Hello Edilmar,

On Friday, July 23, 2004 at 4:24:09 AM you wrote (at least in part):

>>>>> I said about /etc/tcp.smtp and control/rcpthosts because when I had to
>>>>> use a non smtp-auth schema, I saved into control/rcpthosts the domains
>>>>> able to communicate with internal users. Now, with smtp-auth, the users
>>>>> can send/receive to/from anyone.
>>>> Why not turn off SMTP AUTH?
>>> Because I have users that connect from other internet providers in
>>> many cities, and I don't want to allow open relay or maintain the
>>> /etc/tcp.smtp. Sometimes, there are users using dial-up connections,
>>> and to maintain /etc/tcp.smtp is hard.
>> I guess I don't understand your original email.
>>
>> It sounded like you were saying:  I only want to accept mail for 
>> domains in rcpthosts.
> Yes, I want to save into rcpthosts database all domains that I need to
> communicate with.
> I have my users using the mail system from any place in the Internet, so
> from any dynamic IPs.
> Then, I need smtp-auth to increase security for these external accesses
> to my mail server.

No, you don't. SMTP-AUTH is used to set RELAYCLIENT, which is required
for being allowed to RELAY. If you don't want anybody to relay you
don't need to set RELAYCLIENT anytime. W/o this set qmail will never
relay. Therefore if somebody with dynamic IP connects to your server
he/she is allowed to send mails to domains in 'rcpthosts' only, unless
something sets RELAYCLIENT. If you now disable SMTP-AUTH nobody will
be able to send mails to anything except domains in 'rcpthosts'.

Having RELAYCLIENT *never* set, not even through SMTP-AUTH is the
*most secure* setup you can have.

>> If that's the case, turn off relaying entirely.  You would only have to
>> worry about external users sending email to other external users
>> (@x.com sends to @y.com).

> I deleted RELAYCLIENT="" from /etc/tcp.smtp but the users with
> smtp-auth may send/receive emails to/from any other domains, not
> only domains listed into rcpthosts database.

Because SMTP-AUTH code sets RELAYCLIENT environment variable after
successful authentication.

>> I can't think of an easy way to tell qmail:
>>
>> 1) Accept mail for local users [but only from a limited list of 
>> external domains?]. 

> Yes... and accept mail from external users in external limited list 
> domains.

You'll have to write a script/program that is called via QMAILQUEUE
and checks the envelope sender, rejecting the message if this sender
does not match an allowed domain/sender.
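An added example of such a QMAILQUEUE front-end (written here for illustration; it is not code from this post or from the qmail project). The fd 0 / fd 1 protocol and the exit codes are the ones qmail-queue(8) documents; the paths /var/qmail/bin/qmail-queue.real and /var/qmail/control/allowedsenders are assumptions, as is the policy of letting the null sender through so bounces still arrive:

```python
#!/usr/bin/env python3
"""QMAILQUEUE front-end: reject mail whose envelope sender is outside an
allow-list, otherwise hand the message to the real qmail-queue.

Added example, not code from the mailing-list post. Protocol facts are
from qmail-queue(8): message on fd 0; envelope on fd 1 as F<sender>NUL,
then T<recipient>NUL per recipient, then one more NUL. Exit 0 accepts,
exit 31 is a permanent refusal (qmail-smtpd answers 554), 91 is an
envelope format error, and 51-99 are temporary failures (451).
"""
import os
import sys

# Assumed locations: where the original qmail-queue was moved to, and the
# sender allow-list (one domain per line; a leading dot means "any
# subdomain", the same wildcard form rcpthosts uses).
REAL_QMAIL_QUEUE = "/var/qmail/bin/qmail-queue.real"
ALLOWED_SENDERS_FILE = "/var/qmail/control/allowedsenders"

EXIT_PERMANENT_REJECT = 31
EXIT_TEMPORARY = 71
EXIT_ENVELOPE_FORMAT = 91


def parse_envelope(data: bytes):
    """Return (sender, [recipients]) from a raw qmail-queue envelope."""
    fields = data.split(b"\0")
    # A well-formed envelope ends in NUL NUL, which yields two empty fields.
    if len(fields) < 3 or fields[-1] != b"" or fields[-2] != b"":
        raise ValueError("envelope not NUL-NUL terminated")
    items = fields[:-2]
    if not items[0].startswith(b"F"):
        raise ValueError("envelope does not start with F<sender>")
    sender = items[0][1:].decode("ascii", "replace")
    recipients = []
    for item in items[1:]:
        if not item.startswith(b"T"):
            raise ValueError("recipient field does not start with T")
        recipients.append(item[1:].decode("ascii", "replace"))
    return sender, recipients


def sender_domain(sender: str) -> str:
    """Lower-cased domain part of an address; '' if there is none."""
    return sender.rpartition("@")[2].lower() if "@" in sender else ""


def domain_allowed(domain: str, allowed: set) -> bool:
    """Exact match, or suffix match on a leading-dot entry: ".example.com"
    matches "host.example.com" but not "example.com" itself (rcpthosts rule)."""
    if domain in allowed:
        return True
    return any(e.startswith(".") and domain.endswith(e) for e in allowed)


def sender_allowed(sender: str, allowed: set) -> bool:
    """Policy: the null sender (bounces) is accepted so DSNs still arrive;
    every other sender must carry an allowed domain."""
    if sender == "":
        return True
    domain = sender_domain(sender)
    return domain != "" and domain_allowed(domain, allowed)


def load_allowed(path: str) -> set:
    with open(path, encoding="ascii") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def read_all(fd: int) -> bytes:
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def hand_off(message: bytes, envelope: bytes) -> int:
    """Feed the real qmail-queue over the same fd 0 / fd 1 protocol."""
    msg_r, msg_w = os.pipe()
    env_r, env_w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.dup2(msg_r, 0)
        os.dup2(env_r, 1)
        for fd in (msg_r, msg_w, env_r, env_w):
            os.close(fd)
        os.execv(REAL_QMAIL_QUEUE, [REAL_QMAIL_QUEUE])
    os.close(msg_r)
    os.close(env_r)
    # qmail-queue reads the whole message before the envelope, so writing
    # in that order cannot deadlock on the pipe buffers.
    with os.fdopen(msg_w, "wb") as fh:
        fh.write(message)
    with os.fdopen(env_w, "wb") as fh:
        fh.write(envelope)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else EXIT_TEMPORARY


def main() -> int:
    message = read_all(0)
    envelope = read_all(1)
    try:
        sender, _recipients = parse_envelope(envelope)
    except ValueError:
        return EXIT_ENVELOPE_FORMAT
    if not sender_allowed(sender, load_allowed(ALLOWED_SENDERS_FILE)):
        return EXIT_PERMANENT_REJECT
    return hand_off(message, envelope)


if __name__ == "__main__":
    sys.exit(main())
```

Pointing qmail-smtpd at it is done the same way the thread already uses /etc/tcp.smtp, by setting QMAILQUEUE in the tcpserver rule instead of RELAYCLIENT; the check runs after DATA, so the client sees a 554 rather than a rejection at MAIL FROM, and nothing here verifies that the sender domain is genuine, only that it is on the list.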

A different possible solution /could/ be to use 'mailfront' [1] with
its mailrules as SMTP frontend. I haven't tested it, but maybe it's
possible to define a rule:

:sender
k[[@/var/qmail/control/rcpthosts]]:[[@/var/qmail/control/rcpthosts]]

As I said: this is untested, but maybe the mailfront mailing list can
provide more information about whether this kind of setup is possible
with mailfront rules.

> I need SMTP AUTH to increase security for these users. I don't want
> something like a external hacker using my SMTP server to send SPAM
> for my users and using a email like [EMAIL PROTECTED]

You can't prevent somebody from sending mail to '[EMAIL PROTECTED]' if
'mydomain.com' is in your 'rcpthosts'. No matter if you enable
SMTP-AUTH or not.

[1]: http://untroubled.org/mailfront/
-- 
Best regards
Peter Palmreuther

In case of fire, yell "FIRE!"