Thanks a lot, Matt, for your quick answer. I will check the open relay checker
you advised. It should be fine also.

> On 2 Dec 2018, at 21:52, Matt Schwartz <matt.schwart...@gmail.com> wrote:
> 
> No Francois, there is no risk of an open relay with the first rule
> because the session must be authenticated with a username and
> password. If you want, you can use an open relay checker like
> https://mxtoolbox.com/diagnostic.aspx if you're really concerned. I
> use the same rule you did and I passed the open relay check.
> -Matt
> On Sun, Dec 2, 2018 at 3:48 PM François <za...@redarmor.net> wrote:
>> 
>> After understanding Gilles' advice, I fixed the issues by finding the
>> right ruleset:
>> 
>> action distribuer mbox alias <aliases>
>> action relayer relay
>> 
>> match auth from any for any action relayer
>> match from any for domain example.org action distribuer
>> 
>> Now, I’m able to send and receive emails with my osmtpd 6.4 server.
>> 
>> Last question: is there any risk of being an open relay with rule #1?
>> I expect the auth mechanism to avoid any bad usage of my server. Am I right?
>> 
>> BR, François.
>> 
>>> On 2 Dec 2018, at 13:27, Gilles Chehade <gil...@poolp.org> wrote:
>>> 
>>> On Sun, Dec 02, 2018 at 01:05:56PM +0100, François wrote:
>>>> Thanks Gilles for your quick answer.
>>>> 
>>>> Based on your recommendations, I now have only these 3 match rules:
>>>> 
>>>> match from any mail-from <indesirables> for any reject
>>>> match auth from local action relayer
>>>> match auth from any action distribuer
>>>> 
>>> 
>>> you also need a for on the last rules
>>> 
>>> not specifying from implies from local,
>>> not specifying for implies for local.
>>> 
>>> 
>>> you should most definitely have something along the lines of:
>>> 
>>>   match auth from local for [...]
>>>   match auth from auth for [...]
>>> 
>>> 
>>> 
>>>> Below is how the server reacts when I try to send an email from my laptop,
>>>> connected to the same network as the osmtpd server, to an outside email domain
>>>> (redarmor.net):
>>>> 
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as NETADDR in table static:<anyhost> -> found
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "redarmor.net" as DOMAIN in table static:<anydestination> -> found
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "franc...@example.org" as MAILADDR in table static:indesirables -> 0
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as NETADDR in table static:<localhost> -> 0
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as NETADDR in table static:<anyhost> -> found
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: lookup: check "redarmor.net" as DOMAIN in table static:<localnames> -> 0
>>>> Dec  2 12:43:12 gabrielle smtpd[1459]: no rule matched
>>>> 
>>>> And when I send an email from an outside domain (redarmor.net) to my domain
>>>> (example.org):
>>>> 
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as NETADDR in table static:<anyhost> -> found
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "example.org" as DOMAIN in table static:<anydestination> -> found
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "za...@redarmor.net" as MAILADDR in table static:indesirables -> 0
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as NETADDR in table static:<localhost> -> 0
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as NETADDR in table static:<anyhost> -> found
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: lookup: check "example.org" as DOMAIN in table static:<localnames> -> 0
>>>> Dec  2 12:47:02 gabrielle smtpd[1459]: no rule matched
>>>> 
>>>> As explained in my first email, these two examples lead to the error
>>>> message result="550 Invalid recipient".
>>>> 
>>>> I will try a configuration which explicitly sets the source for the
>>>> "relayer" action, like this: action "relayer" relay src <sources>
>>>> helo-src <helonames>, with a table sources set to the local network.
>>>> 
>>>> BR, François.
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On 2 Dec 2018, at 12:26, Gilles Chehade <gil...@poolp.org> wrote:
>>>>> 
>>>>> On Sun, Dec 02, 2018 at 11:46:45AM +0100, François wrote:
>>>>>> Hello All
>>>>>> 
>>>>>> I'm trying to move my email server, hosted at home, from OpenSMTPD
>>>>>> 6.0.2p1 to 6.4.0p2.
>>>>>> I'm running Linux on Raspberry Pi.
>>>>>> 
>>>>>> I didn't face any issue with the release 6.0.2. But after migrating the
>>>>>> smtpd.conf file to the 6.4.0p2 format, I'm not able to send or receive
>>>>>> emails properly through the SMTP protocol.
>>>>>> 
>>>>> 
>>>>> [...]
>>>>> 
>>>>>> 
>>>>>> Here is an extract of my smtpd.conf:
>>>>>> 
>>>>>> listen on 127.0.0.1
>>>>>> listen on $lan_addr tls-require pki mail.example.org hostname mail.example.org
>>>>>> listen on $lan_addr smtps pki mail.example.org auth hostname mail.example.org mask-src
>>>>>> listen on $lan_addr port 587 tls-require pki mail.example.org auth hostname mail.example.org mask-src
>>>>>> 
>>>>>> table aliases file:/etc/aliases
>>>>>> table indesirables { "@qq.com" }
>>>>>> 
>>>>>> action distribuer mbox alias <aliases>
>>>>>> action relayer relay
>>>>>> 
>>>>>> match from any mail-from <indesirables> for any reject
>>>>>> match for local action distribuer
>>>>>> match for any action relayer
>>>>>> 
>>>>>> I don't understand my mistake. For information, I compiled the binaries
>>>>>> from the sources; maybe I missed setting something in the Makefile.
>>>>>> Thanks in advance for your support.
>>>>>> 
>>>>> 
>>>>> The problem is that in 6.0.x authenticated users are considered as local
>>>>> sessions and therefore match your last two rules, but this was not right,
>>>>> it led to some configuration being impossible to express.
>>>>> 
>>>>> Starting with 6.4.x, authenticated users are no longer considered local,
>>>>> and rules must explicitly match them:
>>>>> 
>>>>>  match auth from any [...]
>>>>> 
>>>>> The 'auth' criteria is no longer related to the locality, so you're able
>>>>> to write rules that match differently the authenticated users which come
>>>>> from your machine or from others:
>>>>> 
>>>>>  match auth from local [...]
>>>>>  match auth from any [...]
>>>>> 
>>>>> Your new ruleset should have one or two additional match rules I guess.
>>>>> 
>>>>> Also, while at it, it is now also possible to match non-network sessions
>>>>> with:
>>>>> 
>>>>>  match from socket [...]
>>>>> 
>>>>> This used to only be matched by from local but can now also be matched a
>>>>> bit more precisely.
>>>>> 
>>>>> 
>>>>> --
>>>>> Gilles Chehade                                                     
>>>>> @poolpOrg
>>>>> 
>>>>> https://www.poolp.org                 tip me: https://paypal.me/poolpOrg
>>>>> 
>>>>> --
>>>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>>>>> 
>>>> 
>>>> 
>>> 
>>> --
>>> Gilles Chehade                                                       
>>> @poolpOrg
>>> 
>>> https://www.poolp.org                 tip me: https://paypal.me/poolpOrg
>>> 
>> 
>> 
> 
> 
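
Added example, not part of the original thread and not OpenSMTPD code: a small static check for the open-relay question discussed above, flagging any `match` rule that sends mail to a `relay` action from any source to any destination without `auth`. The tokenizer is a simplification that only understands the keywords appearing in this thread, the function names are hypothetical, and the `from local` / `for local` defaults are the ones Gilles states.

```python
import shlex

def parse_match(tok):
    """Parse the tokens after 'match' (simplified: only keywords seen in this thread)."""
    # Defaults as stated in the thread: no "from" means from local, no "for" means for local.
    rule = {"auth": False, "src": "local", "dst": "local", "action": None}
    i = 0
    while i < len(tok):
        t = tok[i]
        if t == "auth":
            # "! auth" negates the criterion, so the session is not authenticated.
            rule["auth"] = not (i > 0 and tok[i - 1] == "!")
        elif t in ("from", "for", "action") and i + 1 < len(tok):
            key = {"from": "src", "for": "dst", "action": "action"}[t]
            rule[key] = tok[i + 1]
            i += 1
        i += 1
    return rule

def open_relay_rules(conf):
    """Return match lines that relay from any source to any destination without auth."""
    relay_actions, matches = set(), []
    for raw in conf.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) >= 3 and tok[0] == "action" and tok[2] == "relay":
            relay_actions.add(tok[1])
        elif tok and tok[0] == "match":
            matches.append((raw.strip(), parse_match(tok[1:])))
    # mail-from is ignored on purpose: the envelope sender is client-supplied.
    return [raw for raw, r in matches
            if r["action"] in relay_actions and not r["auth"]
            and r["src"] == "any" and r["dst"] == "any"]

# Final ruleset from the thread.
THREAD_FINAL = """
action distribuer mbox alias <aliases>
action relayer relay
match auth from any for any action relayer
match from any for domain example.org action distribuer
"""
# Constructed variant: the same ruleset with "auth" dropped from the relay rule.
CONSTRUCTED_OPEN = THREAD_FINAL.replace("match auth from", "match from")

if __name__ == "__main__":
    for name, conf in (("final", THREAD_FINAL), ("auth dropped", CONSTRUCTED_OPEN)):
        print(name, "->", open_relay_rules(conf) or "no unauthenticated any-to-any relay rule")
```

A static check like this complements an external relay test such as the one Matt links; it does not replace it.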

