Can't you create a new instance of XMail just for Postini (in-postini.myisp.com) and set that up to only allow connections from Postini's servers? For MailLaunder, we suggest our clients only accept untrusted email from our IP block.
Then have the in-postini.myisp.com forward to the internal servers (using custdomain?), and set up internal servers to accept email from in-postini.myisp.com via smtprelay.tab?

I think there are potential solutions besides SMTP authorization.

-Don

--
Don Drake
www.drakeconsult.com
www.maillaunder.com
312-560-1574
800-733-2143

On May 5, 2008, at 1:21 AM, Hal Dell wrote:

> Dear David Lord -
>
>> I've still not worked out if you want mail coming in via postini to
>> be allowed to be relayed or if postini is just an external filter for
>> scanning some of your incoming mail. If the latter, I can't see
>> why it should need to be treated different to any other incoming
>> email. However you've mentioned putting an entry for postini in
>> smtprelay.tab which would indicate that you intend it is allowed
>> to be relayed. I can't see how that can be done securely though
>> without authentication.
>>>
>>> ... you are correct that the eMail from Postini plus outbound
>>> eMail from clients are Relay'd on Port 25.
>>>>
>>>> There is no problem so far as I know in using port 25, but in
>>>> my case that port is blocked for outgoing by the ISPs except
>>>> via their particular gateways. Can you arrange for your clients
>>>> to use authentication on port 25?
>
> You need to keep in mind that I am the ISP for my customers and
> that both eMail Client and MTA Relay (Postini in this case) use
> Port 25.
>
> What we have been talking about (in this thread -- look at
> previous posts) is using the server.tab option
> "SmtpConfig-<ip>,<port>" with "MailAuth".
>
> The net effect of this command is to force authorization on all
> gateway'd eMail period. The issue is that we need some kind of
> exception for relay'd eMail -- in this case coming from Postini.
>
> Presently, any options specified in smtp.ipprop.tab and
> smtprelay.tab are ignored for all incoming eMail when using
> the above ip and port combo with "SmtpConfig".
>
> What we are waiting on from Davide is some new option to allow
> an override of the present behavior of "SmtpConfig" with "MailAuth".
>
>> Therefore, one has no choice but to lock the relay function to only
>> accept eMails from the upstream relay MTA; in this case Postini
>> IPs. This is easily doable on many of the MTAs that I've come
>> across in the past like Microsoft Exchange; and RFC 4409
>> already proposed this concept.
>>>
>>> If you can be sure only your own customers will attempt to relay
>>> via postini you can just add that ip block to smtprelay.tab without
>>> specifying authentication, however I'd not trust it as being secure
>>> without knowing a lot more as to how the service works.
>
> Postini is an MTA which forwards eMail to my xMail Server only
> and does not provide the function to allow the relay outside of the
> domains available on the xMail Server -- if it did it would be an
> open relay!
>
> All, outbound relay'd eMail for clients have to go thru my xMail and the
> Customers use Port 25 or the submission Port 587. We can't use a
> Firewall to block in bound access because clients are located any
> place -- and clients are mobile with laptops and pdas.
>
> The Postini Config works like this:
>
> <DNS Name> --> < MX records with public IPs of Postini MTA> -->
> [ Postini In-Bound MTAs --> Postini Scanner Engines --> Postini
> Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port
> 25 ] --> xMail MTA.
>
> Client config looks like:
>
> <DNS Name> --> <A Record with public IP> --> xMail MTA on Port
> 25 or 587 --> to Internal domains or relay'd Out-Bound for external
> domains.
>
> Thanks,
> Hal Dell
> Managing Partner
> ePodWorks.net, Inc.
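
The policy the thread is asking for, as an added example that is not part of the original messages and is not XMail's own code: every client must authenticate except the upstream filter's address block, and that exception covers only mail for hosted domains. The address block, the domain and the function names are constructed assumptions.

```python
import ipaddress

# Constructed placeholders, not values from the thread.
FILTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # filter's outbound MTAs
LOCAL_DOMAINS = {"customer.example"}                     # domains hosted on the MTA

def from_filter(client_ip):
    """True when the connecting address belongs to the upstream filter."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in FILTER_NETS)

def smtp_decision(client_ip, port, authenticated, rcpt):
    """Return (accept, reason) for one RCPT TO on the hosting MTA."""
    local = rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    if authenticated:
        # Roaming customers on 25 or 587: local delivery or outbound relay.
        return True, "authenticated client"
    if port == 25 and from_filter(client_ip):
        # The only unauthenticated exception, limited to hosted domains so
        # the filter's address block can never be used as an open relay.
        if local:
            return True, "filtered inbound mail for a hosted domain"
        return False, "filter addresses may not relay to external domains"
    if local:
        return False, "unauthenticated mail must arrive through the filter"
    return False, "relay requires authentication"

# Constructed sessions: (client IP, port, authenticated, recipient)
SAMPLES = [
    ("203.0.113.10", 25, False, "alice@customer.example"),
    ("203.0.113.10", 25, False, "bob@elsewhere.example"),
    ("198.51.100.7", 587, True, "bob@elsewhere.example"),
    ("198.51.100.7", 25, False, "alice@customer.example"),
    ("198.51.100.7", 25, False, "bob@elsewhere.example"),
]

def run_samples():
    """Accept/reject verdict for each constructed session, in order."""
    return [smtp_decision(*s)[0] for s in SAMPLES]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", smtp_decision(*s))
```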