Panagiotis Atmatzidis wrote, On 05/30/14 05:58:
>> My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD
>> server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will
>> relay mail to the Internet for the client with the following single rule:
>>
>> accept from local for any relay
> No, it will not accept emails from 10.0.9/24 or x.x.10/24
The problem is that the mail server *is* accepting/relaying mail from
the client which is on a different subnet. So this behavior doesn't seem
correct.
I discovered that authentication may be changing the behavior of "from
local". But I'm not getting intuitive error messages (see below) from
smtpd, so I'm unsure of the exact behavior. I just want confirmation of
the meaning of "from local" with regards to successfully authenticated
clients regardless of their locality from the server.
Here is my entire conf that allows the behavior described above:
### /etc/mail/smtpd.conf ###
table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table users "/etc/mail/users"
pki tm certificate "/etc/ssl/mail.targetmeister.com.crt"
pki tm key "/etc/ssl/private/mail.targetmeister.com.key"
listen on localhost
listen on mail port smtp tls pki tm
listen on mail port submission tls-require pki tm auth <passwd>
accept from local for local alias <aliases> deliver to mbox
accept from any for domain <domains> virtual <users> \
deliver to maildir "/var/spool/vmail/%{dest.domain}/%{dest.user}"
accept from local for any relay
### END ###
And here is the session output from smtpd when a client on a different
subnet from the server submits an email for relay *with authentication*
on submission port 587:
# smtpd -d
info: OpenSMTPD 5.4.2 starting
info: startup
smtp-in: New session 49c757a0a5705603 from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 49c757a0a5705603: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Accepted authentication for user xx...@pachl.us on session 49c757a0a5705603
smtp-in: Accepted message 759ccb3c on session 49c757a0a5705603: from=<xx...@pachl.us>, to=<xx...@devio.us>, size=219, ndest=1, proto=ESMTP
smtp-out: Connecting to smtp+tls://66.7.199.108:25 (devio.us) on session e5969f5c34763839...
smtp-out: Connected on session e5969f5c34763839
smtp-out: Started TLS on session e5969f5c34763839: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-out: Server certificate verification failed on session e5969f5c34763839
relay: Ok for 759ccb3c571ca1f8: session=e5969f5c34763839, from=<xx...@pachl.us>, to=<xx...@devio.us>, rcpt=<->, source=10.0.9.20, relay=66.7.199.108 (devio.us), delay=2s, stat=250 2.0.0 Ok: queued as A9B071B5B88
smtp-out: Closing session e5969f5c34763839: 1 message sent.
But, if I make authentication optional (auth-optional) on submission
port and authentication on the client is turned off, I get the following
session output:
# smtpd -d
info: OpenSMTPD 5.4.2 starting
info: startup
smtp-in: New session 26c46acb7b5bf97b from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 26c46acb7b5bf97b: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Failed command on session 26c46acb7b5bf97b: "RCPT TO:<xxx...@devio.us>" => 550 Invalid recipient
smtp-in: Received disconnect from session 26c46acb7b5bf97b
smtp-in: New session 26c46acc2bed96ec from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 26c46acc2bed96ec: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Failed command on session 26c46acc2bed96ec: "RCPT TO:<xxx...@devio.us>" => 550 Invalid recipient
As you can see, it does not relay the mail. It instead gives me a "550
Invalid recipient" error, which doesn't seem apropos. It seems the error
should mention a failure in authentication, permission, or credentials.
Bottom line is, it seems successful authentication makes a client
"local". Is this correct?
--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
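As an added illustration (editor's example, not OpenSMTPD code and not posted in this thread), the following Python models the first-match lookup the three accept rules in the smtpd.conf above would perform if "from local" matches authenticated sessions as well as the server's own addresses, which is the reading the question asks to have confirmed. The server addresses, the "for local" names and the <domains> table contents are constructed stand-ins, since the real tables are not in the post.

```python
from dataclasses import dataclass

# Constructed stand-ins for the server's own addresses and for the
# <domains> table; the real tables are not on the page.
SERVER_ADDRS = {"127.0.0.1", "::1", "10.0.9.20"}
LOCAL_NAMES = {"localhost", "mail.targetmeister.com"}   # "for local" targets
VIRTUAL_DOMAINS = {"targetmeister.com"}                 # <domains> (constructed)


@dataclass(frozen=True)
class Session:
    source: str          # peer address, as logged in "New session ... from host"
    authenticated: bool  # True after "Accepted authentication for user ..."


def is_local(sess: Session) -> bool:
    """Assumed 'from local' semantics: the server's own addresses, or any
    authenticated session, regardless of which subnet it connects from."""
    return sess.source in SERVER_ADDRS or sess.authenticated


# The three accept rules from the posted smtpd.conf, in order; first match wins.
RULES = [
    ("accept from local for local",
     lambda s, d: is_local(s) and d in LOCAL_NAMES, "deliver to mbox"),
    ("accept from any for domain <domains>",
     lambda s, d: d in VIRTUAL_DOMAINS, "deliver to maildir"),
    ("accept from local for any relay",
     lambda s, d: is_local(s), "relay"),
]


def lookup(sess: Session, rcpt: str):
    """Return (matched rule, action) for one RCPT TO; when no rule matches,
    the recipient is refused, which the client sees as 550 Invalid recipient."""
    domain = rcpt.rpartition("@")[2].lower()
    for rule, pred, action in RULES:
        if pred(sess, domain):
            return rule, action
    return None, "550 Invalid recipient"


if __name__ == "__main__":
    client = "10.0.10.24"  # the poster's client on the other subnet
    for authed in (True, False):
        print("authenticated" if authed else "anonymous",
              lookup(Session(client, authed), "user@devio.us"))
```

Under this model the authenticated session from 10.0.10.24 reaches the relay rule while the unauthenticated one matches no rule at all, so the refusal is a rule-lookup failure rather than an authentication error. The port 25 listener carries no auth, so an unauthenticated client there is likewise unable to relay.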