Marc-Olivier Bernard <[EMAIL PROTECTED]> writes:
> 3. Considering the following note from
> http://www.palomine.net/qmail/selectiverelay.html
>
> NOTE: If you're already starting your qmail-smtpd service in a script that
> runs as part of your boot process, don't start it again with the above
> tcpserver line; just make sure that your script includes the
> -x/etc/tcp.smtp.cdb option.
This is confusing.
> I add -x/etc/tcp.smtp.cdb in /etc/xinetd.d/smtp :
>
> service smtp
> {
> socket_type = stream
> wait = no
> user = qmaild
> server = /var/qmail/bin/tcp-env
> server_args = /var/qmail/bin/qmail-smtpd -x/etc/tcp.smtp.cdb
>                                          ^^^^^^^^^^^^^^^^^^^
> log_on_failure += USERID
> disable = no
> }
Unfortunately, this won't work. The '-x' flag is only understood by
tcpserver and not by either tcp-env or qmail-smtpd.
qmail-smtpd will only accept mail for hosts (domains) listed in
/var/qmail/control/rcpthosts unless the RELAYCLIENT environment
variable is set. tcpserver allows you to set this variable based on
the IP address of the incoming connection.
xinetd allows you to set environment variables unconditionally. That
means that if you set RELAYCLIENT using xinetd's 'env' attribute, you
will become an open relay for anyone in the world. You probably don't
want to do that. I don't know how to make xinetd conditionally set
environment variables based on the connection address, or even if it
is possible.
If you want to keep using xinetd for your qmail servers, I would
suggest that you run a second copy of qmail-smtpd using tcpserver and
ensure that it binds only to 127.0.0.1. This second service will only
be available to programs running on the local machine. You can then
use the tcp.smtp.cdb file you have already created to set RELAYCLIENT
for 127.0.0.1. tmda-filter, by default, connects to localhost:25, so
it should connect to your second, private copy of qmail-smtpd.
You may have to add a 'bind' attribute to your smtp service definition
(listed above) so that it *doesn't* try to bind to 127.0.0.1. If
xinetd does bind to 127.0.0.1, then tcpserver won't be able to do so.
bind = <your_primary_IP_address>
That should limit xinetd to accepting connections only on the IP
address you specify, rather than all IP addresses on the machine.
Of course, you may find it simpler to remove the smtp service from
xinetd and switch entirely to tcpserver for qmail-smtpd, since the
configuration is nearly identical and you will then have only one SMTP
server running rather than two.
Tim
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
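As an added example (not part of Tim's message, and not code shipped by qmail, ucspi-tcp or TMDA), here is the loopback-only second qmail-smtpd he describes, as a shell script: the tcp.smtp rules that grant RELAYCLIENT to 127.* only, a daemontools-style run script that makes tcpserver bind to 127.0.0.1, and a small emulation of tcpserver's longest-prefix rule lookup so the rules can be checked without tcpserver installed. The service directory name, the tcpserver path /usr/local/bin/tcpserver, the qmaild/nofiles uid and gid, and the relayclient_for helper are assumptions; /etc/tcp.smtp.cdb and /var/qmail/bin/qmail-smtpd are the paths from the thread.

```shell
#!/bin/sh
# Added example: private qmail-smtpd for local submitters (e.g. tmda-filter),
# run under tcpserver on 127.0.0.1 only, next to the public xinetd service.
set -e

# Rules in tcprules(1) format. Only connections from 127.* get RELAYCLIENT;
# every other client is accepted but must match control/rcpthosts, so the
# public service never becomes an open relay.
TCP_SMTP_RULES='127.:allow,RELAYCLIENT=""
:allow'

# Write the rules file and compile the cdb when tcprules (ucspi-tcp) exists.
# $1 = target directory (use /etc in production; a temp dir when testing).
write_rules() {
    printf '%s\n' "$TCP_SMTP_RULES" > "$1/tcp.smtp"
    if command -v tcprules >/dev/null 2>&1; then
        tcprules "$1/tcp.smtp.cdb" "$1/tcp.smtp.tmp" < "$1/tcp.smtp"
    fi
}

# Write the run script for the loopback-only service.
# $1 = service directory, e.g. /service/qmail-smtpd-local (assumed name).
# Note that -x belongs to tcpserver, not to qmail-smtpd or tcp-env.
write_run_script() {
    cat > "$1/run" <<'EOF'
#!/bin/sh
# Private qmail-smtpd: listens on 127.0.0.1:25 only, so the xinetd-managed
# public smtpd must carry "bind = <primary IP>" to leave that address free.
exec /usr/local/bin/tcpserver -v -R -H -l localhost \
    -x /etc/tcp.smtp.cdb -u "$(id -u qmaild)" -g "$(id -g nofiles)" \
    127.0.0.1 25 /var/qmail/bin/qmail-smtpd 2>&1
EOF
    chmod 755 "$1/run"
}

# Emulate tcpserver's cdb lookup for IP prefixes: the longest matching
# prefix wins regardless of file order. Prints "set" when that rule carries
# RELAYCLIENT, otherwise "unset". Handles only prefix rules, which is all
# TCP_SMTP_RULES uses. $1 = client IP address.
relayclient_for() {
    best_len=-1
    result="unset"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        prefix=${rule%%:*}
        action=${rule#*:}
        case "$1" in
            "$prefix"*)
                if [ "${#prefix}" -gt "$best_len" ]; then
                    best_len=${#prefix}
                    case "$action" in
                        *RELAYCLIENT*) result="set" ;;
                        *) result="unset" ;;
                    esac
                fi ;;
        esac
    done <<EOF
$TCP_SMTP_RULES
EOF
    echo "$result"
}

# Usage: in a sandbox, write everything into a temporary directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_rules "$d"
    write_run_script "$d"
    echo "127.0.0.1   -> RELAYCLIENT $(relayclient_for 127.0.0.1)"
    echo "203.0.113.5 -> RELAYCLIENT $(relayclient_for 203.0.113.5)"
fi
```

Running the script with the argument `demo` writes tcp.smtp and the run script into a temporary directory and shows that a loopback client gets RELAYCLIENT while a constructed external address (203.0.113.5) does not; in production, point write_rules at /etc, write_run_script at the service directory, and supervise it with svscan.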