Re: smtpserver s18 vs. user@[x.x.x.x] reject policy
> Unless I have had made a horrible mistake somewhere, there is a
> problem with the policy rejection in s18.
I think your particular problem is with smtpserver.conf,
and smtp-policy.src files.
The files that this is sensitive about, and which are *not*
automatically overwritten by 'make install(-bin)', are:
MAILSHARE/smtpserver.conf (several PARAMs!)
MAILVAR/db/smtp-policy.src
MAILBIN/policy-builder.sh
Also, to a certain degree the
MAILVAR/db/smtp-policy.relay
file contents are quite sensitive.. Quite too much, I think.
If you don't list your local addresses as address literals
in that, then you don't have problems (shouldn't, I mean.)
If you list your machine/network, then things become a bit
difficult for you... Poking at your systems a bit.
(You do have 'PARAM debug' enabled...)
Right, you seem to have in there:
[194.70.234.0]/24
which means that any host in that class C can send thru your
system.
Unfortunately the smtp-policy.src defines _full_rights
as: "rejectnet - relaycustnet + relaycustomer + relaytarget +"
of these, the 'relaycustomer +' pair is poison, and it never
should have been at the boilerplate! It was removed a while
back -- few months ago. This harms you only if you define
e.g. your hostname/domain suffix at the smtp-policy.relay
file. (... ok, I removed 'relaycustomer *' from use ...)
With S18 your smtp-policy.relay needs line:
[194.70.234.6]/32 localdomain +
which along with smtpserver.conf's PARAM settings:
#PARAM allowsourceroute
#PARAM accept-percent-kludge # "localpart" can contain '%' and '!'
PARAM reject-percent-kludge # "localpart" can't contain --"--
will get the hole plugged.
Yes, too damn complicated. Even I can become confused, never
mind you, folks... I have now added handling of autodetection
of the local interfaces in that address processing path, and
it does automatically this 'localdomain +' thing, plus removes
possible '*rbl*' related attributes.
It does *not* do "allow relaying thru me if the connection comes
from this source address", e.g. it does not automatically allow
email relaying if users inside the machine contact the smtpserver
at any of its interfaces.
Should it ??? (It could..)
My test code is running at mea.tmt.tele.fi, please try to find
a way which allows relaying thru. You can even try things like:
foo%bar.fi%mea.tmt.tele.fi@[127.0.0.1]
and see it fail at correct spot :-) ( Do use 'DEBUG' :) )
However... !-path handling is not included in this resolving
processing.. (Not yet, anyway.)
I do see that sometimes a router-based approach is better than
my simple-minded approaches in the smtpserver. Even though
the router approach is way heavier..
I would like to document how to do it, could anybody give
pointers ?
> Having discovered that one of my machines -- a RedHat 5.2 machine --
> was registered on ORBS I updated it to s18. Unfortunately it still
> accepted the problematic address so I checked out a Solaris 2.6
> running s11 and that rejected it.
s11 seems to do DNS lookups for the domain -- which is an IP address
literal in real life:
000- DNS-Verify: Look MX, or Addr for host '[194.70.234.6]'
000- ... returns: -2
and fails... Lucky for you.
> I then tried the same test on the same machine with different
> smtpservers as shown below. The s18 version allowed through the
> offending address each time. I have deleted and rebuilt all db files
> each time.
>
> Am I wrong or is the smtpserver wrong?
>
> Regards
> Simon.
That test is also erroneous; place
-s strict
into the SMTPOPTIONS and these will be rejected.
(Until the testers do get their software fixed..)
> 220 dash.widearea.co.uk ZMailer Server 2.99.50-s18 #1 ESMTP+IDENT
> ready at Thu, 3 Jun 1999 14:08:51 +0100
> HELO www.firstimpress.co.uk
> 250 dash.widearea.co.uk Hello www.firstimpress.co.uk
> MAIL From: <shb@firstimpress.co.uk>
> 250 2.1.0 Sender syntax Ok
> RCPT To: <orbs-relaytest%manawatu.co.nz@[194.70.234.6]>
> 250 2.1.5 Recipient address syntax Ok
> QUIT
> 221 2.0.0 dash.widearea.co.uk Out
> Connection closed by foreign host.
>
> 220 dash.widearea.co.uk ZMailer Server 2.99.50-s11 #1 ESMTP+IDENT
> ready at Thu, 3 Jun 1999 14:09:46 +0100
> HELO www.firstimpress.co.uk
> 250 dash.widearea.co.uk Hello www.firstimpress.co.uk
> MAIL From: <shb@firstimpress.co.uk>
> 250 2.1.0 Sender syntax Ok
> RCPT To: <orbs-relaytest%manawatu.co.nz@[194.70.234.6]>
> 553-5.4.3 Policy analysis found DNS error on
> 553-5.4.3 the target address. This address is
> 553 5.4.3 not currently acceptable.
> QUIT
> 221 2.0.0 dash.widearea.co.uk Out
/Matti Aarnio <mea@nic.funet.fi>
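The address handling discussed in this message, as an added illustration that is not ZMailer's code: a small Python model of how a RCPT TO address such as the ORBS test address fares under 'PARAM accept-percent-kludge' versus 'PARAM reject-percent-kludge' when the address literal names a local interface. The interface set, the local domain and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the site discussed in the thread: its local
# interface literals and local domain stand in for smtp-policy.relay entries
# such as "[194.70.234.6]/32 localdomain +". Not ZMailer's own code.
LOCAL_INTERFACES = {ipaddress.ip_address("194.70.234.6"),
                    ipaddress.ip_address("127.0.0.1")}
LOCAL_DOMAINS = {"dash.widearea.co.uk"}

ADDR_RE = re.compile(r"^<?([^@>]+)@([^@>]+)>?$")

def percent_expand(localpart):
    """Apply the '%' source-route hack once the literal's host is reached:
    'a%b.example' is delivered onward as 'a@b.example'. Returns
    (localpart, next_hop) with next_hop None when there is no '%'."""
    if "%" not in localpart:
        return localpart, None
    lp, _, dom = localpart.rpartition("%")
    return lp, dom.lower()

def is_local_domain(domain):
    """True for a local domain name or an address literal of a local interface."""
    if domain.startswith("[") and domain.endswith("]"):
        try:
            return ipaddress.ip_address(domain[1:-1]) in LOCAL_INTERFACES
        except ValueError:
            return False
    return domain in LOCAL_DOMAINS

def classify_rcpt(rcpt, reject_percent_kludge=True):
    """Decide what an RCPT TO address would do under either PARAM setting.
    True models 'PARAM reject-percent-kludge'; False models the older
    'accept-percent-kludge' behaviour that the ORBS test exercised."""
    m = ADDR_RE.match(rcpt.strip())
    if not m:
        return "reject-syntax"
    localpart, domain = m.group(1), m.group(2).lower()
    if reject_percent_kludge and ("%" in localpart or "!" in localpart):
        return "reject-kludge"
    if not is_local_domain(domain):
        return "reject-relay"          # foreign target, no relay rights here
    # The target is us; with the kludge accepted, the '%' route is honoured.
    _, next_hop = percent_expand(localpart)
    if next_hop is None or is_local_domain(next_hop):
        return "accept-local"
    return "accept-relay-via-percent"  # the relay hole the test probes for
```

Run the same RCPT line through both settings to see why the s18 transcript above says "250 Recipient address syntax Ok" only while the percent kludge is still accepted.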