Re: Relaying Question (Wait! I read the FAQ and searched the archives)

2000-11-28 Thread Alex Pennace

On Tue, Nov 28, 2000 at 11:12:45PM -0800, [EMAIL PROTECTED] wrote:
> I set up the anti-relaying rules all fine and dandy according to the FAQ
> with tcpserver.. Everything works fine, *but* I need the ability to filter
> by DNS hostmask and IP address.. I tried the following test:
> 
> This setup works:
> 
> 209.142.1.150:allow,RELAYCLIENT=""
> :allow
> 
> This setup does NOT work:
> vadept.com:allow,RELAYCLIENT=""
> :allow
> 
> I need the ability to just wildcard IPs based upon their DNS lookup, I
> know I can enable paranoid mode to cut down on the spoofing, but will the
> current anti-relaying rules support a *.vadept.com rather than about
> 150-200 class C's?

Presume your tcpserver invocation is simple:

tcpserver 0 smtp qmail-smtpd

Insert a call to a script like so:

tcpserver 0 smtp shouldirelay qmail-smtpd

Create a script "shouldirelay" that does two things:

1. Uses ucspi-tcp environment variables to decide if RELAYCLIENT
should be set. man tcp-environ for details.

2. execs the arguments in $@.

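One way to write the "shouldirelay" wrapper described in the message above, as an added example that is not part of the original post. It assumes tcpserver is started with -p, so that TCPREMOTEHOST is only present when the reverse name also resolves forward to the client's IP; RELAY_DOMAIN is a hypothetical setting name.

```sh
#!/bin/sh
# shouldirelay - added example, not code from the thread.
# Invoked as: tcpserver -p 0 smtp shouldirelay qmail-smtpd
# RELAY_DOMAIN (hypothetical name) must be lowercase; vadept.com is the
# domain from the question.
RELAY_DOMAIN=${RELAY_DOMAIN:-vadept.com}

# host_in_domain HOST DOMAIN
# Succeeds only if HOST is DOMAIN itself or ends in ".DOMAIN".
# Anchoring on the leading dot keeps look-alikes such as
# "evilvadept.com" and "vadept.com.example.net" from matching.
host_in_domain() {
    hid_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    hid_host=${hid_host%.}            # drop a trailing root dot
    case "$hid_host" in
        "")             return 1 ;;   # no verified name: never relay
        "$2" | *."$2")  return 0 ;;
        *)              return 1 ;;
    esac
}

# apply_relay_policy
# Exports RELAYCLIENT="" when TCPREMOTEHOST (set by tcpserver, see
# tcp-environ) is inside RELAY_DOMAIN. A RELAYCLIENT already set by an
# IP rule in tcp.smtp is left untouched, so both kinds of rule coexist.
apply_relay_policy() {
    if host_in_domain "${TCPREMOTEHOST:-}" "$RELAY_DOMAIN"; then
        RELAYCLIENT=""
        export RELAYCLIENT
    fi
}

apply_relay_policy

# Hand the connection to the real server (qmail-smtpd) on the same
# descriptors; exec replaces this shell so no extra process lingers.
if [ "$#" -gt 0 ]; then
    exec "$@"
fi
```

Without -p the name in TCPREMOTEHOST comes straight from the client's PTR record, which the owner of the address block controls, so a hostname match alone would not be a safe basis for relaying.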


Re: relaying question

1999-09-27 Thread Edward Castillo-Jakosalem

Thanks a lot Anand. You've been a great help!


Anand Buddhdev wrote:

> On Mon, Sep 27, 1999 at 09:32:07PM +0800, Edward Castillo-Jakosalem wrote:
>
> > So now I removed that deny line in my tcp.smtp file, issued the tcprule
> > command, and restarted my tcpserver. Does it mean that hosts can now connect
> > to my server without using it as a relay?
>
> Yes. Incidentally, you don't need to restart tcpserver. The rules
> database is read afresh for every incoming connection.
>
> > Oh and do we still need the rcpthosts file even though we are running
> > tcpserver?
>
> the rcpthosts file is still needed. This is so that non-relay clients
> can only send mail to domains that you want to receive mail for.
>
> --
> See complete headers for more info

--


0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Edward Castillo-Jakosalem
Systems Administrator
Access Net (Phils.), Inc.
http://www.access.net.ph/ecj
[EMAIL PROTECTED]
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0




Re: relaying question

1999-09-27 Thread Anand Buddhdev

On Mon, Sep 27, 1999 at 09:32:07PM +0800, Edward Castillo-Jakosalem wrote:

> So now I removed that deny line in my tcp.smtp file, issued the tcprule
> command, and restarted my tcpserver. Does it mean that hosts can now connect
> to my server without using it as a relay?

Yes. Incidentally, you don't need to restart tcpserver. The rules
database is read afresh for every incoming connection.

> Oh and do we still need the rcpthosts file even though we are running
> tcpserver?

the rcpthosts file is still needed. This is so that non-relay clients
can only send mail to domains that you want to receive mail for.

-- 
See complete headers for more info



Re: relaying question

1999-09-27 Thread Edward Castillo-Jakosalem

So now I removed that deny line in my tcp.smtp file, issued the tcprule
command, and restarted my tcpserver. Does it mean that hosts can now connect
to my server without using it as a relay?
Oh and do we still need the rcpthosts file even though we are running
tcpserver?
Sorry but am quite a newbie to qmail!

Thanks Timothy!

"Timothy L. Mayo" wrote:

> Remove your last line.  It is what is causing your problem.
>
> You want to allow but without setting the RELAYCLIENT environment variable
> which is the default behavior.
>
> On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:
>
> >
> > Hi to all!
> > I recently configured our smtp to point to another machine running
> > qmail-1.03. No problem with that. Now, what I see in our log file is
> > that it says 'deny' to all the hosts except the 2 ip blocks I configured
> > to be relayclients. I just need some help if what I did in my tcp.smtp
> > file is correct.
> >
> > xxx.xxx.xxx.:allow,RELAYCLIENT=""
> > yyy.yyy.yyy.:allow,RELAYCLIENT=""
> > :deny
> >
> > Does this config mean that it will allow relaying from xxx and yyy
> > domains and deny from anywhere else? What about other hosts sending mail
> > to one of our handled domains? Is this the deny that I see in our log
> > files?
> >
> > I hope I sent the complete details.
> > Thanks very much in advance for any help!
> >
> >
> > Edward Castillo-Jakosalem
> >
> >
> >
> >
>
> -
> Timothy L. Mayo mailto:[EMAIL PROTECTED]
> Senior Systems Administrator
> localconnect(sm)
> http://www.localconnect.net/
>
> The National Business Network Inc.  http://www.nb.net/
> One Monroeville Center, Suite 850
> Monroeville, PA  15146
> (412) 810- Phone
> (412) 810-8886 Fax

--


0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Edward Castillo-Jakosalem
Systems Administrator
Access Net (Phils.), Inc.
http://www.access.net.ph/ecj
[EMAIL PROTECTED]
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0




Re: relaying question

1999-09-27 Thread Edward Castillo-Jakosalem

Yup. It's still there.

"Timothy L. Mayo" wrote:

> Did you remove your /var/qmail/control/rcpthosts file?  This MUST be in
> place!
>
> On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:
>
> > >
> >
> > > > :deny
> > >
> > > This means don't let ANY OTHER host connect. What you want as your last
> > > rule is ":allow". That will allow connections from all other hosts, but
> > > will not let them relay.
> > >
> >
> > Yes but I already tried setting that to 'allow' and tested sending mail using
> > another ISP and it allowed relay. What am I still missing here?
> >
> > Thanks again Anand!
> >
> > --
> >
> > Edward Castillo-Jakosalem
> >
> >
> >
>
> -
> Timothy L. Mayo mailto:[EMAIL PROTECTED]
> Senior Systems Administrator
> localconnect(sm)
> http://www.localconnect.net/
>
> The National Business Network Inc.  http://www.nb.net/
> One Monroeville Center, Suite 850
> Monroeville, PA  15146
> (412) 810- Phone
> (412) 810-8886 Fax

--


0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0
Edward Castillo-Jakosalem
Systems Administrator
Access Net (Phils.), Inc.
http://www.access.net.ph/ecj
[EMAIL PROTECTED]
0o0o0o0o0o0o0o0o0o0o0o0o0o0o0o0




Re: relaying question

1999-09-27 Thread Timothy L. Mayo

Did you remove your /var/qmail/control/rcpthosts file?  This MUST be in
place!

On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:

> >
> 
> > > :deny
> >
> > This means don't let ANY OTHER host connect. What you want as your last
> > rule is ":allow". That will allow connections from all other hosts, but
> > will not let them relay.
> >
> 
> Yes but I already tried setting that to 'allow' and tested sending mail using
> another ISP and it allowed relay. What am I still missing here?
> 
> Thanks again Anand!
> 
> --
> 
> Edward Castillo-Jakosalem
> 
> 
> 

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.  http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810- Phone
(412) 810-8886 Fax



Re: relaying question

1999-09-27 Thread Edward Castillo-Jakosalem

>

> > :deny
>
> This means don't let ANY OTHER host connect. What you want as your last
> rule is ":allow". That will allow connections from all other hosts, but
> will not let them relay.
>

Yes but I already tried setting that to 'allow' and tested sending mail using
another ISP and it allowed relay. What am I still missing here?

Thanks again Anand!

--

Edward Castillo-Jakosalem




Re: relaying question

1999-09-27 Thread Timothy L. Mayo

Remove your last line.  It is what is causing your problem.

You want to allow but without setting the RELAYCLIENT environment variable
which is the default behavior.

On Mon, 27 Sep 1999, Edward Castillo-Jakosalem wrote:

> 
> Hi to all!
> I recently configured our smtp to point to another machine running
> qmail-1.03. No problem with that. Now, what I see in our log file is
> that it says 'deny' to all the hosts except the 2 ip blocks I configured
> to be relayclients. I just need some help if what I did in my tcp.smtp
> file is correct.
> 
> xxx.xxx.xxx.:allow,RELAYCLIENT=""
> yyy.yyy.yyy.:allow,RELAYCLIENT=""
> :deny
> 
> Does this config mean that it will allow relaying from xxx and yyy
> domains and deny from anywhere else? What about other hosts sending mail
> to one of our handled domains? Is this the deny that I see in our log
> files?
> 
> I hope I sent the complete details.
> Thanks very much in advance for any help!
> 
> 
> Edward Castillo-Jakosalem
> 
> 
> 
> 

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.  http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810- Phone
(412) 810-8886 Fax



Re: relaying question

1999-09-27 Thread Anand Buddhdev

On Mon, Sep 27, 1999 at 06:48:52PM +0800, Edward Castillo-Jakosalem wrote:
  
> Hi to all!
> I recently configured our smtp to point to another machine running
> qmail-1.03. No problem with that. Now, what I see in our log file is
> that it says 'deny' to all the hosts except the 2 ip blocks I configured
> to be relayclients. I just need some help if what I did in my tcp.smtp
> file is correct.
> 
> xxx.xxx.xxx.:allow,RELAYCLIENT=""

This means allow connections from xxx.xxx.xxx AND let them relay to any
destination.

> yyy.yyy.yyy.:allow,RELAYCLIENT=""

Same as above for yyy.yyy.yyy

> :deny

This means don't let ANY OTHER host connect. What you want as your last
rule is ":allow". That will allow connections from all other hosts, but
will not let them relay.

-- 
See complete headers for more info



Re: relaying question

1999-06-17 Thread Timothy L. Mayo

You need BOTH lines in /etc/hosts.allow!

tcp-env: 1.2.3.: setenv = RELAYCLIENT
tcp-env: ALL

On Thu, 17 Jun 1999, Jeffrey Finkelstein wrote:

> Putting the ``tcp-env: ALL'' in the /etc/hosts.allow solves the incoming mail
> problem, but clients cannot send mail through the mail host since the 
> destination mail address is not in the rcpthosts file.
> 
> I must be missing something obvious somewhere, but I'll be darned if I see it
> just yet.
> 
> -jeff
> 
> On Thu, Jun 17, 1999 at 07:55:28PM +0200, Stefan Paletta wrote:
> > Jeffrey Finkelstein wrote/schrieb/scribsit:
> > > What concerns me is that it would seem that anyone can relay through the
> > > server when it is set up that way. When I try using /etc/hosts.allow of the
> > > form:
> > > 
> > > tcp-env: 1.2.3.: setenv = RELAYCLIENT
> > > 
> > > then the system will not allow any connections from the outside to the smtp
> > > daemon so no incoming mail is allowed.
> > 
> > You probably need to allow connections from everywhere then.
> > Either add
> > 
> > tcp-env: ALL
> > 
> > to hosts.allow or check if you have an
> > 
> > ALL: ALL
> > 
> > in hosts.deny and need it.
> > 
> > Could also be that tcpd denies by default, who knows with tcpd...
> > 
> > Stefan
> 

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.  http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810- Phone
(412) 810-8886 Fax



Re: relaying question

1999-06-17 Thread Anonymous

Jeffrey Finkelstein wrote/schrieb/scribsit:
> Putting the ``tcp-env: ALL'' in the /etc/hosts.allow solves the incoming mail
> problem, but clients cannot send mail through the mail host since the 
> destination mail address is not in the rcpthosts file.

You're supposed to have both lines in hosts.allow. Like:
tcp-env: 10.0.0.0/255.0.0.0: setenv = RELAYCLIENT
tcp-env: ALL

I just tried it... but then again there are so many versions
of tcpd...

Stefan 



Re: relaying question

1999-06-17 Thread Anonymous

Putting the ``tcp-env: ALL'' in the /etc/hosts.allow solves the incoming mail
problem, but clients cannot send mail through the mail host since the 
destination mail address is not in the rcpthosts file.

I must be missing something obvious somewhere, but I'll be darned if I see it
just yet.

-jeff

On Thu, Jun 17, 1999 at 07:55:28PM +0200, Stefan Paletta wrote:
> Jeffrey Finkelstein wrote/schrieb/scribsit:
> > What concerns me is that it would seem that anyone can relay through the
> > server when it is set up that way. When I try using /etc/hosts.allow of the
> > form:
> > 
> > tcp-env: 1.2.3.: setenv = RELAYCLIENT
> > 
> > then the system will not allow any connections from the outside to the smtp
> > daemon so no incoming mail is allowed.
> 
> You probably need to allow connections from everywhere then.
> Either add
> 
> tcp-env: ALL
> 
> to hosts.allow or check if you have an
> 
> ALL: ALL
> 
> in hosts.deny and need it.
> 
> Could also be that tcpd denies by default, who knows with tcpd...
> 
> Stefan



Re: relaying question

1999-06-17 Thread Anonymous

Jeffrey Finkelstein wrote/schrieb/scribsit:
> What concerns me is that it would seem that anyone can relay through the
> server when it is set up that way. When I try using /etc/hosts.allow of the
> form:
> 
> tcp-env: 1.2.3.: setenv = RELAYCLIENT
> 
> then the system will not allow any connections from the outside to the smtp
> daemon so no incoming mail is allowed.

You probably need to allow connections from everywhere then.
Either add

tcp-env: ALL

to hosts.allow or check if you have an

ALL: ALL

in hosts.deny and need it.

Could also be that tcpd denies by default, who knows with tcpd...

Stefan