Dario Rossi <[EMAIL PROTECTED]> wrote:
> CC>You're preventing connections to port 25 completely?
> CC>Please post the contents of your smtp.rules file to be more clear on exactly
> CC>what you are allowing/disallowing.
>
> the rule is :
>
> 127.:allow,RELAYCLIENT=""
Okay, you're not denying connections at all. You're setting the RELAYCLIENT
only if the remote IP address is 127.*.*.* .
> I put the domain foo.com in rcpthosts.
> Now qmail will accept mails for *@foo.com.
> I put a rule in tcpservers to allow relaying only from localhost and
> my LAN hosts.
> Now I telnet to another host, not authorised to do relaying; from here:
>
> telnet my qmail machine port 25
>
> 220 <welcome message>
> helo cippalippa.org
> 250 <welcome message>
> mail from:k
> 250 Ok
> rcpt to:[EMAIL PROTECTED]
> 250 OK
> data
> 354 go ahead
> PRRRRTTT
> .
> 250 ok 976727180 qp 4190
> quit
>
> Well, I think this is not fair.
> In fact anyone could send mails to [EMAIL PROTECTED], [EMAIL PROTECTED] and any other
> standard address, being completely anonymous.
The mail transaction above is not an example of (unauthorized) relaying.
By putting the domain in rcpthosts, you have told qmail-smtpd "I am willing
to accept mail from anyone which has an envelope recipient of
[EMAIL PROTECTED]"
If foo.com is in your locals file, the message will be delivered locally.
If foo.com is in your virtualdomains file, it will be treated as a virtual
domain and delivered to a local user.
If foo.com is in neither locals nor controls, qmail will attempt to deliver
it to the highest priority MX for foo.com, and therefore serve as a
secondary MX for foo.com.
> I think I missed something in configuration or otherwise I didn't understand
> well how qmail works.
Yes, it's a problem with your understanding of qmail. To receive mail
from the world at large, you have to allow everyone to connect to your
SMTP port. You should then accept/reject mail based on the envelope
recipient -- accepting mail which is for addresses in your local domain(s)
and virtual domains (if any), and possibly a few others for which you
provide backup MX service, and rejecting everything else.
Then, in addition, you can set the RELAYCLIENT variable as you did above
for certain IP addresses (typically those on your company LAN or private
network), to allow only those IP addresses to relay mail to anywhere else
in the world through your server. In this case you are serving as a
"smarthost" for dumb clients (like MUAs on Windows machines, etc).
Charles
--
-----------------------------------------------------------------------
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
-----------------------------------------------------------------------
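A small model of the decision Charles describes above (tcpserver rule sets RELAYCLIENT for the client IP, then qmail-smtpd checks the envelope recipient against rcpthosts), added here as an illustration; it is not qmail's code and not part of the thread. It assumes a simplified tcprules matching (whole address components, longest prefix wins; ranges and other tcprules syntax are ignored) and uses a constructed rules file and constructed addresses.

```python
# Added example, not qmail's own code: models RCPT TO acceptance from a
# tcpserver rules file (RELAYCLIENT) plus the rcpthosts control file.
from typing import Optional

# Constructed tcp.smtp rules: localhost and the LAN may relay, everyone else
# may still connect (":allow" is the default rule) but only deliver to rcpthosts.
TCP_SMTP = """127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
"""
# Constructed rcpthosts: foo.com itself, and ".foo.com" for all its subdomains.
RCPTHOSTS = {"foo.com", ".foo.com"}


def tcpserver_env(client_ip: str, rules: str) -> Optional[dict]:
    """Environment set by the best-matching rule, or None if the client is denied.
    Assumption: match by whole address components, longest prefix wins."""
    ip_parts = client_ip.split(".")
    best = None
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, action = line.partition(":")
        pre = prefix.rstrip(".").split(".") if prefix else []
        if ip_parts[: len(pre)] != pre:
            continue
        if best is None or len(prefix) > len(best[0]):
            best = (prefix, action)
    if best is None:
        return None
    verb, _, envs = best[1].partition(",")
    if verb != "allow":
        return None
    env = {}
    for item in filter(None, envs.split(",")):
        name, _, value = item.partition("=")
        env[name] = value.strip('"')
    return env


def rcpt_allowed(rcpt: str, rcpthosts: set, env: dict) -> int:
    """SMTP code for RCPT TO: relaying clients get 250 for any address,
    everyone else only for domains listed in rcpthosts."""
    if "RELAYCLIENT" in env:
        return 250
    domain = rcpt.rpartition("@")[2].lower()
    for host in (h.lower() for h in rcpthosts):
        if domain == host or (host.startswith(".") and domain.endswith(host)):
            return 250
    return 553  # sorry, that domain isn't in my list of allowed rcpthosts


def smtp_session(client_ip: str, rules: str, rcpthosts: set, rcpts: list) -> Optional[dict]:
    """Map each recipient to its RCPT TO code; None if tcpserver refused the connection."""
    env = tcpserver_env(client_ip, rules)
    if env is None:
        return None
    return {r: rcpt_allowed(r, rcpthosts, env) for r in rcpts}
```

Running `smtp_session("203.0.113.9", TCP_SMTP, RCPTHOSTS, [...])` reproduces Dario's transaction: a stranger's mail for *@foo.com is accepted, while the same stranger's mail for a foreign domain gets 553, which is the difference between receiving for your domain and open relaying.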