On 2005-11-27, at 1318, [EMAIL PROTECTED] wrote:

ok i know how to force users to provide username and password (of course
using jms's patch) for sending mail, but what about the servers on the
internet? how will they send mails to this server? can i exclude, say, any ip
to not be authenticated?

it depends on what you mean by "ip not to be authenticated". three different things come to mind:

(1) if you're worried about other servers doing normal deliveries to mailboxes which are handled by your server, as long as you don't set REQUIRE_AUTH or FORCE_TLS on the server, they will still be able to do normal deliveries.

(2) if you want certain IP addresses to be able to relay (i.e. send mail anywhere without being required to AUTH first) you can add the line to your tcpserver access control file (normally /etc/tcp.smtp) with a line that sets RELAYCLIENT="". a few other people have already pointed this out.

(3) if you want certain IP addresses to not be able to use AUTH at all, for example if you know that a certain IP block is full of spammers and you don't want them to use AUTH at all, even if they do know one of your users' passwords... hrmmm... it sounds like i might need to add a DENY_AUTH environment variable (no, it doesn't exist yet.) the closest you can get for right now is this:

- make sure you're using at least version 6 of my combined patch
- make sure the SMTP service correctly supports STARTTLS
- do NOT use the option to "allow insecure AUTH" (you shouldn't use this option anyway)
- add a line to your tcpserver access control file which has DENY_TLS="" for their IP range

this will prevent them from being able to use STARTTLS, and without TLS the AUTH command won't be available... which means they will be limited to standard deliveries to your domains only, and never able to use AUTH and gain permission to relay.

of course this means your users will have to use STARTTLS before they can AUTH, but that's just a matter of turning on a checkbox in their mail program.

--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <[EMAIL PROTECTED]> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
--------------------------------------------------
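The three cases above all come down to which line in the tcpserver access control file a client's IP address ends up matching. The following is an added example, not part of John's message or of his combined patch: it writes a constructed /etc/tcp.smtp-style file (with RELAYCLIENT="" for a trusted gateway and DENY_TLS="" for a distrusted block, using documentation IP ranges, not real hosts) and then resolves a few client addresses against it with a small shell re-implementation of tcpserver's lookup order for plain IP keys (exact address, then dotted prefixes longest first, then the empty catch-all). The function names are hypothetical, and the matcher deliberately ignores the range and =host forms that real tcprules also accepts.

```shell
#!/bin/sh
# Added example (not from the original message): a tcpserver access-control
# file in the /etc/tcp.smtp format, plus a lookup that mimics how tcpserver
# resolves a client IP against plain-IP rules. The real daemon reads the cdb
# built by:  tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
# The matching below is a simplified re-implementation for illustration only.

RULES_FILE="${TMPDIR:-/tmp}/tcp.smtp.example.$$"
trap 'rm -f "$RULES_FILE"' EXIT

# Constructed sample rules; addresses are documentation ranges, not real hosts.
cat > "$RULES_FILE" <<'EOF'
# internal gateway: may relay anywhere without AUTH (case 2 in the post)
192.168.1.10:allow,RELAYCLIENT=""
# a block believed hostile: no STARTTLS, so AUTH is never offered (case 3)
203.0.113.:allow,DENY_TLS=""
# one host inside that block that is exempted: an exact IP beats the prefix
203.0.113.200:allow
# everyone else: plain delivery to local domains; AUTH only after STARTTLS
:allow
EOF

# Keys in the order tcpserver tries them for a dotted-quad client address:
# exact IP, then dotted prefixes from longest to shortest. The caller appends
# the empty catch-all key.
tcprule_candidates() {
    ip=$1
    printf '%s\n' "$ip"
    p=${ip%.*}; printf '%s.\n' "$p"
    p=${p%.*};  printf '%s.\n' "$p"
    p=${p%.*};  printf '%s.\n' "$p"
}

# Print the instruction (everything after the first colon) of the first
# non-comment rule whose key equals $1; print nothing if there is none.
tcprule_match() {
    awk -F: -v k="$1" \
        'NF >= 2 && substr($0, 1, 1) != "#" && $1 == k { sub(/^[^:]*:/, ""); print; exit }' \
        "$2"
}

# Resolve a client IP to its instruction string, e.g. allow,DENY_TLS=""
tcprule_lookup() {
    ip=$1; file=$2
    for key in $(tcprule_candidates "$ip") ""; do
        hit=$(tcprule_match "$key" "$file")
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# Summarise what the matched instruction means for the SMTP session, using
# the semantics the post describes for RELAYCLIENT and DENY_TLS.
tcprule_effect() {
    rule=$(tcprule_lookup "$1" "$2") || rule=allow   # tcpserver allows unmatched IPs
    case "$rule" in
        deny*)          echo deny ;;            # connection refused outright
        *RELAYCLIENT=*) echo relay ;;           # may relay without AUTH
        *DENY_TLS=*)    echo no-tls-no-auth ;;  # no STARTTLS, hence no AUTH: delivery only
        *)              echo deliver-only ;;    # local delivery; AUTH only after STARTTLS
    esac
}

for ip in 192.168.1.10 203.0.113.45 203.0.113.200 198.51.100.7; do
    printf '%-15s %-25s %s\n' "$ip" \
        "$(tcprule_lookup "$ip" "$RULES_FILE")" "$(tcprule_effect "$ip" "$RULES_FILE")"
done
```

The point to check on a real box is the precedence: 203.0.113.200 gets plain `allow` because the exact-address key is consulted before the `203.0.113.` prefix, while 203.0.113.45 falls through to the prefix rule and loses STARTTLS (and with it AUTH). Remember that tcpserver only sees the compiled .cdb, so edits to the text file do nothing until tcprules has been re-run.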

