Re: [vchkpw] Newbie trying to figure vpopmail to popb4smtp.

2003-02-26 Thread David Richardson
Steve, the SMTP-AUTH functionality is added to qmail as a patch.  With SMTP-AUTH and 
VPOPmail, you are able to authenticate virtual domain users into a _temporary_ mode to 
run your system as a relay based upon their IP being added by VPOPmail into a table 
of recently authenticated IPs.  This IP list expires fairly quickly and only makes 
eligible those hosts who have authenticated.  Your system is never a fully open relay.
Qmail's rules about locals, rcpthosts, etc. are always obeyed by qmail.  Vpopmail adds
the IPs to a faked holding table of auth'd IPs (oversimplification???)

Read up on the SMTP-AUTH patch, you'll get the hang of it.  Vpopmail rocks for serving 
virtual domains.  Squirrelmail can be applied really easily to a working vpopmail 
implementation - and it doesn't change anything about your relay settings (to my 
limited knowledge).
Dave.




-- Original Message --
From: Steve Schofield [EMAIL PROTECTED]
Date: Wed, 26 Feb 2003 02:20:31 -0500

I'm trying to configure my vpopmail + squirrelmail + qmail to not be an open
relay.  The only way I've found to control this is to put restricted domains in
the rcpthosts file.  A concept of popb4smtp seems to be slipping through my
fingers.  I've read the /usr/local/vpopmail/docs switches.  From the docs,
it will dynamically add the user so they can relay.
--enable-roaming-users=y \
--enable-relay-clear-minutes=${RELAYCLEAR}
Once I tried to implement.   When I test this concept out, it's an open
relay.  What am I missing?  One frustrated newbie!


**
*  Steve Schofield
*  [EMAIL PROTECTED]
*
*  Microsoft MVP - ASP.NET
*  http://www.aspfree.com
*
**







RE: [vchkpw] Newbie trying to figure vpopmail to popb4smtp.

2003-02-26 Thread Clayton Weise
One thing that might be confusing, Steve, is the message that qmail sends to
you when you're not allowed to relay.  Instead of saying you're not allowed
to relay, it says "sorry, that domain isn't in my list of allowed rcpthosts".
This can be misleading, making you think that you have to put every domain you
want to send to in rcpthosts.

SMTP is basically, one server (or client) passing off a message to another
server.  The rcpthosts file in qmail is a list of domains qmail will accept
mail for, from ANY ip address on the internet.  qmail is assuming that any
domain in rcpthosts is a local one.  It doesn't have to be, but that's sort
of the assumption.  So when I send an email to your server, to a domain
that's local to you, qmail will happily accept and deliver it.  But, let's
say I try to send _through_ your server out to somebody else's, say...
yahoo.com.  That's relay.  I'm relaying a message from my computer, to your
server, and asking your server not to deliver it locally, but to send it off
to somebody else.  If your server allows this type of activity from anyone,
your server is open relay, because it will happily relay any message from
anyone, to any other server on the net.  There are several ways to control
relay.

The easiest, and most basic way, is by IP address.  qmail has a tcp.smtp.cdb
file, which is a compiled version of the tcp.smtp text file that you write
(cdb is a simple, fast, file system based database format).  That file
contains a list of rules for qmail-smtpd to follow, such as what IPs to
allow and/or deny, and also what variables to pass on with their
connections.  One of these variables is RELAYCLIENT.  If the IP gets passed
on with this RELAYCLIENT variable, then qmail will allow that IP to relay
through the server.  If it doesn't, qmail won't allow it to relay.  Managing
a strictly IP based relay is a full time job sometimes, so they created
programs and protocols to make it a bit easier.

The basis of relay is this.  You only want to allow people who are your
customers and/or clients to relay through the server.  People you have some
form of control and/or communication with, in order to control spam and
other forms of relay abuse.  vpopmail supports a feature it calls roaming
users which is pop before smtp.  A client pops their mail, vpopmail records
their ip address and time stamps it, then adds it to the relay
automatically.  The IPs are selectively removed from the relay every X
minutes, as defined when you compile vpopmail.

Another option is to support the SMTP-AUTH patch.  qmail doesn't support
this by default, so you'll need to download a patch for qmail and patch your
source.  But this protocol allows users to send a username and password
across in order to verify their authenticity.  There are several patches out
for qmail that allow support for this, but I recommend:

http://members.elysium.pl/brush/qmail-smtpd-auth/

If you plan on using it, read the FAQ, it explains how to implement it with
vpopmail.

Sorry for the long winded email, but I hope that helps to clear things up.
SMTP can be confusing ;).

-Clayton

-Original Message-
From: David Richardson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 5:26 AM
To: [EMAIL PROTECTED]; Steve Schofield
Subject: Re: [vchkpw] Newbie trying to figure vpopmail to popb4smtp.


Steve, the SMTP-AUTH functionality is added to qmail as a patch.  With
SMTP-AUTH and VPOPmail, you are able to authenticate virtual domain users
into a _temporary_ mode to run your system as a relay based upon their IP
being added by VPOPmail into a table of recently authenticated IPs.  This
IP list expires fairly quickly and only makes eligible those hosts who have
authenticated.  Your system is never a fully open relay.  Qmail's rules
about locals, rcpthosts, etc. are always obeyed by qmail.  Vpopmail adds the
IPs to a faked holding table of auth'd IPs (oversimplification???)

Read up on the SMTP-AUTH patch, you'll get the hang of it.  Vpopmail rocks
for serving virtual domains.  Squirrelmail can be applied really easily to a
working vpopmail implementation - and it doesn't change anything about your
relay settings (to my limited knowledge). Dave.




-- Original Message --
From: Steve Schofield [EMAIL PROTECTED]
Date: Wed, 26 Feb 2003 02:20:31 -0500

I'm trying to configure my vpopmail + squirrelmail + qmail to not be an
open relay.  The only way I've found to control this is to put restricted
domains in the rcpthosts file.  A concept of popb4smtp seems to be
slipping through my fingers.  I've read the /usr/local/vpopmail/docs
switches.  From the docs, it will dynamically add the user so they can
relay.
--enable-roaming-users=y \
--enable-relay-clear-minutes=${RELAYCLEAR}
Once I tried to implement.   When I test this concept out, it's an open
relay.  What am I missing?  One frustrated newbie!


**
*  Steve Schofield
*  [EMAIL PROTECTED]
*
*  Microsoft
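
Added example (not part of the thread, and not qmail or vpopmail code): a small Python model of the relay decision described in the reply above, combining tcp.smtp rules, rcpthosts and the expiring pop-before-smtp table, plus a check for two configurations that make the server relay for everyone. The function names, the `recent_pop_ips` table and all addresses are constructed for illustration; only the address-prefix subset of the tcp.smtp syntax is parsed, and the "missing rcpthosts means no restriction" case follows qmail-smtpd's documented behaviour rather than anything stated in the thread.

```python
SAFE_RULES = '127.:allow,RELAYCLIENT=""\n:allow\n'                  # constructed sample
OPEN_RULES = '127.:allow,RELAYCLIENT=""\n:allow,RELAYCLIENT=""\n'   # constructed sample

def parse_tcp_smtp(text):
    """Parse lines of the form addr:allow|deny[,VAR="val"...] (prefix subset only)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, action = line.partition(":")
        verb, *env = action.split(",")
        rules[addr] = (verb, {e.split("=", 1)[0] for e in env if "=" in e})
    return rules

def lookup(rules, ip):
    """Most specific rule wins: full IP, then dotted prefixes, then the empty default."""
    parts = ip.split(".")
    for key in [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return ("allow", set())  # assumption: no matching rule means allow, no variables

def roaming_rules(recent_pop_ips, now, clear_minutes):
    """IPs recorded at POP login that have not expired yet, as RELAYCLIENT rules."""
    return {ip: ("allow", {"RELAYCLIENT"})
            for ip, stamp in recent_pop_ips.items()
            if now - stamp < clear_minutes * 60}

def accepts_rcpt(rules, rcpthosts, client_ip, rcpt):
    """True if the recipient would be accepted from client_ip."""
    verb, env = lookup(rules, client_ip)
    if verb == "deny":
        return False
    if "RELAYCLIENT" in env or rcpthosts is None:  # None models a missing rcpthosts file
        return True
    return rcpt.rsplit("@", 1)[-1].lower() in rcpthosts

def open_relay_causes(rules, rcpthosts):
    """Report configurations that let any client relay to any domain."""
    causes = []
    if rcpthosts is None:
        causes.append("control/rcpthosts is missing")
    if "RELAYCLIENT" in rules.get("", ("allow", set()))[1]:
        causes.append("default rule sets RELAYCLIENT for every client")
    return causes
```

Merging `roaming_rules(...)` over the parsed static rules (for example `{**rules, **roaming_rules(table, now, 30)}`) shows a client gaining relay rights after a POP login and losing them once the clear interval has passed.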

[vchkpw] Newbie trying to figure vpopmail to popb4smtp.

2003-02-25 Thread Steve Schofield
I'm trying to configure my vpopmail + squirrelmail + qmail to not be an open
relay.  The only way I've found to control this is to put restricted domains in
the rcpthosts file.  A concept of popb4smtp seems to be slipping through my
fingers.  I've read the /usr/local/vpopmail/docs switches.  From the docs,
it will dynamically add the user so they can relay.
--enable-roaming-users=y \
--enable-relay-clear-minutes=${RELAYCLEAR}
Once I tried to implement.   When I test this concept out, it's an open
relay.  What am I missing?  One frustrated newbie!


**
*  Steve Schofield
*  [EMAIL PROTECTED]
*
*  Microsoft MVP - ASP.NET
*  http://www.aspfree.com
*
**