On Friday, July 23, 2004 at 4:24:09 AM you wrote (at least in part):
>>>>> I said about /etc/tcp.smtp and control/rcpthosts because when I had to
>>>>> use non smtp-auth schema, I saved into control/rcpthosts the domains
>>>>> able to communicate with internal users. Now, with smtp-auth, they
>>>>> can send/receive to/from anyone.
>>>> Why not turn off SMTP AUTH?
>>> Because I have users that connect from other internet providers in
>>> many cities,
>>> and I don't want to allow open relay or maintain the /etc/tcp.smtp.
>>> There are users using dial-up connections, and to maintain
>>> /etc/tcp.smtp is hard.
>> I guess I don't understand your original email.
>> It sounded like you were saying: I only want to accept mail for
>> domains in rcpthosts.
> Yes, I want to save into rcpthosts database, all domains that I need to
> I have my users using the mail system from any place in the Internet, so
> from any dynamic IPs.
> Then, I need smtp-auth to increase security for these external accesses
> to my mail server.
No, you don't. SMTP-AUTH is used to set RELAYCLIENT, which is required
for being allowed to RELAY. If you don't want anybody to relay you
don't need to set RELAYCLIENT anytime. W/o this set qmail will never
relay. Therefore if somebody with dynamic IP connects to your server
he/she is allowed to send mails to domains in 'rcpthosts' only, unless
something sets RELAYCLIENT. If you now disable SMTP-AUTH nobody will
be able to send mails to anything except domains in 'rcpthosts'.
Having RELAYCLIENT *never* set, not even through SMTP-AUTH is the
*most secure* setup you can have.
>> If that's the case, turn off relaying entirely. You would only have to
>> worry about external users sending email to other external users
>> (@x.com sends to @y.com).
> I deleted RELAYCLIENT="" from /etc/tcp.smtp but the users with
> smtp-auth may send/receive emails to/from any other domains, not
> only domains listed into rcpthosts database.
Because SMTP-AUTH code sets RELAYCLIENT environment variable after
>> I can't think of an easy way to tell qmail:
>> 1) Accept mail for local users [but only from a limited list of
>> external domains?].
> Yes... and accept mail from external users in external limited list
You'll have to write a script/program that is called via QMAILQUEUE
and checks envelope sender and rejects the message if this from does
not match allowed domain/sender.
A different possible solution /could/ be to use 'mailfront' with
its mailrules as SMTP frontend. I haven't tested it, but maybe it's
possible to define a rule:
As I said: this is untested, but maybe mailfront-mailinglist can
provide more information about if this kind of setup is possible with
> I need SMTP AUTH to increase security for these users. I don't want
> something like an external hacker using my SMTP server to send SPAM
> for my users and using an email like [EMAIL PROTECTED]
You can't prevent somebody sending mail to '[EMAIL PROTECTED]' if
'mydomain.com' is in your 'rcpthosts'. No matter if you enable
SMTP-AUTH or not.
In case of fire, yell "FIRE!
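
Added example, not part of the original message: one way the QMAILQUEUE wrapper suggested above could look, written in Python. The allow-list contents, the decision to accept the null (bounce) sender, and the qmail-queue path are assumptions of this sketch.

```python
import contextlib
import os
import subprocess
import sys

ALLOWED_SENDER_DOMAINS = {"example.com", "partner.example"}  # constructed sample values
REAL_QUEUE = "/var/qmail/bin/qmail-queue"  # assumed path of the real queue program

def parse_envelope(raw: bytes):
    """Envelope (read from fd 1): F<sender>\\0, T<rcpt>\\0 per recipient, final \\0."""
    fields = raw.split(b"\0")
    sender, rcpts = fields[0], fields[1:-2]
    ok = (len(fields) >= 4 and fields[-2:] == [b"", b""] and sender.startswith(b"F")
          and all(r.startswith(b"T") and len(r) > 1 for r in rcpts))
    if not ok:
        raise ValueError("malformed envelope")
    return sender[1:].decode("latin-1"), [r[1:].decode("latin-1") for r in rcpts]

def sender_allowed(sender: str, allow_null: bool = True) -> bool:
    """Empty sender is a bounce (<>); accepting it is this example's assumption."""
    if sender == "":
        return allow_null
    local, at, domain = sender.rpartition("@")
    return bool(local and at) and domain.lower() in ALLOWED_SENDER_DOMAINS

def forward(message: bytes, envelope: bytes) -> int:
    (msg_r, msg_w), (env_r, env_w) = os.pipe(), os.pipe()
    try:  # the child gets the message on fd 0 and the envelope on fd 1
        proc = subprocess.Popen([REAL_QUEUE], stdin=msg_r, stdout=env_r)
    except OSError:
        return 71  # temporary refusal: the real queue could not be started
    os.close(msg_r)
    os.close(env_r)
    for fd, data in ((msg_w, message), (env_w, envelope)):
        with contextlib.suppress(OSError), open(fd, "wb") as pipe:
            pipe.write(data)  # EPIPE here means the child exited early
    rc = proc.wait()
    return rc if rc >= 0 else 71

def main() -> int:
    message = sys.stdin.buffer.read()  # whole message is buffered in memory
    envelope = open(1, "rb", closefd=False).read()
    try:
        sender, _ = parse_envelope(envelope)
    except ValueError:
        return 91  # qmail-queue's code for an envelope format error
    return forward(message, envelope) if sender_allowed(sender) else 31  # 31: permanent refusal

if __name__ == "__main__":
    sys.exit(main())
```

The envelope sender is whatever the connecting client gives in MAIL FROM, so this check filters by policy and does not authenticate anyone.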