
RE: AUTH, MSA-mode and FULLTRUST

Checking the ChangeLog:

2004-06-22  Matti Aarnio  <mea@zmailer.org>
        * smtpserver/policytest.c:
            When in MSA-mode, _ignore_ 'relaycustnet +' attributes.
            Will then always demand user to authenticate!

So obviously it's a feature, not a bug :-)

Any idea for a work-around?

The need for this, as I previously said, is to control
from the mail server point of view (not firewall or SMTP client
configuration) who can send and who must authenticate.

Thanks

> -----Original Message-----
> From: Nicolas Baumgarten 
> Sent: Friday, December 03, 2004 3:34 PM
> To: 'Jeff Warnica'
> Cc: Zmailer List
> Subject: RE: AUTH, MSA-mode and FULLTRUST
> 
> 
> Jeff,
> 
> what I'm telling was possible and we are currently using it in many
> production servers.
> The exact version is: zmailer-2.99.56-patch1pre-cvs20040312
> 
> When we set up a test install of cvs20041104 we find that it's not
> possible anymore.
>
> Our current setup includes many client networks which are
> "fulltrust" (including individual users or corporate MTAs)
> which don't need to authenticate.
> The rest of the world has to, if using our servers as
> outgoing relay.
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: Jeff Warnica [mailto:jeffw@chebucto.ns.ca]
> > Sent: Thursday, December 02, 2004 10:48 PM
> > To: Nicolas Baumgarten
> > Cc: Zmailer List
> > Subject: Re: AUTH, MSA-mode and FULLTRUST
> > 
> > 
> > 
> > I suspect that the path of least resistance would be to have local
> > systems submit to :25. But if you are going to reconfigure each client,
> > you might as well tell it to send the username/password. I suppose you
> > could do some port redirection magic (ie, iptables with Linux) such that
> > connections to :587 are transparently redirected to :25.
> >
> > I don't know if what you ask about ZMailer is possible, but this might
> > provide a quick solution until something else comes along.
> > 
> > On Thu, 2004-02-12 at 20:51 -0300, Nicolas Baumgarten wrote:
> > > Hi,
> > > 
> > > in previous versions we used authentication
> > > as described in this old smtpserver.conf sample
> > > -------
> > > PARAM  MSA-mode        # Message Submission Agent mode. Require
> > > #                       # successful user authentication during SMTP
> > > #                       # sessions initiated from outside of the trusted
> > > #                       # networks or the networks with relaying enabled
> > > #                       # (see "fulltrustnet" and "relaycustnet" in
> > > #                       # smtp-policy.src file).
> > > -------
> > > 
> > > having this and "smtp-auth" was enough.
> > > 
> > > The problem we have now is that if MSA mode is enabled
> > > (via MSA-mode keyword or BindSubmit) then we can't avoid
> > > authentication from fulltrustnet networks.
> > > The answer is always:
> > > 503 5.5.1 Hello [192.168.1.21], In SUBMISSION mode must authenticate first!
> > >
> > > Is this something we are doing wrong?
> > > 
> > > Thanks ....
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe zmailer" in
> > > the body of a message to majordomo@nic.funet.fi
> > > 
> > > 
> > 
> > 
> 
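
The port-redirection workaround suggested in the quoted reply, sketched as an added example that is not part of the original thread or of ZMailer: it prints (dry run) iptables rules that redirect :587 to :25 only for trusted source networks, so every other source still hits the submission port and must authenticate. It assumes the :25 listener still honors the fulltrustnet/relaycustnet policy; the network list and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print, as a dry run, iptables NAT rules
# that redirect :587 to :25 for trusted source networks only. All other
# sources still reach the submission port and must authenticate.

# Constructed sample networks; replace with your own fulltrust ranges.
TRUSTED_NETS="192.168.1.0/24 10.20.0.0/16"

# Accept only well-formed IPv4 CIDR with prefix 1-32. Rejecting /0 and any
# stray characters keeps a typo from exempting the whole Internet from AUTH.
valid_cidr() {
    case $1 in *[!0-9./]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$' || return 1
    ip=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $ip            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one REDIRECT rule per valid network; report invalid entries on stderr
# and return non-zero so a wrapper can refuse to apply a partial rule set.
emit_redirect_rules() {
    rc=0
    for net in "$@"; do
        if valid_cidr "$net"; then
            echo "iptables -t nat -A PREROUTING -s $net -p tcp --dport 587 -j REDIRECT --to-ports 25"
        else
            echo "skipping invalid network: $net" >&2
            rc=1
        fi
    done
    return $rc
}

# Review the printed rules before running them as root.
emit_redirect_rules $TRUSTED_NETS
```

Trust here rests on source address alone, so the rules belong on the mail host itself (or a gateway that drops spoofed internal sources), and the trusted list should stay as narrow as the policy file's.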