Semantics in accept rule - strict meaning of "from local"
What is the definition of a "locally originating connection" please?

It would appear that

    accept from local for any relay

is not the same as

    table myself { localhost }
    accept from source <myself> for any relay

I was trying to create a tighter version of the following 'smtpd.conf', which seems to work:

    table mylan { 10.10.1.0/24, 10.10.10.0/24 }

    listen on 127.0.0.1
    listen on 10.10.10.1

    accept from source <mylan> for any relay
    accept from local for any relay

This allows this host (10.10.10.1) running OpenSMTPD to send email that originates on either itself, or any system on the 10.10.10.0/24 physical internal network, or any system on the 10.10.1.0/24 virtual internal network as is specified by NPPPD, which is also running on this same machine.

I was trying to have a tighter file and define 'mylan' as

    table mylan { 10.10.1.0/24, 10.10.10.0/24, localhost }

which should let me drop the last line. It fails. Hence my first question.

There are other places, e.g. "for local" / "virtual", where the word 'local' does mean localhost and the default server name.

Thanks - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Meaning of from local
On Fri May 30 2014 16:38, Clint Pachl wrote:
> [...]
> I still think that the 550 Invalid recipient error isn't intuitive when a
> client doesn't have the locality or the credentials required by the mail
> server.

Let's see it from the rule processor's point of view. With a ruleset like yours,

    accept from local for local alias <aliases> deliver to mbox
    accept from any for domain <domains> virtual <users> \
        deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}
    accept from local for any relay

there's only one rule that applies in the non-local (also non-authenticated) case, so the ruleset is going to be reduced to:

    accept from any for domain <domains> virtual <users> \
        deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}

When this rule is being evaluated, it expands the table <domains> and compares its content with the recipient domain from the envelope. In your case, it was 'devio.us'. This domain is obviously not part of your domains table. So, smtpd concludes it's not the destination mail server, but it's also not allowed to try to relay it, either.

Yes, there's no distinction being made between non-local and non-authenticated senders, because it's just the same case. How could the server know better? Should it return something along the lines of "if you'd authenticated yourself, I might be able to deal with your mail differently"?

Therefore, the sender (correctly) receives 550 Invalid recipient in both cases.

Norman
Meaning of from local
The directive for "from local" in the smtpd.conf(5) man page states:

    The rule matches only locally originating connections.

But what exactly does "locally originating" mean?

My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will relay mail to the Internet for the client with the following single rule:

    accept from local for any relay

Should the mail server be relaying mail for this client? Is the client, which is on a different subnet than the mail server, considered local?
Re: Meaning of from local
From local means 2 things

1. From 127.0.0.0/8 or from authenticated,

On May 30, 2014 5:09 AM, "Clint Pachl" <pa...@ecentryx.com> wrote:
> Clint Pachl wrote, On 05/30/14 05:02:
> > The directive for "from local" in the smtpd.conf(5) man page states:
> >
> >     The rule matches only locally originating connections.
> >
> > But what exactly does "locally originating" mean?
> >
> > My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The
> > OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The
> > mail server will relay mail to the Internet for the client with the
> > following single rule:
> >
> >     accept from local for any relay
> >
> > Should the mail server be relaying mail for this client? Is the client,
> > which is on a different subnet than the mail server, considered local?
>
> I also forgot to add that this client is also authenticating with the mail
> server using this rule:
>
>     listen on mail port submission tls-require pki tm auth <passwd>
>
> Perhaps a successfully authenticated session automatically makes the client
> local?
Re: Meaning of from local
Actually, "from local" means 2 things:

1- from _any_ IP address that is assigned to the local machine
2- from clients that have authenticated themselves to the local machine

Gilles

On Fri, May 30, 2014 at 05:45:43AM -0700, Barbier, Jason wrote:
> From local means 2 things
>
> 1. From 127.0.0.0/8 or from authenticated,
>
> On May 30, 2014 5:09 AM, "Clint Pachl" <pa...@ecentryx.com> wrote:
> > Clint Pachl wrote, On 05/30/14 05:02:
> > > [...]
> >
> > I also forgot to add that this client is also authenticating with the
> > mail server using this rule:
> >
> >     listen on mail port submission tls-require pki tm auth <passwd>
> >
> > Perhaps a successfully authenticated session automatically makes the
> > client local?

--
Gilles Chehade

https://www.poolp.org @poolpOrg
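The following is an added illustration, not code from this thread or from OpenSMTPD itself. It models the rule evaluation described in the thread: Gilles' two-part definition of "from local" (any address assigned to the machine, or a client that authenticated), Norman's observation that an unauthenticated remote client is left with only the "from any" rules and so ends up with 550 Invalid recipient, and Damian's "from source <table>" variant, which only ever compares addresses. The server's address list, the hostnames treated as local destinations, the contents of the 'domains' table and the client addresses are all constructed for the example; OpenSMTPD's real matching has more cases than this.

```python
# Added illustration (not OpenSMTPD's own code): a small model of how a
# ruleset of "accept from ... for ... <action>" lines picks an action for a
# session. Table contents and addresses below are constructed.
import ipaddress
from typing import List, Optional, Set, Union

# Constructed: addresses assigned to the server, and the names it treats as
# local destinations for "for local". The real values are not on the page.
LOCAL_ADDRS = {"127.0.0.1", "10.0.9.20"}
LOCAL_HOSTNAMES = {"mail.targetmeister.com"}

Selector = Union[str, Set[str]]  # "local" / "any", or a table's contents


class Rule:
    """One 'accept from <src> for <dst> <action>' line."""

    def __init__(self, src: Selector, dst: Selector, action: str) -> None:
        self.src = src      # "local", "any", or a set of networks (from source <table>)
        self.dst = dst      # "local", "any", or a set of domains (for domain <table>)
        self.action = action

    def __repr__(self) -> str:
        return f"Rule({self.action!r})"


def from_matches(rule: Rule, source_ip: Optional[str], authenticated: bool,
                 local_addrs: Set[str] = LOCAL_ADDRS) -> bool:
    """Does the rule's 'from' part match this session?"""
    if rule.src == "any":
        return True
    if rule.src == "local":
        # Gilles' two cases: an address of the machine itself, or a client
        # that passed SMTP AUTH, wherever it connects from.
        return authenticated or source_ip in local_addrs
    # 'from source <table>': plain address matching; AUTH plays no part here.
    if source_ip is None:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in rule.src)


def for_matches(rule: Rule, rcpt_domain: str) -> bool:
    """Does the rule's 'for' part match the recipient domain?"""
    if rule.dst == "any":
        return True
    if rule.dst == "local":
        return rcpt_domain in LOCAL_HOSTNAMES
    return rcpt_domain in rule.dst  # 'for domain <table>': expand and compare


def applicable_rules(rules: List[Rule], source_ip: Optional[str],
                     authenticated: bool) -> List[Rule]:
    """Norman's 'reduced ruleset': the rules whose 'from' part fits the session."""
    return [r for r in rules if from_matches(r, source_ip, authenticated)]


def decide(rules: List[Rule], source_ip: Optional[str], authenticated: bool,
           rcpt: str) -> str:
    """First rule whose 'from' and 'for' both match wins; otherwise reject."""
    domain = rcpt.rsplit("@", 1)[1]
    for rule in applicable_rules(rules, source_ip, authenticated):
        if for_matches(rule, domain):
            return rule.action
    return "550 Invalid recipient"


# Clint's three rules. The 'domains' table content is constructed.
DOMAINS = {"example.net"}
CLINT_RULES = [
    Rule("local", "local", "deliver to mbox"),
    Rule("any", DOMAINS, "deliver to maildir"),
    Rule("local", "any", "relay"),
]

# Damian's tighter variant: a table used in place of "from local".
MYLAN = {"10.10.1.0/24", "10.10.10.0/24", "127.0.0.1/32"}
DAMIAN_RULES = [Rule(MYLAN, "any", "relay")]

if __name__ == "__main__":
    # The remote client 10.0.10.24 with and without AUTH, as in Clint's logs.
    print(decide(CLINT_RULES, "10.0.10.24", True, "xx@devio.us"))   # relay
    print(decide(CLINT_RULES, "10.0.10.24", False, "xx@devio.us"))  # 550 Invalid recipient
    print(applicable_rules(CLINT_RULES, "10.0.10.24", False))      # [Rule('deliver to maildir')]
    # A table-based rule does not extend to authenticated clients outside it.
    print(decide(DAMIAN_RULES, "203.0.113.7", True, "xx@devio.us"))  # 550 Invalid recipient
```

The last case is the practical difference between the two spellings: a "from source <table>" rule is a pure address check, so a roaming client that authenticates on the submission port is not covered by it, whereas "from local" covers both the machine's own addresses and every authenticated session. The rejection string is the same whether the client is merely remote or remote and unauthenticated, which is the point Norman makes about the 550.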
Re: Meaning of from local
Panagiotis Atmatzidis wrote, On 05/30/14 05:58:
> > My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The
> > OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The
> > mail server will relay mail to the Internet for the client with the
> > following single rule:
> >
> >     accept from local for any relay
>
> No it will not accept emails from 10.0.9/24 or x.x.10/24

The problem is that the mail server *is* accepting/relaying mail from the client which is on a different subnet. So this behavior doesn't seem correct.

I discovered that authentication may be changing the behavior of "from local". But I'm not getting intuitive error messages (see below) from smtpd, so I'm unsure of the exact behavior. I just want confirmation of the meaning of "from local" with regards to successfully authenticated clients regardless of their locality from the server.

Here is my entire conf that allows the behavior described above:

    ### /etc/mail/smtpd.conf ###
    table aliases /etc/mail/aliases
    table domains /etc/mail/domains
    table passwd /etc/mail/passwd
    table users /etc/mail/users

    pki tm certificate /etc/ssl/mail.targetmeister.com.crt
    pki tm key /etc/ssl/private/mail.targetmeister.com.key

    listen on localhost
    listen on mail port smtp tls pki tm
    listen on mail port submission tls-require pki tm auth <passwd>

    accept from local for local alias <aliases> deliver to mbox
    accept from any for domain <domains> virtual <users> \
        deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}
    accept from local for any relay
    ### END ###

And here is the session output from smtpd when a client on a different subnet from the server submits an email for relay *with authentication* on submission port 587:

    # smtpd -d
    info: OpenSMTPD 5.4.2 starting
    info: startup
    smtp-in: New session 49c757a0a5705603 from host 10.0.10.24 [10.0.10.24]
    smtp-in: Started TLS on session 49c757a0a5705603: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Accepted authentication for user xx...@pachl.us on session 49c757a0a5705603
    smtp-in: Accepted message 759ccb3c on session 49c757a0a5705603: from=xx...@pachl.us, to=xx...@devio.us, size=219, ndest=1, proto=ESMTP
    smtp-out: Connecting to smtp+tls://66.7.199.108:25 (devio.us) on session e5969f5c34763839...
    smtp-out: Connected on session e5969f5c34763839
    smtp-out: Started TLS on session e5969f5c34763839: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
    smtp-out: Server certificate verification failed on session e5969f5c34763839
    relay: Ok for 759ccb3c571ca1f8: session=e5969f5c34763839, from=xx...@pachl.us, to=xx...@devio.us, rcpt=-, source=10.0.9.20, relay=66.7.199.108 (devio.us), delay=2s, stat=250 2.0.0 Ok: queued as A9B071B5B88
    smtp-out: Closing session e5969f5c34763839: 1 message sent.

But, if I make authentication optional (auth-optional) on the submission port and authentication on the client is turned off, I get the following session output:

    # smtpd -d
    info: OpenSMTPD 5.4.2 starting
    info: startup
    smtp-in: New session 26c46acb7b5bf97b from host 10.0.10.24 [10.0.10.24]
    smtp-in: Started TLS on session 26c46acb7b5bf97b: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Failed command on session 26c46acb7b5bf97b: RCPT TO:xxx...@devio.us = 550 Invalid recipient
    smtp-in: Received disconnect from session 26c46acb7b5bf97b
    smtp-in: New session 26c46acc2bed96ec from host 10.0.10.24 [10.0.10.24]
    smtp-in: Started TLS on session 26c46acc2bed96ec: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Failed command on session 26c46acc2bed96ec: RCPT TO:xxx...@devio.us = 550 Invalid recipient

As you can see, it does not relay the mail. It instead gives me a 550 Invalid recipient error, which doesn't seem apropos. It seems the error should mention a failure in authentication, permission, or credentials.

Bottom line is, it seems successful authentication makes a client local. Is this correct?
Re: Meaning of from local
I apologize for the noise I've created. I did not read the documentation closely. I found a definitive answer to my question in the "listen on" directive, which states:

    If the auth parameter is used, then a client may only start an SMTP
    transaction after a successful authentication. Any remote sender that
    passed SMTPAUTH is treated as if it was the server's local user that
    was sending the mail. This means that filter rules using from local
    will be matched.

I still think that the 550 Invalid recipient error isn't intuitive when a client doesn't have the locality or the credentials required by the mail server.

Thanks,
Clint

Clint Pachl wrote, On 05/30/14 16:26:
> [...]