Re: smtp policy problem
On Fri, Feb 25, 2000 at 09:08:24AM +0000, Tomasz Rzad wrote:
> Hello all,
> I need a quick solution in SMTP policy.
> I would like to have the following situation:
> MAIL FROM:<email@example.com> RCPT TO: <firstname.lastname@example.org> -> OK
> MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> -> OK
> MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> -> GO AWAY
> What I have today is:
> # smtp-policy.src
> my-domain.com relaycustomer + relaytarget +
> .my-domain.com relaycustomer + relaytarget +
> . relaycustomer - relaytarget -
> [0.0.0.0]/0 relaycustomer - relaytarget -
> and it doesn't work with zmailer 2.99.52-patch2 but worked with 2.99.50.
> Thanks for any comments,
The 'relaycustomer +' has been rendered ineffective somewhere in between.
Essentially the problem with allowing relaying if MAIL FROM is your local
domain is that then spamsters can easily use you as a relay by using your
local domain -- which is fairly trivially findable, after all..
My recommendation is that you list your customer networks, and
mark them as 'relaycustnet +' -- then people sending from those domains
will be able to send just fine.
[192.168.0.0]/16 relaycustnet +
[18.104.22.168]/24 relaycustnet +
The current boilerplates have lots more stuff around them, but at least
they are secure -- and the CVS version got some cleanup to make it a bit
more understandable, if possible..
An alternative is to enable the SMTP AUTHENTICATION (AUTH LOGIN) subsystem,
possibly under a STARTTLS envelope (e.g. SSL wrapper above SMTP.)
Then have users authenticate to the smtpserver before sending anything.
/Matti Aarnio <email@example.com>
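
The difference between the two policies discussed in this message, as an added example that is not part of the original post and is not ZMailer code: a simplified model of the relay decision, comparing trust in the MAIL FROM domain with trust in the connecting client's network. The function names, domains and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample policy: names and values are illustrative only.
LOCAL_DOMAINS = {"my-domain.com"}
CUSTOMER_NETS = [ipaddress.ip_network("192.168.0.0/16")]

def domain_of(addr):
    """Return the lowercased domain part of an envelope address."""
    return addr.strip("<>").rpartition("@")[2].lower()

def is_local(domain):
    """True for a local domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)

def relay_by_sender(client_ip, mail_from, rcpt_to):
    """Weak policy: trust the MAIL FROM domain, which the client chooses freely."""
    return is_local(domain_of(rcpt_to)) or is_local(domain_of(mail_from))

def relay_by_network(client_ip, mail_from, rcpt_to):
    """Hardened policy: relay outward only for connections from customer networks."""
    if is_local(domain_of(rcpt_to)):
        return True  # inbound mail for our own domains is always accepted
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CUSTOMER_NETS)

# Constructed SMTP envelopes: (client IP, MAIL FROM, RCPT TO)
SAMPLES = [
    ("192.168.4.20", "<alice@my-domain.com>", "<bob@example.net>"),     # customer, outbound
    ("203.0.113.9",  "<carol@example.net>",   "<alice@my-domain.com>"), # outside, inbound
    ("203.0.113.9",  "<alice@my-domain.com>", "<erin@example.org>"),    # outside, forged sender
    ("203.0.113.9",  "<carol@example.net>",   "<dave@example.org>"),    # outside, third party
]

def evaluate(policy):
    """Return the accept/reject decision of a policy for each sample envelope."""
    return [policy(*env) for env in SAMPLES]

if __name__ == "__main__":
    weak, strong = evaluate(relay_by_sender), evaluate(relay_by_network)
    for env, w, s in zip(SAMPLES, weak, strong):
        print(env, "sender-based:", w, "network-based:", s)
```

The two policies differ only on the third envelope, where an outside client claims a local sender address: the sender-based check relays it, the network-based check does not.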