Semantics in accept rule - strict meaning of "from local"

2017-01-11 Thread Damian McGuckin


What is the definition of a locally originating connection please?

It would appear that

accept from local for any relay

is not the same as

table myself { localhost }

accept from source <myself> for any relay

I was trying to create a tighter version of the following 'smtpd.conf' 
which seems to work


table mylan { 10.10.1.0/24, 10.10.10.0/24 }

listen on 127.0.0.1
listen on 10.10.10.1

accept from source <mylan> for any relay
accept from local for any relay

This allows this host (10.10.10.1) running OpenSMTPD to send email that 
originates on either itself, or any system on the 10.10.10.0/24 physical 
internal network, or any system on the 10.10.1.0/24 virtual internal 
network as is specified by NPPPD which is also running on this same 
machine.


I was trying to have a tighter file and define 'mylan' as

table mylan { 10.10.1.0/24, 10.10.10.0/24, localhost }

which should let me drop the last line. It fails. Hence my first question.

There are other places, e.g.

for local virtual 

where the word 'local' does mean localhost and the default server name.

Thanks - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Meaning of from local

2014-05-31 Thread Norman Golisz
On Fri May 30 2014 16:38, Clint Pachl wrote:
[...]
 I still think that the 550 Invalid recipient error isn't intuitive when a
 client doesn't have the locality or the credentials required by the mail
 server.

Let's see it from the rule processor's point of view. With a ruleset like
yours,

 accept from local for local alias <aliases> deliver to mbox
 accept from any for domain <domains> virtual <users> \
deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}
 accept from local for any relay

there's only one rule that applies in the non-local (also
non-authenticated) case, so the ruleset is going to be reduced to:

 accept from any for domain <domains> virtual <users> \
deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}

When this rule is being evaluated, it expands the table domains and
compares its content with the recipient domain from the envelope. In
your case, it was 'devio.us'. This domain is obviously not part of
your domains table. So, smtpd concludes it's not the destination mail
server, but it's also not allowed to try to relay it, either.

Yes, there's no distinction being made between non-local and
non-authenticated senders, because it's just the same case. How could
the server know better? Should it return something along the lines of
"if you'd authenticated yourself, I might be able to deal with your mail
differently"? Therefore, the sender (correctly) receives "550 Invalid
recipient" in both cases.

Norman




Meaning of from local

2014-05-30 Thread Clint Pachl

The directive for "from local" in the smtpd.conf(5) man page states:

  The rule matches only locally originating connections.

But what exactly does locally originating mean?

My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The 
OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The 
mail server will relay mail to the Internet for the client with the 
following single rule:


  accept from local for any relay

Should the mail server be relaying mail for this client? Is the client, 
which is on a different subnet than the mail server, considered local?





Re: Meaning of from local

2014-05-30 Thread Barbier, Jason
From local means 2 things 1. From 127.0.0.0/8 or from authenticated,
On May 30, 2014 5:09 AM, Clint Pachl pa...@ecentryx.com wrote:

 Clint Pachl wrote, On 05/30/14 05:02:

 The directive for "from local" in the smtpd.conf(5) man page states:

   The rule matches only locally originating connections.

 But what exactly does locally originating mean?

 My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The
 OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The
 mail server will relay mail to the Internet for the client with the
 following single rule:

   accept from local for any relay

 Should the mail server be relaying mail for this client? Is the client,
 which is on a different subnet than the mail server, considered local?


 I also forgot to add that this client is also authenticating with the mail
 server using this rule:

   listen on mail port submission tls-require pki tm auth <passwd>

 Perhaps a successfully authenticated session automatically makes the
 client local?





Re: Meaning of from local

2014-05-30 Thread Gilles Chehade
Actually, from local means 2 things:

1- from _any_ IP address that is assigned to the local machine
2- from clients that have authenticated themselves to the local machine

Gilles

On Fri, May 30, 2014 at 05:45:43AM -0700, Barbier, Jason wrote:
 From local means 2 things 1. From 127.0.0.0/8 or from authenticated,
 On May 30, 2014 5:09 AM, Clint Pachl pa...@ecentryx.com wrote:
 [...]

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: Meaning of from local

2014-05-30 Thread Clint Pachl

Panagiotis Atmatzidis wrote, On 05/30/14 05:58:

My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD 
server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will 
relay mail to the Internet for the client with the following single rule:

  accept from local for any relay

No, it will not accept emails from 10.0.9/24 or x.x.10/24



The problem is that the mail server *is* accepting/relaying mail from 
the client which is on a different subnet. So this behavior doesn't seem 
correct.


I discovered that authentication may be changing the behavior of from 
local. But I'm not getting intuitive error messages (see below) from 
smtpd, so I'm unsure of the exact behavior. I just want confirmation of 
the meaning of from local with regards to successfully authenticated 
clients regardless of their locality from the server.


Here is my entire conf that allows the behavior described above:

### /etc/mail/smtpd.conf ###
table aliases   /etc/mail/aliases
table domains   /etc/mail/domains
table passwd    /etc/mail/passwd
table users /etc/mail/users

pki tm certificate /etc/ssl/mail.targetmeister.com.crt
pki tm key /etc/ssl/private/mail.targetmeister.com.key

listen on localhost
listen on mail port smtp tls pki tm
listen on mail port submission tls-require pki tm auth <passwd>

accept from local for local alias <aliases> deliver to mbox
accept from any for domain <domains> virtual <users> \
   deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}
accept from local for any relay
### END ###

And here is the session output from smtpd when a client on a different 
subnet from the server submits an email for relay *with authentication* 
on submission port 587:


# smtpd -d
info: OpenSMTPD 5.4.2 starting
info: startup
smtp-in: New session 49c757a0a5705603 from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 49c757a0a5705603: version=TLSv1/SSLv3, 
cipher=AES128-SHA, bits=128
smtp-in: Accepted authentication for user xx...@pachl.us on session 
49c757a0a5705603
smtp-in: Accepted message 759ccb3c on session 49c757a0a5705603: 
from=xx...@pachl.us, to=xx...@devio.us, size=219, ndest=1, proto=ESMTP
smtp-out: Connecting to smtp+tls://66.7.199.108:25 (devio.us) on session 
e5969f5c34763839...

smtp-out: Connected on session e5969f5c34763839
smtp-out: Started TLS on session e5969f5c34763839: version=TLSv1/SSLv3, 
cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256

smtp-out: Server certificate verification failed on session e5969f5c34763839
relay: Ok for 759ccb3c571ca1f8: session=e5969f5c34763839, 
from=xx...@pachl.us, to=xx...@devio.us, rcpt=-, source=10.0.9.20, 
relay=66.7.199.108 (devio.us), delay=2s, stat=250 2.0.0 Ok: queued as 
A9B071B5B88

smtp-out: Closing session e5969f5c34763839: 1 message sent.


But, if I make authentication optional (auth-optional) on submission 
port and authentication on the client is turned off, I get the following 
session output:


# smtpd -d
info: OpenSMTPD 5.4.2 starting
info: startup
smtp-in: New session 26c46acb7b5bf97b from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 26c46acb7b5bf97b: version=TLSv1/SSLv3, 
cipher=AES128-SHA, bits=128
smtp-in: Failed command on session 26c46acb7b5bf97b: RCPT 
TO:xxx...@devio.us = 550 Invalid recipient

smtp-in: Received disconnect from session 26c46acb7b5bf97b
smtp-in: New session 26c46acc2bed96ec from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 26c46acc2bed96ec: version=TLSv1/SSLv3, 
cipher=AES128-SHA, bits=128
smtp-in: Failed command on session 26c46acc2bed96ec: RCPT 
TO:xxx...@devio.us = 550 Invalid recipient



As you can see, it does not relay the mail. It instead gives me a 550 
Invalid recipient error, which doesn't seem apropos. It seems the error 
should mention a failure in authentication, permission, or credentials.


Bottom line is, it seems successful authentication makes a client 
local. Is this correct?





Re: Meaning of from local

2014-05-30 Thread Clint Pachl
I apologize for the noise I've created. I did not read the documentation 
closely. I found a definitive answer to my question in the listen on 
directive, which states:


If the auth parameter is used, then a client may only start an SMTP 
transaction after a successful authentication. Any remote sender that 
passed SMTPAUTH is treated as if it was the server's local user that was 
sending the mail. This means that filter rules using from local will 
be matched.


I still think that the 550 Invalid recipient error isn't intuitive 
when a client doesn't have the locality or the credentials required by 
the mail server.


Thanks,
Clint


Clint Pachl wrote, On 05/30/14 16:26:

[...]

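Added example, not OpenSMTPD code and not posted by anyone in the thread: a small Python model of the 5.4-era accept-rule matching discussed above. It encodes Gilles' definition of "from local" (an address assigned to the server, or an authenticated client), the first-match walk through Clint's ruleset that Norman describes (an unauthenticated remote client whose recipient domain is not in <domains> falls off the end and gets "550 Invalid recipient"), and the difference between "from local" and "from source <table>" that Damian's message turns on: a source table is matched only against the client IP, so an authenticated remote client matches "from local" but not "from source <mylan>". The table contents, client addresses, recipients and the set of names that "for local" matches are constructed here for illustration. Whether this is the cause of Damian's failing config is not something the thread establishes; the model only shows one documented difference.

```python
"""Model of OpenSMTPD 5.4-style 'accept' rule evaluation (illustrative, not
OpenSMTPD's code). Rules are tried in order; the first whose 'from' and 'for'
parts both match wins. No match means '550 Invalid recipient' at RCPT TO.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    src: str                      # client IP as seen by smtpd
    authenticated: bool = False   # SMTP AUTH succeeded on this session


@dataclass
class Rule:
    frm: str      # "local", "any" or "source:<table>"
    fr: str       # "local", "any" or "domain:<table>"
    action: str   # what the rule does, e.g. "relay" or "deliver to mbox"


@dataclass
class Server:
    local_addrs: set     # every IP assigned to the machine, loopback included
    local_domains: set   # names that "for local" matches (assumed set)
    tables: dict         # table name -> list of CIDRs or domain names
    rules: list

    def _from_matches(self, rule, sess):
        if rule.frm == "any":
            return True
        if rule.frm == "local":
            # smtpd.conf(5): an authenticated remote sender is treated as local
            return sess.authenticated or sess.src in self.local_addrs
        if rule.frm.startswith("source:"):
            # A source table is matched against the client IP only;
            # authentication does not help here.
            nets = self.tables[rule.frm.split(":", 1)[1]]
            ip = ipaddress.ip_address(sess.src)
            return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
        raise ValueError(f"unknown from-spec {rule.frm!r}")

    def _for_matches(self, rule, rcpt):
        domain = rcpt.rpartition("@")[2].lower()
        if rule.fr == "any":
            return True
        if rule.fr == "local":
            return domain in {d.lower() for d in self.local_domains}
        if rule.fr.startswith("domain:"):
            names = self.tables[rule.fr.split(":", 1)[1]]
            return domain in {d.lower() for d in names}
        raise ValueError(f"unknown for-spec {rule.fr!r}")

    def rcpt_to(self, sess, rcpt):
        """Action of the first matching rule, or the SMTP reply smtpd sends."""
        for rule in self.rules:
            if self._from_matches(rule, sess) and self._for_matches(rule, rcpt):
                return rule.action
        return "550 Invalid recipient"


def clint_server():
    """Clint's three-rule config; <domains> content and local names are constructed."""
    return Server(
        local_addrs={"127.0.0.1", "::1", "10.0.9.20"},
        local_domains={"localhost", "mail.targetmeister.com"},
        tables={"domains": ["targetmeister.com"]},
        rules=[
            Rule("local", "local", "deliver to mbox"),
            Rule("any", "domain:domains", "deliver to maildir"),
            Rule("local", "any", "relay"),
        ],
    )


def damian_server(tight):
    """Damian's relay-only config. tight=True drops the 'from local' rule and
    puts the loopback address in <mylan> instead (constructed CIDR form)."""
    rules = [Rule("source:mylan", "any", "relay")]
    if not tight:
        rules.append(Rule("local", "any", "relay"))
    return Server(
        local_addrs={"127.0.0.1", "10.10.10.1"},
        local_domains={"localhost"},
        tables={"mylan": ["10.10.1.0/24", "10.10.10.0/24", "127.0.0.1"]},
        rules=rules,
    )


if __name__ == "__main__":
    s = clint_server()
    print(s.rcpt_to(Session("10.0.10.24", authenticated=True), "someone@devio.us"))
    print(s.rcpt_to(Session("10.0.10.24"), "someone@devio.us"))
    print(damian_server(tight=True).rcpt_to(Session("203.0.113.7", authenticated=True), "x@example.org"))
```

The two log excerpts in Clint's message correspond to the first two calls in the `__main__` block: the authenticated session from 10.0.10.24 reaches the third rule and relays, the unauthenticated one matches nothing and is refused at RCPT TO. Authentication is the only thing that changes between them, which is why the reply cannot be more specific than "550 Invalid recipient" without the rule set itself saying so.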