
Re: smtp policy problem



On Fri, Feb 25, 2000 at 09:08:24AM +0000, Tomasz Rzad wrote:
> Hello all,
> 
> I need a quick solution in SMTP policy.
> I would like to have the following situation:
> 
> MAIL FROM:<user@my-domain.com> RCPT TO: <anybody@any-domain.com> -> OK
> MAIL FROM:<anybody@any-domain.com> RCPT TO:<user@my-domain.com> -> OK
> MAIL FROM:<anybody@any-domain.com> RCPT TO:<anybody@any-domain.com> -> GO AWAY
> 
> What I have today is:
> 
> # smtp-policy.src
> 
> my-domain.com    relaycustomer +  relaytarget +
> .my-domain.com   relaycustomer +  relaytarget +
> .                relaycustomer -  relaytarget -
> [0.0.0.0]/0      relaycustomer -  relaytarget -
> 
> and it doesn't work with zmailer 2.99.52-patch2 but worked with 2.99.50.
> Thanks for any comments,

  The 'relaycustomer +' has been rendered ineffective somewhere in between.
  Essentially the problem with allowing relaying if MAIL FROM is your local
  domain is that then spamsters can easily use you as a relay by using your
  local domain -- which is fairly trivially findable, after all..

  My recommendation is that you list your customer networks and
  mark them as 'relaycustnet +' -- then people sending from those domains
  will be able to send just fine.

	[192.168.0.0]/16	relaycustnet +
	[199.200.201.0]/24	relaycustnet +

  The current boilerplates have lots more stuff around them, but at least
  they are secure -- and the CVS version got some cleanup to make it a bit
  more understandable, if possible..

  An alternative is to enable the SMTP AUTHENTICATION (AUTH LOGIN) subsystem,
  possibly under a STARTTLS envelope (e.g. an SSL wrapper above SMTP).
  Then have users authenticate to the smtpserver before sending anything.

> Brgds,
> Tomek

-- 
/Matti Aarnio	<mea@nic.funet.fi>
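To make the trade-off in Matti's reply concrete, here is an added example (not part of the thread and not ZMailer code) that models the relay decision in Python: the `relaycustomer`-style rule trusts the MAIL FROM domain, which any sender can claim, while the `relaycustnet`-style rule trusts the client's source network. The local domain and customer networks are constructed sample values.

```python
"""Added example modelling the relay decision discussed in the thread.
Not from ZMailer; the domain and network values below are constructed."""
import ipaddress

# Constructed sample policy: one local domain plus two customer networks,
# mirroring the 'relaycustnet +' entries suggested in the reply.
LOCAL_DOMAINS = {"my-domain.com"}
CUSTOMER_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("199.200.201.0/24")]


def _domain(addr: str) -> str:
    """Return the lowercased domain part of an envelope address like '<u@d>'."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def _is_local(domain: str) -> bool:
    """True for the local domain itself or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str,
                   trust_mail_from: bool) -> str:
    """Return 'OK' or 'GO AWAY' for one envelope.

    trust_mail_from=True reproduces the original 'relaycustomer +' idea
    (a local sender domain alone grants relaying); False reproduces the
    recommended 'relaycustnet +' rule (the client network grants relaying).
    """
    if _is_local(_domain(rcpt_to)):
        return "OK"                      # inbound mail for us is always accepted
    if trust_mail_from and _is_local(_domain(mail_from)):
        return "OK"                      # spoofable: anyone can claim our domain
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in CUSTOMER_NETS):
        return "OK"                      # outbound relay from a customer network
    return "GO AWAY"                     # third-party relay attempt


if __name__ == "__main__":
    # An outside host claiming our domain: accepted only by the MAIL FROM rule.
    print(relay_decision("203.0.113.5", "<user@my-domain.com>",
                         "<anybody@any-domain.com>", trust_mail_from=True))
    print(relay_decision("203.0.113.5", "<user@my-domain.com>",
                         "<anybody@any-domain.com>", trust_mail_from=False))
```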