Re: How do I only allow relay for authenticated users?
Hi,

On 09/24/2017 12:12 PM, Bruno Pagani wrote:
> Hi,
>
> On 24/09/2017 at 20:48, Kevin wrote:
>> My question is: how do I only allow relay for authenticated users?
>>
>> #accept from any for any relay via tls+auth://la...@smtp.sendgrid.net auth
>
> Just `accept from local` instead of `from any` in the line I’ve left
> above, and it should work the way you want. ;)

Ah! I see now in the man page:

"Any remote sender that passed SMTPAUTH is treated as if it was the server's local user that was sending the mail. This means that filter rules using from local will be matched."

Thank you.

--
Kevin
Re: How do I only allow relay for authenticated users?
Hi,

On 24/09/2017 at 20:48, Kevin wrote:
> Hi, I just started with OpenSMTPD and I was able to get it up and
> running (with Dovecot) in just one day. It's a real pleasure to use
> and configure, so thank you!
>
> My question is: how do I only allow relay for authenticated users?
>
> #accept from any for any relay via tls+auth://la...@smtp.sendgrid.net auth
>
> If I understand the above correctly, somebody could connect to port
> 25, not authenticate, but still send an email which would relay to
> sendgrid. However, I don't want to enforce authentication on 25
> because then I can't receive email for my domains as an MX server.

Just `accept from local` instead of `from any` in the line I’ve left above, and it should work the way you want. ;)

Which is what examples do btw, except that `from local` being the default it’s not specified.

Bruno
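An added example, not part of the thread and not OpenSMTPD code: a small Python check that reads rules in the `accept` grammar used in this thread and flags any rule that relays from any source to any destination, which is the case Kevin describes and Bruno's `from local` closes. The sample configuration, host names and table names are constructed placeholders; the default source of `local` follows Bruno's remark above, and line continuations are not handled.

```python
import shlex

# Keywords that narrow a rule beyond its source and destination.
# "authenticated" is the keyword discussed in the thread's documentation link.
QUALIFIERS = ("tagged", "sender", "recipient", "authenticated")

# Constructed sample in the thread's `accept` grammar (placeholder hosts/tables).
SAMPLE_CONF = """\
listen on eth0 port 25 tls pki mail.example.org auth-optional
listen on eth0 port 587 tls-require pki mail.example.org auth
accept from any for domain <domains> virtual <users> deliver to lmtp "/run/dovecot/lmtp" rcpt-to
accept from any for any relay via tls+auth://label@smtp.example.net auth <secrets>
accept from any for any recipient <recipient_whitelist> relay via smtp://127.0.0.1:10027
accept from local for any relay via tls+auth://label@smtp.example.net auth <secrets>
accept tagged DKIM for any relay
#accept from any for any relay
"""


def parse_rule(line):
    """Parse one `accept` rule into a dict; return None for any other line."""
    try:
        tokens = shlex.split(line, comments=True)  # drops '#' comments
    except ValueError:  # unbalanced quotes: not a rule we can read
        return None
    if not tokens or tokens[0] != "accept":
        return None
    # `from local` is the default when a rule names no source.
    rule = {"source": "local", "dest": None, "action": None, "qualifiers": []}
    for i, tok in enumerate(tokens[1:], start=1):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if rule["action"] is not None:
            break  # everything after relay/deliver is action arguments
        if tok == "from" and nxt:
            rule["source"] = nxt  # any | local | source
        elif tok == "for" and nxt:
            rule["dest"] = nxt  # any | local | domain
        elif tok in ("relay", "deliver"):
            rule["action"] = tok
        elif tok in QUALIFIERS:
            rule["qualifiers"].append(tok)
    return rule


def audit(conf_text):
    """Return (line_number, verdict, text) for rules relaying from any to any."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        rule = parse_rule(line)
        if not rule or rule["action"] != "relay":
            continue
        if rule["source"] == "any" and rule["dest"] == "any":
            # Unqualified: relays for unauthenticated clients. Qualified:
            # narrowed by a table or tag, so the table contents need review.
            verdict = "review" if rule["qualifiers"] else "open-relay"
            findings.append((number, verdict, line.strip()))
    return findings


if __name__ == "__main__":
    for number, verdict, text in audit(SAMPLE_CONF):
        print(f"line {number}: {verdict}: {text}")
```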
How do I only allow relay for authenticated users?
Hi, I just started with OpenSMTPD and I was able to get it up and running (with Dovecot) in just one day. It's a real pleasure to use and configure, so thank you!

My question is: how do I only allow relay for authenticated users?

Below is my current configuration largely based on the example1 from the FAQ. I'm running from source with opensmtpd-201702130941p1.

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table users file:/etc/mail/users
table secrets file:/etc/mail/secrets

pki ${cubevar_app_email_host} certificate "/etc/letsencrypt/live/${cubevar_app_email_host}/fullchain.pem"
pki ${cubevar_app_email_host} key "/etc/letsencrypt/live/${cubevar_app_email_host}/privkey.pem"

listen on eth0 inet4 port 25 tls pki ${cubevar_app_email_host} auth-optional
listen on eth0 inet4 port 465 tls-require pki ${cubevar_app_email_host} auth
listen on eth0 inet4 port 587 tls-require pki ${cubevar_app_email_host} auth

accept from local for local alias deliver to lmtp "/run/dovecot/lmtp" rcpt-to
accept from any for domain virtual deliver to lmtp "/run/dovecot/lmtp" rcpt-to

#accept from any for any relay via tls+auth://la...@smtp.sendgrid.net auth

If I understand the above correctly, somebody could connect to port 25, not authenticate, but still send an email which would relay to sendgrid. However, I don't want to enforce authentication on 25 because then I can't receive email for my domains as an MX server.

--
Kevin
Re: Relay for authenticated users
Hi Joerg,

> On 4 May 2017, at 10:02, Joerg Jung wrote:
>
>> On 3. May 2017, at 15:05, Frank Timmers wrote:
>>
>> Hi,
>>
>> I’m trying to allow relay for authenticated users, however “smtpd -n”
>> gives a syntax error on the last line (with the authenticated) keyword.
>> As far as I understand the documentation [1], this should be the correct
>> syntax. I’ve included my config below. Any hints on why this isn’t
>> working? I’m using OpenSMTPD version 6.0.2p1.
>>
>> In the config below, I differentiate between hosts which can only mail
>> to internal domains and hosts which can relay to any domain. It would be
>> great to be able to do the same for authenticated users. For example
>> with “accept from any user for domain ”.
>> I don’t see how I would be able to do that with the current options.
>>
>> Thanks and Kind regards,
>> Frank.
>>
>> 1: http://man.openbsd.org/smtpd.conf
>>
>> —
>> # PKI
>> pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
>> pki mail.example.com key "/etc/opensmtpd/ssl.key"
>>
>> # If you edit the file, you have to run "smtpctl update table "
>> table internal_domains file:/etc/opensmtpd/tables/internal_domains
>> table sender_domains file:/etc/opensmtpd/tables/sender_domains
>> table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
>> table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
>> table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
>> table smtp_users file:/etc/opensmtpd/tables/smtp_users
>>
>> # Interface to listen on any address (needed for failover)
>> listen on 0.0.0.0 secure auth-optional pki mail.example.com
>>
>> # Listen on localhost for DKIM signed mail
>> listen on 127.0.0.1 port 10028 tag DKIM
>>
>> # Relay all DKIM signed mails
>> accept tagged DKIM for any relay
>>
>> # accept all mail for whitelisted recipients and relay to dkimproxy
>> accept from any for any recipient relay via smtp://127.0.0.1:10027
>>
>> # Hosts in table are allowed to relay to any from approved sender domains
>> accept from source sender for any relay via smtp://127.0.0.1:10027
>>
>> # Hosts in table are allowed to relay to any from approved sender domains
>> accept from source sender for domain relay via smtp://127.0.0.1:10027
>>
>> # Authenticated users are allowed to relay
>> accept authenticated from any relay
>> —
>
> If I remember correctly, authenticated users are treated like “local”
> users, so
>     accept from local for any relay
> might work.

“accept from local for any relay” does seem to work. However this is for my situation not sufficient. In the config above, I differentiate between hosts which are allowed to relay and hosts which are allowed only to relay to a limited set of destination domains. I’d like to do this for authenticated users as well.

With the authenticated keyword as mentioned in the documentation, I could construct something like:

accept authenticated from source 10.1.0.0/24 for any relay
accept authenticated from source 10.2.0.0/24 for domain relay

As far as I understand the documentation (http://man.openbsd.org/smtpd.conf), the above two lines should work.

Ideally I’d prefer the ruleset below, could this be considered a feature request?

—
# PKI
pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
pki mail.example.com key "/etc/opensmtpd/ssl.key"

# Tables
table domain_list file:/etc/opensmtpd/tables/domain_list
table restricted_users file:/etc/opensmtpd/tables/restricted_users
table relay_users file:/etc/opensmtpd/tables/relay_users

# Interface to listen on.
listen on 0.0.0.0 secure auth-optional pki mail.example.com

# Ruleset
accept authenticated user from any for any relay
accept authenticated user from any for domain relay
—

Kind regards,
Frank.
Re: Relay for authenticated users
I believe they are treated as local users. I've never used the "authenticated" keyword, so I'm not sure how to implement it correctly. I think in my current setup I tag the incoming messages on submission port and use the tag in my relay rule.

On May 4, 2017, at 3:02 AM, Joerg Jung wrote:
>
>> On 3. May 2017, at 15:05, Frank Timmers wrote:
>>
>> Hi,
>>
>> I’m trying to allow relay for authenticated users, however “smtpd -n”
>> gives a syntax error on the last line (with the authenticated) keyword.
>> As far as I understand the documentation [1], this should be the correct
>> syntax. I’ve included my config below. Any hints on why this isn’t
>> working? I’m using OpenSMTPD version 6.0.2p1.
>>
>> In the config below, I differentiate between hosts which can only mail
>> to internal domains and hosts which can relay to any domain. It would be
>> great to be able to do the same for authenticated users. For example
>> with “accept from any user for domain ”. I don’t see how I would be able
>> to do that with the current options.
>>
>> Thanks and Kind regards,
>> Frank.
>>
>> 1: http://man.openbsd.org/smtpd.conf
>>
>> —
>> # PKI
>> pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
>> pki mail.example.com key "/etc/opensmtpd/ssl.key"
>>
>> # If you edit the file, you have to run "smtpctl update table "
>> table internal_domains file:/etc/opensmtpd/tables/internal_domains
>> table sender_domains file:/etc/opensmtpd/tables/sender_domains
>> table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
>> table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
>> table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
>> table smtp_users file:/etc/opensmtpd/tables/smtp_users
>>
>> # Interface to listen on any address (needed for failover)
>> listen on 0.0.0.0 secure auth-optional pki mail.example.com
>>
>> # Listen on localhost for DKIM signed mail
>> listen on 127.0.0.1 port 10028 tag DKIM
>>
>> # Relay all DKIM signed mails
>> accept tagged DKIM for any relay
>>
>> # accept all mail for whitelisted recipients and relay to dkimproxy
>> accept from any for any recipient relay via smtp://127.0.0.1:10027
>>
>> # Hosts in table are allowed to relay to any from approved sender domains
>> accept from source sender for any relay via smtp://127.0.0.1:10027
>>
>> # Hosts in table are allowed to relay to any from approved sender domains
>> accept from source sender for domain relay via smtp://127.0.0.1:10027
>>
>> # Authenticated users are allowed to relay
>> accept authenticated from any relay
>> —
>
> If I remember correctly, authenticated users are treated like “local”
> users, so
>     accept from local for any relay
> might work.
Re: Relay for authenticated users
> On 3. May 2017, at 15:05, Frank Timmers wrote:
>
> Hi,
>
> I’m trying to allow relay for authenticated users, however “smtpd -n”
> gives a syntax error on the last line (with the authenticated) keyword.
> As far as I understand the documentation [1], this should be the correct
> syntax. I’ve included my config below. Any hints on why this isn’t
> working? I’m using OpenSMTPD version 6.0.2p1.
>
> In the config below, I differentiate between hosts which can only mail
> to internal domains and hosts which can relay to any domain. It would be
> great to be able to do the same for authenticated users. For example
> with “accept from any user for domain ”. I don’t see how I would be able
> to do that with the current options.
>
> Thanks and Kind regards,
> Frank.
>
> 1: http://man.openbsd.org/smtpd.conf
>
> —
> # PKI
> pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
> pki mail.example.com key "/etc/opensmtpd/ssl.key"
>
> # If you edit the file, you have to run "smtpctl update table "
> table internal_domains file:/etc/opensmtpd/tables/internal_domains
> table sender_domains file:/etc/opensmtpd/tables/sender_domains
> table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
> table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
> table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
> table smtp_users file:/etc/opensmtpd/tables/smtp_users
>
> # Interface to listen on any address (needed for failover)
> listen on 0.0.0.0 secure auth-optional pki mail.example.com
>
> # Listen on localhost for DKIM signed mail
> listen on 127.0.0.1 port 10028 tag DKIM
>
> # Relay all DKIM signed mails
> accept tagged DKIM for any relay
>
> # accept all mail for whitelisted recipients and relay to dkimproxy
> accept from any for any recipient relay via smtp://127.0.0.1:10027
>
> # Hosts in table are allowed to relay to any from approved sender domains
> accept from source sender for any relay via smtp://127.0.0.1:10027
>
> # Hosts in table are allowed to relay to any from approved sender domains
> accept from source sender for domain relay via smtp://127.0.0.1:10027
>
> # Authenticated users are allowed to relay
> accept authenticated from any relay
> —

If I remember correctly, authenticated users are treated like “local” users, so

    accept from local for any relay

might work.
Re: Relay for authenticated users
On 05/03/17 16:27, Frank Timmers wrote:
> Hi Edgar,
>
>> On 3 May 2017, at 23:04, Edgar Pettijohn wrote:
>>
>> On 05/03/17 08:05, Frank Timmers wrote:
>>> Hi,
>>>
>>> I’m trying to allow relay for authenticated users, however “smtpd -n”
>>> gives a syntax error on the last line (with the authenticated) keyword.
>>> As far as I understand the documentation [1], this should be the correct
>>> syntax. I’ve included my config below. Any hints on why this isn’t
>>> working? I’m using OpenSMTPD version 6.0.2p1.
>>>
>>> In the config below, I differentiate between hosts which can only mail
>>> to internal domains and hosts which can relay to any domain. It would be
>>> great to be able to do the same for authenticated users. For example
>>> with “accept from any user for domain ”. I don’t see how I would be able
>>> to do that with the current options.
>>>
>>> Thanks and Kind regards,
>>> Frank.
>>>
>>> 1: http://man.openbsd.org/smtpd.conf
>>>
>>> —
>>> # PKI
>>> pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
>>> pki mail.example.com key "/etc/opensmtpd/ssl.key"
>>>
>>> # If you edit the file, you have to run "smtpctl update table "
>>> table internal_domains file:/etc/opensmtpd/tables/internal_domains
>>> table sender_domains file:/etc/opensmtpd/tables/sender_domains
>>> table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
>>> table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
>>> table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
>>> table smtp_users file:/etc/opensmtpd/tables/smtp_users
>>>
>>> # Interface to listen on any address (needed for failover)
>>> listen on 0.0.0.0 secure auth-optional pki mail.example.com
>>>
>>> # Listen on localhost for DKIM signed mail
>>> listen on 127.0.0.1 port 10028 tag DKIM
>>>
>>> # Relay all DKIM signed mails
>>> accept tagged DKIM for any relay
>>>
>>> # accept all mail for whitelisted recipients and relay to dkimproxy
>>> accept from any for any recipient relay via smtp://127.0.0.1:10027
>>>
>>> # Hosts in table are allowed to relay to any from approved sender domains
>>> accept from source sender for any relay via smtp://127.0.0.1:10027
>>>
>>> # Hosts in table are allowed to relay to any from approved sender domains
>>> accept from source sender for domain relay via smtp://127.0.0.1:10027
>>>
>>> # Authenticated users are allowed to relay
>>> accept authenticated from any relay
>>> —
>>
>> try:
>> accept authenticated for any relay
>
> Thanks for the response. This also produces a syntax error message.
>
> Regards,
> Frank

I was thinking you may also need to switch from auth-optional to auth. I believe they are treated differently.
Re: Relay for authenticated users
Hi Edgar,

> On 3 May 2017, at 23:04, Edgar Pettijohn wrote:
>
> On 05/03/17 08:05, Frank Timmers wrote:
>> Hi,
>>
>> I’m trying to allow relay for authenticated users, however “smtpd -n”
>> gives a syntax error on the last line (with the authenticated) keyword.
>> As far as I understand the documentation [1], this should be the correct
>> syntax. I’ve included my config below. Any hints on why this isn’t
>> working? I’m using OpenSMTPD version 6.0.2p1.
>>
>> In the config below, I differentiate between hosts which can only mail
>> to internal domains and hosts which can relay to any domain. It would be
>> great to be able to do the same for authenticated users. For example
>> with “accept from any user for domain ”.
>> I don’t see how I would be able to do that with the current options.
>>
>> Thanks and Kind regards,
>> Frank.
>>
>> 1: http://man.openbsd.org/smtpd.conf
>>
>> —
>> # PKI
>> pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
>> pki mail.example.com key "/etc/opensmtpd/ssl.key"
>>
>> # If you edit the file, you have to run "smtpctl update table "
>> table internal_domains file:/etc/opensmtpd/tables/internal_domains
>> table sender_domains file:/etc/opensmtpd/tables/sender_domains
>> table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
>> table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
>> table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
>> table smtp_users file:/etc/opensmtpd/tables/smtp_users
>>
>> # Interface to listen on any address (needed for failover)
>> listen on 0.0.0.0 secure auth-optional pki mail.example.com
>>
>> # Listen on localhost for DKIM signed mail
>> listen on 127.0.0.1 port 10028 tag DKIM
>>
>> # Relay all DKIM signed mails
>> accept tagged DKIM for any relay
>>
>> # accept all mail for whitelisted recipients and relay to dkimproxy
>> accept from any for any recipient relay via smtp://127.0.0.1:10027
>>
>> # Hosts in table are allowed to relay to any from approved sender domains
>> accept from source sender for any relay via smtp://127.0.0.1:10027
>>
>> # Hosts in table are allowed to relay to any from approved sender domains
>> accept from source sender for domain relay via smtp://127.0.0.1:10027
>>
>> # Authenticated users are allowed to relay
>> accept authenticated from any relay
>> —
>
> try:
> accept authenticated for any relay

Thanks for the response. This also produces a syntax error message.

Regards,
Frank
Re: Relay for authenticated users
On 05/03/17 08:05, Frank Timmers wrote:
> Hi,
>
> I’m trying to allow relay for authenticated users, however “smtpd -n”
> gives a syntax error on the last line (with the authenticated) keyword.
> As far as I understand the documentation [1], this should be the correct
> syntax. I’ve included my config below. Any hints on why this isn’t
> working? I’m using OpenSMTPD version 6.0.2p1.
>
> In the config below, I differentiate between hosts which can only mail
> to internal domains and hosts which can relay to any domain. It would be
> great to be able to do the same for authenticated users. For example
> with “accept from any user for domain ”. I don’t see how I would be able
> to do that with the current options.
>
> Thanks and Kind regards,
> Frank.
>
> 1: http://man.openbsd.org/smtpd.conf
>
> —
> # PKI
> pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
> pki mail.example.com key "/etc/opensmtpd/ssl.key"
>
> # If you edit the file, you have to run "smtpctl update table "
> table internal_domains file:/etc/opensmtpd/tables/internal_domains
> table sender_domains file:/etc/opensmtpd/tables/sender_domains
> table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
> table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
> table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
> table smtp_users file:/etc/opensmtpd/tables/smtp_users
>
> # Interface to listen on any address (needed for failover)
> listen on 0.0.0.0 secure auth-optional pki mail.example.com
>
> # Listen on localhost for DKIM signed mail
> listen on 127.0.0.1 port 10028 tag DKIM
>
> # Relay all DKIM signed mails
> accept tagged DKIM for any relay
>
> # accept all mail for whitelisted recipients and relay to dkimproxy
> accept from any for any recipient relay via smtp://127.0.0.1:10027
>
> # Hosts in table are allowed to relay to any from approved sender domains
> accept from source sender for any relay via smtp://127.0.0.1:10027
>
> # Hosts in table are allowed to relay to any from approved sender domains
> accept from source sender for domain relay via smtp://127.0.0.1:10027
>
> # Authenticated users are allowed to relay
> accept authenticated from any relay
> —

try:
accept authenticated for any relay
Relay for authenticated users
Hi,

I’m trying to allow relay for authenticated users, however “smtpd -n” gives a syntax error on the last line (with the authenticated) keyword. As far as I understand the documentation [1], this should be the correct syntax. I’ve included my config below. Any hints on why this isn’t working? I’m using OpenSMTPD version 6.0.2p1.

In the config below, I differentiate between hosts which can only mail to internal domains and hosts which can relay to any domain. It would be great to be able to do the same for authenticated users. For example with “accept from any user for domain ”. I don’t see how I would be able to do that with the current options.

Thanks and Kind regards,
Frank.

1: http://man.openbsd.org/smtpd.conf

—
# PKI
pki mail.example.com certificate "/etc/opensmtpd/ssl.crt"
pki mail.example.com key "/etc/opensmtpd/ssl.key"

# If you edit the file, you have to run "smtpctl update table "
table internal_domains file:/etc/opensmtpd/tables/internal_domains
table sender_domains file:/etc/opensmtpd/tables/sender_domains
table can_relay_internally file:/etc/opensmtpd/tables/can_relay_internally
table can_relay_externally file:/etc/opensmtpd/tables/can_relay_externally
table recipient_whitelist file:/etc/opensmtpd/tables/recipient_whitelist
table smtp_users file:/etc/opensmtpd/tables/smtp_users

# Interface to listen on any address (needed for failover)
listen on 0.0.0.0 secure auth-optional pki mail.example.com

# Listen on localhost for DKIM signed mail
listen on 127.0.0.1 port 10028 tag DKIM

# Relay all DKIM signed mails
accept tagged DKIM for any relay

# accept all mail for whitelisted recipients and relay to dkimproxy
accept from any for any recipient relay via smtp://127.0.0.1:10027

# Hosts in table are allowed to relay to any from approved sender domains
accept from source sender for any relay via smtp://127.0.0.1:10027

# Hosts in table are allowed to relay to any from approved sender domains
accept from source sender for domain relay via smtp://127.0.0.1:10027

# Authenticated users are allowed to relay
accept authenticated from any relay
—