At 23:34 7/01/99 -0600, Aijaz A. Ansari wrote:
>However, I cannot send mail from within MSOE to domain names that I do
>not host (specifically anyone at interaccess.com). I get the common
>`sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)'
>error. The FAQ suggests I
>a) run qmail-smtpd under tcpserver (I don't think I am now) and
>b) Create /etc/tcp.smtp containing
> 1.2.3.6:allow,RELAYCLIENT=""
> 127.:allow,RELAYCLIENT=""
> ... and so on.

This is not the only way to do this, but is probably best and worth the
effort. You could use inetd and TCPwrappers to do a similar job (but it
does rely on inetd). The info is in the FAQ, just look for hosts.allow and
TCPwrappers.

>1) To do this, do I have to know in advance what the IP addresses for
> which I want to allow relaying are?

Normally yes. There are patches to open relaying on the receipt of a
successful POP3 password authentication (which avoids the open relaying
system). Another (similar in ways) patch allows people to send mail back to
the server via POP. Check http://www.qmail.org/ for more info on both of
these alternatives.

>2) The only user who needs POP3 now is my sister-in-law. If her
> dialup provider (MegsInet) assigns her a variable IP address, would
> I have to effectively allow all IP addresses? Is that a huge
> Netiquette/security no-no?

You can either get her to configure her mail to go through the smtp mail
host at MegsInet (which may or may not re-write the mail headers - beware
of this, might stuff up replies and mailing lists), or...

If you're reasonably happy with her provider (i.e. they've provided you no
spam and aren't known for it) you could allow their IP classes using the
above system. You do not have to give 'everyone' relaying access.

Most likely the place will dynamically assign IPs out of one or 2 (or more
if they are really big) class C's, so you might have to add multiple
statements to either your tcp server rules or hosts.allow to compensate for it.

It's not too big a risk, and it will get the problem out of the way for
now. Just remember to actually do something about it soon, the sooner the
better.

>3) If I can get away with doing it, am I better off not allowing
> POP access at all? I am not planning on being an ISP who offers a
> ton of POP3 accounts. I could probably acquaint my sister-in-law
> with the wonders of pine. :)

POP isn't that bad, but a secure POP like APOP is better. Keeping those
passwords out of the hands of packet sniffers does wonders for security.
*grin*

Stuart Young - [EMAIL PROTECTED] - [EMAIL PROTECTED]
(aka Cefiar) - http://amarok.glasswing.com.au/
[All opinions expressed in the above message are my]
[own and not necessarily the views of my employer..]
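
The per-network relaying rules discussed in this message can be audited before they go live. The following is an added example, not part of the original message: it mimics, for plain IP entries only, the lookup order tcpserver applies to a tcprules file (full address, then shorter dotted prefixes, then the empty default). The 192.0.2. and 198.51.100. networks stand in for the provider's class C ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which clients would get RELAYCLIENT from a tcp.smtp-style file?
# Only plain address/prefix rules are handled; user@ip, =hostname and
# a.b.c.N-M range rules are out of scope.

# Constructed sample rules (documentation ranges, not real provider networks).
sample_rules() {
cat <<'EOF'
127.:allow,RELAYCLIENT=""
192.0.2.:allow,RELAYCLIENT=""
198.51.100.:allow,RELAYCLIENT=""
:allow
EOF
}

# lookup_rule IP RULESFILE -> prints the instructions of the rule that applies
lookup_rule() {
    key=$1
    while :; do
        # a rule applies when its address part (before the first ':') equals $key
        hit=$(awk -v k="$key" '{ i = index($0, ":")
            if (i && substr($0, 1, i - 1) == k) { print substr($0, i + 1); exit } }' "$2")
        [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }
        [ -z "$key" ] && return 1
        # shorten the key: 192.0.2.55 -> 192.0.2. -> 192.0. -> 192. -> ""
        key=${key%.}
        case $key in
            *.*) key=${key%.*}. ;;
            *)   key= ;;
        esac
    done
}

# relays IP RULESFILE -> exit status 0 if that client would be allowed to relay
relays() {
    case $(lookup_rule "$1" "$2") in
        allow*RELAYCLIENT=*) return 0 ;;
        *) return 1 ;;
    esac
}

rules=$(mktemp) && sample_rules > "$rules"
for ip in 127.0.0.1 192.0.2.55 198.51.100.7 203.0.113.9; do
    if relays "$ip" "$rules"; then echo "$ip: relaying allowed"
    else echo "$ip: mail for local domains only"; fi
done
rm -f "$rules"
```

An address outside the listed networks falls through to the bare `:allow` rule and is still bound by rcpthosts, which is the behaviour to confirm after every change to the rules file.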