Ways to authorize mail relay

Thu, 01 Aug 2002 08:32:46 -0700 

> > > In other implementations such as qmail is a list of all IP
> > > Addresses that are authenticated. After one hour the IP
> > > Adresses will be deleted
> > Are you sure that you're not confusing SMTP AUTH with SMTP after POP?
> Yes, youre right. But this procedure can be used for both or not?

Well, my idea (and Peter plans to make a stopgap change in the meantime)
tags internal mail so that it carries authentication with it out of
SMTPHander.  What you are talking about would be a modification of
POP3Handler to manage a cache of recent login IP addresses, which could be
checked by a matcher.  Something like:

  ... all local e-mail delivered by now ...

  <mailet match="RemoteAddrInNetwork=127.0.0.1[,other local net]"
class="ToProcessor">
          <processor> RemoteDelivery </processor>
  </mailet>

  <mailet match="SenderAuthenticated" class="ToProcessor">
          <processor> RemoteDelivery </processor>
  </mailet>

  <mailet match="SMTPafterPOP" class="ToProcessor">
          <processor> RemoteDelivery </processor>
  </mailet>

  <mailet match="All" class="ToProcessor">
          <processor> RelayingDenied </processor>
  </mailet>

would allow locally generated e-mail, SMTP AUTH e-mail, and SMTP-after-POP
e-mail to be sent on, whereas all other e-mail would be denied.  If another
scheme for relay authorization is devised, it would fit into this overall
scheme.

To implement SMTP-after-POP, we could create a TimedSet class to contain a
set of values that are automatically removed by the set based upon timeout
criteria.  This would relieve client code from needing to understand how to
manage the SMTP-after-POP cache.  Something like:

        TimedSet ipCache = new TimedSet(<defaultTimeToLive>);
        ipCache.add(remoteIP); or ipCache.add(remoteIP, <specificTimeToLive>);

could be added to doPASS (although a singleton pattern is needed, not an
local value.  Later, the SMTPafterPOP matcher would call
ipCache.contains(mail.getRemoteAddr()), and permit the e-mail to be relayed
if the call returns true.

        --- Noel


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to