On Mon, 20 Jan 2003 07:35:50 -0500 Mark Weaver <[EMAIL PROTECTED]> wrote:
> Todd Lyons wrote:
> > Mark Weaver wrote on Sat, Jan 18, 2003 at 06:05:27AM -0500 :
> >
> >>>> cause nuttin is getting through...I'm gonna shoot dis damn thing!
> >>>
> >>> basics... you're having a "relay" problem which is OK since you don't
> >>> want to be an open-relay... the trick is to figure out how to allow
> >>> those domains through that are legit in your case... for me, it
> >>> wasn't until I
> >
> >> thanks Pierre...I "definately" have some more reading to do. I've
> >> gotta digest this stuff and get inside Postfix's head.
> >
> > This is the thing to remember. You don't want to enable "relay by
> > domain". Why? Ok, you're at domain "weaver.com" for example. You
> > allow anybody who has an email account with you to relay through your
> > machine.
> >
> > Ok, I say I'm "[EMAIL PROTECTED]" and I send my 2 million spams how to
> > make your sex better. Since it's from "@weaver.com", your mail server
> > happily relays all 2 million messages PLUS gets all the bounces.
> >
> > I hope you can see how fallible that is.
> >
> > The correct solution is pop-before-smtp or (best) authenticated SMTP.
> >
> > Blue skies... Todd
>
> Hi Todd,
>
> That's what Pierre was saying (the pop-before-smtp). The thing is, for
> whatever reason I don't seem to be able to wrap my brain around that
> just yet. I don't know why, but it's just not making any sense yet.

Without pop-before-smtp, you are just another IP address on the 'net
trying to use your box as an open-relay. Since SMTP is essentially
unauthenticated, anyone could spoof your user@domain.

Without pop-before-smtp, you'd have to config your postfix with your
current dial-in IP address to allow mail from there each time you connect
to the net... pop-before-smtp does this automatically. It simply requires
anyone wanting to relay mail through your server to first authenticate
themselves by doing a successful POP login (mail get is optional AFAIK).

Once you've successfully logged in via POP, the pop-before-smtp daemon
will give the *IP address* from which the user logged in 30 minutes to
send mail. The gotchas are:

- reconnects on a dial-up will not terminate the timer; so someone
  getting the 'net port you just dropped *could* use your remaining time
  -- like parking on remaining meter time. Fortunately, that's a rather
  obscure risk.

- you'll often forget to "check mail" first before sending a message

- when you reconnect, you may get a new IP, so you should re-check mail
  to enable this new address while the old one continues to timeout.

- pop-before-smtp relies on the system logs, so I found that it's a good
  idea to run a cron task to restart the daemon regularly to ensure it's
  still reading the *current* log file -- logrotate will switch log
  files; but pop-before-smtp won't notice...

HTH,
Pierre
