[xmail] Re: Lockdown xMail

[CLEMENT Francis]

Effectively, it seems the MailAuth feature does not take into account the
'WhiteList' parameter in the smtp.ipprop.tab file.

But should it be the case as the smtp.ipprop.tab Whitelist is supposed to
be used to change ip checks ?

Davide ? any idea ?
IMOO another smtp.ipprop.tab parameter like MailAuth=0 should be created
(to not change/mix 'ip checks' rules)

For now, Hal, I think you could use your firewall to block any 'external'
attempts to go to you Postini dedicated xmail server ip and ports ;)

Francis



-Message d'origine-
De: [EMAIL PROTECTED]
A: xmail@xmailserver.org
Date: 23/04/08 05:57
Objet: [xmail] Re: Lockdown xMail 

 
Dear Clement Francis / Davide -

 First at all xmail doc for smtp.ipprop.tab syntax says :
  Address selection mask are formed by an IP address
 (network) plus the number of valid bits inside the network mask
 [...snip...]
 96.227.65.4/32  WhiteList=1

Yes, I was wondering if the parser would just assume that without
the slash it figure out that was were referencing a single node.

Well, I made the above change and it still does NOT work; in
other words I still get the 551 Server use forbidden error message.

Also, tested the xMail server against my local IP (10.0.0.25),
as I have a VPN connection to the eMail server as well and that
did NOT work as well.

And the answer is YES, when I test the 96. address I dropped
the VPN tunnel before testing.

I also thought of another idea to determine if xMail returns the
correct data I performed the following command:

ctrlclnt -s XX.XX.XX.XX -n  -u Y -p Z cfgfileget smtp.ipprop.tab

The command line program returned:

10.0.0.0/16   WhiteList=1
64.18.0.0/20  WhiteList=1
96.227.65.4/32WhiteList=1

Unless you have any further suggestions... What is our next step?

Thanks,
Hal Dell
ePodWorks.net, Inc.
Managing Partner

-
To unsubscribe from this list: send the line unsubscribe xmail in
the body of a message to [EMAIL PROTECTED]
For general help: send the line help in the body of a message to
[EMAIL PROTECTED]

[xmail] Re: Lockdown xMail

[Hal Dell]

Dear Francis -

 Effectively, it seems the MailAuth feature does not take into
 account the 'WhiteList' parameter in the smtp.ipprop.tab file.

 But should it be the case as the smtp.ipprop.tab Whitelist is
 supposed to be used to change ip checks ?

Davide is the one who suggested the smtp.ipprop.tab option to me
as I did not really use this tab before.

I originally tried adding entries to smtprelay.tab which did not work
either.

 For now, Hal, I think you could use your firewall to block any 'external'
 attempts to go to you Postini dedicated xmail server ip and ports ;)

The problem is that I use xMail as part of my ISP service therefore
customers are using xMail as their outbound eMail MTA on Port 25
from all over the place on the net therefore it is not possible to block
the port.

Even if I could use my firewall to block access; Postini does not have
a feature to change the forwarding IP Port for the Relay nor any kind
of Authorization that I know of.

 IMOO another smtp.ipprop.tab parameter like MailAuth=0 should
 be created (to not change/mix 'ip checks' rules)

IMOO I think of this as a Relay function so I think the smtprelay.tab is
the place for the information. The docs define the purpose is to allow
hosts or networks to use the server as relay.

Agains the docs say using SmtpConfig-IP makes authentication require[d]
to send mail to the server. Please note that by setting this value
everything
requires authentication, even for sending to local domains, and this is
probably
not what you want.

However, I'm not sure why SmtpConfig-IP is locked down so hard?

Maybe, another way to think about this is that a parameter needs to be
added to SmtpConfig-IP to determine if the smtp.ipprop.tab or smtprelay.tab
should override the MailAuth. For example:

SmtpConfig-64.74.149.27,25MailAuth  ipprop
SmtpConfig-64.74.149.27,25MailAuth  relay

Any further suggestions Francis?

I just can't believe that as popular as Postini has become that I'm the
first
one trying to get xMail integrate with it! Anyone done this before?

Davide what is our next step?

I could really use a patched version of xMail to test.

Thanks,
Hal Dell
ePodWorks.net, Inc.
Managing Partner


-
To unsubscribe from this list: send the line unsubscribe xmail in
the body of a message to [EMAIL PROTECTED]
For general help: send the line help in the body of a message to
[EMAIL PROTECTED]