After understanding Gilles' advice, I fixed the issues by finding the right 
ruleset:

action distribuer mbox alias <aliases>
action relayer relay

match auth from any for any action relayer
match from any for domain example.org action distribuer

Now, I’m able to send and receive emails with my osmtpd 6.4 server.

Last question. Is there any risk of being an open relay with rule #1? 
I expect the auth mechanism to prevent any bad usage of my server. Am I right?

BR, François.

> On 2 Dec 2018, at 13:27, Gilles Chehade <[email protected]> wrote:
> 
> On Sun, Dec 02, 2018 at 01:05:56PM +0100, François wrote:
>> Thanks Gilles for your quick answer.
>> 
>> Based on your recommendations, I now have only these 3 match rules:
>> 
>> match from any mail-from <indesirables> for any reject
>> match auth from local action relayer
>> match auth from any action distribuer
>> 
> 
> you also need a for on the last rules
> 
> not specifying from implies from local,
> not specifying for implies for local.
> 
> 
> you should most definitely have something along the lines of:
> 
>    match auth from local for [...]
>    match auth from auth for [...]
> 
> 
> 
>> Below is how the server reacts when I try to send an email from my laptop, 
>> connected to the same network as the osmtpd server, to an outside email 
>> domain (redarmor.net):
>> 
>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as 
>> NETADDR in table static:<anyhost> -> found
>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "redarmor.net" as 
>> DOMAIN in table static:<anydestination> -> found
>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check 
>> "[email protected]" as MAILADDR in table static:indesirables -> 0
>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as 
>> NETADDR in table static:<localhost> -> 0
>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as 
>> NETADDR in table static:<anyhost> -> found
>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "redarmor.net" as 
>> DOMAIN in table static:<localnames> -> 0
>> Dec  2 12:43:12 gabrielle smtpd[1459]: no rule matched
>> 
>> And when I sent an email from outside domain (redarmor.net) to my domain 
>> (example.org) :
>> 
>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as 
>> NETADDR in table static:<anyhost> -> found
>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "example.org" as 
>> DOMAIN in table static:<anydestination> -> found
>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "[email protected]" as 
>> MAILADDR in table static:indesirables -> 0
>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as 
>> NETADDR in table static:<localhost> -> 0
>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as 
>> NETADDR in table static:<anyhost> -> found
>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "example.org" as 
>> DOMAIN in table static:<localnames> -> 0
>> Dec  2 12:47:02 gabrielle smtpd[1459]: no rule matched
>> 
>> As explained in my first email, these two examples lead to the error message 
>> result="550 Invalid recipient".
>> 
>> I will try a configuration which explicitly sets the source for the 
>> "relayer" action, like this: action "relayer" relay src <sources> 
>> helo-src <helonames>, with a table sources set with the local network.
>> 
>> BR, François.
>> 
>> 
>> 
>> 
>>> On 2 Dec 2018, at 12:26, Gilles Chehade <[email protected]> wrote:
>>> 
>>> On Sun, Dec 02, 2018 at 11:46:45AM +0100, François wrote:
>>>> Hello All
>>>> 
>>>> I'm trying to move from Opensmtpd 6.0.2p1 to 6.4.0p2 my email server 
>>>> hosted at home.
>>>> I'm running Linux on Raspberry Pi.
>>>> 
>>>> I didn't face any issue with release 6.0.2. But after migrating the 
>>>> smtpd.conf file to the 6.4.0p2 format, I'm not able to send or receive 
>>>> emails properly through the smtp protocol.
>>>> 
>>> 
>>> [...]
>>> 
>>>> 
>>>> Hereafter is an extract of my smtpd.conf:
>>>> 
>>>> listen on 127.0.0.1
>>>> listen on $lan_addr tls-require pki mail.example.org hostname 
>>>> mail.example.org
>>>> listen on $lan_addr smtps pki mail.example.org auth hostname 
>>>> mail.example.org mask-src
>>>> listen on $lan_addr port 587 tls-require pki mail.example.org auth 
>>>> hostname mail.example.org mask-src
>>>> 
>>>> table aliases file:/etc/aliases
>>>> table indesirables { "@qq.com" }
>>>> 
>>>> action distribuer mbox alias <aliases>
>>>> action relayer relay
>>>> 
>>>> match from any mail-from <indesirables> for any reject
>>>> match for local action distribuer
>>>> match for any action relayer
>>>> 
>>>> I don't understand my mistake. For information, I compiled the binaries 
>>>> from the sources, maybe I missed to set something in the Makefile.
>>>> Thanks in advance for your support.
>>>> 
>>> 
>>> The problem is that in 6.0.x authenticated users are considered as local
>>> sessions and therefore match your last two rules, but this was not right,
>>> it led to some configurations being impossible to express.
>>> 
>>> Starting with 6.4.x, authenticated users are no longer considered local,
>>> and rules must explicitly match them:
>>> 
>>>   match auth from any [...]
>>> 
>>> The 'auth' criteria is no longer related to the locality, so you're able
>>> to write rules that match differently the authenticated users which come
>>> from your machine or from others:
>>> 
>>>   match auth from local [...]
>>>   match auth from any [...]
>>> 
>>> Your new ruleset should have one or two additional match rules I guess.
>>> 
>>> Also, while at it, it is now also possible to match non-network sessions
>>> with:
>>> 
>>>   match from socket [...]
>>> 
>>> This used to only be matched by from local but can now also be matched a
>>> bit more precisely.
>>> 
>>> 
>>> -- 
>>> Gilles Chehade                                                     @poolpOrg
>>> 
>>> https://www.poolp.org                 tip me: https://paypal.me/poolpOrg
>>> 
>>> -- 
>>> You received this mail because you are subscribed to [email protected]
>>> To unsubscribe, send a mail to: [email protected]
>>> 
>> 
>> 
>> 
> 
> -- 
> Gilles Chehade                                                       @poolpOrg
> 
> https://www.poolp.org                 tip me: https://paypal.me/poolpOrg
> 
> 
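
The effect of the `auth` criterion in rule #1 of the final ruleset, and of the implicit `from local` / `for local` defaults described in the thread, can be checked with a small model of first-match rule evaluation. This is an added example, not part of the original messages and not OpenSMTPD code; the `Session` fields, the helper names and the contents of `LOCALNAMES` are assumptions, and only the from, for and auth criteria are modelled.

```python
# Simplified model of first-match evaluation for smtpd.conf "match" lines.
# Added example, not OpenSMTPD code: it covers only from / for / auth.
from collections import namedtuple

# local: source address is in <localhost>; auth: session authenticated
Session = namedtuple("Session", "local auth domain")
LOCALNAMES = {"localhost", "gabrielle"}  # assumed content of <localnames>

def parse(line):
    """Parse one match line; an omitted from/for defaults to 'local'."""
    rule = {"auth": False, "from": "local", "for": "local", "action": None}
    tok = line.split()[1:]               # drop the leading "match"
    while tok:
        word = tok.pop(0)
        if word == "auth":
            rule["auth"] = True
        elif word in ("from", "for"):
            value = tok.pop(0)
            if value == "domain":
                value = ("domain", tok.pop(0))
            rule[word] = value
        elif word == "action":
            rule["action"] = tok.pop(0)
    return rule

def matches(rule, s):
    if rule["auth"] and not s.auth:
        return False
    if rule["from"] == "local" and not s.local:
        return False
    if rule["for"] == "local":
        return s.domain in LOCALNAMES
    if rule["for"] != "any":             # ("domain", name)
        return s.domain == rule["for"][1]
    return True

def evaluate(ruleset, s):
    """Return the action of the first matching rule, or None (no rule matched)."""
    for rule in map(parse, ruleset):
        if matches(rule, s):
            return rule["action"]
    return None

FINAL = ["match auth from any for any action relayer",
         "match from any for domain example.org action distribuer"]
INTERIM = ["match auth from local action relayer",
           "match auth from any action distribuer"]
NO_AUTH = ["match from any for any action relayer"]  # rule #1 without auth

def is_open_relay(ruleset):
    """True if an unauthenticated remote session reaches the relay action."""
    stranger = Session(local=False, auth=False, domain="redarmor.net")
    return evaluate(ruleset, stranger) == "relayer"
```

With `LOCALNAMES` as assumed, the interim ruleset yields no match for both sessions shown in the quoted logs, while the final ruleset relays only for authenticated sessions.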

