> Dan
>
> Sorry responded to the wrong email.
>
> Red Hat 7.3, not sure what my brain was thinking, I have Red Hat 7.2-9.0
> installations.

Happens :>

> Anyway back to my question.

Ok...

> I am using the concept of POP before SMTP, most commonly implemented via
> DRACD (or the Drac Daemon).
A concept I never cared for, personally.

>
> To prevent open relays and to allow mobile clients to login from anywhere
> in
> the world and collect their mail and be able to send it back out again.
>

There are (IMHO) better ways. For example: AUTHENTICATED SMTP. I use Exim
4.2 and have authenticated SMTP. I don't care for sendmail myself. First
thing I did when installing my server was remove sendmail and install
Exim.

> Goal: Prevent Open Relay Spam from using my SMTP server, and allow people
> to
> login from anywhere to collect and send mail.
>

Easy Solution: SMTP AUTH

> Nature of Problem:
>
> If you lock down SendMail SMTP to prevent open relaying you block all
> relaying.  Then you have to create a "Whitelist" of IP's and/or Domains
> that
> can "relay" through you.  Well that causes a problem if your clients are
> scattered to the winds using all sorts of ISP's and other ways of
> connecting
> to the internet.  I have to open up all those ISP's domains so that my
> clients can use my SMTP server.  When I do that then, anybody on those
> ISP's
> can use my SMTP server to do their bidding, hence I become an open relay
> and
> a spammer's delight.  I can't use authenticated SMTP, since not all email
> clients use it.  Although maybe I need to force them now, probably all
> clients are supporting it by now, not sure.

Name a commonly used client that does not support SMTP Auth. Outlook
Express does, Outlook does, Mozilla mail does, Eudora does, Pegasus
Express does; I can not think of any that do not. If you have a client who
does happen to be using such an ancient version of a mail client that it
does not support SMTP Auth, you really ought to get them to upgrade.

>
> So I use POP before SMTP, when the client logs in to collect email (POP3)
> they use a login name and password, the DRACD popper then creates a dbm
> hash
> table with that IP address in it and will keep it in the dbm style hash
> table for 30 minutes (or some configurable amount).  So then SMTP server
> gets a request for a relay, it then checks the hash table for that IP, if
> it
> is in the table, he can sendmail, otherwise disconnect.  It works great
> and
> solves so many problems for me.

Except it's still (IMHO) risky and problematic. Allow me to present
Scenarios #2 & #3:

Scenario #2:
     Person logs in. Grabs email, then starts replying to messages. 45
minutes later he finishes a lengthy message and tries to send. But
since he has not hit the pop server in 30+ minutes, his IP is gone
from the hash list. Therefore he gets an error.

Scenario #3:
      Client logs in to send an email. He gets the error indicating he
needs to hit his pop server first. Disgruntled (he didn't want to
download his email yet!) he hits the pop server. Then he hits the
smtp server, sends his message, then logs out. Now someone else at
that IP decides to send some spam. It's been 15 minutes since legit
client logged out, so his IP is still hashed. So, he can use you as
an open relay for 15 minutes. That's PLENTY of time to send a few
THOUSAND emails, at DIAL-UP speeds. If they're on a decent speed
connection (DSL, Cable, etc...), it could go upwards of thousands.
Tens of thousands or more.


>
> I use SendMail with DRACD rules and qpopper with DRACD support, and of
> course DRACD.
>
> So with TMDA I need to be able to do something similar.  Can I do this
> with
> TMDA?
>

Not that I know of. Why would you want to? I don't understand what you're
trying to accomplish. TMDA's whitelist is only "who is allowed to send TO
ME". And it's email addresses only, not IPs.


--- Dan

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
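The two scenarios Dan describes above, played out against a toy model of the POP-before-SMTP table. This is an added example, not code from the thread, from DRACD, sendmail or TMDA; the class and function names are hypothetical, the in-memory dict stands in for DRACD's dbm file, the 30-minute window is the figure from the thread, and the IP address and user credentials are constructed. The SMTP AUTH check at the end is there only to show the contrast Dan is making: the relay decision is bound to credentials on the SMTP session, not to whoever happens to hold the IP.

```python
# Added example: toy model of POP-before-SMTP relay authorization as described
# in the thread. The POP daemon records the client's IP after a successful
# login; the SMTP daemon consults that table before agreeing to relay. Times
# are plain seconds passed in explicitly so the scenarios are reproducible.
import hmac

POP_WINDOW = 30 * 60  # seconds an IP stays "authorized" after a POP login


class PopBeforeSmtpTable:
    """IP -> timestamp of last successful POP login (stand-in for the dbm file)."""

    def __init__(self, window=POP_WINDOW):
        self.window = window
        self._last_pop = {}

    def pop_login(self, ip, now):
        # Called by the POP daemon after a successful login. Note what is
        # stored: only the IP, not the user who authenticated.
        self._last_pop[ip] = now

    def may_relay(self, ip, now):
        # Called by the SMTP daemon. Anyone connecting from that IP inside the
        # window is allowed to relay; an expired entry is dropped.
        ts = self._last_pop.get(ip)
        if ts is None or now - ts > self.window:
            self._last_pop.pop(ip, None)
            return False
        return True


def scenario_2():
    """Client pops at t=0, spends 45 minutes writing, then tries to send."""
    table = PopBeforeSmtpTable()
    table.pop_login("203.0.113.7", now=0)          # constructed address
    return table.may_relay("203.0.113.7", now=45 * 60)  # entry expired: False


def scenario_3():
    """Client pops and sends, logs out; 15 minutes later a spammer shares the IP."""
    table = PopBeforeSmtpTable()
    ip = "203.0.113.7"  # constructed: a dial-up or NAT address reused by another user
    table.pop_login(ip, now=0)
    legit = table.may_relay(ip, now=60)          # True
    spammer = table.may_relay(ip, now=15 * 60)   # also True: same IP, still in window
    return legit, spammer


# By contrast, SMTP AUTH ties the relay decision to credentials presented on
# the SMTP connection itself. A second person at the same IP has no credentials
# and is refused regardless of any recent POP activity from that address.
USERS = {"alice": "correct horse battery staple"}  # constructed; store hashes in practice


def smtp_auth_may_relay(username, password):
    """Relay only if this SMTP session authenticated with a known user."""
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison so a failed login leaks nothing about the secret.
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    print("scenario 2, send after 45 min:", scenario_2())
    print("scenario 3, (legit, spammer):", scenario_3())
    print("SMTP AUTH, alice:", smtp_auth_may_relay("alice", "correct horse battery staple"))
    print("SMTP AUTH, stranger at same IP:", smtp_auth_may_relay("alice", "guess"))
```

Running it shows the two failure modes side by side: the legitimate client in scenario 2 is refused because the table only remembers the last POP login, while the spammer in scenario 3 is accepted because the table remembers the IP rather than the person. The authenticated check returns True for the real user and False for anyone else, whatever address they come from.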
