Thank you Rusty!

On Fri, Jun 29, 2001 at 08:00:57AM -0700, Rusty Carruth wrote:
> Tom Strickland <[EMAIL PROTECTED]> wrote:
> > ...
> > I should have been more clear in my last posting: my main question was:
> > If we're delivering our mail as coming from ourcharity.org.uk and it's
> > being relayed through BT's (our new ISP) SMTP server, wouldn't it get
> > blocked at some point by spam filters (e.g. on mailing lists, people's
> > home machines)? Or have I misunderstood something?
> 
> All *correctly configured* (see notes 1 and 2) ISPs these days have their
> smtp servers set up to not relay mail.  What does this mean?  It means
> that, if you connect to the smtp server (port 25) on their machine
> then either you are from their domain or not.   If you are inside 
> their domain(s) then you can send anywhere; if you are NOT from 
> inside their domain(s) then you can only send to recipients inside 
> their domain(s) (see note 3).
> 
> Huh?  Well, if you connect to your isp (say, thatisp.uk), and tell them 
> you are ourcharity.org.uk then you are not sending from inside their domain
> (probably - it depends upon exactly how they check your inside-ness!),
> and thus you will only be able to send email to recipients whose email
> addresses end in 'thatisp.uk' - probably not too useful.  (See note 4)

Well, currently I'm with Demon, who use POP-before-SMTP to do auth. I
don't know about our new ISP: I've had BT forced on me - I hope they're
as good as Demon.

> However, if your firewall (or whatever) is set up as a 'smart smtp server'
> (again, terminology from the 'old days' ;-), then everyone inside 
> ourcharity.org.uk would send email using THAT machine (which would
> perform that relay test and see that you are sending email from INSIDE
> ourcharity.org.uk and thus allow it).  The 'smart smtp server' would
> then send that email directly to the recipient machine, bypassing your
> ISP's smtp server entirely.  (Again, this is how I have mine set up,
> and it works fine.)  (Alternatively, you can just have the client
> machines send directly to the recipient, but that's usually quite
> a bit more of a hassle).

This is exactly what I had in mind. Once kernel 2.4 is sufficiently
stable we'll have a full-blown application firewall using port
redirection for ports 25 and 80 to Postfix and a web-proxy. No
connection to the net without authentication and (if I can get it
right) a lock-down on everything else. This will also allow us to
virus-scan all mail traffic in both directions.

Your other email was very helpful too - more comments there.

Thanks,

Tom
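
The relay test and the POP-before-SMTP scheme discussed in this message, as an added example that is not part of the original thread. It models one way a server can decide "inside-ness" (by client IP, never by the claimed sender domain); the networks, the 15-minute window and the function name are assumptions for illustration.

```python
import ipaddress

# Assumed values for illustration; none of these come from the thread.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the ISP's own customer range
LOCAL_DOMAINS = {"thatisp.uk"}                         # domains this server delivers for
POP_WINDOW = 15 * 60                                   # seconds a POP login authorizes an IP


def relay_decision(client_ip, rcpt_to, now=0, pop_logins=None):
    """Return (allowed, reason) for one RCPT TO from one connecting client.

    The envelope sender (MAIL FROM) is deliberately not an input: anyone can
    claim any sender domain, so it says nothing about being "inside".
    pop_logins maps client IP -> time of last successful POP login.
    """
    ip = ipaddress.ip_address(client_ip)
    # Normalize the recipient domain: strip brackets, case and a trailing dot.
    domain = rcpt_to.strip("<> ").rsplit("@", 1)[-1].lower().rstrip(".")

    # Mail for our own users is accepted from anywhere (this is not relaying).
    if domain in LOCAL_DOMAINS:
        return True, "local recipient"

    # Everything below is relaying to a foreign domain.
    if any(ip in net for net in TRUSTED_NETS):
        return True, "trusted network"

    # POP-before-SMTP: a recent authenticated POP login from this IP
    # temporarily authorizes it to relay.
    last = (pop_logins or {}).get(client_ip)
    if last is not None and 0 <= now - last <= POP_WINDOW:
        return True, "pop-before-smtp"

    return False, "relay denied"


if __name__ == "__main__":
    # Constructed sample connections.
    logins = {"203.0.113.5": 1000}
    for ip, rcpt, t in [
        ("192.0.2.10", "friend@example.org", 0),
        ("203.0.113.5", "user@thatisp.uk", 0),
        ("203.0.113.5", "friend@example.org", 1500),
        ("203.0.113.5", "friend@example.org", 5000),
    ]:
        print(ip, rcpt, relay_decision(ip, rcpt, t, logins))
```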
