Re: Does the current ucspi-tcp support hostnames in tcp.smtp?
Charles Cazabon [EMAIL PROTECTED] writes:
> Chris Johnson [EMAIL PROTECTED] wrote:
> > On Tue, Apr 17, 2001 at 05:57:52PM -0700, Frank Precissi wrote:
> > > My question: Does ucspi-tcp support hostnames? If so, would they be added as:
> > > domain.com:allow,RELAYCLIENT=""
> > > or
> > > .domain.com:allow,RELAYCLIENT=""
> >
> > I would guess that this would work. To confirm it, I'd try it and see what happens.

This is not the correct syntax. From http://cr.yp.to/ucspi-tcp/tcprules.html (I've marked hostname related rules with a *):

    Addresses

    tcpserver looks for rules with various addresses:

      1. $TCPREMOTEINFO@$TCPREMOTEIP, if $TCPREMOTEINFO is set;
    * 2. $TCPREMOTEINFO@=$TCPREMOTEHOST, if $TCPREMOTEINFO is set and $TCPREMOTEHOST is set;
      3. $TCPREMOTEIP;
    * 4. =$TCPREMOTEHOST, if $TCPREMOTEHOST is set;
      5. shorter and shorter prefixes of $TCPREMOTEIP ending with a dot;
    * 6. shorter and shorter suffixes of $TCPREMOTEHOST starting with a dot, preceded by =, if $TCPREMOTEHOST is set;
    * 7. =, if $TCPREMOTEHOST is set; and finally
      8. the empty string.

    tcpserver uses the first rule it finds. You should use the -p option to tcpserver if you rely on $TCPREMOTEHOST here.

We use

    =.domain.com:allow,RELAYCLIENT=""
    =domain.com:allow,RELAYCLIENT=""

to allow anything ending with "domain.com" to relay, and also allow the machine named "domain.com" itself to relay.

> I've never used this feature either, but the original poster should beware that allowing relaying based on hostname is insecure; the sender does (or can) have control over their reverse DNS resolution, and can therefore make their IP address resolve to a hostname in your domain, and proceed to spam the internet silly through your system. You then get added to ORBS, RBL, RSS, etc.

Use the "-p" option to prevent this. It checks the reverse DNS to get a hostname, then looks up the hostname to make sure that one of the addresses is the original address. It takes care of the issue above.

From http://cr.yp.to/ucspi-tcp/tcpserver.html:

    * -p: Paranoid. After looking up the remote host name in DNS, look up the IP addresses in DNS for that host name, and remove the environment variable $TCPREMOTEHOST if none of the addresses match the client's IP address.
    * -P: (Default.) Not paranoid.

--ScottG.
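The lookup order and the -p check described in the message above can be modelled offline; this is an added example, not code from ucspi-tcp or from anyone in the thread. The function names, the sample rules and the DNS data (`FORWARD`) are constructed assumptions, and the model only covers dotted IPv4 addresses.

```python
# Added illustration: models the lookup order quoted from tcprules.html and the -p check.
# The rules, hostnames and addresses below are constructed sample data.

def paranoid_host(remote_ip, ptr_name, forward_lookup):
    """Model of -p: keep the PTR name only if it resolves back to the client IP."""
    if ptr_name and remote_ip in forward_lookup(ptr_name):
        return ptr_name
    return None  # $TCPREMOTEHOST removed, so no "=" rule can match

def candidate_keys(remote_ip, remote_host=None, remote_info=None):
    """Yield rule addresses in the order tcpserver looks for them (items 1-8)."""
    if remote_info:
        yield f"{remote_info}@{remote_ip}"
        if remote_host:
            yield f"{remote_info}@={remote_host}"
    yield remote_ip
    if remote_host:
        yield f"={remote_host}"
    octets = remote_ip.split(".")
    for n in range(len(octets) - 1, 0, -1):       # "1.2.3.", "1.2.", "1."
        yield ".".join(octets[:n]) + "."
    if remote_host:
        labels = remote_host.split(".")
        for i in range(1, len(labels)):           # "=.domain.com", "=.com"
            yield "=." + ".".join(labels[i:])
        yield "="
    yield ""

def parse_rules(text):
    """Map each rule's address (text before the first colon) to its instructions."""
    rules = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            addr, _, action = line.strip().partition(":")
            rules[addr] = action
    return rules

def decide(rules, remote_ip, ptr_name, forward_lookup, paranoid=True):
    """Return (matched address, instructions) for the first rule found, else None."""
    host = paranoid_host(remote_ip, ptr_name, forward_lookup) if paranoid else ptr_name
    return next(((k, rules[k]) for k in candidate_keys(remote_ip, host) if k in rules), None)

RULES = parse_rules('=.domain.com:allow,RELAYCLIENT=""\n=domain.com:allow,RELAYCLIENT=""\n:allow\n')
FORWARD = {"dial7.domain.com": ["192.0.2.10"], "mail.domain.com": ["192.0.2.25"]}
lookup = lambda name: FORWARD.get(name, [])

if __name__ == "__main__":
    print(decide(RULES, "192.0.2.10", "dial7.domain.com", lookup))   # forward lookup confirms the PTR
    print(decide(RULES, "203.0.113.5", "mail.domain.com", lookup))   # PTR not confirmed under -p
    print(decide(RULES, "203.0.113.5", "mail.domain.com", lookup, paranoid=False))
```

With the paranoid check the unconfirmed client falls through to the empty-string rule and gets no RELAYCLIENT; with `paranoid=False` the same client matches `=.domain.com`.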
Does the current ucspi-tcp support hostnames in tcp.smtp?
Hi Qmail gurus!

I've been running for about 6 months or so on a small network that houses about 3 class C's. The tcp.smtp file was easy and self-explanatory. Now a 60,000 user sendmail *shudder* machine has been dropped in my lap, and I want to install qmail on it. My only hangup is the tcp.smtp file. Since they are still on the old mbox format, I cannot use relay-ctrl with pop3d.. :(

Back in Nov/Dec of last year you could *not* use a domain name in the tcp.smtp file to allow relaying, it was all IP based. I see in the ucspi-tcp CHANGELOG:

    2311
    ui: switched to prot; so setgid() is preceded by setgroups().
    ui: tcpserver supports -U.
    --ui: tcpserver supports hostname rules. ---
    ui: tcprulescheck now uses environment variables.

I have searched the archives and the website to find only IP examples for the tcp.smtp file. LWQ and the tcpserver manpages only have IP addresses in the tcp.smtp file... Nobody seems to have any other info on hostname based relaying rules.

My question: Does ucspi-tcp support hostnames? If so, would they be added as:

    domain.com:allow,RELAYCLIENT=""

or

    .domain.com:allow,RELAYCLIENT=""

Believe me, I would much rather just add the class C's, but we partnered with a much larger (and crappier) company to offer nationwide dialup access, and I don't want to add all of *their* class C's. I would really like to take the old sendmail access file and chop it up into a suitable tcp.smtp file for qmail to use.

Hopefully I'm not the only idiot asking this question.

Thanks much! qmail rox!

Frank
Re: Does the current ucspi-tcp support hostnames in tcp.smtp?
On Tue, Apr 17, 2001 at 05:57:52PM -0700, Frank Precissi wrote:
> My question: Does ucspi-tcp support hostnames? If so, would they be added as:
> domain.com:allow,RELAYCLIENT=""
> or
> .domain.com:allow,RELAYCLIENT=""

I would guess that this would work. To confirm it, I'd try it and see what happens.

Chris
Re: Does the current ucspi-tcp support hostnames in tcp.smtp?
Chris Johnson [EMAIL PROTECTED] wrote:
> On Tue, Apr 17, 2001 at 05:57:52PM -0700, Frank Precissi wrote:
> > My question: Does ucspi-tcp support hostnames? If so, would they be added as:
> > domain.com:allow,RELAYCLIENT=""
> > or
> > .domain.com:allow,RELAYCLIENT=""
>
> I would guess that this would work. To confirm it, I'd try it and see what happens.

I've never used this feature either, but the original poster should beware that allowing relaying based on hostname is insecure; the sender does (or can) have control over their reverse DNS resolution, and can therefore make their IP address resolve to a hostname in your domain, and proceed to spam the internet silly through your system. You then get added to ORBS, RBL, RSS, etc.

Charles
--
---
Charles Cazabon [EMAIL PROTECTED]
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---