Hi,

I'm trying to set up a virtual pop server, and I've run into a problem that I can't solve. I've been talking with a knowledgeable friend and qmail advocate, and I have him stumped. He recommended that I forward my problem to this list, in the hope of finding a solution. Rather than restate everything and probably get something wrong, my discussion with him follows.

qmail is running, I can inject mail into it and it will be delivered. I also have a few accounts set up on it, and mail is being properly delivered to them. I can also mail directly from the command line on the machine.

The problem:

domain.org is the domain that is set up on qmail. [EMAIL PROTECTED] is a valid account on the system. If I try to send mail to any host not listed in control/rcpthosts, it bounces with a 553, "sorry that domain isn't in my list of allowed rcpthosts".

I thought, "That looks suspiciously like a FAQ". Sure enough, question 5.4 seemed relevant, reproduced here for reference:

-------------------------------------------------------------------------------
5.4. How do I allow selected clients to use this host as a relay? I see that qmail-smtpd rejects messages to any host not listed in control/rcpthosts.

Answer: Three steps. First, install tcp-wrappers, available separately, including hosts_options. Second, change your qmail-smtpd line in inetd.conf to

    smtp stream tcp nowait qmaild /usr/local/bin/tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd

(all on one line) and give inetd a HUP. Third, in tcpd's hosts.allow, make a line setting the environment variable RELAYCLIENT to the empty string for the selected clients:

    tcp-env: 1.2.3.4, 1.2.3.5: setenv = RELAYCLIENT

Here 1.2.3.4 and 1.2.3.5 are the clients' IP addresses. qmail-smtpd ignores control/rcpthosts when RELAYCLIENT is set. (It also appends RELAYCLIENT to each envelope recipient address. See question 5.5 for an application.)
--------------------------------------------------------------------------------

I found a message in the mail archives that says that removing rcpthosts will open up the machine, but this is of course not a solution. I moved rcpthosts as a test, and all messages are delivered properly.

My /etc/inetd.conf line reads:

    smtp stream tcp nowait qmaild /usr/sbin/tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd

and my /etc/hosts.allow line reads:

    tcp-env: 209.218.13.127: setenv = RELAYCLIENT

209.218.13.127 is the IP address of my linux box here at home, behind which my Windows box running Eudora (crash.domain.com) lives.

Looking at tcpdmatch, I can't understand why this is being declined:

    [root@sonata tcp_wrappers_7.6]# /usr/sbin/tcpdmatch -d tcp-env 209.218.13.127
    client:   address  209.218.13.127
    server:   process  tcp-env
    access:   granted

>Let's see if I understand what you are doing.
>
>You have a machine which I will call mail.domain.org. You have setup
>qmail as the MTA. If you use a program on that machine to send mail from
>[EMAIL PROTECTED] to [EMAIL PROTECTED], it works. If you go over
>to otherDomain.com and send mail to [EMAIL PROTECTED], it gets delivered.
>
>Correct so far?

This is correct.

>Now you take a windows box, crash.otherDomain.com, and you configure
>Eudora to get mail from mail.domain.org through POP3, and to use
>[EMAIL PROTECTED] as the sender, and that mail.domain.org will be your SMTP
>host.
>
>This doesn't work. Right?

I can pop mail off the server using the [EMAIL PROTECTED] account just fine with Eudora. Mail sent to any valid address in domain.org is delivered properly. The problem comes in sending mail to any domain not listed in control/rcpthosts from any @domain.org account, when the mail originates from the Windows box. mail.domain.org refuses to accept the message for delivery with the mentioned error.

(Here's a handy chart in case anyone is having a problem following that mess:

The domain other.com is in control/rcpthosts.
The domain other2.com is not.

Originating Machine   Sender             Recipient          Result
mail.domain.org       [EMAIL PROTECTED]  [EMAIL PROTECTED]  success
mail.domain.org       [EMAIL PROTECTED]  [EMAIL PROTECTED]  success
mail.domain.org       [EMAIL PROTECTED]  [EMAIL PROTECTED]  success
crash.other.com       [EMAIL PROTECTED]  [EMAIL PROTECTED]  success
crash.domain.org      [EMAIL PROTECTED]  [EMAIL PROTECTED]  success
crash.domain.org      [EMAIL PROTECTED]  [EMAIL PROTECTED]  success
crash.domain.org      [EMAIL PROTECTED]  [EMAIL PROTECTED]  failure
)

>Things to note:
>
>1. qmail does not include a POP3 or IMAP daemon. Tell qmail to use
>mailboxes instead of maildirs and use any daemon, or let qmail use
>maildirs and get a POP3 or IMAP daemon that understands them.

I'm running the qmail-pop3d daemon, and it appears to be working fine.

>2. qmail doesn't want to be insecure out of the box, so it doesn't allow
>relaying. What you want is to set up relaying for the relevant external
>boxes that you want to use mail.baldmonkey.org as their smarthost.

That's what I think I'm doing by adding that odd line to /etc/hosts.allow. I'm referencing question 5.4 in the FAQ, which seems to address my problem.

I think that the problem might be that I don't have hosts_options enabled in my tcp-wrappers. I'm running a 7.6 RedHat RPM, and I don't know if hosts_options is enabled or not. I'm assuming that it is not, based on the docs in the source distribution. Unfortunately, I can't get version 7.5 to compile, and I can't find version 8.
This is the error that I get after running 'make linux' on the 7.6 dist:

    -DBROKEN_SO_LINGER -Dvsyslog=myvsyslog -DALWAYS_HOSTNAME -c diag.c
    cc -O -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK -DDAEMON_UMASK=022 -DREAL_DAEMON_DIR=\"/usr/sbin\" -DPROCESS_OPTIONS -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" -DBROKEN_SO_LINGER -Dvsyslog=myvsyslog -DALWAYS_HOSTNAME -c percent_m.c
    percent_m.c:17: conflicting types for `sys_errlist'
    /usr/include/stdio.h:553: previous declaration of `sys_errlist'
    make[1]: *** [percent_m.o] Error 1
    make[1]: Leaving directory `/usr/local/src/tcp_wrappers_7.6'
    make: *** [linux] Error 2

That's everything. I again apologize for the length of the post, but I wanted to include every snippet of information that I have so far.

I've just subscribed to the list, so if anyone who replies could be so kind as to cc me so I don't miss any messages, I'd appreciate it.

Many thanks,
Todd Finney
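
Added example, not part of the post above and not qmail's own code: a Python model of the RCPT decision that FAQ 5.4 describes, replaying the failing row of the chart under three configurations. The function names and the address someone@other2.com are constructed for illustration; the leading-dot wildcard form of rcpthosts entries comes from qmail's documentation rather than from the post.

```python
# Added illustration, not qmail source: models the RCPT TO check from FAQ 5.4.
# Names and sample addresses are constructed for this example.

def domain_allowed(domain, rcpthosts):
    """Exact entries match one host; '.suffix' entries match its subdomains."""
    domain = domain.lower()
    for entry in (e.strip().lower() for e in rcpthosts):
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif entry and domain == entry:
            return True
    return False

def rcpt_decision(recipient, rcpthosts, env):
    """Return (smtp_code, stored_recipient) for one envelope recipient.

    rcpthosts: list of control/rcpthosts entries, or None if the file is absent.
    env: environment handed to qmail-smtpd by tcp-env.
    """
    relay = env.get("RELAYCLIENT")
    if relay is not None:
        # Set, even to the empty string: rcpthosts is ignored and the
        # variable's value is appended to the recipient.
        return 250, recipient + relay
    if rcpthosts is None or "@" not in recipient:
        # No rcpthosts file means no restriction (an open relay);
        # addresses without a domain part are always accepted.
        return 250, recipient
    if domain_allowed(recipient.rsplit("@", 1)[1], rcpthosts):
        return 250, recipient
    return 553, None  # "sorry that domain isn't in my list of allowed rcpthosts"

RCPTHOSTS = ["domain.org", "other.com"]          # constructed control file
NO_RELAY = {"TCPREMOTEIP": "209.218.13.127"}     # setenv never took effect
RELAY = dict(NO_RELAY, RELAYCLIENT="")           # what hosts.allow should produce

def chart():
    """Replay the post's failing row under three configurations."""
    rcpt = "someone@other2.com"
    return {
        "no RELAYCLIENT": rcpt_decision(rcpt, RCPTHOSTS, NO_RELAY),
        "RELAYCLIENT set": rcpt_decision(rcpt, RCPTHOSTS, RELAY),
        "rcpthosts removed": rcpt_decision(rcpt, None, NO_RELAY),
    }

if __name__ == "__main__":
    for case, result in chart().items():
        print(f"{case:18} -> {result}")
```

In this model a 553 for a client listed in hosts.allow can only come from the first case: qmail-smtpd was started without RELAYCLIENT in its environment, whatever tcpdmatch reports about access being granted.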