Re: Relaying Question (Wait! I read the FAQ and searched the archives)
On Tue, Nov 28, 2000 at 11:12:45PM -0800, [EMAIL PROTECTED] wrote:
> I set up the anti-relaying rules all fine and dandy according to the FAQ
> with tcpserver.. Everything works fine, *but* I need the ability to filter
> by DNS hostmask and IP address.. I tried the following test:
>
> This setup works:
>
> 209.142.1.150:allow,RELAYCLIENT=""
> :allow
>
> This setup does NOT work:
> vadept.com:allow,RELAYCLIENT=""
> :allow
>
> I need the ability to just wildcard IPs based upon their DNS lookup, I
> know I can enable paranoid mode to cut down on the spoofing, but will the
> current anti-relaying rules support a *.vadept.com rather than about
> 150-200 class C's?

Presume your tcpserver invocation is simple:

    tcpserver 0 smtp qmail-smtpd

Insert a call to a script like so:

    tcpserver 0 smtp shouldirelay qmail-smtpd

Create a script "shouldirelay" that does two things:

1. Uses ucspi-tcp environment variables to decide if RELAYCLIENT
   should be set. man tcp-environ for details.
2. execs the arguments in $@.
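One way to write the "shouldirelay" wrapper described above, as an added example that is not part of the original post. It assumes tcpserver is started with -p so that TCPREMOTEHOST is only present when the name resolves back to the client's IP; RELAY_DOMAIN and the two function names are hypothetical.

```shell
#!/bin/sh
# shouldirelay (added example). Assumed invocation, with -p so tcpserver only
# keeps TCPREMOTEHOST when the name resolves back to the client's IP:
#   tcpserver -p 0 smtp shouldirelay qmail-smtpd
# RELAY_DOMAIN is a hypothetical setting; vadept.com comes from the question.
RELAY_DOMAIN="${RELAY_DOMAIN:-vadept.com}"

# Succeed only if $1 is RELAY_DOMAIN itself or a name under it.
host_may_relay() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=${host%.}                      # tolerate one trailing dot
    case "$host" in
        "") return 1 ;;                 # no reverse DNS: never relay
        "$RELAY_DOMAIN"|*."$RELAY_DOMAIN") return 0 ;;
        *) return 1 ;;                  # e.g. evilvadept.com, vadept.com.example
    esac
}

# Set or clear RELAYCLIENT for the program we are about to exec.
apply_relay_policy() {
    if host_may_relay "${TCPREMOTEHOST:-}"; then
        RELAYCLIENT=""
        export RELAYCLIENT
    else
        unset RELAYCLIENT               # drop any value inherited from the parent
    fi
}

# Step 2 of the procedure: run the rest of the command line (qmail-smtpd).
if [ "$#" -gt 0 ]; then
    apply_relay_policy
    exec "$@"
fi
```

The match is anchored on a leading dot, so a look-alike name that merely ends in the same letters does not receive RELAYCLIENT.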
Re: relaying question
Thanks a lot Anand. You've been a great help!

Anand Buddhdev wrote:
> On Mon, Sep 27, 1999 at 09:32:07PM +0800, Edward Castillo-Jakosalem wrote:
>
> > So now I removed that deny line in my tcp.smtp file, issued the tcprule
> > command, and restarted my tcpserver. Does it mean that hosts can now connect
> > to my server without using it as a relay?
>
> Yes. Incidentally, you don't need to restart tcpserver. The rules
> database is read afresh for every incoming connection.
>
> > Oh and do we still need the rcpthosts file even though we are running
> > tcpserver?
>
> The rcpthosts file is still needed. This is so that non-relay clients
> can only send mail to domains that you want to receive mail for.
>
> --
> See complete headers for more info

--
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Edward Castillo-Jakosalem
Systems Administrator
Access Net (Phils.), Inc.
http://www.access.net.ph/ecj
[EMAIL PROTECTED]
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Re: relaying question
On Mon, Sep 27, 1999 at 09:32:07PM +0800, Edward Castillo-Jakosalem wrote:

> So now I removed that deny line in my tcp.smtp file, issued the tcprule
> command, and restarted my tcpserver. Does it mean that hosts can now connect
> to my server without using it as a relay?

Yes. Incidentally, you don't need to restart tcpserver. The rules
database is read afresh for every incoming connection.

> Oh and do we still need the rcpthosts file even though we are running
> tcpserver?

The rcpthosts file is still needed. This is so that non-relay clients
can only send mail to domains that you want to receive mail for.

--
See complete headers for more info
Re: relaying question
So now I removed that deny line in my tcp.smtp file, issued the tcprule
command, and restarted my tcpserver. Does it mean that hosts can now connect
to my server without using it as a relay?

Oh and do we still need the rcpthosts file even though we are running
tcpserver?

Sorry but am quite a newbie to qmail! Thanks Timothy!

"Timothy L. Mayo" wrote:
> Remove your last line. It is what is causing your problem.
>
> You want to allow but without setting the RELAYCLIENT environment variable
> which is the default behavior.
>
> On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:
>
> > Hi to all!
> > I recently configured our smtp to point to another machine running
> > qmail-1.03. No problem with that. Now, what I see in our log file is
> > that it says 'deny' to all the hosts except the 2 ip blocks I configured
> > to be relayclients. I just need some help if what I did in my tcp.smtp
> > file is correct.
> >
> > xxx.xxx.xxx.:allow,RELAYCLIENT=""
> > yyy.yyy.yyy.:allow,RELAYCLIENT=""
> > :deny
> >
> > Does this config mean that it will allow relaying from xxx and yyy
> > domains and deny from anywhere else? What about other hosts sending mail
> > to one of our handled domains? Is this the deny that I see in our log
> > files?
> >
> > I hope I sent the complete details.
> > Thanks very much in advance for any help!
> >
> > Edward Castillo-Jakosalem
>
> -
> Timothy L. Mayo mailto:[EMAIL PROTECTED]
> Senior Systems Administrator
> localconnect(sm)
> http://www.localconnect.net/
>
> The National Business Network Inc. http://www.nb.net/
> One Monroeville Center, Suite 850
> Monroeville, PA 15146
> (412) 810- Phone
> (412) 810-8886 Fax

--
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Edward Castillo-Jakosalem
Systems Administrator
Access Net (Phils.), Inc.
http://www.access.net.ph/ecj
[EMAIL PROTECTED]
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Re: relaying question
Yup. It's still there.

"Timothy L. Mayo" wrote:
> Did you remove your /var/qmail/control/rcpthosts file? This MUST be in
> place!
>
> On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:
>
> > > > :deny
> > >
> > > This means don't let ANY OTHER host connect. What you want as your last
> > > rule is ":allow". That will allow connections from all other hosts, but
> > > will not let them relay.
> >
> > Yes but I already tried setting that to 'allow' and tested sending mail using
> > another ISP and it allowed relay. What am I still missing here?
> >
> > Thanks again Anand!
> >
> > --
> > Edward Castillo-Jakosalem
>
> -
> Timothy L. Mayo mailto:[EMAIL PROTECTED]
> Senior Systems Administrator
> localconnect(sm)
> http://www.localconnect.net/
>
> The National Business Network Inc. http://www.nb.net/
> One Monroeville Center, Suite 850
> Monroeville, PA 15146
> (412) 810- Phone
> (412) 810-8886 Fax

--
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Edward Castillo-Jakosalem
Systems Administrator
Access Net (Phils.), Inc.
http://www.access.net.ph/ecj
[EMAIL PROTECTED]
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Re: relaying question
Did you remove your /var/qmail/control/rcpthosts file? This MUST be in
place!

On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:

> > > :deny
> >
> > This means don't let ANY OTHER host connect. What you want as your last
> > rule is ":allow". That will allow connections from all other hosts, but
> > will not let them relay.
>
> Yes but I already tried setting that to 'allow' and tested sending mail using
> another ISP and it allowed relay. What am I still missing here?
>
> Thanks again Anand!
>
> --
> Edward Castillo-Jakosalem

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc. http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA 15146
(412) 810- Phone
(412) 810-8886 Fax
Re: relaying question
> > :deny
>
> This means don't let ANY OTHER host connect. What you want as your last
> rule is ":allow". That will allow connections from all other hosts, but
> will not let them relay.

Yes but I already tried setting that to 'allow' and tested sending mail using
another ISP and it allowed relay. What am I still missing here?

Thanks again Anand!

--
Edward Castillo-Jakosalem
Re: relaying question
Remove your last line. It is what is causing your problem.

You want to allow but without setting the RELAYCLIENT environment variable
which is the default behavior.

On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:

> Hi to all!
> I recently configured our smtp to point to another machine running
> qmail-1.03. No problem with that. Now, what I see in our log file is
> that it says 'deny' to all the hosts except the 2 ip blocks I configured
> to be relayclients. I just need some help if what I did in my tcp.smtp
> file is correct.
>
> xxx.xxx.xxx.:allow,RELAYCLIENT=""
> yyy.yyy.yyy.:allow,RELAYCLIENT=""
> :deny
>
> Does this config mean that it will allow relaying from xxx and yyy
> domains and deny from anywhere else? What about other hosts sending mail
> to one of our handled domains? Is this the deny that I see in our log
> files?
>
> I hope I sent the complete details.
> Thanks very much in advance for any help!
>
> Edward Castillo-Jakosalem

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc. http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA 15146
(412) 810- Phone
(412) 810-8886 Fax
Re: relaying question
On Mon, Sep 27, 1999 at 06:48:52PM +0800, Edward Castillo-Jakosalem wrote:

> Hi to all!
> I recently configured our smtp to point to another machine running
> qmail-1.03. No problem with that. Now, what I see in our log file is
> that it says 'deny' to all the hosts except the 2 ip blocks I configured
> to be relayclients. I just need some help if what I did in my tcp.smtp
> file is correct.
>
> xxx.xxx.xxx.:allow,RELAYCLIENT=""

This means allow connections from xxx.xxx.xxx AND let them relay to any
destination.

> yyy.yyy.yyy.:allow,RELAYCLIENT=""

Same as above for yyy.yyy.yyy

> :deny

This means don't let ANY OTHER host connect. What you want as your last
rule is ":allow". That will allow connections from all other hosts, but
will not let them relay.

--
See complete headers for more info
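The rule-by-rule reading above, as an added example that is not part of the original post: a simplified model of how a client address is matched against tcp.smtp rules (exact IP first, then shorter prefixes ending in a dot, then the empty default). It is not tcprules itself; lookup_rule is a hypothetical helper, and the 192.0.2. and 198.51.100. blocks and the client addresses are constructed stand-ins for the xxx/yyy networks.

```shell
#!/bin/sh
# Constructed rule sets in tcp.smtp syntax: the posted one and the corrected one.
RULES_DENY='192.0.2.:allow,RELAYCLIENT=""
198.51.100.:allow,RELAYCLIENT=""
:deny'
RULES_ALLOW='192.0.2.:allow,RELAYCLIENT=""
198.51.100.:allow,RELAYCLIENT=""
:allow'

# lookup_rule RULES IP
# Print the instruction of the most specific rule whose key matches IP.
lookup_rule() {
    key=$2
    while :; do
        while IFS= read -r line; do
            if [ "${line%%:*}" = "$key" ]; then
                printf '%s\n' "${line#*:}"   # text after the first colon
                return 0
            fi
        done <<EOF
$1
EOF
        if [ -z "$key" ]; then
            return 1                         # not even a default rule
        fi
        key=${key%.}                         # 203.0.113. -> 203.0.113
        case "$key" in
            *.*) key="${key%.*}." ;;         # drop last octet, keep the dot
            *)   key="" ;;                   # fall through to the ":" default
        esac
    done
}

# Stand-alone run: one relay client and one outside host under both rule sets.
for ip in 192.0.2.55 203.0.113.9; do
    printf '%s  ":deny" last -> %s | ":allow" last -> %s\n' "$ip" \
        "$(lookup_rule "$RULES_DENY" "$ip")" "$(lookup_rule "$RULES_ALLOW" "$ip")"
done
```

With ":deny" last the outside host is refused before SMTP starts; with ":allow" last it connects without RELAYCLIENT, so qmail-smtpd still checks its recipients against rcpthosts.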
Re: relaying question
You need BOTH lines in /etc/hosts.allow!

tcp-env: 1.2.3.: setenv = RELAYCLIENT
tcp-env: ALL

On Thu, 17 Jun 1999, Jeffrey Finkelstein wrote:

> Putting the ``tcp-env: ALL'' in the /etc/hosts.allow solves the incoming mail
> problem, but clients cannot send mail through the mail host since the
> destination mail address is not in the rcpthosts file.
>
> I must be missing something obvious somewhere, but I'll be darned if I see it
> just yet.
>
> -jeff
>
> On Thu, Jun 17, 1999 at 07:55:28PM +0200, Stefan Paletta wrote:
> > Jeffrey Finkelstein wrote/schrieb/scribsit:
> > > What concerns me is that it would seem that anyone can relay through the
> > > server when it is set up that way. When I try using /etc/hosts.allow of the
> > > form:
> > >
> > > tcp-env: 1.2.3.: setenv = RELAYCLIENT
> > >
> > > then the system will not allow any connections from the outside to the smtp
> > > daemon so no incoming mail is allowed.
> >
> > You probably need to allow connections from everywhere then.
> > Either add
> >
> > tcp-env: ALL
> >
> > to hosts.allow or check if you have an
> >
> > ALL: ALL
> >
> > in hosts.deny and need it.
> >
> > Could also be that tcpd denies by default, who knows with tcpd...
> >
> > Stefan

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc. http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA 15146
(412) 810- Phone
(412) 810-8886 Fax
Re: relaying question
Jeffrey Finkelstein wrote/schrieb/scribsit:
> Putting the ``tcp-env: ALL'' in the /etc/hosts.allow solves the incoming mail
> problem, but clients cannot send mail through the mail host since the
> destination mail address is not in the rcpthosts file.

You're supposed to have both lines in hosts.allow. Like:

tcp-env: 10.0.0.0/255.0.0.0: setenv = RELAYCLIENT
tcp-env: ALL

I just tried it... but then again there are so many versions of tcpd...

Stefan
Re: relaying question
Putting the ``tcp-env: ALL'' in the /etc/hosts.allow solves the incoming mail
problem, but clients cannot send mail through the mail host since the
destination mail address is not in the rcpthosts file.

I must be missing something obvious somewhere, but I'll be darned if I see it
just yet.

-jeff

On Thu, Jun 17, 1999 at 07:55:28PM +0200, Stefan Paletta wrote:
> Jeffrey Finkelstein wrote/schrieb/scribsit:
> > What concerns me is that it would seem that anyone can relay through the
> > server when it is set up that way. When I try using /etc/hosts.allow of the
> > form:
> >
> > tcp-env: 1.2.3.: setenv = RELAYCLIENT
> >
> > then the system will not allow any connections from the outside to the smtp
> > daemon so no incoming mail is allowed.
>
> You probably need to allow connections from everywhere then.
> Either add
>
> tcp-env: ALL
>
> to hosts.allow or check if you have an
>
> ALL: ALL
>
> in hosts.deny and need it.
>
> Could also be that tcpd denies by default, who knows with tcpd...
>
> Stefan
Re: relaying question
Jeffrey Finkelstein wrote/schrieb/scribsit:
> What concerns me is that it would seem that anyone can relay through the
> server when it is set up that way. When I try using /etc/hosts.allow of the
> form:
>
> tcp-env: 1.2.3.: setenv = RELAYCLIENT
>
> then the system will not allow any connections from the outside to the smtp
> daemon so no incoming mail is allowed.

You probably need to allow connections from everywhere then.
Either add

tcp-env: ALL

to hosts.allow or check if you have an

ALL: ALL

in hosts.deny and need it.

Could also be that tcpd denies by default, who knows with tcpd...

Stefan