Hello Edilmar,

On Friday, July 23, 2004 at 4:24:09 AM you wrote (at least in part):

>>>>> I said about /etc/tcp.smtp and control/rcpthosts because when I had to
>>>>> used non smtp-auth schema, I saved into control/rcpthosts the domains
>>>>> abled to communicate with internal users. Now, with smtp-auth, the
>>>>> users
>>>>> can send/receive to/from anyone.
>>>> Why not turn off SMTP AUTH?
>>> Because I have users that connect from other internet providers in
>>> many cities,
>>> and I don't want to allow open relay or maintain the /etc/tcp.smtp.
>>> Sometimes,
>>> there are users using dial-up connections, and to maintain 
>>> /etc/tcp.smtp is hard.
>> I guess I don't understand your original email.
>> It sounded like you were saying:  I only want to accept mail for 
>> domains in rcpthosts.
> Yes, I want to save into rcpthosts database, all domains that I need to
> communicate.
> I have my users using the mail system from any place in the Internet, so
> from any dinamic IPs.
> Then, I need smtp-auth to increase secutiry for these external accesses
> to my mail server.

No, you don't. SMTP-AUTH is used to set RELAYCLIENT, which is required
for being allowed to RELAY. If you don't want anybody to relay you
don't need to set RELAYCLIENT anytime. W/o this set qmail will never
relay. Therefore if somebody with dynamic IP connects to your server
he/she is allowed to send mails to domains in 'rcpthosts' only, unless
something sets RELAYCLIENT. If you now disable SMTP-AUTH nobody will
be able to send mails to anything except domains in 'rcpthosts'.

Having RELAYCLIENT *never* set, not even through SMTP-AUTH is the
*most secure* setup you can have.

>> If that's the case, turn of relaying entirely.  You would only have to
>> worry about external users sending email to other external users 
>> (@x.com sends to @y.com). 

> I deleted RELAYCLIENT="" from /etc/tcp.smtp but the users with
> smtp-auth may send/receive emails to/from any other domains, not
> only domains listed into rcpthosts database.

Because SMTP-AUTH code sets RELAYCLIENT environment variable after
successful authentication.

>> I can't think of an easy way to tell qmail:
>> 1) Accept mail for local users [but only from a limited list of 
>> external domains?]. 

> Yes... and accept mail from external users in external limited list 
> domains.

You'll have to write a script/program that is called via QMAILQUEUE
and checks envelope sender and rejects the message if this from does
not match allowed domain/sender.

A different possible solution /could/ be to use 'mailfront' [1] with
it's mailrules as SMTP frontend. I haven't tested it, but maybe it's
possible to defined a rule:


As I said: this is untested, but maybe mailfront-mailinglist can
provide more information about it this kind of setup is possible with
mailfront rules.
> I need SMTP AUTH to increase security for these users. I don't want
> something like a external hacker using my SMTP server to send SPAM
> for my users and using a email like [EMAIL PROTECTED]

You can't prevent somebody sending mail to '[EMAIL PROTECTED]' if
'mydomain.com' is in your 'rcpthosts'. No matter if you enable
SMTP-AUTH or not.

[1]: http://untroubled.org/mailfront/
Best regards
Peter Palmreuther

In case of fire, yell "FIRE!

Reply via email to