Dear David Lord -

> I've still not worked out if you want mail coming in via postini to
> be allowed to be relayed or if postini is just an external filter for
> scanning some of your incoming mail. If the latter, I can't see
> why it should need to be treated different to any other incoming
> email. However you've mentioned putting an entry for postini in
> smtprelay.tab which would indicate that you intend it is allowed
> to be relayed. I can't see how that can be done securely though
> without authentication.
>>
>> ... you are correct that the eMail from Postini plus outbound
>> eMail from clients are Relay'd on Port 25.
>>>
>>> There is no problem so far as I know in using port 25, but in
>>> my case that port is blocked for outgoing by the ISPs except
>>> via their particular gateways. Can you arrange for your clients
>>> to use authentication on port 25?

You need to keep in mind that I am the ISP for my customers and that both eMail Client and MTA Relay (Postini in this case) use Port 25. What we have been talking about (in this thread -- look at previous posts) is using the server.tab option "SmtpConfig-<ip>,<port>" with "MailAuth". The net effect of this command is to force authorization on all gateway'd eMail, period. The issue is that we need some kind of exception for relay'd eMail -- in this case coming from Postini. Presently, any options specified in smtp.ipprop.tab and smtprelay.tab are ignored for all incoming eMail when using the above ip and port combo with "SmtpConfig". What we are waiting on from Davide is some new option to allow an override of the present behavior of "SmtpConfig" with "MailAuth".

> Therefore, one has no choice but to lock the relay function to only
> accept eMails from the upstream relay MTA; in this case Postini
> IPs. This is easily doable on many of the MTAs that I've come
> across in the past like Microsoft Exchange; and RFC 4409
> already proposed this concept.
>>
>> If you can be sure only your own customers will attempt to relay
>> via postini you can just add that ip block to smtprelay.tab without
>> specifying authentication, however I'd not trust it as being secure
>> without knowing a lot more as to how the service works.

Postini is an MTA which forwards eMail to my xMail Server only and does not provide the function to allow the relay outside of the domains available on the xMail Server -- if it did it would be an open relay! All outbound relay'd eMail for clients has to go thru my xMail and the Customers use Port 25 or the submission Port 587. We can't use a Firewall to block inbound access because clients are located any place -- and clients are mobile with laptops and PDAs.

The Postini Config works like this:

  <DNS Name> --> < MX records with public IPs of Postini MTA> --> [ Postini In-Bound MTAs --> Postini Scanner Engines --> Postini Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port 25 ] --> xMail MTA.

Client config looks like:

  <DNS Name> --> <A Record with public IP> --> xMail MTA on Port 25 or 587 --> to Internal domains or relay'd Out-Bound for external domains.

Thanks,

Hal Dell
Managing Partner
ePodWorks.net, Inc.

-
To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
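
The relay exception discussed in this message, modelled as an added example (it is not XMail code or configuration and is not part of the original post): a listener that requires SMTP AUTH, with an IP-based exception for the upstream filter that covers inbound delivery only. The IP range, domain names and function names are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: documentation-range IPs and example domains.
UPSTREAM_FILTER_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # filter's outbound MTAs
LOCAL_DOMAINS = {"example.com", "example.net"}                  # domains hosted on this server


def from_upstream_filter(peer_ip: str) -> bool:
    """True if the connecting peer is one of the filter's outbound MTAs."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in UPSTREAM_FILTER_NETS)


def rcpt_decision(peer_ip: str, authenticated: bool, rcpt: str) -> str:
    """Decide one RCPT TO on a listener that otherwise requires SMTP AUTH.

    Returns "accept-local", "accept-relay" or "reject".
    """
    domain = rcpt.rsplit("@", 1)[-1].lower().rstrip(".")
    is_local = "@" in rcpt and domain in LOCAL_DOMAINS

    if authenticated:
        # Roaming clients on port 25 or 587: AUTH is the only thing that
        # identifies them, so it is what unlocks outbound relaying.
        return "accept-local" if is_local else "accept-relay"

    if from_upstream_filter(peer_ip):
        # The exception: the filter does not authenticate, so its IP is
        # trusted, but only for delivery to hosted domains. Relaying
        # onward on IP alone would extend relay rights to anything the
        # filter forwards.
        return "accept-local" if is_local else "reject"

    # With AUTH forced on this listener, every other unauthenticated
    # peer is refused, whether or not the recipient is local.
    return "reject"
```

The case to watch is the second branch: an unauthenticated connection from the filter's range addressed to an external domain must be rejected, not relayed.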
