I suggested Mr Hal Dell simply add another IP to the xmail server, then lock down xmail to accept only the Postini servers on this IP with a firewall rule, and use a SmtpConfig "MailAuth" for the original xmail IP.
Setup will be: xmail server with two IPs:
- the current one, with no changes in the current xmail setup (configured in the server.tab file with SmtpConfig "MailAuth" for its customers, who will have to 'auth' to be relayed)
- a new IP, configured only for port 25 on the xmail command line, without any 'SmtpConfig' in server.tab, but with the Postini servers in the smtprelay.tab file

Firewall configured with:
- no specific rules for the current xmail IP, SMTP port 25
- a rule that accepts only the Postini servers on the second xmail server IP, port 25

Postini servers configured to send to the second xmail server IP, not the current one.

No need to have two instances in this case.

Yes, actually this needs external intervention (firewall). That will not be needed anymore when Davide adds a "mailauth=0" for the smtp.relay and smtp.ipprop files.

As your 'second instance' solution or mine needs another IP, the question is: can Mr Hal Dell add another IP to the xmail server?

Francis

>-----Original message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] on behalf of Don Drake
>Sent: Monday 5 May 2008 16:24
>To: [email protected]
>Subject: [xmail] Re: Lockdown xMail
>
>
>Can't you create a new instance of XMail just for Postini (in-
>postini.myisp.com) and set that up to only allow connections from
>Postini's servers? For MailLaunder, we suggest our clients only
>accept untrusted email from our IP block.
>
>Then have the in-postini.myisp.com forward to the internal servers
>(using custdomain?), and set up internal servers to accept email from
>in-postini.myisp.com via smtprelay.tab?
>
>I think there are potential solutions besides SMTP authorization.
>
>-Don
>
>--
>Don Drake
>www.drakeconsult.com
>www.maillaunder.com
>312-560-1574
>800-733-2143
>
>
>
>On May 5, 2008, at 1:21 AM, Hal Dell wrote:
>
>> Dear David Lord -
>>
>>> I've still not worked out if you want mail coming in via postini to
>>> be allowed to be relayed or if postini is just an external filter for
>>> scanning some of your incoming mail. If the latter, I can't see
>>> why it should need to be treated different to any other incoming
>>> email. However you've mentioned putting an entry for postini in
>>> smtprelay.tab which would indicate that you intend it is allowed
>>> to be relayed. I can't see how that can be done securely though
>>> without authentication.
>>>>
>>>> ... you are correct that the eMail from Postini plus outbound
>>>> eMail from clients are Relay'd on Port 25.
>>>>>
>>>>> There is no problem so far as I know in using port 25, but in
>>>>> my case that port is blocked for outgoing by the ISPs except
>>>>> via their particular gateways. Can you arrange for your clients
>>>>> to use authentication on port 25?
>>
>> You need to keep in mind that I am the ISP for my customers and
>> that both the eMail Client and MTA Relay (Postini in this case) use
>> Port 25.
>>
>> What we have been talking about (in this thread -- look at
>> previous posts) is using the server.tab option
>> "SmtpConfig-<ip>,<port>" with "MailAuth".
>>
>> The net effect of this command is to force authorization on all
>> gateway'd eMail period. The issue is that we need some kind of
>> exception for relay'd eMail -- in this case coming from Postini.
>>
>> Presently, any options specified in smtp.ipprop.tab and
>> smtprelay.tab are ignored for all incoming eMail when using
>> the above ip and port combo with "SmtpConfig".
>>
>> What we are waiting on from Davide is some new option to allow
>> an override of the present behavior of "SmtpConfig" with "MailAuth".
>>
>>> Therefore, one has no choice but to lock the relay function to only
>>> accept eMails from the upstream relay MTA; in this case Postini
>>> IPs. This is easily doable on many of the MTAs that I've come
>>> across in the past like Microsoft Exchange; and RFC 4409
>>> already proposed this concept.
>>>>
>>>> If you can be sure only your own customers will attempt to relay
>>>> via postini you can just add that ip block to smtprelay.tab without
>>>> specifying authentication, however I'd not trust it as being secure
>>>> without knowing a lot more as to how the service works.
>>
>> Postini is an MTA which forwards eMail to my xMail Server only
>> and does not provide the function to allow the relay outside of the
>> domains available on the xMail Server -- if it did it would be an
>> open relay!
>>
>> All outbound relay'd eMail for clients has to go thru my xMail and the
>> Customers use Port 25 or the submission Port 587. We can't use a
>> Firewall to block inbound access because clients are located any
>> place -- and clients are mobile with laptops and PDAs.
>>
>> The Postini Config works like this:
>>
>> <DNS Name> --> <MX records with public IPs of Postini MTA> -->
>> [ Postini In-Bound MTAs --> Postini Scanner Engines --> Postini
>> Out-Bound MTAs pre-programmed to the IP of xMail MTA via Port
>> 25 ] --> xMail MTA.
>>
>> Client config looks like:
>>
>> <DNS Name> --> <A Record with public IP> --> xMail MTA on Port
>> 25 or 587 --> to Internal domains or relay'd Out-Bound for external
>> domains.
>>
>> Thanks,
>> Hal Dell
>> Managing Partner
>> ePodWorks.net, Inc.
>>
>> -
>> To unsubscribe from this list: send the line "unsubscribe xmail" in
>> the body of a message to [EMAIL PROTECTED]
>> For general help: send the line "help" in the body of a message to
>> [EMAIL PROTECTED]
>>
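The two-IP lockdown Francis proposes above (firewall restricts the second IP's port 25 to the upstream filter's address blocks; the original IP keeps xmail's own SmtpConfig/MailAuth enforcement) is modelled below as an added Python example. It is not xmail code and comes from nobody in this thread. The xmail IPs and the upstream (Postini) blocks are constructed placeholders from the RFC 5737 documentation ranges, the allowlist is a plain list of CIDR blocks rather than the real smtprelay.tab syntax, and the `iptables_rules()` output is rendered as strings only, on the assumption of a standard iptables INPUT chain.

```python
"""Added example (not xmail code, not from this thread): a model of the
two-IP lockdown Francis describes, plus the check a mail admin would run
before applying any firewall rule: every connection that bypasses SMTP
AUTH must originate from an allowlisted upstream block.

All addresses are constructed from RFC 5737 documentation ranges; the
upstream blocks stand in for real Postini ranges, which are not on the page.
"""
import ipaddress

# Constructed: the existing xmail IP. Unchanged; xmail's own
# SmtpConfig "MailAuth" forces SMTP AUTH on everything arriving here.
CUSTOMER_IP = ipaddress.ip_address("192.0.2.10")
# Constructed: the second IP, listening on port 25 only, without MailAuth.
RELAY_IP = ipaddress.ip_address("192.0.2.11")
# Constructed allowlist of the upstream filter's outbound MTA blocks
# (a plain list; the real smtprelay.tab syntax is not reproduced here).
UPSTREAM_BLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.32/27")]


def is_upstream(src):
    """True when the source address lies inside one of the allowlisted blocks."""
    src = ipaddress.ip_address(src)
    return any(src in block for block in UPSTREAM_BLOCKS)


def firewall_decision(src, dst, dport):
    """'accept' or 'drop' for an inbound TCP connection, per the two rules:
    - no specific rule for the current IP on port 25 (xmail handles auth), and
    - only upstream blocks may reach the second IP on port 25.
    """
    dst = ipaddress.ip_address(dst)
    if dport != 25:
        return "accept"  # other ports are outside this lockdown
    if dst == RELAY_IP:
        return "accept" if is_upstream(src) else "drop"
    if dst == CUSTOMER_IP:
        return "accept"
    return "drop"  # not one of our listeners


def requires_auth(dst, dport):
    """Which listener demands SMTP AUTH: the customer IP (SmtpConfig with
    MailAuth, ports 25 and 587 as in Hal's setup), never the relay-only IP."""
    return ipaddress.ip_address(dst) == CUSTOMER_IP and dport in (25, 587)


def classify(src, dst, dport):
    """Combine the firewall layer and the xmail layer into one outcome."""
    if firewall_decision(src, dst, dport) == "drop":
        return "dropped by firewall"
    if requires_auth(dst, dport):
        return "accepted, SMTP AUTH required"
    return "accepted, relay allowed without AUTH"


def iptables_rules():
    """Render the equivalent iptables commands as strings (nothing is applied):
    allow each upstream block to the relay IP, then drop the rest of port 25
    on that IP. The customer IP gets no rule at all."""
    rules = [f"iptables -A INPUT -p tcp -d {RELAY_IP} --dport 25 -s {block} -j ACCEPT"
             for block in UPSTREAM_BLOCKS]
    rules.append(f"iptables -A INPUT -p tcp -d {RELAY_IP} --dport 25 -j DROP")
    return rules


def verify_policy():
    """Run constructed test connections through classify() and confirm that
    nothing relays without AUTH unless it came from an upstream block."""
    cases = [  # constructed: (source, destination, port)
        ("203.0.113.7", str(RELAY_IP), 25),       # upstream -> relay IP: relay, no AUTH
        ("198.51.100.200", str(RELAY_IP), 25),    # stranger -> relay IP: dropped
        ("198.51.100.200", str(CUSTOMER_IP), 25), # stranger -> customer IP: AUTH demanded
        ("203.0.113.7", str(CUSTOMER_IP), 587),   # upstream -> submission port: AUTH demanded
    ]
    results = {c: classify(*c) for c in cases}
    no_auth = [c for c, r in results.items() if r.endswith("without AUTH")]
    assert all(is_upstream(c[0]) for c in no_auth), "unauthenticated relay from a stranger"
    return results


if __name__ == "__main__":
    for conn, outcome in verify_policy().items():
        print(f"{conn[0]:>16} -> {conn[1]}:{conn[2]}  {outcome}")
    print("\n".join(iptables_rules()))
```

The point of `verify_policy()` is the invariant the whole thread is circling: the only path that skips SMTP AUTH is the second IP, and the firewall is what keeps that path closed to everyone but the upstream filter. If the allowlist is edited, rerunning the check shows immediately whether a non-upstream source could now relay unauthenticated.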
