I have a similar question, but perhaps the answer is not so easy.

I use ucspi with great success, but I have a user whose ISP is a university,
and I'm not sure I want to open up access to the university's entire subnet.
However, the user gets a dynamic IP every time he connects.  How can I allow
him SMTP access without opening the door to the entire university?  Granted,
the chance that the university students are spammers looking for open relay
servers is small, but I'd like to avoid taking that chance if I can.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 1999 9:52 PM
Subject: Re: rcpthosts


> Jim,
>
> Is this machine accessible via The Net, or is it behind a firewall?
>
> If it's behind the firewall, you are set.  Just open the darned thing
> up, and be done with it.
>
> If this is available from The [evil] Net, and you don't want to relay
> for the world, you can do two things.
>
> Option 1
> ==============
> Use a different port (port 444 instead of port 25), but have the
> qmail-smtpd that runs on that port accept and relay any mail--this
> falls into the security through obscurity ballgame, and will be frowned
> upon by most qmail-list folks (and I wouldn't recommend it, although you
> could do this)....
>
> So, you create this line in inetd.conf:
>
> 444    stream  tcp     nowait  root    /tmp/relay-kludge.sh
>
> and create this file (/tmp/relay-kludge.sh) with 755 perms (or something
> more restrictive):
>
> #!/bin/sh
> #
> # Every connection on this port is treated as a relay client: an empty
> # RELAYCLIENT tells qmail-smtpd to relay without rewriting recipients.
> export RELAYCLIENT=""
>
> exec /var/qmail/bin/qmail-smtpd
>
>
> And you tell your users to use that port (444) for all of their SMTP
> sessions.
>
> or
>
> Option 2
> ============
> You can run ucspi, which has built-in support for IP-based selective
> relaying.
>
>
> Perhaps you wish not to "complicate" things by running ucspi, but I
> believe quite strongly that it is the best solution in this regard.
> This will also allow you to have finely grained control over what other
> IPs are allowed to relay through your machine, not only your users, but
> also.....a friend who has a static IP, let's say....or maybe you are on
> the road one day, and you need to allow yourself an "open relay"....you
> could shell in and make the change, and then you have a relay....
>
> It's really not a great deal more work to install the ucspi package,
> and it works with qmail (and a dozen other programs) so very well, that
> it's worth the effort to install and configure it.  (Frankly for me,
> it's not about load/concurrency, but configurability....that's why I
> prefer tcpserver--part of the ucspi package--so much.)
>
> If you'd like some example lines, or an introduction to tcpserver,
> respond to me off the list, and I'll give you a few pointers.
>
> -Martin
>
> -------
> On  2 Dec, Jim Hall wrote:
>   : My clients are trying to mail outside the LAN, and receiving a 553 error
>   : "im sorry that domain isnt in my list of rcpthosts".
>   :
>   : Is there any way to allow my clients to mail anyone outside my LAN without
>   : running ucspi-tcp? I only have 6 clients, and do not have high loads, so I'm
>   : sure inetd can handle the process.
>   :
>   : Thanks in advance,
>   : Jim
>   :
>
> --
> Martin A. Brown --- SecurePipe Communications --- [EMAIL PROTECTED]
>

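Added example, not code from either poster: what Option 2's "IP-based selective relaying" looks like as a tcpserver rules file. Each listed address or prefix gets RELAYCLIENT="" (relay allowed), everyone else may connect but only deliver to domains in rcpthosts. The directory /etc/tcprules, the sample prefixes, and the qmaild/nofiles user and group are assumptions for the demo. This covers the static cases the thread describes (a LAN, a friend with a fixed IP); it does not by itself address the dynamic-IP user in the question above, because the rule must name the client's address in advance.

```shell
#!/bin/sh
# Added example: build and compile a tcpserver rules file that grants
# relaying only to listed client IPs/prefixes. RULEDIR is an assumed path.
RULEDIR="${RULEDIR:-/etc/tcprules}"

# Emit tcp.smtp rules. Each argument is a dotted prefix or full address;
# a trailing dot (192.168.1.) matches the whole /24. The final ":allow"
# lets all other hosts connect without RELAYCLIENT, so they can only
# deliver to rcpthosts domains.
make_smtp_rules() {
    for prefix in "$@"; do
        printf '%s:allow,RELAYCLIENT=""\n' "$prefix"
    done
    printf ':allow\n'
}

# Write the rules into $1 and compile them to the cdb that tcpserver reads
# with -x. The compile step is skipped when tcprules is not installed so
# the script still runs stand-alone; the text file is returned either way.
install_smtp_rules() {
    dir="$1"; shift
    mkdir -p "$dir"
    make_smtp_rules "$@" > "$dir/tcp.smtp"
    if command -v tcprules >/dev/null 2>&1; then
        tcprules "$dir/tcp.smtp.cdb" "$dir/tcp.smtp.tmp" < "$dir/tcp.smtp"
    fi
    cat "$dir/tcp.smtp"
}

# Demo with constructed sample values: a LAN prefix and one static-IP friend.
# The matching tcpserver invocation (replacing the inetd line) is:
#   tcpserver -x /etc/tcprules/tcp.smtp.cdb -u qmaild -g nofiles 0 smtp \
#       /var/qmail/bin/qmail-smtpd
if [ "${1:-}" = "--demo" ]; then
    install_smtp_rules "$RULEDIR" 192.168.1. 203.0.113.7
fi
```

Run with `--demo` to write the rules; re-run `tcprules` after every edit, since tcpserver reads only the compiled cdb and picks up the new file on the next connection without a restart.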