While this solution should work, it does carry a potential security
risk. If the web servers are on a private subnet with the mail servers,
the risk is pretty much negligible though. The most secure solution is
to have your web servers authenticate themselves.
I don't bother with sendmail, as it's pretty antiquated, difficult to
configure, and postfix is a drop-in replacement for sendmail
functionality. If postfix is available on the servers in question, you
can use postfix instead of sendmail.
Here is a quickie guide to configuring postfix to relay securely to a
toaster (substitute appropriate values where appropriate):
# cd /etc/pki/tls/certs
# make postfix.pem
# cd /etc/postfix
# echo "mail.domain.com:587 [email protected]:password" \
>sasl_passwd
# chmod 600 sasl_passwd
# postmap sasl_passwd
Edit /etc/postfix/main.cf settings:
myorigin = domain.com
#mydestination =
mynetworks_style = host
relayhost = mail.domain.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/postfix.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
It's as simple as that to be secure.
P.S. Anyone care to add this to the wiki? ;)
Andreas Galatis wrote:
Hi Mike,
For my webservers, which send mail via the toaster as relay server, I have the
following rule in /etc/tcprules.d/tcp.smtp:
ip.of.server.dotted:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private",RBLSMTPD="",NOP0FCHECK="1"
The server may relay, no authentication required.
If you use spamdyke you should add the IPs to the whitelist-ip file too.
Andreas
On Thursday 29 October 2009 05:31:47 Mike Canty wrote:
To All,
I now have in place three Qmail Toaster Servers in three different
locations. These servers are part of individual networks, on which there
are other CentOS and RedHat servers.
I am having issues with mail from the other servers as these are running
Sendmail by default. The problem lies in the fact that I can send messages
from the Sendmail servers to the Toasters Servers, as long as they are
within the same network and they are not an alias/forward account.
The real issue is CHKUSER does its job too well and it rejects messages
from the Sendmail servers, if it's to be sent to another account or
network. This is the type of error I get...
@400000004ae9186406b54edc CHKUSER rejected sender: from
<[email protected]::> remote
<backup.mydomain.com:unknown:77.60.23.95> rcpt <> : invalid sender MX
domain
I understand that there are issues with servers that are not really
configured as a full Mail server, but what can I do to rectify this error.
Can someone please let me know what I need to do to the sendmail.cf file to
get around this. Or what needs to be done to the Qmail Toaster settings to
allow the "incorrect MX" issue.
Cheers
Mike Canty
--
-Eric 'shubes'
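A small audit script for the Postfix relay setup Eric describes above (authenticated SASL submission over TLS to the toaster, with a 0600 sasl_passwd). This is an added example written for this page, not code from the thread or from the Postfix project. It parses main.cf and sasl_passwd text, then reports the misconfigurations a defender would want caught: relay without SASL auth, TLS switched off so the password crosses the wire in clear, a relayhost with no matching sasl_passwd entry, a password map readable by other users, and an unrestricted mynetworks. The sample main.cf and sasl_passwd below are constructed to mirror the post's settings; the relay user name is a placeholder.

```python
"""Audit a Postfix client-side relay configuration (main.cf + sasl_passwd).

Added example for this thread; not Postfix's own tooling. The sample inputs
are constructed from the settings quoted in the post.
"""
import os
import stat

# Constructed sample: the main.cf settings from the post, verbatim.
SAMPLE_MAIN_CF = """\
myorigin = domain.com
#mydestination =
mynetworks_style = host
relayhost = mail.domain.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/postfix.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
"""

# Constructed sample: "destination user:password", one per line.
# 'relayuser@domain.com' is a placeholder, not a value from the post.
SAMPLE_SASL_PASSWD = "mail.domain.com:587 relayuser@domain.com:password\n"


def parse_main_cf(text):
    """Return a dict of main.cf parameters.

    Comment and blank lines are skipped; an indented line continues the
    previous parameter's value (Postfix continuation-line syntax).
    """
    settings = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a 'key = value' line; ignore it
        key = key.strip()
        settings[key] = value.strip()
        last_key = key
    return settings


def parse_sasl_passwd(text):
    """Map each sasl_passwd destination to its 'user:password' credential."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dest, _, cred = line.partition(" ")
        entries[dest] = cred.strip()
    return entries


def audit_relay(settings, sasl_entries, passwd_mode):
    """Return a list of findings (empty means the relay setup looks sound).

    passwd_mode is the permission bits of sasl_passwd (e.g. 0o600).
    """
    findings = []
    relayhost = settings.get("relayhost", "")
    if not relayhost:
        findings.append("relayhost is not set")

    if settings.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not 'yes': relay would be unauthenticated")

    # Either the legacy smtp_use_tls switch or a non-'none' security level turns TLS on.
    tls_legacy = settings.get("smtp_use_tls", "no").lower() == "yes"
    tls_level = settings.get("smtp_tls_security_level", "none").lower()
    if not tls_legacy and tls_level == "none":
        findings.append("TLS to the relay is off: the SASL password would be sent in clear")

    # The sasl_passwd lookup key must match relayhost exactly (brackets and port included).
    if relayhost and relayhost not in sasl_entries:
        findings.append("relayhost %r has no entry in sasl_passwd" % relayhost)
    elif relayhost:
        user, _, password = sasl_entries[relayhost].partition(":")
        if not user or not password:
            findings.append("sasl_passwd entry for relayhost lacks a user or a password")

    if passwd_mode & 0o077:
        findings.append("sasl_passwd is readable by group/other (mode %o); use chmod 600" % passwd_mode)

    if settings.get("mynetworks_style", "").lower() != "host" and "mynetworks" not in settings:
        findings.append("mynetworks is not restricted to this host; the subnet may be allowed to relay")
    return findings


def audit_files(main_cf_path="/etc/postfix/main.cf",
                sasl_path="/etc/postfix/sasl_passwd"):
    """Audit the live files on a host (paths default to the ones in the post)."""
    with open(main_cf_path) as fh:
        settings = parse_main_cf(fh.read())
    with open(sasl_path) as fh:
        entries = parse_sasl_passwd(fh.read())
    mode = stat.S_IMODE(os.stat(sasl_path).st_mode)
    return audit_relay(settings, entries, mode)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    ok = audit_relay(parse_main_cf(SAMPLE_MAIN_CF), parse_sasl_passwd(SAMPLE_SASL_PASSWD), 0o600)
    print("post's config:", ok or "no findings")
    weak_cf = SAMPLE_MAIN_CF.replace("smtp_sasl_auth_enable = yes", "smtp_sasl_auth_enable = no")
    for f in audit_relay(parse_main_cf(weak_cf), parse_sasl_passwd(SAMPLE_SASL_PASSWD), 0o644):
        print("weakened config:", f)
```

Run it as-is to see the constructed samples audited; call `audit_files()` on a real host to check the files Eric's recipe creates. The mode check reproduces the reason for his `chmod 600 sasl_passwd` step: the plaintext relay password must not be readable by other local users, and `postmap` copies it into the .db file with the same owner, so that file deserves the same care.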
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]