Selective Relaying and tcprulescheck

2001-08-01 Thread Scott Zielsdorf

Greetings All,

I have reinstalled qmail EXACTLY via the documentation in LWQ EXCEPT for
installation of the daemontools. I am using daemontools 0.76 and I used the
referenced Web page in the README to install. I have tried all manner of run
files supplied by members of the list - and thank you Robin and others who
sent their run files to me. Still, I cannot get selective relay to work.
qmail is either promiscuous or a virgin but there ain't no in-between when it
comes to relaying.

I did notice in my search of the Web that people were reporting detailed
output from running tcprulescheck /etc/tcp.smtp.cdb.
Here's the contents of my tcp.smtp file (cut and pasted):

127.:allow,RELAYCLIENT=
192.168.10.:allow,RELAYCLIENT=

Yet, when I run tcprulescheck, I get this:

[root@cilinux /etc]# tcprulescheck /etc/tcp.smtp.cdb
default:
allow connection
[root@cilinux /etc]#

If I run tcprulescheck /etc/tcp.smtp.cdb 192.168.10. I get the same output
as above.

I have compiled my rules by both invoking tcprules /etc/tcp.smtp.cdb
/etc/tcp.smtp.tmp < /etc/tcp.smtp <enter> and qmailctl cdb <enter>

Is the minimal output I am seeing from tcprulescheck normal or do I have a
problem there? And if it's a problem - what do I do to fix it?

Thanks,


Scott Zielsdorf
Senior Technical Support Consultant
Computer Instruments IVR Solutions Support Group
Voice: 913.492.1888 x8862 Fax: 913.492.1483




Re: Selective Relaying and tcprulescheck

2001-08-01 Thread Philipp Steinkrüger

Hi Scott,

you have to set and probably export (someone correct me if i am wrong here)
$TCPREMOTEIP before invoking tcprulescheck. then, tcprulescheck will tell
you what will happen to a connection from the ip in $TCPREMOTEIP.
for example if your tcp.smtp file is:

127.:allow,RELAYCLIENT=
192.168.10.:allow,RELAYCLIENT=
:deny (<- default)

and you put 192.168.10.5 in $TCPREMOTEIP then it will tell you

rule :
allow connection 

if you put 63.195.102.4 i.e, then it will tell you: 

rule :
deny connection 


hope that helps you. check the reference page for tcprulescheck:

http://cr.yp.to/ucspi-tcp/tcprulescheck.html 

 

Regards,
Philipp 



 
Philipp Steinkrüger 

Technik
Oberberg Online
Tel.: +49 2261 814240
Fax: +49 2261 814919
www.oberberg.net
[EMAIL PROTECTED] 



Re: Selective Relaying and tcprulescheck

2001-08-01 Thread Charles Cazabon

Scott Zielsdorf [EMAIL PROTECTED] wrote:
 
> I did notice in my search of the Web that people were reporting detailed
> output from running tcprulescheck /etc/tcp.smtp.cdb.
> Here's the contents of my tcp.smtp file (cut and pasted):
>
> 127.:allow,RELAYCLIENT=
> 192.168.10.:allow,RELAYCLIENT=

Which implies :allow .

> Yet, when I run tcprulescheck, I get this:
>
> [root@cilinux /etc]# tcprulescheck /etc/tcp.smtp.cdb
> default:
> allow connection
> [root@cilinux /etc]#
>
> If I run tcprulescheck /etc/tcp.smtp.cdb 192.168.10. I get the same output
> as above.

How are you calling tcprulescheck?  It needs the environment variable.
Try the following:

  TCPREMOTEIP=192.168.10.4 tcprulescheck /etc/tcp.smtp.cdb
 
Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
---
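
Added example, not from any poster or from ucspi-tcp itself: a simplified shell model of the address lookup order that tcprulescheck reports on when TCPREMOTEIP is set, run against rules files quoted on this page. Function and variable names are hypothetical, and only IPv4 address keys are modelled (no TCPREMOTEHOST or TCPREMOTEINFO keys, no address ranges).

```shell
#!/bin/sh
# Simplified model (added example) of the IP part of the rule lookup that
# tcpserver -x and tcprulescheck perform. Keys are tried in this order:
#   1. the full address         192.168.10.5
#   2. shorter dotted prefixes  192.168.10.  192.168.  192.
#   3. the empty key            (a rule written as ":allow" or ":deny")
# If nothing matches, the connection is allowed with no variables set.
# Assumption: hostname/ident keys and address ranges are left out.

# Rules files as posted in the thread (text form, before tcprules compiles them).
RULES_NO_DEFAULT='127.:allow,RELAYCLIENT=
192.168.10.:allow,RELAYCLIENT='

RULES_WITH_DENY='127.:allow,RELAYCLIENT=
192.168.10.:allow,RELAYCLIENT=
:deny'

# A full address followed by a dot, as in the last post on this page.
RULES_TRAILING_DOT='10.1.0.28.:allow,RELAYCLIENT=
:allow'

# find_rule RULES KEY: print the instructions of the rule whose address is
# exactly KEY; print nothing when there is no such rule.
find_rule() {
    while IFS= read -r fr_line; do
        case $fr_line in
            ''|'#'*) continue ;;           # blank line or comment
        esac
        if [ "${fr_line%%:*}" = "$2" ]; then
            printf '%s\n' "${fr_line#*:}"
            return 0
        fi
    done <<EOF
$1
EOF
    return 0
}

# decide RULES IP: print "KEY:VERDICT:RELAY". KEY is the matching rule
# address ("default" when no rule matched), VERDICT is allow or deny, and
# RELAY is "relay" if the rule sets RELAYCLIENT, otherwise "norelay".
decide() {
    d_key=$2
    while :; do
        d_instr=$(find_rule "$1" "$d_key")
        if [ -n "$d_instr" ]; then
            case $d_instr in
                *,RELAYCLIENT=*) d_relay=relay ;;
                *)               d_relay=norelay ;;
            esac
            printf '%s:%s:%s\n' "$d_key" "${d_instr%%,*}" "$d_relay"
            return 0
        fi
        if [ -z "$d_key" ]; then
            break                          # empty key tried, nothing left
        fi
        d_trim=${d_key%.}                  # drop a trailing dot, if any
        case $d_trim in
            *.*) d_key=${d_trim%.*}. ;;    # cut the last octet, keep the dot
            *)   d_key= ;;                 # last key to try is the empty string
        esac
    done
    printf 'default:allow:norelay\n'
}

# The same question tcprulescheck answers for one TCPREMOTEIP value:
for ip in 192.168.10.5 192.168.100.5 63.195.102.4; do
    printf '%-15s no-default=%s  with-deny=%s\n' "$ip" \
        "$(decide "$RULES_NO_DEFAULT" "$ip")" "$(decide "$RULES_WITH_DENY" "$ip")"
done
printf '%-15s trailing-dot=%s\n' 10.1.0.28 "$(decide "$RULES_TRAILING_DOT" 10.1.0.28)"
```

An address outside every listed prefix is still allowed to connect when the file has no `:deny` line, only without RELAYCLIENT, so qmail-smtpd falls back to rcpthosts for it.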



RE: Selective Relaying and tcprulescheck

2001-08-01 Thread Scott Zielsdorf

Thanks Philipp and Charles for the help on this.

Once I set the TCPREMOTEIP variable I did see the rule which now leads me to
the discovery that my Windows workstations - which are DHCP clients - do not
have entries in my DNS. So when qmail does the reverse look up, it can't
resolve the IP.
Short of going off DHCP and putting all my workstations in my DNS, is there
any way to fix this?

Thanks.

 -Original Message-
 From: Philipp Steinkrüger
 Sent: Wednesday, August 01, 2001 10:33 AM

> you have to set and probably export (someone correct me if i am
> wrong here)
> $TCPREMOTEIP before invoking tcprulescheck. then, tcprulescheck
> will tell you what will happen to a connection from the ip in
> $TCPREMOTEIP.




RE: Selective Relaying and tcprulescheck

2001-08-01 Thread Lukas Beeler

At 11:14 01.08.2001 -0500, Scott Zielsdorf wrote:
> Once I set the TCPREMOTEIP variable I did see the rule which now leads me to
> the discovery that my Windows workstations - which are DHCP clients - do not
> have entries in my DNS.

so far, so good. but tell me, what does the TCPREMOTEIP variable have to do
with DNS ?

> So when qmail does the reverse look up, it can't
> resolve the IP.

yes, but where's the problem ?

> Short of going off DHCP and putting all my workstations in my DNS, is there
> any way to fix this?

fix what ? everything will work, even without ptr records...


-- 
--/-/-- Lukas Beeler  [EMAIL PROTECTED] ---\-\--
   \ \  My HomePage: URL:http://www.projectdream.org  / /




Re: Selective Relaying and tcprulescheck

2001-08-01 Thread Charles Cazabon

Scott Zielsdorf [EMAIL PROTECTED] wrote:
 
> Once I set the TCPREMOTEIP variable I did see the rule which now leads me to
> the discovery that my Windows workstations - which are DHCP clients - do not
> have entries in my DNS. So when qmail does the reverse look up, it can't
> resolve the IP.

This shouldn't be a problem if you're setting RELAYCLIENT by IP address
instead of by hostname/domainname.  Even if you're operating tcpserver
in paranoid mode, it only unsets TCPREMOTEHOST if forward and reverse
lookups don't match.

> Short of going off DHCP and putting all my workstations in my DNS, is there
> any way to fix this?

You can stay on DHCP; simply add PTR records for the IP addresses the
DHCP server hands out.  Is it possible that your workstations are being
NATed so that the IP address the mail server sees is not one of the ones
you've configured for relaying?

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
---



Re: Selective Relaying and tcprulescheck

2001-08-01 Thread Greg White

On Wed, Aug 01, 2001 at 11:14:43AM -0500, Scott Zielsdorf wrote:
> Thanks Philipp and Charles for the help on this.
>
> Once I set the TCPREMOTEIP variable I did see the rule which now leads me to
> the discovery that my Windows workstations - which are DHCP clients - do not
> have entries in my DNS. So when qmail does the reverse look up, it can't
> resolve the IP.
> Short of going off DHCP and putting all my workstations in my DNS, is there
> any way to fix this?
>
> Thanks.

What, precisely, needs 'fixing'? Reverse lookup is not a requirement.
Reverse lookup does not 'resolve IPs' -- it gives a PTR to an A record
for the host. TCPREMOTEIP is set based on the connection -- the address
is known, not looked up. What problem are you trying to solve?

GW




RE: Selective Relaying and tcprulescheck

2001-08-01 Thread Scott Zielsdorf

At 11:37 01.08.2001 -0500, Lukas Beeler wrote:

> At 11:14 01.08.2001 -0500, Scott Zielsdorf wrote:
>> Once I set the TCPREMOTEIP variable I did see the rule which now
>> leads me to the discovery that my Windows workstations - which are DHCP
>> clients - do not have entries in my DNS.
>
> so far, so good. but tell me, what does the TCPREMOTEIP variable have to do
> with DNS ?

Ummm...nothing, at this stage, I would guess.

>> So when qmail does the reverse look up, it can't
>> resolve the IP.
>
> yes, but where's the problem ?

The problem is RELAYCLIENT doesn't get set and therefore the relaying rules
in tcp.smtp.cdb do not get invoked - apparently.
The headers in testing show the dialogue between any workstation on my net
with qmail smtp as HELO (machine name) (unknown)
So, I am *assuming* that even though I have -H (Do Not Look Up Remote Host
Name) set in the run file invoking smtp that
some sort of lookup is being done and when it can't resolve I get the
Sorry...you're not in my rcpthosts file message.

>> Short of going off DHCP and putting all my workstations in my
>> DNS, is there any way to fix this?
>
> fix what ? everything will work, even without ptr records...

Alas, NOTHING works with respect to selective relaying. Is it maybe a Linux
net configuration issue? And to re-iterate from an earlier post, I have
followed installation to the letter from LWQ.

Thanks,
Scott




RE: Selective Relaying and tcprulescheck

2001-08-01 Thread Lukas Beeler

At 12:00 01.08.2001 -0500, Scott Zielsdorf wrote:
> At 11:37 01.08.2001 -0500, Lukas Beeler wrote:
>>> So when qmail does the reverse look up, it can't
>>> resolve the IP.
>>
>> yes, but where's the problem ?
>
> The problem is RELAYCLIENT doesn't get set and therefore the relaying rules
> in tcp.smtp.cdb do not get invoked - apparently.

the rules in tcp.smtp have to be set for ip addresses and not for domain names
so if you set them correctly they WILL get invoked..

> The headers in testing show the dialogue between any workstation on my net
> with qmail smtp as HELO (machine name) (unknown)

yes, because the machine doesn't have a PTR record, but that shouldn't make a
problem

> So, I am *assuming* that even though I have -H (Do Not Look Up Remote Host
> Name) set in the run file invoking smtp that
> some sort of lookup is being done and when it can't resolve I get the
> Sorry...you're not in my rcpthosts file message.

it looks like your tcp.smtp file is set up incorrectly. tcpserver gets the
remote ip address from the connection handshake, and that's not any kind of
look up

>>> Short of going off DHCP and putting all my workstations in my
>>> DNS, is there any way to fix this?
>>
>> fix what ? everything will work, even without ptr records...
>
> Alas, NOTHING works with respect to selective relaying. Is it maybe a Linux
> net configuration issue? And to re-iterate from an earlier post, I have
> followed installation to the letter from LWQ.

selective relaying does not need reverse lookups, it is IP based.
i have a private lan running [10.10.1.x addresses] without any server that
is authoritative for 10.10.in-addr.arpa, and it still works, of course.
i have the following line in tcp.smtp
10.10.:allow,RELAYCLIENT=
as you see, we have ip addresses there, and they have nothing to do with PTR
records..


-- 
--/-/-- Lukas Beeler  [EMAIL PROTECTED] ---\-\--
   \ \  My HomePage: URL:http://www.projectdream.org  / /




Re: Selective Relaying and tcprulescheck

2001-08-01 Thread Philipp Steinkrüger

Scott Zielsdorf writes:

> Thanks Philipp and Charles for the help on this.
>
> Once I set the TCPREMOTEIP variable I did see the rule which now leads me to
> the discovery that my Windows workstations - which are DHCP clients - do not
> have entries in my DNS. So when qmail does the reverse look up, it can't
> resolve the IP.
> Short of going off DHCP and putting all my workstations in my DNS, is there
> any way to fix this?

reverse lookup is not the problem. you have IPs in your tcp.smtp file.
you can add an export NODNSCHECK= in the qmail-startup file before
invoking the smtpd, but that's not the problem.

what about charles' idea about NAT ?

did you telnet to port 25 from one of the clients and watch the qmail
logfile ? can you cut and paste a logged try ?


regards,
philipp 

 


 
Philipp Steinkrüger 

Technik
Oberberg Online
Tel.: +49 2261 814240
Fax: +49 2261 814919
www.oberberg.net
[EMAIL PROTECTED] 



Selective Relaying/tcprules check SOLVED!

2001-08-01 Thread Scott Zielsdorf

All,

I am STUPID. I did not know and consequently did not mention that my qmail
was running on my Redhat 7 running xinetd and NOT inetd. xinetd is, as far
as I can find, not covered in the LWQ or 1.03 Install procedure. I installed
tcpserver as LWQ said I should but the xinetd.d/smtp config file was in
charge and it was NOT calling tcpserver but using itself which meant that
tcp.smtp.cdb was not being invoked.

Found this on a web page, I forget where, but it has saved my butt. Thanks
to the guy who posted this:

xinetd.d/smtp config file:

service smtp
{
   flags       = NAMEINARGS
   socket_type = stream
   wait        = no
   user        = qmaild
   server      = /usr/sbin/tcpd
   server_args = /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd
   disable     = no
}

I rebooted and now selective relaying is working like a champ.

Thanks for all the responses and suggestions to my stupid problem, it has
been quite a learning experience.

Scott Zielsdorf
Senior Technical Support Consultant
Computer Instruments IVR Solutions Support Group
Voice: 913.492.1888 x8862 Fax: 913.492.1483




Re: Selective Relaying/tcprules check SOLVED!

2001-08-01 Thread Lukas Beeler

At 15:58 01.08.2001 -0500, Scott Zielsdorf wrote:
> I am STUPID.

nope. inetd / xinetd is stupid

> I did not know and consequently did not mention that my qmail
> was running on my Redhat 7 running xinetd and NOT inetd.

inetd sucks

> xinetd is, as far
> as I can find, not covered in the LWQ or 1.03 Install procedure.

yes
and why ? because it suxx. Use daemontools instead, you would have MUCH
less problems. convert your existing inetd services to daemontools, i am
sure you will be confident with the result.


-- 
--/-/-- Lukas Beeler  [EMAIL PROTECTED] ---\-\--
   \ \  My HomePage: URL:http://www.projectdream.org  / /




Re: Selective Relaying/tcprules check SOLVED!

2001-08-01 Thread Robin S. Socha

On Wed, Aug 01, 2001 at 03:58:01PM -0500, Scott Zielsdorf wrote:
> I am STUPID.
> xinetd.d/smtp config file:
> I rebooted and now selective relaying is working like a champ.
> Senior Technical Support Consultant

Taking these four lines together, the first line makes a lot of
sense... Who on earth gave you root? Hint: man kill



RE: Selective Relaying/tcprules check SOLVED!

2001-08-01 Thread Scott Zielsdorf

LOL! I love abuse!

I gave myself root, my box. I'm a SCO guy or was. First linux I've ever
logged into. Three days ago. Not by choice. So...
I don't care if XINET sucks - which from what I read elsewhere that is
debatable (XINET replaces INET) - and I don't care that Robin lifted his leg
and pissed on me, it was all worth it. Now I can go back to tending my other
hardware and not have to do this linux email job!

And, I likely quoted Robin wrong. Don't care either. Using my own words
against me...hey...I'm on top of the world at the moment. It may change
tomorrow but tomorrow's a whole 'nother day.

Thanks again.






RE: Selective Relaying/tcprules check SOLVED!

2001-08-01 Thread Lukas Beeler

At 16:20 01.08.2001 -0500, Scott Zielsdorf wrote:
> LOL! I love abuse!

i not

> I gave myself root, my box. I'm a SCO guy or was. First linux I've ever
> logged into. Three days ago. Not by choice. So...

if it is your box, why did you install an OS you don't like ?

> I don't care if XINET sucks - which from what I read elsewhere that is
> debatable (XINET replaces INET)

and daemontools/tcpserver fully replace xinetD and inetD

> - and I don't care that Robin lifted his leg
> and pissed on me, it was all worth it.

that's good so.. he makes that by everybody.. i would wonder if he wouldn't
try to piss on djb ;)

> Now I can go back to tending my other
> hardware and not have to do this linux email job!

why did you start to do something you don't like ?

> And, I likely quoted Robin wrong.

you can't do anything right, if robin decides otherwise

> Don't care either. Using my own words
> against me...hey...I'm on top of the world at the moment.

what did you smoke ? ;)

> It may change
> tomorrow but tomorrow's a whole 'nother day.

it's just an advice to use daemontools instead of *inetd



-- 
--/-/-- Lukas Beeler  [EMAIL PROTECTED] ---\-\--
   \ \  My HomePage: URL:http://www.projectdream.org  / /




Re: Selective relaying problem

2001-07-28 Thread Nick Fish


On 2001.07.27 10:54 Michele Schiavo wrote:
> Help me, I use Xinetd and I'm not able to set RELAY client.

Ah!  Gross!  Abort!  Abort!  Seriously, run tcpserver, you will like it
a lot better.  I actually do remember I had xinetd working on one of our
nameservers at one time; but it took me a good five hours crawling
through archives (many in German :-P) to figure it out.

-- 
Nick (Keith) Fish
Network Engineer
Triton Technologies, Inc.
1-800-837-4253




Re: Selective relaying problem

2001-07-27 Thread Michele Schiavo

Help me, I use Xinetd and I'm not able to set RELAY client.

> Scott == Scott Zielsdorf [EMAIL PROTECTED] writes:
>
>> I have just installed qmail 1.03 on a Redhat 7x box.  I cannot get
>> selective relaying to work. I *have* read FAQ 5.4 and scoured the
>> web archives for people with similar problems but I still can't get
>> a resolution.
>
> How are you starting qmail-smtpd? (ie the tcpserver line).
>
> And what instructions did you follow to setup qmail?
> (www.lifewithqmail.org - recommended reading. No - ESSENTIAL reading.)
> or the INSTALL doc? If you followed the INSTALL doc, try re-installing
> qmail by following the lifewithqmail doc. In any case, answer the
> first question and we'll see what we can do...
> --
> There is no reason anyone in the right state of mind will want a
> computer in their home.
>
> - Ken Olson, President of Digital Equipment Corp, 1977
 



Re: Selective relaying problem

2001-07-27 Thread Adrian Ho

On Fri, Jul 27, 2001 at 02:54:49PM +, Michele Schiavo wrote:
> Help me, I use Xinetd and I'm not able to set RELAY client.

I don't use xinetd myself, but man xinetd.conf says you're wrong.
(Hint: Search for the env attribute.)

-- 
Adrian Ho    Tinker, Drifter, Fixer, Bum   [EMAIL PROTECTED]
ListArchive: http://marc.theaimsgroup.com/?l=qmail
Useful URLs: http://cr.yp.to/qmail.html http://www.qmail.org
 http://www.lifewithqmail.org/ http://qmail.faqts.com/



R: Selective relaying problem

2001-07-27 Thread Andrea Cerrito

Is there any particular reason to start qmail from xinetd? You will be able
to solve your problem with tcpserver in a few minutes.

What kind of selective relaying are you searching for? Static or dynamic?
---
Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 0744 5441330
Fax. +39 0744 5441372







RE: Selective Relaying Problem

2001-07-27 Thread Scott Zielsdorf

I sent this reply back to the responder and forgot to email it to the list.

###
> How are you starting qmail-smtpd? (ie the tcpserver line).

Out of the run file in /service/qmail-smtp. Here is the paste of the file:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 200 \
/usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
-u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd 2>&1


This is being called from qmailctl inside the case statement svc -u
/service/qmail-smtp.

> And what instructions did you follow to setup qmail?
> (www.lifewithqmail.org - recommended reading. No - ESSENTIAL reading.)
> or the INSTALL doc? If you followed the INSTALL doc, try re-installing
> qmail by following the lifewithqmail doc. In any case, answer the
> first question and we'll see what we can do...

The install was done by a highly paid Linux/Qmail Consultant - who is
stumped, which is cold comfort to me. I have questioned him at length on
install procedures and he swears to have followed the INSTALL doc to a T.
He has been knowledgeable on other projects and I do have a good amount of
faith in him and his work and while he does have reason to cover his butt
because of his fees, I don't believe he is.

#

I am faced with the prospect of re-installation which I will do myself this
time - but I would rather not have to if there was some other solution.

However, on the subject of re-installation, and forgive me because I have
not researched this in the archives, do I need to de-install qmail before
reinstalling or can I simply overwrite it?

And another newbie type question: I checked out GNUS's homepage. I am a
slave to Outlook. I would like to break the bonds but, uh, I didn't see
anything about a release for NT Server.
Is there one? How do I get it?

Thanks,

Scott Zielsdorf
Senior Technical Support Consultant
Computer Instruments IVR Solutions Support Group




Re: Selective Relaying Problem

2001-07-27 Thread JT

goto /etc/tcprules.d
edit qmail-smtpd

read 'man tcprules' on how to use tcprules

Once you make the appropriate edits you want to do the following.

from the tcprules.d directory

tcprules qmail-smtpd.cdb qmail-smtpd.tmp qmail-smtpd

If it gives you a command/file not found then tcprules isn't aliased so
execute it like this

/usr/local/bin/tcprules qmail-smtpd.cdb qmail-smtpd.tmp qmail-smtpd

After that restart qmail-smtpd which is generally

/etc/rc.d/init.d/qmail-smtpd.init restart

--JT






Selective relaying problem

2001-07-26 Thread Scott Zielsdorf

I have just installed qmail 1.03 on a Redhat 7x box.

I cannot get selective relaying to work. I *have* read FAQ 5.4 and scoured
the web archives for people with similar problems but I still can't get a
resolution.

I want to use this box (Redhat) strictly as an SMTP server for staff inside
the company. Workstations in the office are on the 192.168.10 net and we use
DHCP and NAT.

In the /etc/tcp.smtp file I have the following entries (this is a paste from
the file):

192.168.10.:allow,RELAYCLIENT=
:allow

In /var/qmail/control I have the following settings:

me
cilinux.instruments.com

defaultdomain
instruments.com

locals
localhost

rcpthosts & plusdomain are EMPTY

In examining the headers from mail sent to myself through my primary mail
server, the HELO dialogue properly identifies my machine name and the IP
Address.

In examining the headers from mail sent locally to the qmail box, the HELO
dialogue identifies my machine name but instead of seeing the IP, I see
unknown which leads me to believe that tcp.smtp.cdb is not being executed
because my IP cannot be determined by qmail. If this is the case, why?

And yes, I have run qmailctl cdb after futzing with tcp.smtp and I have run
qmailctl restart extensively as I tinker with the settings.

Anybody? I am getting a little desperate.

Thanks.


Scott Zielsdorf
Senior Technical Support Consultant
Computer Instruments IVR Solutions Support Group
Voice: 913.492.1888 x402 Fax: 913.492.1483




Re: Selective relaying problem

2001-07-26 Thread Brett Randall

Scott == Scott Zielsdorf [EMAIL PROTECTED] writes:

> I have just installed qmail 1.03 on a Redhat 7x box.  I cannot get
> selective relaying to work. I *have* read FAQ 5.4 and scoured the
> web archives for people with similar problems but I still can't get
> a resolution.

How are you starting qmail-smtpd? (ie the tcpserver line).

And what instructions did you follow to setup qmail?
(www.lifewithqmail.org - recommended reading. No - ESSENTIAL reading.)
or the INSTALL doc? If you followed the INSTALL doc, try re-installing
qmail by following the lifewithqmail doc. In any case, answer the
first question and we'll see what we can do...
-- 
There is no reason anyone in the right state of mind will want a
computer in their home.

- Ken Olson, President of Digital Equipment Corp, 1977



selective relaying

2001-07-15 Thread Johannes Huettemeister

hi,

as it seems I don`t really understand selective relaying. I
configured qmail the way that I thought it only would relay for my
localhost, but it also relays for the pcs on the local net.
Here my config files:
I use tcpserver to listen for smtp:

tcp.smtp (before hashing it): 
-
127.0.0.1:allow,RELAYCLIENT=
192.168.0.6:allow,RELAYCLIENT= #the local IP
:allow
--

rcpthosts:
--
hugenay #which is my local pc name
localhost
--

smtproutes:
--
:192.168.0.6
:mailto.btx.dtag.de #which is the smtpserver of my provider,
#that I use for relaying.

So I thought, when a host connects to the smtp port, tcpserver will
allow all, but only set RELAYCLIENT for the mentioned IPs, so
rcpthosts will take effect. Is it the smtproutes files ?
Any Ideas?
johannes






Re: selective relaying

2001-07-15 Thread Henning Brauer

On Sun, Jul 15, 2001 at 09:07:39AM +0200, Johannes Huettemeister wrote:
> hi,
>
> as it seems I don`t really understand selective relaying. I
> configured qmail the way that I thought it only would relay for my
> localhost, but it also relays for the pcs on the local net.

You forgot to mention (and describe precisely) your problem.

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: selective relaying

2001-07-15 Thread Johannes Huettemeister

On Sun Jul 15, 2001 at 11:51:20AM +0200, Henning Brauer wrote:
> On Sun, Jul 15, 2001 at 09:07:39AM +0200, Johannes Huettemeister wrote:
>> hi,
>>
>> as it seems I don`t really understand selective relaying. I
>> configured qmail the way that I thought it only would relay for my
>> localhost, but it also relays for the pcs on the local net.
>
> You forgot to mention (and describe precisely) your problem.

hi henning,
ok, I`ll give it another try: I`m looking for a reason, why my qmail
server allows relaying for the other pcs on my local net. I tried to
configure it only to relay for the localhost. I hope I included all
necessary configuration files in my last mail.
Summary: I don't want to run a relay server for other hosts than
the computer qmail is running on, but actually it seems to me I do.
johannes

ps: and sorry for also sending PM, I forgot to tell mutt about this
list :-)



Re: selective relaying

2001-07-15 Thread Dushyanth Harinath


Hi,
check out...
http://www.palomine.net/qmail/relaying.html

regards
dushyanth



-- 
Dushyanth Harinath
Archean Infotech Limited
Ph No:091-040-3228666,6570704,3228674
http://www.archeanit.com








Re: selective relaying

2001-07-15 Thread Henning Brauer

On Sun, Jul 15, 2001 at 01:03:34PM +0200, Johannes Huettemeister wrote:
> Summary: I don't want to run a relay server for other hosts than
> the computer qmail is running on, but actually it seems to me I do.

You still failed to show us _why_ you think you are relaying. Show us a
complete SMTP session where you think it is relaying but shouldn't, and in
the same mail post the contents of control/rcpthosts and your tcpserver's
access control file.

> ps: and sorry for also sending PM, I forgot to tell mutt about this
> list :-)

Oh yeah, know that ;-))

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: selective relaying

2001-07-15 Thread Johannes Huettemeister

On Sun Jul 15, 2001 at 01:2932PM +0200, Henning Brauer wrote:
 
 You still failed to show us _why_ you think you are relaying. Show us a
 complete SMTP session where you think it is relaying but shouldn't, and in
 the same mail post the contents of control/rcpthosts and your tcpserver's
 access control file.

Hi,
you're totally right, I forgot to post the logs and outputs.
So I telneted from a different host and ...: Relaying was rejected!
So sorry for bothering around, right now I just have _no_ idea why I
thought I'd run an open Relayserver.
Strange thing, must be the headache I got all day...
Thx & sorry for useless traffic.
regards johannes




selective relaying

2001-07-09 Thread ~darkage

I've read the relaying doc at
http://www.palomine.net/qmail/selectiverelay.html, but still I can't get
relaying based on ip going..

This is how I startup qmail, so it works with qmailmrtg   -

env - PATH=/var/qmail/bin:/usr/local/bin \
/usr/local/bin/tcpserver -x /etc/tcp.smtp.cdb -u 2850 -g 32750 0 smtp \
/var/qmail/bin/qmail-smtpd 2>&1 | /var/qmail/bin/splogger smtpd 3 &

env - PATH=/var/qmail/bin:/usr/local/bin \
qmail-start ./Maildir/ | /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t n100 s100 /var/log/qmail &


from the document mentioned above it seems like all u need to do is to add
this -x /etc/tcp.smtp.cdb to tcpserver for qmail-smtpd & to make sure u
have a properly formatted tcp.smtp.cdb file..


This is what my tcp.smtp.cdb looks like -

10.1.0.28.:allow,RELAYCLIENT=
:allow


I've ran tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
too..

hmm still it doesn't override the rcpthosts file..I try to control it
via inetd but that doesn't sound like a good idea..

thanxs for the help.. :)




Re: selective relaying

2001-07-09 Thread David Raistrick

On Tue, 10 Jul 2001, ~darkage wrote:

 from the document mentioned above it seems like all u need to do is to add
 this -x /etc/tcp.smtp.cdb to tcpserver for qmail-smtpd & to make sure u
 have a properly formatted tcp.smtp.cdb file..
 
 
 This is what my tcp.smtp.cdb looks like -

Sounds like you are backwards...you need a tcp.smtp that is formatted
correctly.

 I've ran tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

This then builds the .cdb


so you actually edit /etc/tcp.smtp and make text changes there




--
David Raistrick 
note:  [EMAIL PROTECTED] email should be directed to
 [EMAIL PROTECTED] from now on.




Re: selective relaying

2001-07-09 Thread ~darkage

arrrghh.. you're right, the little dot was the prob..  It must be late I
didn't even notice the dot..

Thanxs for the help.. It's working perfect now.. (:  silly me..

- Original Message -
From: Chris Johnson [EMAIL PROTECTED]
To: ~darkage [EMAIL PROTECTED]
Sent: Monday, July 09, 2001 9:38 AM
Subject: Re: selective relaying


 On Tue, Jul 10, 2001 at 02:35:36AM -0700, ~darkage wrote:
  10.1.0.28.:allow,RELAYCLIENT=
           ^

 You probably don't want that '.' there. You can use this:

 10.1.0.28:allow,RELAYCLIENT=

 to allow just 10.1.0.28 to relay, or:

 10.1.0.:allow,RELAYCLIENT=

 to allow the whole 10.1.0.* network to relay.

 Chris





Re: selective relaying

2001-07-09 Thread Jason Kawaja

On Tue, 10 Jul 2001, ~darkage wrote:

 10.1.0.28.:allow,RELAYCLIENT=

having a trailing dot here is a problem since you are specifying all bits.

/* Regards,
   Jason Kawaja, UF-ECE Sys Admin */





Re: selective relaying

2001-07-09 Thread Scott Gifford

~darkage [EMAIL PROTECTED] writes:

[...]

 This is what my tcp.smtp.cdb looks like -
 
 10.1.0.28.:allow,RELAYCLIENT=
 :allow

Do you mean to say that's what your /etc/tcp.smtp file looks like?

If that's really what's in /etc/tcp.smtp.cdb, that's your problem; it
should be in /etc/tcp.smtp, and the tcprules command you list below
will build /etc/tcp.smtp.cdb, which is a binary file.

If it was just a typo, you'll need to post exactly what happens when
you try to log (what you have looks right), and what the logs say when
it happens.

 I've ran tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
 too..

[...]

Good luck!

ScottG.



Selective relaying

2001-06-21 Thread roger

I've got a box (peculiar.differentpla.net) running qmail, and
qmail-pop3d.  It's working fine when delivering email to local users,
and users can collect their email via POP3.

However, certain of my users connect via an ISP (Pipex Dial), and that
ISP doesn't seem to allow you to send email via their server, unless
you've authenticated with the POP server.  This could be an erroneous
assumption -- I'm trying to diagnose this problem over the phone, and
it's entirely possible that it's something else entirely.

So, to recap: The user in question is using peculiar as the POP3
server, and smtp.dial.pipex.com as the SMTP server.  They can't send
email.

I've suggested changing the SMTP server to peculiar, also.  Now, as I
understand it, this is effectively making myself an open relay --
which is a bad thing.

What solutions are there to this problem?  I'd like to allow people
with local mailboxes (and POP3 access) to send email via peculiar as
well.

Hopefully, I'll be able to diagnose the problem more fully this
weekend, but I'm still interested in how people do this.

Cheers,
Roger.




RE: Selective relaying

2001-06-21 Thread Rodrigo Borges Pereira

u can use relay-ctrl. what it does is smtp only after pop3.

a local user retrieves mail via pop3. relay-ctrl saves his IP for 15minutes.
during those 15minutes, he can use peculiar for smtp. After those 15mins,
relay-ctrl deletes the IP.

this way, your box will never be an open relay. U just have to instruct your
users that they can only send after retrieving.

i use this, and works great.

check qmail's page for where to find the program.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: quinta-feira, 21 de Junho de 2001 23:37
 To: [EMAIL PROTECTED]
 Subject: Selective relaying


 I've got a box (peculiar.differentpla.net) running qmail, and
 qmail-pop3d.  It's working fine when delivering email to local users,
 and users can collect their email via POP3.

 However, certain of my users connect via an ISP (Pipex Dial), and that
 ISP doesn't seem to allow you to send email via their server, unless
 you've authenticated with the POP server.  This could be an erroneous
 assumption -- I'm trying to diagnose this problem over the phone, and
 it's entirely possible that it's something else entirely.

 So, to recap: The user in question is using peculiar as the POP3
 server, and smtp.dial.pipex.com as the SMTP server.  They can't send
 email.

 I've suggested changing the SMTP server to peculiar, also.  Now, as I
 understand it, this is effectively making myself an open relay --
 which is a bad thing.

 What solutions are there to this problem?  I'd like to allow people
 with local mailboxes (and POP3 access) to send email via peculiar as
 well.

 Hopefully, I'll be able to diagnose the problem more fully this
 weekend, but I'm still interested in how people do this.

 Cheers,
 Roger.







Selective Relaying Question

2001-04-04 Thread John Anderson

Hi,

I setup the tcp.smtp.cdb file and am calling it when I start tcpserver,
but I am still getting errors when I try to relay mail from my internal
network.  Here is the call from my tcpserver startup script:

(PATH=/usr/local/qmail/bin; /usr/local/bin/tcpserver
-x/usr/local/etc/ip/tcp.smtp.cdb -v -c40  -u601 -g625 0 smtp qmail-smtpd
2>&1 | splogger smtpd & )

* It's all on one line in the script.

Here is what I used to make the tcp.smtp.cdb file:


192.168.:allow
192.168.:allow,RELAYCLIENT=""
:allow


After changing the tcp.smtp.cdb file I restarted both tcpserver and
qmail.

I'm running Red Hat 7.0, qmail (without using system accounts), and
tcpserver.

Any help would be appreciated.

Thanks.

--John




--
John Anderson
[EMAIL PROTECTED]
Ceeva, Inc.






Re: Selective Relaying Question

2001-04-04 Thread Brett Randall

 "John" == John Anderson [EMAIL PROTECTED] writes:

 Here is what I used to make the tcp.smtp.cdb file:

 192.168.:allow
 192.168.:allow,RELAYCLIENT=""
 :allow

Um...OK!!

MAYBE just try creating /etc/tcp.smtp with the above data in it, then
either run '/etc/rc.d/init.d/qmail cdb' (if you installed as per LWQ),
or type:

tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

And make it world readable by:

chmod 644 /etc/tcp.smtp.cdb

This SHOULD help you out somewhat. Considering that .cdb indicated
BINARY format, not text format.

Brett.
-- 
"Hey, I know this! This is Unix!"

- Jurassic Park



Re: Selective Relaying Question

2001-04-04 Thread Charles Cazabon

John Anderson [EMAIL PROTECTED] wrote:
 
 I setup the tcp.smtp.cdb file and am calling it when I start tcpserver,
 but I am still getting errors when I try to relay mail from my internal
 network.

What errors are you getting?  Please show us the exact text of all error
messages you receive, errors shown in the qmail logs, etc.  Preferably
duplicate the error by telnetting to port 25 from one of your clients which
should be allowed to relay, and show us a transcript of an SMTP session
failing; some MUAs helpfully hide all useful error messages.

 Here is what I used to make the tcp.smtp.cdb file:
 
 192.168.:allow
 192.168.:allow,RELAYCLIENT=""
 :allow

The first line is unnecessary; the second line covers it.  Otherwise, it
looks good.

 After changing the tcp.smtp.cdb file I restarted both tcpserver and
 qmail.

How did you "change" the file?  Did you change tcp.smtp, then run tcprules on
it to create tcp.smtp.cdb?  Please show us.

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



RE: Selective Relaying Question

2001-04-04 Thread Kirti S. Bajwa


192.168.:allow
192.168.:allow,RELAYCLIENT=""
:allow


My understanding is that ":allow" (the last line) will allow anybody to send
email. Is it correct?
Kirti


-Original Message-
From: John Anderson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 04, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Selective Relaying Question


Hi,

I setup the tcp.smtp.cdb file and am calling it when I start tcpserver,
but I am still getting errors when I try to relay mail from my internal
network.  Here is the call from my tcpserver startup script:

(PATH=/usr/local/qmail/bin; /usr/local/bin/tcpserver
-x/usr/local/etc/ip/tcp.smtp.cdb -v -c40  -u601 -g625 0 smtp qmail-smtpd
2>&1 | splogger smtpd & )

* It's all on one line in the script.

Here is what I used to make the tcp.smtp.cdb file:


192.168.:allow
192.168.:allow,RELAYCLIENT=""
:allow


After changing the tcp.smtp.cdb file I restarted both tcpserver and
qmail.

I'm running Red Hat 7.0, qmail (without using system accounts), and
tcpserver.

Any help would be appreciated.

Thanks.

--John




--
John Anderson
[EMAIL PROTECTED]
Ceeva, Inc.





Re: Selective Relaying Question

2001-04-04 Thread Charles Cazabon

Kirti S. Bajwa [EMAIL PROTECTED] wrote:

 :allow
 
 My understanding is that ":allow" (the last line) will allow anybody to send
 email. Is it correct?

No.  This will allow anyone to connect to your SMTP server.  Whether they
can send mail or not depends on the contents of rcpthosts, the envelope
recipient of the message they try to send, and whether the RELAYCLIENT
environment variable is set.

A default rule of :deny almost _never_ makes sense for the .cdb file
controlling access to your SMTP daemon.

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
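
The distinction Charles draws above, between being allowed to connect and being allowed to relay, worked through as an added Python sketch. It is a simplified model of the RCPT TO check, not qmail's own code and not from any poster; the domain names are constructed, and morercpthosts.cdb and full address parsing are left out.

```python
# Simplified model of how qmail-smtpd answers RCPT TO once tcpserver has
# already allowed the connection. Added illustration, not qmail source.

RCPTHOSTS = ["example.org", ".lists.example.org"]   # constructed sample


def host_allowed(host, rcpthosts):
    """True if host, or a suffix of it starting at a dot, is listed."""
    host = host.lower()
    listed = {entry.lower() for entry in rcpthosts}
    starts = [0] + [i for i, ch in enumerate(host) if ch == "."]
    return any(host[i:] in listed for i in starts)


def rcpt_decision(recipient, env, rcpthosts):
    """Return (smtp_code, reason) for one envelope recipient.

    env       -- environment handed to qmail-smtpd (dict)
    rcpthosts -- entries of control/rcpthosts, or None if the file is absent
    """
    if "RELAYCLIENT" in env:
        # Being set is what counts: an empty value still skips the check.
        return 250, "RELAYCLIENT set, relaying for this client"
    if rcpthosts is None:
        return 250, "no rcpthosts file, every domain accepted"
    _local, at, host = recipient.rpartition("@")
    if not at:
        return 250, "no @host part, treated as local"
    if host_allowed(host, rcpthosts):
        return 250, "domain listed in rcpthosts"
    return 553, "domain not in rcpthosts"


def scenarios():
    """SMTP codes for the cases that come up in these threads."""
    outsider = {}                      # matched only the default ':allow'
    lan_client = {"RELAYCLIENT": ""}   # matched a rule that sets RELAYCLIENT
    return {
        "outsider -> local domain": rcpt_decision(
            "bob@example.org", outsider, RCPTHOSTS)[0],
        "outsider -> foreign domain": rcpt_decision(
            "x@elsewhere.example", outsider, RCPTHOSTS)[0],
        "LAN client -> foreign domain": rcpt_decision(
            "x@elsewhere.example", lan_client, RCPTHOSTS)[0],
        # RELAYCLIENT exported for every connection, e.g. by a static
        # 'env = RELAYCLIENT=' line: every client relays.
        "static RELAYCLIENT, any client": rcpt_decision(
            "x@elsewhere.example", {"RELAYCLIENT": ""}, RCPTHOSTS)[0],
        "rcpthosts file missing": rcpt_decision(
            "x@elsewhere.example", outsider, None)[0],
    }


if __name__ == "__main__":
    for name, code in scenarios().items():
        print(code, name)
```

A default `:allow` therefore only admits the connection; an outsider still gets 553 for a foreign domain unless RELAYCLIENT is set for them or rcpthosts is missing.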



Re: Selective Relaying Question

2001-04-04 Thread Charles Cazabon

John Anderson [EMAIL PROTECTED] wrote:
 
 Sorry, it seems that my first message was not as clear as I thought it
 was.  Let me try again.

Excellent, this is somewhat clearer.

 The above is the text format, I then ran this command:
 
  tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
 
 To make the binary.

Good.

What output does the following command produce?

TCPREMOTEIP=192.168.1.1 tcprulescheck /etc/tcp.smtp.cdb

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



Re: Selective Relaying Question

2001-04-04 Thread John Anderson

Hi,

  The above is the text format, I then ran this command:
 
   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
 
  To make the binary.

 Good.

 What output does the following command produce?

 TCPREMOTEIP=192.168.1.1 tcprulescheck /etc/tcp.smtp.cdb

I did this twice:

# TCPREMOTEIP=192.168.1.1 ./tcprulescheck /etc/tcp.smtp.cdb
rule 192.168.:
set environment variable RELAYCLIENT=
allow connection
# TCPREMOTEIP=192.168.0.124 ./tcprulescheck /etc/tcp.smtp.cdb
rule 192.168.:
set environment variable RELAYCLIENT=
allow connection

It looks like I should be able to relay, but cannot.

What should I try next?

Thanks for the help so far.


--John





 Charles
 --
 ---
 Charles Cazabon[EMAIL PROTECTED]
 GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
 Any opinions expressed are just that -- my opinions.
 ---

--
John Anderson
[EMAIL PROTECTED]
Ceeva, Inc.
412.690.2300 x330





Re: Selective Relaying Question

2001-04-04 Thread Dave Sill

John Anderson [EMAIL PROTECTED] wrote:

The above is the text format, I then ran this command:

 tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

To make the binary.

In an earlier message, John wrote:

 Here is the call from my tcpserver startup script:

(PATH=/usr/local/qmail/bin; /usr/local/bin/tcpserver
-x/usr/local/etc/ip/tcp.smtp.cdb -v -c40  -u601 -g625 0 smtp qmail-smtpd
2>&1 | splogger smtpd & )

* It's all on one line in the script.

So, the question is: is it /etc/tcp.smtp.cdb or
/usr/local/etc/ip/tcp.smtp.cdb?

-Dave



Re: Selective Relaying Question

2001-04-04 Thread Timothy Legant

On Wed, Apr 04, 2001 at 11:17:25AM -0400, John Anderson wrote:
 Here is what I used to make the tcp.smtp.cdb file:
 
 192.168.:allow
 192.168.:allow,RELAYCLIENT=""
 :allow
 
 The above is the text format, I then ran this command:
 
  tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

It's interesting that you run this command on files in /etc but your
startup script tells tcpserver that the .cdb file is in
/usr/local/etc/ip .



Re: Selective Relaying Question

2001-04-04 Thread John Anderson

Hi,

Charles Cazabon wrote:

 John Anderson [EMAIL PROTECTED] wrote:
 
   What output does the following command produce?
  
   TCPREMOTEIP=192.168.1.1 tcprulescheck /etc/tcp.smtp.cdb
 
  # TCPREMOTEIP=192.168.1.1 ./tcprulescheck /etc/tcp.smtp.cdb
  rule 192.168.:
  set environment variable RELAYCLIENT=
  allow connection

 Everything fine so far.

  It looks like I should be able to relay, but cannot.

 The .cdb file is correct; we've verified it.  The problem is therefore one
 of the following:

 -you're not actually running qmail-smtpd from tcpserver

(PATH=/usr/local/qmail/bin; /usr/local/bin/tcpserver -x/etc/tcp.smtp.cdb -v -c40
-u601 -g625
0 smtp qmail-smtpd 2>&1 | splogger smtpd & )

 -your tcpserver invocation for qmail-smtpd is not referring to this .cdb

I've got tcp.smtp.cdb in both /etc and /usr/local/etc/ip.  I left a copy in
/etc, changed the startup script, and restarted tcpserver.

 -tcpserver can't read this .cdb

I chmoded the file to 777

 -your connections are actually coming from IP address you haven't set  the
 rules for

In the last email I posted (with the results of tcprules), the second IP I
tested is the IP of my box.

 Please post the script you're starting tcpserver/qmail-smtpd with.  I think
 you did this early on, but I don't remember its contents.

I posted the line for qmail-smtpd with, I can post the entire script if you'd
like.

 Did you edit this script?  If so, did you remember to stop and re-start
 tcpserver?

Yes and Yes.

 Are there any log messages from tcpserver?

This is it:

Apr  4 12:51:48 localhost smtpd: 986403108.545991 tcpserver: status: 1/40
Apr  4 12:51:48 localhost smtpd: 986403108.546582 tcpserver: pid 18906 from 209.114.187.226
Apr  4 12:51:48 localhost smtpd: 986403108.563452 tcpserver: ok 18906 :209.114.187.227:25 :209.114.187.226::62174
Apr  4 12:51:48 localhost smtpd: 986403108.566188 tcpserver: end 18906 status 0
Apr  4 12:51:48 localhost smtpd: 986403108.566510 tcpserver: status: 0/40


Thanks.


--John





 Charles
 --
 ---
 Charles Cazabon[EMAIL PROTECTED]
 GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
 Any opinions expressed are just that -- my opinions.
 ---

--
John Anderson
[EMAIL PROTECTED]
Ceeva, Inc.
412.690.2300 x330





Re: Selective Relaying Question

2001-04-04 Thread Johan Almqvist

* John Anderson [EMAIL PROTECTED] [010404 19:59]:
TCPREMOTEIP=192.168.1.1 tcprulescheck /etc/tcp.smtp.cdb
   # TCPREMOTEIP=192.168.1.1 ./tcprulescheck /etc/tcp.smtp.cdb
   rule 192.168.:
   set environment variable RELAYCLIENT=
   allow connection
 Apr  4 12:51:48 localhost smtpd: 986403108.545991 tcpserver: status: 1/40
 Apr  4 12:51:48 localhost smtpd: 986403108.546582 tcpserver: pid 18906 from 209.114.187.226
 Apr  4 12:51:48 localhost smtpd: 986403108.563452 tcpserver: ok 18906 :209.114.187.227:25 :209.114.187.226::62174
 Apr  4 12:51:48 localhost smtpd: 986403108.566188 tcpserver: end 18906 status 0
 Apr  4 12:51:48 localhost smtpd: 986403108.566510 tcpserver: status: 0/40

I hope you weren't intentionally masking your IP addresses to the 192.168
stuff. If you did, the only one you fooled was yourself.

The IP addresses in the logs are 209.114.187.226 (remote) and 209.114.187.227
(local). 209.114 != 192.168.

-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/
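
Two failures from these threads, a rule with a trailing dot after a full address and rules written for addresses the clients do not actually connect from, can both be caught by replaying logged client IPs against the rules. The following is an added Python sketch, not part of ucspi-tcp and not from any poster: it models only the IP part of the rule lookup (no hostname or ident rules, no address ranges), and the rules and log lines are constructed samples in the formats quoted above.

```python
import re

# Constructed rules in tcp.smtp text form (what tcprules compiles to .cdb).
# The second rule carries the trailing dot discussed in the earlier thread.
RULES_TEXT = '''\
192.168.:allow,RELAYCLIENT=""
10.1.0.28.:allow,RELAYCLIENT=""
:allow
'''

# Constructed tcpserver -v log lines in the format quoted in this thread.
LOG_TEXT = '''\
Apr  4 12:51:48 mail smtpd: 986403108.546582 tcpserver: pid 18906 from 203.0.113.226
Apr  4 12:52:10 mail smtpd: 986403130.101200 tcpserver: pid 18911 from 192.168.0.124
Apr  4 12:53:02 mail smtpd: 986403182.334100 tcpserver: pid 18920 from 10.1.0.28
'''

PID_FROM = re.compile(r"tcpserver: pid (\d+) from (\d+\.\d+\.\d+\.\d+)")


def parse_instruction(ins):
    """Split 'allow,VAR="value",...' into (action, env dict)."""
    m = re.match(r"allow|deny", ins)
    if not m:
        raise ValueError("instruction must start with allow or deny: %r" % ins)
    action, env, pos = m.group(0), {}, m.end()
    while pos < len(ins):
        eq = ins.find("=", pos)
        if ins[pos] != "," or eq < 0 or eq + 1 >= len(ins):
            raise ValueError("bad variable setting in %r" % ins)
        quote = ins[eq + 1]               # any repeated character may delimit
        end = ins.find(quote, eq + 2)
        if end < 0:
            raise ValueError("unterminated value in %r" % ins)
        env[ins[pos + 1:eq]] = ins[eq + 2:end]
        pos = end + 1
    return action, env


def parse_rules(text):
    """Map address -> (action, env). Use each address once in the input."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            address, _, ins = line.partition(":")
            rules[address] = parse_instruction(ins)
    return rules


def lookup(rules, ip):
    """Return (matched address, action, env) for a client IP.

    Search order for an IP-only client: the full address, then shorter and
    shorter prefixes ending in a dot, then the empty (default) address.
    """
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return (key,) + rules[key]
    return None, "allow", {}      # no rule at all: connection is allowed


def audit_log(rules, log_text):
    """For every client IP in the log: (ip, rule hit, action, may relay)."""
    report = []
    for _pid, ip in PID_FROM.findall(log_text):
        key, action, env = lookup(rules, ip)
        report.append((ip, key, action, "RELAYCLIENT" in env))
    return report


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for ip, key, action, relay in audit_log(RULES, LOG_TEXT):
        print("%-16s rule %-10r %s relay=%s" % (ip, key, action, relay))
```

In the sample, 10.1.0.28 falls through to the default rule because the key `10.1.0.28.` is never one of the addresses looked up, and the public client never touches the `192.168.` rule.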



Re: Selective Relaying Question

2001-04-04 Thread John Anderson

Ok, call me stupid.  I forgot how our network was setup for a minute (Ok maybe
longer).

That fixed everything.

Thanks everyone for all of the help!


--John





Johan Almqvist wrote:

 * John Anderson [EMAIL PROTECTED] [010404 19:59]:
 TCPREMOTEIP=192.168.1.1 tcprulescheck /etc/tcp.smtp.cdb
# TCPREMOTEIP=192.168.1.1 ./tcprulescheck /etc/tcp.smtp.cdb
rule 192.168.:
set environment variable RELAYCLIENT=
allow connection
  Apr  4 12:51:48 localhost smtpd: 986403108.545991 tcpserver: status: 1/40
  Apr  4 12:51:48 localhost smtpd: 986403108.546582 tcpserver: pid 18906 from 209.114.187.226
  Apr  4 12:51:48 localhost smtpd: 986403108.563452 tcpserver: ok 18906 :209.114.187.227:25 :209.114.187.226::62174
  Apr  4 12:51:48 localhost smtpd: 986403108.566188 tcpserver: end 18906 status 0
  Apr  4 12:51:48 localhost smtpd: 986403108.566510 tcpserver: status: 0/40

 I hope you weren't intentionally masking your IP addresses to the 192.168
 stuff. If you did, the only one you fooled was yourself.

 The IP addresses in the logs are 209.114.187.226 (remote) and 209.114.187.227
 (local). 209.114 != 192.168.

 -Johan
 --
 Johan Almqvist
 http://www.almqvist.net/johan/qmail/

   

--
John Anderson
[EMAIL PROTECTED]
Ceeva, Inc.
412.690.2300 x330





Re: Selective relaying -Nonstandard style, tough one. Anyone got any ideas? A challenge!

2001-03-09 Thread Michael T. Babcock

Orie wrote:

 I am hoping to set up a Qmail (my favorite) smtp gateway (our mail is
 already routing out one, exchange's sucks) that can somehow allow relaying
 based on "FROM" (Aka from [EMAIL PROTECTED]) or allow the relay based on a
 keyword in the message. Or perhaps someone has a better idea?

Why not use AUTH SMTP patches?  If your E-mail clients support 
authenticated SMTP (many do), then you don't need to add those clients 
to a relay list at all.

See http://www.qmail.org/




Selective relaying -Nonstandard style, tough one. Anyone got any ideas? A challenge!

2001-03-08 Thread Orie

Let's see if I can explain this well.

We currently have a piece of software that sends out mail. This piece of
software is located on machines all around the US. These machines are used
by our clients, who can send out mail on behalf of a user; [EMAIL PROTECTED]
They connect to our exchange (BLAH) server, which is an open relay (yes, I
explained why NOT to do this years ago) so that the machines out on the net
CAN relay [EMAIL PROTECTED] They also never bothered to add security to those
machines. The problem is, we need to lock down our open relay (people found
us and are using us for relaying, thus getting us blocked... big surprise..)
AND allow these machines to relay selectively without modifying the machines
themselves. There are WAY too many (and variable) ips to manually add the ips
of each machine.

I am hoping to set up a Qmail (my favorite) smtp gateway (our mail is
already routing out one, exchange's sucks) that can somehow allow relaying
based on "FROM" (Aka from [EMAIL PROTECTED]) or allow the relay based on a
keyword in the message. Or perhaps someone has a better idea?

Many many thanks!

-Elliott








Re: Selective relaying -Nonstandard style, tough one. Anyone got any ideas? A challenge!

2001-03-08 Thread Chris Johnson

On Thu, Mar 08, 2001 at 06:02:59PM -0800, Orie wrote:
 I am hoping to set up a Qmail (my favorite) smtp gateway (our mail is
 already routing out one, exchange's sucks) that can somehow allow relaying
 based on "FROM" (Aka from [EMAIL PROTECTED]) or allow the relay based on a
 keyword in the message. Or perhaps someone has a better idea?

This patch will allow you to relay based on envelope sender address:
http://www.palomine.net/qmail/relaymailfrom.html. You may consider combining
this with tarpitting: http://www.palomine.net/qmail/tarpit.html. Both patches
are combined here: http://www.palomine.net/qmail/tarpit+relaymailfrom.patch.

Does your software send something special when it says HELO during the SMTP
conversation? It should be too hard to patch qmail-smtpd to look for this and
allow relaying only if it sees it.

Chris



Re: Selective relaying -Nonstandard style, tough one. Anyone got any ideas? A challenge!

2001-03-08 Thread Chris Johnson

On Thu, Mar 08, 2001 at 09:08:32PM -0500, Chris Johnson wrote:
 Does your software send something special when it says HELO during the SMTP
 conversation? It should be too hard to patch qmail-smtpd to look for this and
 allow relaying only if it sees it.

s/should/shouldn't/

Chris



Re: Selective relaying with tcpserver

2001-02-12 Thread vinces

Abdul Elhati writes:

 hi
 I'm using RedHat 6.2 + qmail + vpopmail
 I'm using 10.0 schema for my local network.
 I want all my local users to relay mail EXCEPT a specific IP address " e.g.
 10.0.0.10 "

10.0.0.10:allow
10.0.:allow,RELAYCLIENT="" 

URL:http://cr.yp.to/ucspi-tcp/tcprules.html
  tcpserver uses the first rule it finds. 

Vince. 



Re: Selective relaying with xinetd

2001-02-12 Thread Erwin Hoffmann

Hi,


At 18:19 11.2.2001 -0500, Kari Suomela wrote:
I am still having a problem getting selective relaying to work. Here is 
my smtp file:

service smtp
{
  disable  = no
  socket_type = stream
  protocol= tcp
  wait = no
  user = qmaild
  server  = /var/qmail/bin/tcp-env
  server_args = /var/qmail/bin/qmail-smtpd
  env  = RELAYCLIENT=
}


Actually, this is not your SMTP file rather the section "SMTP" in
/etc/xinetd.conf.

The problem is that this creates a wide open relay. "only_from" doesn't 
seem the right alternative, since it blocks incoming mail from other 
addresses.

Sure it does in your configuration. Unlike TCPSERVER, XINETD doesn't give
you the possibility to dynamically assign IP-Addresses to the
Environment-Variable "RELAYCLIENT".

How would I properly allow relaying from our local net, and block 
others?

3 possible solutions:
1. Provide those IP-Addresses (to allow relay for) statically by XINETD
mechanisms (man xinetd.conf).
2. Keep your xinetd.conf settings (except for the RELAYCLIENT variable) and
use Chris Johnson's RELAYCLIENT patch or my SPAMCONTROL patch.
3. Use XINETD for all Services/Daemons EXCEPT SMTP. Move to tcpserver instead.
Coexisting of XINETD and TCPSERVER is guaranteed.

For more detail see my QMAIL web page: 

http://www.fehcom.de/qmail_en.html


cheers.
eh.

 KS

 
   KARICO Business Services  
   Toronto, ON Canada  http://www.ksbase.com 
 

... Postmen never die, they just lose their zip.


Dr. Erwin Hoffmann
http://www.fehcom.de
Wiener Weg 8, 50858 Koeln
Tel 0221 484 4923, Fax 0221 484 4924



Re: Selective relaying with xinetd

2001-02-12 Thread Charles Cazabon

Kari Suomela [EMAIL PROTECTED] wrote:
 
  CC Switch to tcpserver.
 
 I have looked at it and it seems overkill for a small server. As I also 
 have pretty well everything else working ok under xinetd, I'd like to 
 solve this last issue.

It's not overkill.  tcpserver is particularly well suited to small servers;
it's less resource intensive than any of the alternatives.

To allow SMTP-after-POP3, you'll have to selectively set the RELAYCLIENT
environment variable only for a continuously changing set of IP addresses.
I don't think xinetd lets you do that (I could be wrong), so I don't think
it's going to work.

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



Selective relaying with xinetd

2001-02-11 Thread Kari Suomela

I am still having a problem getting selective relaying to work. Here is
my smtp file:

service smtp
{
  disable  = no
  socket_type = stream
  protocol= tcp
  wait = no
  user = qmaild
  server  = /var/qmail/bin/tcp-env
  server_args = /var/qmail/bin/qmail-smtpd
  env  = RELAYCLIENT=
}

The problem is that this creates a wide open relay. "only_from" doesn't
seem the right alternative, since it blocks incoming mail from other
addresses.

How would I properly allow relaying from our local net, and block
others?

 KS

 KARICO Business Services
 Toronto, ON Canada  http://www.ksbase.com

... Postmen never die, they just lose their zip.




Re: Selective relaying with xinetd

2001-02-11 Thread Charles Cazabon

Kari Suomela [EMAIL PROTECTED] wrote:
 I am still having a problem getting selective relaying to work. Here is 
 my smtp file:

Looks like xinetd.

 How would I properly allow relaying from our local net, and block 
 others?

Switch to tcpserver.  Chances are you can get it set up correctly in
thirty minutes or less if you follow Life with qmail, and there are more
eyes here familiar with tcpserver configuration than with xinetd.

Charles
-- 
---
Charles Cazabon[EMAIL PROTECTED]
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



Re: Selective relaying with xinetd

2001-02-11 Thread Jason Radford


As a very new qmail guy (1 day) I would recommend the url:

http://www.palomine.net/qmail/selectiverelay.html

Had me in and out in 10 minutes, switching from inetd to tcpserver
(thanks Chris Johnson if you're on this list!).

Only caveat I ran into was 127.0.0.1 (localhost) has to go in there
too along with valid IP's if you need it, that goofed me up for 4-5 minutes
doing tests with telnet localhost 25.

-Jason

 
 Switch to tcpserver.  Chances are you can get it set up correctly in
 thirty minutes or less if you follow Life with qmail, and there are more
 eyes here familiar with tcpserver configuration than with xinetd.
 
 Charles
 -- 
 ---
 Charles Cazabon[EMAIL PROTECTED]
 GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
 Any opinions expressed are just that -- my opinions.
 ---
 



Selective relaying with xinetd

2001-02-11 Thread Kari Suomela


Sunday February 11 2001 21:03, Charles Cazabon wrote to All:

 CC Looks like xinetd.

  How would I properly allow relaying from our local net, and block
  others?

 CC Switch to tcpserver.  Chances are you can get it set up correctly in
 CC thirty minutes or less if you follow Life with qmail, and there are

I have looked at it and it seems overkill for a small server. As I also 
have pretty well everything else working ok under xinetd, I'd like to 
solve this last issue.

 KS





Selective relaying with tcpserver

2001-02-11 Thread Abdul Elhati

hi
I'm using RedHat 6.2 + qmail + vpopmail
I'm using 10.0 schema for my local network.
I want all my local users to relay mail EXCEPT a specific IP address " e.g.
10.0.0.10 "
is there anyway to setup the tcp.smtp file in order to get this result ??
regards
Abdul




Selective relaying from internal network

2001-02-07 Thread John P

I have a Qmail server that runs on a network of Windows PC's, all on
10.0.0.* and masqueraded behind a Linux router box that serves everything on
a single public IP address. This linux router portforwards ports 25 and 110
on the external IP to the internal Qmail box.

I don't currently have DNS working (properly) on the internal network, and
the windows PC's all find each other by NetBIOS broadcasts..

So (the Qmail bit) If I want Qmail to accept incoming SMTP connections from
any of the 'inside' Windows PC's, do I have to add 10.0.0. to /etc/tcp.smtp
(as detailed in LWQ/Chris Johnson's document)? I am not in the office so I
can't currently test it, and I don't want to have to talk a user through
doing it ;-)

I have external relaying working fine from my own 'at home' IP address.

Cheers
John





Re: Selective relaying from internal network

2001-02-07 Thread Matthew Patterson

On Wed, 07 Feb 2001, John P wrote:
I have a Qmail server that runs on a network of Windows PC's, all on
10.0.0.* and masqueraded behind a Linux router box that serves everything on
a single public IP address. This linux router portforwards ports 25 and 110
on the external IP to the internal Qmail box.

I don't currently have DNS working (properly) on the internal network, and
the windows PC's all find each other by NetBIOS broadcasts..

So (the Qmail bit) If I want Qmail to accept incoming SMTP connections from
any of the 'inside' Windows PC's, do I have to add 10.0.0. to /etc/tcp.smtp
(as detailed in LWQ/Chris Johnson's document)? I am not in the office so I
can't currently test it, and I don't want to have to talk a user through
doing it ;-)

I have external relaying working fine from my own 'at home' IP address.

Cheers
John

you should have 10.0.0. in /etc/tcp.smtp regardless of whether dns works or not. also, 
until you get dns working for the internal computers, you can either:
1. set up the netbios portion of samba on the qmail box.
2. set up a wins server (if you have a spare NT server)
3. add 'mail.whatever.domainqmail.internal.ip.address' to c:\windows\hosts (plain 
text) either manually, with a batch file or as part of a logon script for the client
machines.

-- 
***
Matthew H Patterson
Unix Systems Administrator
National Support Center, LLC
Naperville, Illinois, USA
***



How to setup selective relaying at qmail

2000-09-20 Thread Paulus Hendarwan

Dear Qmail-ers,

I want to setup selective relaying at my qmail servers
but until now I still got open.
My qmail server running on AIX v4.3.3 platform.
How to implement POP-before-SMTP at qmail ?
Thanks in advance.



Best Regards,
Paulus Hendarwan




RE: How to setup selective relaying at qmail

2000-09-20 Thread Brett Randall

 How to implement POP-before-SMTP at qmail ?

Look at open-smtp on www.qmail.org/top.html. The doco isn't very good
(actually, it's crap but I think Russ was paid to make it by a client, then
distributed it after without doco for free, so that's understandable). But
take a look, and I hope you have some initiative, cos you're gonna need
it...

/BR


Manager
InterPlanetary Solutions
http://ipsware.com/




Re: selective relaying: two smtpd´s?

2000-06-28 Thread Markus Stumpf

On Fri, Jun 23, 2000 at 04:47:44PM +0200, Thilo Bangert wrote:
 i absolutely need to allow my pop3 users relaying, for which i want to use
 relay-ctrl (is there a better solution out there). but that would mean the

You don't need TWO smtp daemons.
That's why it's called *relay* control.
Just RFTM relay-control-age.8 and put the following line in (standard
setup as referenced in relay-control manuals assumed) the file
/etc/tcpcontrol/smtp.rules (starting at char position 0)
 :allow

\Maex

-- 
SpaceNet GmbH |   http://www.Space.Net/   | Stress is when you wake
Research  Development| mailto:[EMAIL PROTECTED] | up screaming and you
Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0| realize you haven't
D-80807 Muenchen  |  Fax: +49 (89) 32356-299  | fallen asleep yet.



selective relaying: two smtpd´s?

2000-06-26 Thread Thilo Bangert

Hi all,

i am setting up a qmail server and am going to serve both smtp and pop3.
this has probably been asked many times, but i could not find it in a faq.
(please, give me guidance)

i absolutely need to allow my pop3 users relaying, for which i want to use
relay-ctrl (is there a better solution out there). but that would mean the
smtp-port would be blocked for any connections, except those made available
by relay-ctrl, so no mailserver could deliver email for my users.
I figured, a way to get around this would be to have to qmail-smtpd´s
running: one allowing selective relay by using rcpthosts (incoming smtp),
and another being made available by relay-ctrl (outgoing smtp).

Am i correct?

If yes, is it possible practically. I only have one machine, but I do have
several IP´s. If it is possible, how?

thanks

thilo




Re: selective relaying: two smtpd´s?

2000-06-26 Thread Wolfgang Walter

On Fri, Jun 23, 2000 at 04:47:44PM +0200, Thilo Bangert wrote:
 Hi all,
 
 i am setting up a qmail server and am going to serve both smtp and pop3.
 this has probably been asked many times, but i could not find it in a faq.
 (please, give me guidance)
 
 i absolutely need to allow my pop3 users relaying, for which i want to use
 relay-ctrl (is there a better solution out there). but that would mean the
 smtp-port would be blocked for any connections, except those made available
 by relay-ctrl, so no mailserver could deliver email for my users.
 I figured, a way to get around this would be to have to qmail-smtpd´s
 running: one allowing selective relay by using rcpthosts (incoming smtp),
 and another being made available by relay-ctrl (outgoing smtp).
 
 Am i correct?
 
 If yes, is it possible practically. I only have one machine, but I do have
 several IP´s. If it is possible, how?
 
 thanks
 
 thilo
 

How do you start qmail-smtpd? If you use inetd this is a little bit difficult.

One way to do that is: assign 2 ip-addresses to your mailserver. Use one
address to receive mail from outside with qmail, the other one for relaying.

You can even use qmail for both tasks.

We for example use xinetd to start qmail-smtp:

10.20.30.10 is for relaying your clients
10.20.31.11 is for receiving

Be 10.20.30.0/19 your network (where your clients are):

-
service smtp
{
id  = mailout-smtpd
socket_type = stream
protocol= tcp
interface   = 10.20.30.10
wait= no
user= qmaild
server  = /var/qmail/bin/tcp-env
server_args = /var/qmail/bin/qmail-smtpd
only_from   = 10.20.30.0/19
env = RELAYCLIENT=
}

service smtp
{
id  = mailin-smtpd
socket_type = stream
protocol= tcp
interface   = 10.20.30.11
wait= no
user= qmaild
server  = /var/qmail/bin/tcp-env
server_args = /var/qmail/bin/qmail-smtpd
no_access   = 10.20.30.0/19
}
--

Use rcpthosts to restrict qmail-smtpd to only receive for your domains
Setting the environment variable RELAYCLIENT when your clients access
qmail via 10.20.30.10 switch rcpthosts for them off. With only_from you
control that only hosts in your network can access qmail with RELAYCLIENT
set.

Of course, you can start relay-ctrl instead of qmail-send.

And xinetd is not the only superdaemon you could use (I think there is one
from Bernstein, too) but it is part of a lot of distributions.


Greetings

Wolfgang



Re: selective relaying: two smtpd´s?

2000-06-26 Thread Thilo Bangert


- Original Message -
From: Wolfgang Walter [EMAIL PROTECTED]
To: Thilo Bangert [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, June 26, 2000 4:42 PM
Subject: Re: selective relaying: two smtpd´s?


 On Fri, Jun 23, 2000 at 04:47:44PM +0200, Thilo Bangert wrote:
  Hi all,
 

snip

 
  i absolutely need to allow my pop3 users relaying, for which i want to
use
  relay-ctrl (is there a better solution out there). but that would mean
the
  smtp-port would be blocked for any connections, except those made
available
  by relay-ctrl, so no mailserver could deliver email for my users.
  I figured, a way to get around this would be to have to qmail-smtpd´s
  running: one allowing selective relay by using rcpthosts (incoming
smtp),
  and another being made available by relay-ctrl (outgoing smtp).
 

snip

 How do you start qmail-smtpd? If you use inetd this is a little bit
difficult.

 One way to do that is: assign 2 ip-adresses to you mailserver. Use one
 address to receive mail from outside with qmail, the other one for
relaying.

 You can even use qmail for both tasks.

 We for example use xinetd to start qmail-smtp:

 10.20.30.10 is for relaying your clients
 10.20.31.11 is for receiving

 Be 10.20.30.0/19 your network (where your clients are):

 -
 service smtp
 {
 id  = mailout-smtpd
 socket_type = stream
 protocol= tcp
 interface   = 10.20.30.10
 wait= no
 user= qmaild
 server  = /var/qmail/bin/tcp-env
 server_args = /var/qmail/bin/qmail-smtpd
 only_from   = 10.20.30.0/19
 env = RELAYCLIENT=
 }

 service smtp
 {
 id  = mailin-smtpd
 socket_type = stream
 protocol= tcp
 interface   = 10.20.30.11
 wait= no
 user= qmaild
 server  = /var/qmail/bin/tcp-env
 server_args = /var/qmail/bin/qmail-smtpd
 no_access   = 10.20.30.0/19
 }
 --

 Use rcpthosts to restrict qmail-smtpd to only receive for your domains
 Setting the environment variable RELAYCLIENT when your clients access
 qmail via 10.20.30.10 switch rcpthosts for them off. With only_from you
 control that only hosts in your network can access qmail with RELAYCLIENT
 set.

 Of course, you can start relay-ctrl instead of qmail-send.

 And xinetd is not the only superdaemon you could use (I think there is one
 from Bernstein, too) but it is part of a lot of distributions.


 Greetings

 Wolfgang


You are right - but in your case you need to know the ip´s from your
clients. My clients could come from all over the world and I have no other
way than checking their poppassword to know that they are legitimate.

the superdaemon you are referring to is tcpserver and is part of the
daemontools-0.53 and it can in fact do the same as your setting does -
unfortunately this is not what I want. Thank you anyways. I think you got me
on the right path - thanks

thilo




Re: selective relaying: two smtpd´s?

2000-06-26 Thread Wolfgang Walter

On Mon, Jun 26, 2000 at 05:18:05PM +0200, Thilo Bangert wrote:
 
 - Original Message -
 From: Wolfgang Walter [EMAIL PROTECTED]
 To: Thilo Bangert [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Monday, June 26, 2000 4:42 PM
 Subject: Re: selective relaying: two smtpd´s?
 
 
  On Fri, Jun 23, 2000 at 04:47:44PM +0200, Thilo Bangert wrote:
   Hi all,
  
 
 snip
 
  
   i absolutely need to allow my pop3 users relaying, for which i want to
 use
   relay-ctrl (is there a better solution out there). but that would mean
 the
   smtp-port would be blocked for any connections, except those made
 available
   by relay-ctrl, so no mailserver could deliver email for my users.
   I figured, a way to get around this would be to have to qmail-smtpd´s
   running: one allowing selective relay by using rcpthosts (incoming
 smtp),
   and another being made available by relay-ctrl (outgoing smtp).
  
 
 snip
 
  How do you start qmail-smtpd? If you use inetd this is a little bit
 difficult.
 
  One way to do that is: assign 2 ip-adresses to you mailserver. Use one
  address to receive mail from outside with qmail, the other one for
 relaying.
 
  You can even use qmail for both tasks.
 
  We for example use xinetd to start qmail-smtp:
 
  10.20.30.10 is for relaying your clients
  10.20.31.11 is for receiving
 
  Be 10.20.30.0/19 your network (where your clients are):
 
  -
  service smtp
  {
  id  = mailout-smtpd
  socket_type = stream
  protocol= tcp
  interface   = 10.20.30.10
  wait= no
  user= qmaild
  server  = /var/qmail/bin/tcp-env
  server_args = /var/qmail/bin/qmail-smtpd
  only_from   = 10.20.30.0/19
  env = RELAYCLIENT=
  }
 
  service smtp
  {
  id  = mailin-smtpd
  socket_type = stream
  protocol= tcp
  interface   = 10.20.30.11
  wait= no
  user= qmaild
  server  = /var/qmail/bin/tcp-env
  server_args = /var/qmail/bin/qmail-smtpd
  no_access   = 10.20.30.0/19
  }
  --
 
  Use rcpthosts to restrict qmail-smtpd to only receive for your domains
  Setting the environment variable RELAYCLIENT when your clients access
  qmail via 10.20.30.10 switch rcpthosts for them off. With only_from you
  control that only hosts in your network can access qmail with RELAYCLIENT
  set.
 
  Of course, you can start relay-ctrl instead of qmail-send.
 
  And xinetd is not the only superdaemon you could use (I think there is one
  from Bernstein, too) but it is part of a lot of distributions.
 
 
  Greetings
 
  Wolfgang
 
 
 You are right - but in your case you need to know the ip´s from your
 clients. My clients could come from all over the world and I have no other
 way than checking their poppassword to know that they are legitimite.

In this case do not start qmail-smtpd directly. Instead call a program which
checks if the relaying host could authenticate and then starts qmail-smtpd (or
does the work itself). Remove the access_only lines and the no_access lines.


 
 the superdaemon you are referring to is tcpserver and is part of the
 deamontools-0.53 and it can in fact do the same as you setting does -
 unfortuneatly this is not what I want. Thank you anyways. I think you got me
 on the right path - thanks
 
 thilo
 

Wolfgang




Re: selective relaying: two smtpd´s?

2000-06-26 Thread Gerrit Pape

On Mon, Jun 26, 2000 at 05:18:05PM +0200, Thilo Bangert wrote:
  And xinetd is not the only superdaemon you could use (I think there is one
  from Bernstein, too) but it is part of a lot of distributions.
 
 
  Greetings
 
  Wolfgang
 
 
 You are right - but in your case you need to know the ip´s from your
 clients. My clients could come from all over the world and I have no other
 way than checking their poppassword to know that they are legitimite.
 
So what You are looking for is 'pop before smtp'? There is a solution from
Russel Nelson on www.qmail.org : 'relaying to any host which authenticates
itself through a POP3 connection'.

Gerrit.
-- 
[EMAIL PROTECTED]
  innominate AG
  networking people
fon: +49.30.308806-0  fax: -77  web: http://innominate.de  pgp: /pgp/gp



Help (off topic?) with selective relaying from behind a WebRamp box

2000-06-15 Thread Rob Havens

Selective relaying on my Qmail server works from many different environments
except this one. Recently acquired a small company who uses webramp M3 
router/hub with two modems to connect to Mindspring. They can read POP3 from my 
machine but can't send mail through it. I really would like them to use our 
SMTP server.

Selective relaying works for other sites using regular PPP connections and 
using a router behind a cable modem (using NAT for internal addresses on the 
client PC's).

Anyone familiar with this problem using Webramp hardware? 

TIA, Rob Havens



I am trying to set up selective relaying...

2000-02-29 Thread Stephen Bosch


Hello, everyone:

I'm trying to set up selective relaying. When I first installed qmail I had
the local hosts and their virtual domains in the 'rcpthosts' file. With the
system set up like this I couldn't mail out (if the e-mail I was sending
wasn't to a name in the rcpthosts file, it didn't arrive).

I have tcpserver configured using the following rules file:

24.:allow,RELAYCLIENT=""
209.:allow,RELAYCLIENT=""
192.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:deny

(this is copied directly)

tcpserver starts with an entry in rc.local:

/usr/local/bin/tcpserver -u 503 -g 502 -c 50 0 smtp
/var/qmail/bin/qmail-smtpd \
2>&1 | /var/qmail/bin/splogger smptd 3 &

it appears in ps output (also copied directly):

USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START   TIME COMMAND
root 1  0.1  0.2  1148   68 ?S14:32   0:04 init [5]
root 2  0.0  0.0 00 ?SW   14:32   0:00 [kflushd]
root 3  0.0  0.0 00 ?SW   14:32   0:00 [kupdate]
root 4  0.0  0.0 00 ?SW   14:32   0:00 [kpiod]
root 5  0.0  0.0 00 ?SW   14:32   0:00 [kswapd]
root   118  0.0  0.0  11440 ?SW   14:33   0:00 [apmd]
bin262  0.0  0.9  1144  280 ?S14:33   0:00 portmap
root   314  0.0  0.7  1348  216 ?S14:33   0:00 syslogd
root   324  0.0  0.0  14040 ?SW   14:33   0:00 [klogd]
daemon 339  0.0  0.9  1172  304 ?S14:33   0:00 /usr/sbin/atd
root   354  0.0  0.6  1368  208 ?S14:33   0:00 crond
root   373  0.0  0.5  1308  160 ?S14:33   0:00 inetd
root   388  0.0  0.0  13600 ?SW   14:33   0:00 [lpd]
qmails 418  0.0  0.7  1168  240 ?S14:33   0:00 qmail-send
qmaill 421  0.0  0.6  1140  204 ?S14:33   0:00 splogger
qmail
root   422  0.0  1.1  1132  352 ?S14:33   0:00 qmail-lspawn
|pre
qmailr 423  0.0  1.1  1132  364 ?S14:33   0:00 qmail-rspawn
qmailq 424  0.0  0.4  1124  124 ?S14:33   0:00 qmail-clean
root   437  0.0  1.0  1180  332 ttyS0S14:33   0:00 gpm -t
MouseMan
xfs458  0.0  3.3  2560 1016 ?S14:33   0:00 xfs -port -1
root   473  0.0  0.0  21600 ?SW   14:33   0:00 [smbd]
root   483  0.0  1.8  1740  584 ?S14:33   0:00 nmbd -D
qmaild 513  0.0  0.5  1380  160 ?S14:33   0:00
/usr/local/bin/tc


root   514  0.0  1.0  1128  324 ?S14:33   0:00
/var/qmail/bin/sp
root   517  0.0  0.0  11240 tty1 SW   14:33   0:00 [mingetty]
root   518  0.0  0.0  11240 tty2 SW   14:33   0:00 [mingetty]
root   519  0.0  0.0  11240 tty3 SW   14:33   0:00 [mingetty]
root   520  0.0  0.0  11240 tty4 SW   14:33   0:00 [mingetty]
root   521  0.0  0.0  11240 tty5 SW   14:33   0:00 [mingetty]
root   522  0.0  0.0  11240 tty6 SW   14:33   0:00 [mingetty]
root   523  0.0  0.0  60080 ?SW   14:33   0:00 [prefdm]
root   527  0.0 13.4  8880 4148 ?S14:33   0:01
/etc/X11/X -auth
root   528  0.0  8.4  6172 2588 ?S14:33   0:00 -:0
sfbosch559  0.0  4.1  2284 1272 ?S14:35   0:00 imapd
sfbosch560  0.1  4.0  2276 1236 ?S14:35   0:03 imapd
root   573  0.0  2.9  1792  916 ?S14:39   0:01 telnetd:
dsl-ch-l
root   574  0.0  3.9  2316 1216 pts/0S14:39   0:00 login --
sfbosch
sfbosch575  0.0  3.8  2060 1196 pts/0S14:39   0:00 -bash
root   599  0.0  3.0  2016  944 pts/0S14:42   0:00 su
root   600  0.0  4.0  2116 1248 pts/0S14:42   0:00 bash
root   612  0.0  2.9  1792  916 ?S14:47   0:00 telnetd:
dsl-ch-l
root   613  0.0  3.9  2316 1216 pts/1S14:47   0:00 login --
sfbosch
sfbosch614  0.0  3.8  2064 1192 pts/1S14:47   0:00 -bash
sfbosch777  0.0  2.7  2512  860 pts/1R15:31   0:00 ps aux

When I use tcprulescheck, the output is consistent with the rules I have
set.

My rcpthosts file is below (copied directly):

vodacomm.ca
vodacomm.com
nucleus.com
localhost.nucleus.com
dsl-ch-l15-c80-n249-i138-cgy.nucleus.com

Now:

With the above rcpthosts file in place and the rules I have already listed,
I am unable to send mail from allowed hosts to any host that is not in the
rcpthosts file. The way I am currently working around this is to not have a
rcpthosts file, but I am uncomfortable doing this.

It seems to me I've made a mistake in the way I've configured tcpserver, but
I can't be sure and I don't know exactly where I should be looking. Any
ideas?

-Stephen Bosch-



Selective relaying fixed

2000-02-29 Thread Stephen Bosch


Thanks for your help =) - didn't add -x parameter to tcpserver invocation...

Stephen Bosch



RE: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-03 Thread Dave Sill

Stephen Mills [EMAIL PROTECTED] wrote:

> Well ive installed about 8 servers with selective relaying with
> tcpserver and they all work fine, but this one isnt, Ive went through
> everything I know and still can't resolve it...

Post details and maybe we'll spot something you missed.

> I might just upgrade and trust (argh) redhats upgrade tool

I'd be *very* surprised if an OS upgrade fixed your relaying problem.

-Dave



RE: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-03 Thread Stephen Mills

> Stephen Mills [EMAIL PROTECTED] wrote:
>> Well ive installed about 8 servers with selective relaying with
>> tcpserver and they all work fine, but this one isnt, Ive went through
>> everything I know and still can't resolve it...
>
> Post details and maybe we'll spot something you missed.
>
>> I might just upgrade and trust (argh) redhats upgrade tool
>
> I'd be *very* surprised if an OS upgrade fixed your relaying problem.

Sure thing Dave. Here is my details :

[root@proxy /]# cat /etc/tcp.smtp
203.17.254.:allow, RELAYCLIENT=""
192.168.1.:allow, RELAYCLIENT=""
127.:allow, RELAYCLIENT=""
:allow

[root@proxy /]# cat /etc/passwd | grep qmaild
qmaild:!!:558:557::/var/qmail:/bin/bash

[root@proxy /]# cat /etc/rc.d/rc.local | grep tcpserver
tcpserver -x/etc/tcp.smtp.cdb -u558 -g557 0 smtp /var/qmail/bin/qmail-smtpd


[root@proxy control]# ps ax | grep tcpserver
  546  ?  S0:13 tcpserver -x/etc/tcp.smtp.cdb -u558 -g557 0 smtp
/var/qmail/

[root@proxy /]# cat /var/qmail/control/rcpthosts1 | grep lan1.com.au
lan1.com.au
exchange.lan1.com.au
proxy.lan1.com.au

Ive telneted to my mail server from a 203.17.254.* address :

220 How may I help you ? ESMTP
MAIL
250 ok
rcpt from: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)  

As you can see, its totally just not letting specified hosts to relay...

Ive totally out-resourced myself on this one :-)
We hacked qmail-smtpd to enable only a given number of rcpt's to relay, but
I recompiled qmail-smtpd from source and it didnt make a difference.

--Stephen



RE: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-03 Thread Stephen Mills

sorry I forgot to change :

[root@proxy /]# cat /var/qmail/control/rcpthosts1 | grep lan1.com.au

to 

[root@proxy /]# cat /var/qmail/control/rcpthosts | grep lan1.com.au

I renamed it to rcpthosts1 just so the file isnt read when I restart
qmail. So ignore the 1 at the end; qmail reads in rcpthosts
properly.


-Original Message-
From: Stephen Mills [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 04, 2000 12:16 PM
To: 'Dave Sill'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Broken tcp_wrappers (resulting in selective relaying not
working)


Stephen Mills [EMAIL PROTECTED] wrote:
Well ive installed about 8 servers with selective relaying with
tcpserver and they all work fine, but this one isnt, Ive went through
everything I know and still can't resolve it...

Post details and maybe we'll spot something you missed.

I might just upgrade and trust (argh) redhats upgrade tool

I'd be *very* surprised if an OS upgrade fixed your relaying problem.

Sure thing Dave. Here is my details :

[root@proxy /]# cat /etc/tcp.smtp
203.17.254.:allow, RELAYCLIENT=""
192.168.1.:allow, RELAYCLIENT=""
127.:allow, RELAYCLIENT=""
:allow

[root@proxy /]# cat /etc/passwd | grep qmaild
qmaild:!!:558:557::/var/qmail:/bin/bash

[root@proxy /]# cat /etc/rc.d/rc.local | grep tcpserver
tcpserver -x/etc/tcp.smtp.cdb -u558 -g557 0 smtp /var/qmail/bin/qmail-smtpd


[root@proxy control]# ps ax | grep tcpserver
  546  ?  S0:13 tcpserver -x/etc/tcp.smtp.cdb -u558 -g557 0 smtp
/var/qmail/

[root@proxy /]# cat /var/qmail/control/rcpthosts1 | grep lan1.com.au
lan1.com.au
exchange.lan1.com.au
proxy.lan1.com.au

Ive telneted to my mail server from a 203.17.254.* address :

220 How may I help you ? ESMTP
MAIL
250 ok
rcpt from: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)  

As you can see, its totally just not letting specified hosts to relay...

Ive totally out-resourced myself on this one :-)
We hacked qmail-smtpd to enable only a given number of rcpt's to relay, but
I recompiled qmail-smtpd from source and it didnt make a difference.

--Stephen



Re: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-03 Thread Chris Johnson

On Fri, Feb 04, 2000 at 12:16:28PM +1100, Stephen Mills wrote:
> [root@proxy /]# cat /etc/tcp.smtp
> 203.17.254.:allow, RELAYCLIENT=""
                    ^
Remove the space before RELAYCLIENT.

Chris
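
The two fixes reported in these threads (the missing -x on the tcpserver command line in the 2000-02-29 thread, and the space before RELAYCLIENT here) can both be checked mechanically. The following is an added example, not code from any poster or from ucspi-tcp: parse_rules, lookup, relays_for and rules_cdb are hypothetical helpers, the sample rules are copied from the thread as constructed input, and it assumes tcprules keeps the variable name verbatim between the comma and the `=`. It handles only full IPv4 addresses, dotted prefixes and the empty default address.

```python
import getopt
import os
import shlex

# Constructed sample: the rules file quoted in the thread, stray spaces included.
SAMPLE_RULES = '''203.17.254.:allow, RELAYCLIENT=""
192.168.1.:allow, RELAYCLIENT=""
127.:allow, RELAYCLIENT=""
:allow
'''

# tcpserver option letters (ucspi-tcp); an assumption, check your build's man page.
TCPSERVER_OPTS = "dDvqQhHrR1UXx:t:u:g:l:b:B:c:pPoO"


def parse_rules(text):
    """Parse tcprules source. Returns ({address: (action, env)}, [(lineno, problem)])."""
    rules, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        address, sep, rest = line.partition(":")
        if not sep:
            problems.append((lineno, "missing ':' after the address"))
            continue
        for action in ("allow", "deny"):
            if rest.startswith(action):
                rest = rest[len(action):]
                break
        else:
            problems.append((lineno, "instructions must start with allow or deny"))
            continue
        env = {}
        while rest:
            if rest[0] != ",":
                problems.append((lineno, "unexpected text %r" % rest))
                break
            # Assumption: the name is everything between ',' and '=', kept verbatim.
            name, eq, tail = rest[1:].partition("=")
            if not eq or not tail:
                problems.append((lineno, "variable %r has no delimited value" % name))
                break
            # The character after '=' is the delimiter that also closes the value.
            value, close, rest = tail[1:].partition(tail[0])
            if not close:
                problems.append((lineno, "unterminated value for %r" % name))
                break
            if name != name.strip():
                problems.append((lineno, "whitespace in variable name %r" % name))
            env[name] = value
        rules[address] = (action, env)
    return rules, problems


def lookup(rules, ip):
    """Most specific match first: full IP, dotted prefixes, then the empty address."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for address in candidates:
        if address in rules:
            action, env = rules[address]
            return address, action, env
    return None, "allow", {}  # no rule at all: the connection is allowed


def relays_for(rules, ip):
    """True only if the client is allowed AND the exact name RELAYCLIENT is set."""
    _, action, env = lookup(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env


def rules_cdb(cmdline):
    """Return the -x rules file of a tcpserver command line, or None if absent."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if os.path.basename(arg) == "tcpserver":
            opts, _ = getopt.getopt(argv[i + 1:], TCPSERVER_OPTS)
            return dict(opts).get("-x")
    raise ValueError("no tcpserver invocation found")


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for lineno, problem in problems:
        print("line %d: %s" % (lineno, problem))
    print("203.17.254.9 may relay:", relays_for(rules, "203.17.254.9"))
    print("rules file in use:", rules_cdb(
        "tcpserver -x/etc/tcp.smtp.cdb -u558 -g557 0 smtp /var/qmail/bin/qmail-smtpd"))
```

With the stray space the connection is still allowed, but the variable that reaches qmail-smtpd is named " RELAYCLIENT", so rcpthosts stays in force; that matches the 553 response in the session above.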



Re: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-02 Thread Chris Johnson

On Thu, Feb 03, 2000 at 11:24:41AM +1100, Stephen Mills wrote:
 Im running Redhat 5.1 on our main server here, and I read an article on the
 front page of qmail.org about hosts_options not compiled into tcp_wrappers
 which results in tcpserver not working properly and looking up the remote
 hosts IP address...It seems Redhat 5.1 and under has a broken tcp_wrappers
  
 Ive been using qmail for over 2 years now, and Ive gotten selective relaying
 to work on Redhat 5.2/6.0/6.1 and Slackware boxes...
  
 I have tried to recompile tcp_wrappers 7.6 with hosts_options installed but
 selective relaying still does not work, im copying the new "tcpd" file to
 inetd but it still doesnt work, ive also tried copying tcpd file from a
 Redhat 5.2 box that is working with selective relaying fine and no luck.
  
 My last resort is "upgrading" to Redhat 6.1 on the main server, but before
 doing so, maybe there is something Im not sure about.
  
 So, can anyone identify what Im doing wrong with tcp_wrappers ? This has
 been an ongoing problem and Im yet to resolve it.

The standard answer to any question in which "inetd" appears is "use tcpserver
instead." So here's my suggestion: use tcpserver instead. You get it as part of
Dan's ucspi-tcp-0.84 package, available at http://cr.yp.to. To configure it for
selective relaying, see http://www.palomine.net/selectiverelay.html. It's easy
to set up--certainly a lot easier than upgrading your whole OS.

See the archives for all the reasons why tcpserver is better.

Chris



RE: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-02 Thread Stephen Mills

I am using tcpserver, what I dont understand is that tcp_wrappers  _makes_
(contains) tcpd.

[root@proxy tcp_wrappers_7.6]# ls tcpd* -al
-rwxrwxr-x   1 root root18933 Jan 17 14:57 tcpd

This is why Im puzzled as to why the suggestion on the qmail.org page
suggests to recompile tcp_wrappers

--Stephen

-Original Message-
From: Chris Johnson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 03, 2000 11:32 AM
To: Stephen Mills
Cc: '[EMAIL PROTECTED]'
Subject: Re: Broken tcp_wrappers (resulting in selective relaying not
working)


On Thu, Feb 03, 2000 at 11:24:41AM +1100, Stephen Mills wrote:
 Im running Redhat 5.1 on our main server here, and I read an article on
the
 front page of qmail.org about hosts_options not compiled into tcp_wrappers
 which results in tcpserver not working properly and looking up the remote
 hosts IP address...It seems Redhat 5.1 and under has a broken tcp_wrappers
  
 Ive been using qmail for over 2 years now, and Ive gotten selective
relaying
 to work on Redhat 5.2/6.0/6.1 and Slackware boxes...
  
 I have tried to recompile tcp_wrappers 7.6 with hosts_options installed
but
 selective relaying still does not work, im copying the new "tcpd" file to
 inetd but it still doesnt work, ive also tried copying tcpd file from a
 Redhat 5.2 box that is working with selective relaying fine and no
luck.
  
 My last resort is "upgrading" to Redhat 6.1 on the main server, but before
 doing so, maybe there is something Im not sure about.
  
 So, can anyone identify what Im doing wrong with tcp_wrappers ? This has
 been an ongoing problem and Im yet to resolve it.

The standard answer to any question in which "inetd" appears is "use
tcpserver
instead." So here's my suggestion: use tcpserver instead. You get it as part
of
Dan's ucspi-tcp-0.84 package, available at http://cr.yp.to. To configure it
for
selective relaying, see http://www.palomine.net/selectiverelay.html. It's
easy
to set up--certainly a lot easier than upgrading your whole OS.

See the archives for all the reasons why tcpserver is better.

Chris



Re: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-02 Thread Chris Johnson

On Thu, Feb 03, 2000 at 12:44:25PM +1100, Stephen Mills wrote:
 I am using tcpserver, what I dont understand is that tcp_wrappers  _makes_
 (contains) tcpd.
 
 [root@proxy tcp_wrappers_7.6]# ls tcpd* -al
 -rwxrwxr-x   1 root root18933 Jan 17 14:57 tcpd
 
 This is why Im puzzled as to why the suggestion on the qmail.org page
 suggests to recompile tcp_wrappers

Don't worry about tcp_wrappers if you're using tcpserver. tcpd never enters
into the picture with tcpserver.

Chris



RE: Broken tcp_wrappers (resulting in selective relaying not working)

2000-02-02 Thread Stephen Mills

Well ive installed about 8 servers with selective relaying with tcpserver
and they all work fine, but this one isnt, Ive went through everything I
know and still can't resolve it :) the only mention is on that page about a
problem with rh5.1 - its quite strange.

I might just upgrade and trust (argh) redhats upgrade tool

--Stephen

On Thu, Feb 03, 2000 at 12:44:25PM +1100, Stephen Mills wrote:
 I am using tcpserver, what I dont understand is that tcp_wrappers  _makes_
 (contains) tcpd.
 
 [root@proxy tcp_wrappers_7.6]# ls tcpd* -al
 -rwxrwxr-x   1 root root18933 Jan 17 14:57 tcpd
 
 This is why Im puzzled as to why the suggestion on the qmail.org page
 suggests to recompile tcp_wrappers

Don't worry about tcp_wrappers if you're using tcpserver. tcpd never enters
into the picture with tcpserver.

Chris



Selective relaying with selective queue delay?

1999-12-02 Thread Alfonso Armenta

Hi!

Maybe the above doesn't explain much.

Lets say I send a message to [EMAIL PROTECTED] and [EMAIL PROTECTED] And I want
qmail to deliver to user1 immediately but user2 with a queue or delay.

Is this possible?

Thanks in advance.



Re: Selective relaying with selective queue delay?

1999-12-02 Thread petervd

On Thu, Dec 02, 1999 at 10:38:34AM +, Alfonso Armenta wrote:
 Hi!
 
 Maybe the above doesn't explain much.
 
 Lets say I send a message to [EMAIL PROTECTED] and [EMAIL PROTECTED] And I want
 qmail to deliver to user1 immediately but user2 with a queue or delay.
 
 Is this possible?

Sure. Have mail for user2 delivered to a Maildir and use cron or the likes
to do the delivery at a later time.

But what's the use?

Greetz, Peter.
-- 
Peter van Dijk - student/sysadmin/ircoper/womanizer/pretending coder 
|  
| 'C makes it easy to shoot yourself in the foot;
|  C++ makes it harder, but when you do it blows your whole leg off.'
| Bjarne Stroustrup, Inventor of C++



Selective relaying using LDAP.

1999-12-01 Thread Stefan Krantz

Hi!

Is it possible to have selective relaying, say SMTP-AUTH by
authenticating users
by a LDAP server?

-- 
Stefan Krantz / [EMAIL PROTECTED]

4096/1024 Diffie-Hellman/DSS KeyID: 0x889714FD
Fingerprint: 2DDB CB46 CC22 C6EA BEC5  4ABD CC07 9A37 8897 14FD



RE: Can anyone help with selective relaying/rcpthosts problem?

1999-11-22 Thread Rob Havens

I am a dolt.  On the drive home Friday night, I realized that rblsmtpd was 
running looking for its own tcprules.cdb file.  You nailed it Steve. Thanks to 
you and Holger Häffelin for responding.

-Rob Havens

On 22 Nov 99, at 8:25, Steve Kapinos wrote:

 If your tcprulescheck does show he gets the relayclient variable, then one
 might assume you are not launching smtpd and tcpserver correctly.
 
 Paste the init script you are using to wrap smtpd with tcpserver.
 
 -Steve
 
 -Original Message-
 From: Rob Havens [mailto:[EMAIL PROTECTED]]
 Sent: Friday, November 19, 1999 5:29 PM
 To: [EMAIL PROTECTED]
 Subject: Can anyone help with selective relaying/rcpthosts problem?
 
 
 1. Have testuser who has dialup account at provider.net, gets dynamic IP
 address when dials in.
 2. Our company has domain newman.com. Want testuser to be able to
 send/receive mail using our Linux 2.2.5-15 server (RedHat6.0) and
 qmail1.03 running under tcpserver (uspci.tcp).
 3. Set up user account "outofstate" on newman mail server. Installed
 Russell Nelson's checkpassword patch and Mirko Zeibig's script.
 4. outofstate dials up to provider.net, uses pop3 to retrieve his
 mail...works.
 5. tcprulescheck qmail-smtpd.cdb (hisIPaddress) reports:
 rule (hisIPaddress):
 set environment variable RELAYCLIENT=
 allow connection
 6. outofstate sends message to [EMAIL PROTECTED]
 7. outofstate sends message to [EMAIL PROTECTED]
 Outlook express reports:
 The message could not be sent because one of the recipients was rejected
 by
 the server.  The rejected email address was [EMAIL PROTECTED]
 Subject 'test 34th time', Account 'Testmail', Server:
 'mailserver.newman.com', Protocol: SMTP, Server Response: '553 sorry,
 that domain isn't in my list of allowed
 rcpthosts (#5.7.1)',Port 25, Secure (SSL);No, Server Error:553,Error
 Number
 0x800CCC79
 8. Any and all other users with newman.com subnet IP addresses can send
 mail to [EMAIL PROTECTED] ok.  Other entries in qmail-smtpd.cdb
 are:
 127.0.0.1:allow,RELAYCLIENT=""
 9.9.9.:allow,RELAYCLIENT="" (for our subnet IP address range)
 
 Help please.  Any suggestions?
 
 




Re: Can anyone help with selective relaying/rcpthosts problem?

1999-11-20 Thread Holger Häffelin



Rob Havens schrieb:

 1. Have testuser who has dialup account at provider.net, gets dynamic IP
 address when dials in.
 2. Our company has domain newman.com. Want testuser to be able to
 send/receive mail using our Linux 2.2.5-15 server (RedHat6.0) and
 qmail1.03 running under tcpserver (uspci.tcp).
 3. Set up user account "outofstate" on newman mail server. Installed
 Russell Nelson's checkpassword patch and Mirko Zeibig's script.
 4. outofstate dials up to provider.net, uses pop3 to retrieve his
 mail...works.
 5. tcprulescheck qmail-smtpd.cdb (hisIPaddress) reports:
 rule (hisIPaddress):
 set environment variable RELAYCLIENT=
 allow connection
 6. outofstate sends message to [EMAIL PROTECTED]
 7. outofstate sends message to [EMAIL PROTECTED]
 Outlook express reports:
 The message could not be sent because one of the recipients was rejected
 by
 the server.  The rejected email address was [EMAIL PROTECTED]
 Subject 'test 34th time', Account 'Testmail', Server:
 'mailserver.newman.com', Protocol: SMTP, Server Response: '553 sorry,
 that domain isn't in my list of allowed
 rcpthosts (#5.7.1)',Port 25, Secure (SSL);No, Server Error:553,Error
 Number
 0x800CCC79
 8. Any and all other users with newman.com subnet IP addresses can send
 mail to [EMAIL PROTECTED] ok.  Other entries in qmail-smtpd.cdb
 are:
 127.0.0.1:allow,RELAYCLIENT=""
 9.9.9.:allow,RELAYCLIENT="" (for our subnet IP address range)

 Help please.  Any suggestions?

I assume you have allow as last entry in your qmail-smtpd.cdb. Otherwise
your testuser should not be able to connect to your server using SMTP and
send mail to your local users. So the thing you do is setting RELAYCLIENT=""
for special IPs to allow relaying on your host, meaning Qmail will ignore
rcpthosts file.

Solution:
You'll have to enter the IP-range of your provider so that the RELAYCLIENT
variable is also set for your dialup-testuser. Otherwise qmail will check
the rcpthosts file. Another way is to kill your rcpthosts file which will
cause your server to be an open relay :-.

CU
Holger




Selective relaying on e-mail address?

1999-10-14 Thread Michael J. Maravillo

I've already setup qmail to do selective relaying based on network/IP
address using RELAYCLIENT.  Is there a way such that I can have
additional selective relaying based on the e-mail address?  I'd like to
restrict some local users from sending and receiving e-mail messages to
and from the Internet.

TIA,
Mike



Re: Selective relaying and ORBS

1999-10-11 Thread John Newbigin

Sorry to cause a worry.

The problem turned out to be the % hack, but not on the qmail box.  It
acts as a relay for another box running sendmail.  It was the sendmail
doing the %hack and then forwarding the message back to the qmail box for
delivery.

Thanks for the help all the same.

John.

John Newbigin wrote:

 I just received a message from the ORBS database.  It seems that qmail
 has a bug.feature which allows relaying of messages in the form
 jn%it.swin.edu.au@[1.2.3.4]
 Where 1.2.3.4 is the IP address of my mail server, not for
 it.swin.edu.au. (I don't want everyone on the list to try it :).

 The machine should accept mail for 1.2.3.4, but the message is actually
 sent to [EMAIL PROTECTED]
 The mail relay should only accept mail for [EMAIL PROTECTED]

 I have tcpd set up to allow relaying only from machines inside 1.2.3.0

 Is there a way to disable this feature/bug.

 If you want to test your system, use the telnet service from here
 http://maps.vix.com/tsi/ar-test.html

 I am sure that there are many people with a similar setup which could
 pose a large spam risk.

 I would appreciate a speedy reply.

 John.

 --
 Information Technology Innovation Group
 Swinburne University. Melbourne, Australia
 http://uranus.it.swin.edu.au/~jn

--
Information Technology Innovation Group
Swinburne University. Melbourne, Australia
http://uranus.it.swin.edu.au/~jn
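
The two-hop path described in this message, as an added model that is not part of the original post and is not qmail or sendmail code. The `LOCAL` set and all function names are assumptions made for the illustration; the address form and the 1.2.3.4 placeholder are the ones used in the thread.

```python
# Front host: accepts a recipient when the domain after the LAST @ is local.
# Downstream host: applies the % hack, turning user%b@a into user@b.

LOCAL = {"[1.2.3.4]", "example.org"}   # constructed: what the front host accepts

def split_addr(addr):
    """Return (local part, lowercased domain) split at the last @."""
    local, at, domain = addr.rpartition("@")
    return (local, domain.lower()) if at else (addr, "")

def percent_hack(addr):
    """Rewrite done by a %-hack host: drop its own domain, rightmost % becomes @."""
    local, _ = split_addr(addr)
    if "%" not in local:
        return addr
    user, _, next_hop = local.rpartition("%")
    return user + "@" + next_hop

def audit(addr, local_domains=LOCAL):
    """Classify a RCPT address the way the front host would see it."""
    _, domain = split_addr(addr)
    if domain and domain not in local_domains:
        return "rejected: not a local domain"
    rewritten = percent_hack(addr)
    if rewritten != addr:
        _, final = split_addr(rewritten)
        if final not in local_domains:
            # Passes the front host's check, leaves the site at the next hop.
            return "accepted, but downstream % hack relays to " + final
    return "accepted: local"
```

Rejecting or logging any recipient for which `audit` reports a downstream relay closes the gap at the front host without touching the %-hack machine.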




Selective relaying and ORBS

1999-10-10 Thread John Newbigin

I just received a message from the ORBS database.  It seems that qmail
has a bug.feature which allows relaying of messages in the form
jn%it.swin.edu.au@[1.2.3.4]
Where 1.2.3.4 is the IP address of my mail server, not for
it.swin.edu.au. (I don't want everyone on the list to try it :).

The machine should accept mail for 1.2.3.4, but the message is actually
sent to [EMAIL PROTECTED]
The mail relay should only accept mail for [EMAIL PROTECTED]

I have tcpd set up to allow relaying only from machines inside 1.2.3.0

Is there a way to disable this feature/bug.

If you want to test your system, use the telnet service from here
http://maps.vix.com/tsi/ar-test.html

I am sure that there are many people with a similar setup which could
pose a large spam risk.

I would appreciate a speedy reply.

John.

--
Information Technology Innovation Group
Swinburne University. Melbourne, Australia
http://uranus.it.swin.edu.au/~jn




Re: Selective relaying and ORBS

1999-10-10 Thread Ken Jones

I just ran the telnet test on my test qmail setup.

 MAIL FROM:[EMAIL PROTECTED]
 250 ok
 RCPT TO:[EMAIL PROTECTED]
 250 ok
Relay test result
Uh oh, host appeared to accept a message for relay.
The host may reject this message internally, however
Connection closed by foreign host.

Qmail does reject it internally.

Ken Jones
Inter7

John Newbigin wrote:
 
 I just received a message from the ORBS database.  It seems that qmail
 has a bug.feature which allows relaying of messages in the form
 jn%it.swin.edu.au@[1.2.3.4]
 Where 1.2.3.4 is the IP address of my mail server, not for
 it.swin.edu.au. (I don't want everyone on the list to try it :).
 
 The machine should accept mail for 1.2.3.4, but the message is actually
 sent to [EMAIL PROTECTED]
 The mail relay should only accept mail for [EMAIL PROTECTED]
 
 I have tcpd set up to allow relaying only from machines inside 1.2.3.0
 
 Is there a way to disable this feature/bug.
 
 If you want to test your system, use the telnet service from here
 http://maps.vix.com/tsi/ar-test.html
 
 I am sure that there are many people with a similar setup which could
 pose a large spam risk.
 
 I would appreciate a speedy reply.
 
 John.
 
 --
 Information Technology Innovation Group
 Swinburne University. Melbourne, Australia
 http://uranus.it.swin.edu.au/~jn



Re: Selective relaying and ORBS

1999-10-10 Thread John Newbigin

I did some tests and the host 1.2.3.4 did indeed relay the message.

I can't seem to connect to orbital.inter7.com to test it.

Ken Jones wrote:

 I just ran the telnet test on my test qmail setup.

  MAIL FROM:[EMAIL PROTECTED]
  250 ok
  RCPT TO:[EMAIL PROTECTED]
  250 ok
 Relay test result
 Uh oh, host appeared to accept a message for relay.
 The host may reject this message internally, however
 Connection closed by foreign host.

 Qmail does reject it internally.

 Ken Jones
 Inter7

 John Newbigin wrote:
 
  I just received a message from the ORBS database.  It seems that qmail
  has a bug.feature which allows relaying of messages in the form
  jn%it.swin.edu.au@[1.2.3.4]
  Where 1.2.3.4 is the IP address of my mail server, not for
  it.swin.edu.au. (I don't want everyone on the list to try it :).
 
  The machine should accept mail for 1.2.3.4, but the message is actually
  sent to [EMAIL PROTECTED]
  The mail relay should only accept mail for [EMAIL PROTECTED]
 
  I have tcpd set up to allow relaying only from machines inside 1.2.3.0
 
  Is there a way to disable this feature/bug.
 
  If you want to test your system, use the telnet service from here
  http://maps.vix.com/tsi/ar-test.html
 
  I am sure that there are many people with a similar setup which could
  pose a large spam risk.
 
  I would appreciate a speedy reply.
 
  John.
 
  --
  Information Technology Innovation Group
  Swinburne University. Melbourne, Australia
  http://uranus.it.swin.edu.au/~jn

--
Information Technology Innovation Group
Swinburne University. Melbourne, Australia
http://uranus.it.swin.edu.au/~jn




Can anyone help with selective relaying/rcpthosts problem?

1999-01-17 Thread Rob Havens

1. Have testuser who has dialup account at provider.net, gets dynamic IP
address when dials in.
2. Our company has domain newman.com. Want testuser to be able to
send/receive mail using our Linux 2.2.5-15 server (RedHat6.0) and
qmail1.03 running under tcpserver (ucspi-tcp).
3. Set up user account "outofstate" on newman mail server. Installed
Russell Nelson's checkpassword patch and Mirko Zeibig's script.
4. outofstate dials up to provider.net, uses pop3 to retrieve his
mail...works.
5. tcprulescheck qmail-smtpd.cdb (hisIPaddress) reports:
rule (hisIPaddress):
set environment variable RELAYCLIENT=
allow connection
6. outofstate sends message to [EMAIL PROTECTED]
7. outofstate sends message to [EMAIL PROTECTED]
Outlook express reports:
The message could not be sent because one of the recipients was rejected
by
the server.  The rejected email address was [EMAIL PROTECTED]
Subject 'test 34th time', Account 'Testmail', Server:
'mailserver.newman.com', Protocol: SMTP, Server Response: '553 sorry,
that domain isn't in my list of allowed
rcpthosts (#5.7.1)',Port 25, Secure (SSL);No, Server Error:553,Error
Number
0x800CCC79
8. Any and all other users with newman.com subnet IP addresses can send
mail to [EMAIL PROTECTED] ok.  Other entries in qmail-smtpd.cdb
are:
127.0.0.1:allow,RELAYCLIENT=""
9.9.9.:allow,RELAYCLIENT="" (for our subnet IP address range)

Help please.  Any suggestions?



More selective relaying

1999-01-14 Thread Zbigniew Baniewski

My current tcpserver setting seems to be too weak...

197.117.124.:allow,RELAYCLIENT=""
195.116.249.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow

...because the last rule allows to misuse my SMTP server by anybody
(right?). But when I change the final ':allow' to ':deny', the only hosts,
which can send mail to my domain are the above listed.

  It isn't completely clear to me, how to change the rule, to allow any
host to send mail to my domain (195.117.124.*), but not to use my server
for relaying to other, foreign domains? The docs aren't especially clear -
haven't found any example

pozdrawiam / regards

Zbigniew Baniewski



Re: More selective relaying

1999-01-14 Thread Russ Allbery

Zbigniew Baniewski [EMAIL PROTECTED] writes:

 My current tcpserver setting seems to be too weak...
 197.117.124.:allow,RELAYCLIENT=""
 195.116.249.:allow,RELAYCLIENT=""
 127.:allow,RELAYCLIENT=""
 :allow

 ...because the last rule allows to misuse my SMTP server by anybody
 (right?).

Nope.  It allows anyone to send you mail, but since RELAYCLIENT isn't set,
they can't use your server to mail other people.  Looks fine to me.

-- 
Russ Allbery ([EMAIL PROTECTED]) URL:http://www.eyrie.org/~eagle/
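
A simplified model of the decision explained in the reply above and in Holger's answer in the rcpthosts thread, added here as an example (not ucspi-tcp or qmail code, and not from any poster). It handles IPv4 rules only; the rule lines are the ones quoted in this thread, while the `example.org` rcpthosts entry and all function names are constructed for the illustration.

```python
# Simplified model of tcpserver's rule lookup and qmail-smtpd's RCPT check.

RULES = '''197.117.124.:allow,RELAYCLIENT=""
195.116.249.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow'''                        # rules quoted in the thread
RCPTHOSTS = {"example.org"}      # constructed stand-in for control/rcpthosts
REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"

def parse_rules(text):
    """Map address prefix -> (action, env) for each rule line."""
    rules = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        addr, _, instructions = line.partition(":")
        action, *assignments = instructions.split(",")
        env = {}
        for item in assignments:
            var, _, quoted = item.partition("=")
            env[var] = quoted[1:-1]   # value sits between two delimiter chars
        rules[addr] = (action, env)
    return rules

def lookup(rules, ip):
    """Try the exact IP, then shorter dotted prefixes, then the empty rule."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})         # no rule at all: allowed, environment unchanged

def in_rcpthosts(recipient, rcpthosts):
    """True if the domain after the last @ is listed (or a .suffix entry is)."""
    if rcpthosts is None:        # control/rcpthosts missing: nothing is rejected
        return True
    _, at, host = recipient.rpartition("@")
    if not at:
        return True              # no domain part: treated as local
    host = host.lower()
    dots = [i for i, c in enumerate(host) if c == "."]
    return any(s in rcpthosts for s in [host] + [host[i:] for i in dots])

def rcpt_to(rules, rcpthosts, client_ip, recipient):
    """Outcome of RCPT TO for one client: the decision argued about above."""
    action, env = lookup(rules, client_ip)
    if action == "deny":
        return "connection refused"
    if "RELAYCLIENT" in env:     # set, even to "", bypasses rcpthosts
        return "250 ok (relay)"
    if in_rcpthosts(recipient, rcpthosts):
        return "250 ok (local)"
    return REJECT
```

With the final `:allow` an outside client can still deliver to `example.org` but gets the 553 for any other domain; passing `None` for the rcpthosts set reproduces the open relay that results from deleting the file.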



selective relaying

1999-01-09 Thread Karellen

Hello. I just installed qmail after promoting it wherever
I went on IRC, even freshmeat.net. Yes I had a good reason
to do that.

Now I got a real problem. How can I allow selective relaying
*without* blocking ports as suggested in the FAQ and *without*
moving the smtpd to a "secret" port as DJB suggests on the
web page, or doing PGP sig check. I don't like the pop3-auth-
before-smtp implementations either. Yes I have tcp_wrappers.

So what is my problem then? Well I want certain hosts I specify
to override control/rcpthosts and to be able to send/relay mail.
And again, I don't want to block port 25. Sendmail has this
feature. And no I don't want sendmail, smail, exim, postfix
or any other insecure and slow MTA which hangs Mutt in my tty!

Why I don't want to block the smtp port? Because all my mail
comes on that port. I would be losing mail if I blocked it,
wouldn't I?

Why I don't want a general relay? Because not long ago someone
sent a flame message to [EMAIL PROTECTED] through my
smtp server. I think this is a good reason, don't you?
And no it wasn't the backdoored eggdrop on sodre.net that did
it :). Just another evil guy..

For whom I want to relay? For the hosts behind the firewall.
My mail server is also a NAT-firewall (IP-masquerade). And
not only for them. I might want to relay for say freemail.ro
or for 193.230.247.0/255.255.255.0 one day.

For whom I don't want to relay? For the rest of the world,
the evil spammers on internet.

From whom am I receiving mail? From the rest of the world,
the friendly users on the internet (hopefully). Nice people
like you for instance.

What did I do in this direction? Read the FAQ, read the qmail
web page, got some patches, tried them, read some messages on
the mailing list archives.
I also patched with qmail-1.03-relayclient.diff which adds two
files: control/relayclients and control/relaydomains. I edited
these to include the internal addresses which are allowed to relay
like this:

control/relayclients --
127.0.0.1
192.168.221.0/255.255.255.0

control/relaydomains --
.karellen.itslinux.net

Did I screw something up? It doesn't work :(
I also wasted one entire day on this, missed some of my
math preparation I should have done for my upcoming semestrial
tests :((

*please*help*

--
Karellen [EMAIL PROTECTED]
If something just can't go wrong, it will go wrong anyway --Murphy



Re: selective relaying

1999-01-09 Thread Chris Johnson

FAQ: ftp://koobera.math.uic.edu/www/qmail/faq/servers.html#authorized-relay


On Sat, Jan 09, 1999 at 08:16:43PM +0200, Karellen wrote:
 Hello. I just installed qmail after promoting it wherever
 I went on IRC, even freshmeat.net. Yes I had a good reason
 to do that.
 
 Now I got a real problem. How can I allow selective relaying
 *without* blocking ports as suggested in the FAQ and *without*
 moving the smtpd to a "secret" port as DJB suggests on the
 web page, or doing PGP sig check. I don't like the pop3-auth-
 before-smtp implementations either. Yes I have tcp_wrappers.
 
 So what is my problem then? Well I want certain hosts I specify
 to override control/rcpthosts and to be able to send/relay mail.
 And again, I don't want to block port 25. Sendmail has this
 feature. And no I don't want sendmail, smail, exim, postfix
 or any other insecure and slow MTA which hangs Mutt in my tty!
 
 Why I don't want to block the smtp port? Because all my mail
 comes on that port. I would be losing mail if I blocked it,
 wouldn't I?
 
 Why I don't want a general relay? Because not long ago someone
 sent a flame message to [EMAIL PROTECTED] through my
 smtp server. I think this is a good reason, don't you?
 And no it wasn't the backdoored eggdrop on sodre.net that did
 it :). Just another evil guy..
 
 For whom I want to relay? For the hosts behind the firewall.
 My mail server is also a NAT-firewall (IP-masquerade). And
 not only for them. I might want to relay for say freemail.ro
 or for 193.230.247.0/255.255.255.0 one day.
 
 For whom I don't want to relay? For the rest of the world,
 the evil spammers on internet.
 
 From whom am I receiving mail? From the rest of the world,
 the friendly users on the internet (hopefully). Nice people
 like you for instance.
 
 What did I do in this direction? Read the FAQ, read the qmail
 web page, got some patches, tried them, read some messages on
 the mailing list archives.
 I also patched with qmail-1.03-relayclient.diff which adds two
 files: control/relayclients and control/relaydomains. I edited
 these to include the internal addresses which are allowed to relay
 like this:
 
 control/relayclients --
 127.0.0.1
 192.168.221.0/255.255.255.0
 
 control/relaydomains --
 .karellen.itslinux.net
 
 Did I screw something up? It doesn't work :(
 I also wasted one entire day on this, missed some of my
 math preparation I should have done for my upcoming semestrial
 tests :((
 
 *please*help*
 
 --
 Karellen [EMAIL PROTECTED]
 If something just can't go wrong, it will go wrong anyway --Murphy



Re: selective relaying

1999-01-09 Thread Karellen

On Sat, Jan 09, 1999 at 01:35:43PM -0500, Chris Johnson wrote:
 FAQ: ftp://koobera.math.uic.edu/www/qmail/faq/servers.html#authorized-relay
Already did that. As I said before, I *don't* want to block the smtp
port with tcp_wrappers or ucspi-tcp or whatever.



Re: selective relaying

1999-01-09 Thread Lars Balker Rasmussen

On Sat, Jan 09, 1999 at 09:28:47PM +0200, Karellen wrote:
 On Sat, Jan 09, 1999 at 01:35:43PM -0500, Chris Johnson wrote:
  FAQ: ftp://koobera.math.uic.edu/www/qmail/faq/servers.html#authorized-relay
 Already did that. As I said before, I *don't* want to block the smtp
 port with tcp_wrappers or ucspi-tcp or whatever.

You don't *block* the port with the ucspi-tcp example, you merely say
which hosts you want to be able to relay.

Relaying mail != delivering mail.  You'll still get mail delivered to
your server. 
-- 
Lars Balker Rasmussen, Software Engineer, Mjolner Informatics ApS
[EMAIL PROTECTED]



Re: selective relaying

1999-01-09 Thread Karellen

There's an example in the FAQ that states I can use tcp wrappers.
I don't know where I'm mistaken:

/etc/hosts.allow
tcp-env: 193.230.247.73, 192.168.221.0/255.255.255.0: export RELAYCLIENT=""

/etc/hosts.deny
ALL:ALL

man 5 hosts_access
*snip* daemon_list : client_list [ : shell_command ] *snip*

Is it mandatory that I switch to ucspi-tcp? (I know it's better).



Re: selective relaying | fixed

1999-01-09 Thread Karellen

On Sat, Jan 09, 1999 at 10:03:52PM +0200, Karellen wrote:
Ok. Thank you for your support. I managed to fix it and
it seemed to be my tcp_wrappers misdocumentation. In case
anyone is interested here are the examples:

/etc/hosts.allow
tcp-env: 193.230.247.73, 192.168.221.0/255.255.255.0: export RELAYCLIENT=""

/etc/hosts.deny
ALL EXCEPT tcp-env:ALL
# I really think this should be covered in the FAQ for idiots like me.

I also wish to thank Mr. Timothy L. Mayo, his mail just arrived
with a similar solution in hosts.allow:

/etc/hosts.allow
tcp-env: ALL


