
Re: smtpserver s18 vs. user@[x.x.x.x] reject policy



> Unless I have had made a horrible mistake somewhere, there is a 
> problem with the policy rejection in s18.

	I think your particular problem is with the  smtpserver.conf
	and  smtp-policy.src  files.

	The files that this is sensitive about, and which are *not*
	automatically overwritten by 'make install(-bin)', are:
		MAILSHARE/smtpserver.conf	(several PARAMs!)
		MAILVAR/db/smtp-policy.src
		MAILBIN/policy-builder.sh

	Also, to a certain degree the
		MAILVAR/db/smtp-policy.relay
	file contents are quite sensitive..  Quite too much, I think.

	If you don't list your local addresses as address literals
	in that, then you don't have problems (shouldn't, I mean.)

	If you list your machine/network, then things become a bit
	difficult for you...  Poking at your systems a bit.
	(You do have 'PARAM debug' enabled...)

	Right, you seem to have in there:

[194.70.234.0]/24

	which means that any host in that C class can send thru your
	system.

	Unfortunately the smtp-policy.src defines  _full_rights
	as:  "rejectnet - relaycustnet + relaycustomer + relaytarget +"
	of these, the 'relaycustomer +' pair is poison, and it never
	should have been at the boilerplate!  It was removed a while
	back -- few months ago.  This harms you only if you define
	e.g. your hostname/domain suffix at the  smtp-policy.relay
	file.  (... ok, I removed 'relaycustomer *' from use ...)

	With S18 your  smtp-policy.relay  needs line:
		[194.70.234.6]/32 localdomain +
	which along with smtpserver.conf's  PARAM  settings:

#PARAM	allowsourceroute
#PARAM	accept-percent-kludge # "localpart" can contain '%' and '!'
PARAM	reject-percent-kludge # "localpart" can't contain  --"--
	
	will get the hole plugged.

	Yes, too damn complicated.   Even I can become confused, never
	mind you, folks...  I have now added handling of autodetection
	of the local interfaces in that address processing path, and
	it does automatically this 'localdomain +' thing, plus removes
	possible '*rbl*' related attributes.

	It does *not* do "allow relaying thru me if the connection comes
	from this source address", e.g. it does not automatically allow
	email relaying if users inside the machine contact the smtpserver
	at any of its interfaces.
	Should it ???  (It could..)

	My test code is running at   mea.tmt.tele.fi,  please try to find
	a way which allows relaying thru.  You can even try things like:
		foo%bar.fi%mea.tmt.tele.fi@[127.0.0.1]
	and see it fail at correct spot :-)  ( Do use 'DEBUG' :) )

	However... !-path handling is not included in this resolving
	processing..  (Not yet, anyway.)

	I do see that sometimes a router-based approach is better than
	my simple-minded approaches in the smtpserver.  Even though
	the router approach is way heavier..

	I would like to document how to do it, could anybody give
	pointers ?

> Having discovered that one of my machines -- a RedHat 5.2 machine -- 
> was registered on ORBS I updated it to s18.  Unfortunately it still 
> accepted the problematic address so I checked out a Solaris 2.6 
> running s11 and that rejected it.

	s11 seems to do DNS lookups for the domain -- which is an IP
	address literal in real life:

000- DNS-Verify: Look MX, or Addr for host '[194.70.234.6]'
000- ... returns: -2

	and fails...  Lucky for you.

> I then tried the same test on the same machine with different 
> smtpservers as shown below.  The s18 version allowed through the 
> offending address each time.  I have deleted and rebuilt all db files 
> each time.
> 
> Am I wrong or is the smtpserver wrong?
> 
> Regards
> Simon.

	That test is also erroneous, place
		-s strict
	into the  SMTPOPTIONS  and these will be rejected.
	(Until the testers do get their software fixed..)

> 220 dash.widearea.co.uk ZMailer Server 2.99.50-s18 #1 ESMTP+IDENT 
> ready at Thu, 3 Jun 1999 14:08:51 +0100
> HELO www.firstimpress.co.uk
> 250 dash.widearea.co.uk Hello www.firstimpress.co.uk
> MAIL From: <shb@firstimpress.co.uk>
> 250 2.1.0 Sender syntax Ok
> RCPT To: <orbs-relaytest%manawatu.co.nz@[194.70.234.6]>
> 250 2.1.5 Recipient address syntax Ok
> QUIT
> 221 2.0.0 dash.widearea.co.uk Out
> Connection closed by foreign host.
> 
> 220 dash.widearea.co.uk ZMailer Server 2.99.50-s11 #1 ESMTP+IDENT 
> ready at Thu, 3 Jun 1999 14:09:46 +0100
> HELO www.firstimpress.co.uk
> 250 dash.widearea.co.uk Hello www.firstimpress.co.uk
> MAIL From: <shb@firstimpress.co.uk>
> 250 2.1.0 Sender syntax Ok
> RCPT To: <orbs-relaytest%manawatu.co.nz@[194.70.234.6]>
> 553-5.4.3 Policy analysis found DNS error on
> 553-5.4.3 the target address. This address is
> 553 5.4.3 not currently acceptable.
> QUIT
> 221 2.0.0 dash.widearea.co.uk Out

/Matti Aarnio <mea@nic.funet.fi>
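The policy interaction the reply above describes (an address literal of your own host listed in smtp-policy.relay, the `relaycustomer +` boilerplate that turns that entry into full relay rights, and `PARAM reject-percent-kludge` plus a `localdomain +` line as the fix) is shown below as an added example. It is not part of the thread and not ZMailer's own policy code: it is a simplified Python model of the decision, written for this page, in which the relay-file semantics, the function names (`parse_relay_policy`, `check_rcpt`), the `relaycustomer_plus` switch and the client address 203.0.113.9 are all assumptions; the recipient addresses come from the thread.

```python
import ipaddress
import re

# Constructed smtp-policy.relay-style entries, as the thread describes them:
# a network that may relay through us, and (the S18 fix) our own interface
# marked "localdomain +".  This is a simplified model, not ZMailer's parser.
SAMPLE_RELAY_POLICY = """
[194.70.234.0]/24
[194.70.234.6]/32 localdomain +
"""

# "[a.b.c.d]" optionally followed by "/prefix"
ADDR_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\](?:/(\d{1,2}))?$")


def parse_relay_policy(text):
    """Return (relay_nets, local_nets): networks allowed to relay through us,
    and address literals that are our own interfaces (local delivery)."""
    relay_nets, local_nets = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        m = ADDR_LITERAL.match(parts[0])
        if not m:
            continue  # hostname/domain entries are outside this model
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or 32}", strict=False)
        (local_nets if "localdomain" in parts[1:] else relay_nets).append(net)
    return relay_nets, local_nets


def split_address(addr):
    """Split at the LAST '@' so that a source-routed localpart keeps its
    earlier '@' characters; returns None when there is no '@' at all."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    return (local, domain) if sep else None


def check_rcpt(rcpt, policy_text, client_ip,
               reject_percent_kludge=True, relaycustomer_plus=False):
    """Decide (verdict, reason) for one RCPT TO from a given client address.
    relaycustomer_plus=True reproduces the old "relaycustomer +" boilerplate
    hole; reject_percent_kludge=True models PARAM reject-percent-kludge."""
    relay_nets, local_nets = parse_relay_policy(policy_text)
    parts = split_address(rcpt)
    if parts is None:
        return ("reject", "malformed recipient")
    local, domain = parts

    m = ADDR_LITERAL.match(domain)
    if m:
        target = ipaddress.ip_address(m.group(1))
        if relaycustomer_plus and any(target in net for net in relay_nets):
            # The poison: a TARGET literal matching a relay CLIENT network is
            # granted full rights, so anyone may route mail through us.
            return ("accept", "full rights via relaycustomer + (open relay!)")
        if not any(target in net for net in local_nets):
            return ("reject", "address literal is not one of our interfaces")
        # The literal is us; now the localpart decides whether this is really
        # local delivery or a %-hack / !-path asking us to forward onward.
        if reject_percent_kludge and ("%" in local or "!" in local):
            return ("reject", "percent/bang kludge in localpart would relay onward")
        return ("accept", "local delivery")

    # A named domain: only clients inside a relay network may use us for it.
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in relay_nets):
        return ("accept", "client in relaycustnet")
    return ("reject", "relaying denied")


if __name__ == "__main__":
    probe = "orbs-relaytest%manawatu.co.nz@[194.70.234.6]"
    print("fixed policy :", check_rcpt(probe, SAMPLE_RELAY_POLICY, "203.0.113.9"))
    print("old boilerplate:", check_rcpt(probe, SAMPLE_RELAY_POLICY, "203.0.113.9",
                                         relaycustomer_plus=True))
```

Run with the thread's own probe address and an outside client: the fixed policy rejects it because the localpart carries a `%` hop, while the `relaycustomer_plus` switch shows how the old boilerplate accepted it. A literal that is not one of our interfaces (the `[127.0.0.1]` probe from the reply) is rejected before the localpart is even examined, and a plain `user@[194.70.234.6]` is still delivered locally.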