags here will be valid for all the entries in the corresponding files. Using MailAuth=0 in the 'good' places (ipprop and relay) seems to be better. >Any further suggestions Francis? > >I just can't believe that as popular as Postini has become that I'm the >first >one trying to get xMail integrate with it! Anyone done this before? > Seems xmail users prefer alternative solutions :) (and many exist) Personnaly I use xmail with blacklists, then glst filter, then xmail with av filters. Simple to implement, and more than 95% spams and viruses down at first and second stage without 'big' filtering mecanisms/products/gaz machines :) >Davide what is our next step? > >I could really use a patched version of xMail to test. > >Thanks, >Hal Dell >ePodWorks.net, Inc. >Managing Partner > > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
