
Re: rcpthosts_from_db

On Fri, Sep 20, 2002 at 07:17:53PM +1000, Mattt wrote:
> Hhmm... oddly (but in a nice way *grin*), it now does seem to work
> properly. Although, qmail-showctl says that " SMTP clients may send
> messages to any recipient." - is this simply the result of an unpatched
> program failing to see the rcpthosts flatfile?
> If I try to send mail outside the network (without telling my client to
> send credentials to the server), it immediately sends me back "Requested
> action not taken: mailbox name not allowed: mail not sent". Seems a
> little inelegant, at best - is this really the error I should be
> getting? 
No. It should tell you: 
  553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Maybe your client doesn't report the error string sent by the server
to you, but reports its own interpretation?

> Sending inside the network works without auth (for all intents
> and purposes, (network == domain) on this still-in-devel server...), and
> sending anywhere with auth works ;-)
Ok. I'll give a little more explanation about the cooperation of
rcpthosts, qmail-smtpd and RELAYCLIENT:
- rcpthosts (or the equivalent from the database) contains all domains for
  which your server will accept mail, with or without RELAYCLIENT or
  authenticated SMTP (it will of course fail if you supply a wrong password).
  If your server is connected directly to the internet, this will protect
  you against spam relaying.
- RELAYCLIENT is a parameter which can be set by tcpserver. If the mailserver
  receives mail, it will skip the rcpthosts check if that parameter is supplied.
  This allows you to specify a range of computers which can relay mail through
  your mailserver, e.g. the computers on your local network.

Suppose your company has a mailserver which is directly connected to the
internet. You put your domain names in rcpthosts and your server will accept
all mail for your company. Your employees are on an internal network
(say 192.168.0.x) and your mailserver will relay all mail coming from their
computers. Seen from the 'inside', your server is an open relay. From
the outside it isn't.
This is great as long as everybody keeps the same IP address. But your
sales manager also needs to send mail through your computer and he's frequently
using a dialup without a fixed IP address. This is where smtp-auth comes in: if his
computer sends a correct login/password, smtp-auth will set RELAYCLIENT
for his connection and the mailserver will work as an open relay for this
connection (not for his IP address). Of course you can use smtp-auth for your
local employees too, but RELAYCLIENT can already take care of it.

I hope this clarifies things a little.
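The interplay described in this message, as an added shell model that is not part of the original mail or of qmail itself: it reads a constructed rcpthosts file and applies the rule that a set RELAYCLIENT (from a tcpserver rule or from smtp-auth) skips the recipient-domain check. The file name, function names and sample domains are assumptions.

```shell
# Added example, not qmail's own code: a small model of the relay decision
# that qmail-smtpd makes for each RCPT TO, as explained in the mail above.
# Assumptions: rcpthosts holds one domain per line; an entry with a leading
# dot matches subdomains of that domain; RELAYCLIENT is an environment
# variable set for the connection by tcpserver rules or by smtp-auth.

# Constructed rcpthosts file: the domains this server accepts mail for.
RCPTHOSTS_FILE="${TMPDIR:-/tmp}/rcpthosts.example.$$"
printf '%s\n' 'example.com' '.example.net' > "$RCPTHOSTS_FILE"

# in_rcpthosts DOMAIN -> 0 if DOMAIN is listed, or is a subdomain of a
# dotted entry; 1 otherwise. Comparison is case-insensitive.
in_rcpthosts() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case "$entry" in
            .*) case "$domain" in *"$entry") return 0 ;; esac ;;
            *)  [ "$domain" = "$entry" ] && return 0 ;;
        esac
    done < "$RCPTHOSTS_FILE"
    return 1
}

# rcpt_allowed RECIPIENT -> 0 (accept) or 1 (reject).
# If RELAYCLIENT is present in the environment (even empty, as tcpserver
# rules usually set it), the rcpthosts check is skipped entirely.
rcpt_allowed() {
    if [ -n "${RELAYCLIENT+set}" ]; then
        return 0
    fi
    in_rcpthosts "${1##*@}"
}

# smtp_reply RECIPIENT -> the SMTP response line a client would see.
smtp_reply() {
    if rcpt_allowed "$1"; then
        echo "250 ok"
    else
        echo "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
    fi
}
```

Running `smtp_reply user@other.org` without RELAYCLIENT in the environment prints the 553 line quoted in the mail; the same call in a shell where RELAYCLIENT is set prints 250.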