No Francois, there is no risk of an open relay with the first rule because the session must be authenticated with a username and password. If you want, you can use an open relay checker like https://mxtoolbox.com/diagnostic.aspx if you're really concerned. I use the same rule you did and I passed the open relay check.

-Matt

On Sun, Dec 2, 2018 at 3:48 PM François <za...@redarmor.net> wrote:
>
> After understanding Gilles’ advice, I fixed the issues by finding the right
> ruleset:
>
> action distribuer mbox alias <aliases>
> action relayer relay
>
> match auth from any for any action relayer
> match from any for domain example.org action distribuer
>
> Now, I’m able to send and receive emails with my osmtpd 6.4 server.
>
> Last question. Is there any risk of being an open relay with rule #1?
> I expect the auth mechanism to prevent any bad usage of my server. Am I right?
>
> BR, François.
>
> > On 2 Dec 2018, at 13:27, Gilles Chehade <gil...@poolp.org> wrote:
> >
> > On Sun, Dec 02, 2018 at 01:05:56PM +0100, François wrote:
> >> Thanks Gilles for your quick answer.
> >>
> >> Based on your recommendations, I now have only these 3 match rules:
> >>
> >> match from any mail-from <indesirables> for any reject
> >> match auth from local action relayer
> >> match auth from any action distribuer
> >>
> >
> > you also need a for on the last rules
> >
> > not specifying from implies from local,
> > not specifying for implies for local.
> >
> >
> > you should most definitely have something along the lines of:
> >
> > match auth from local for [...]
> > match auth from auth for [...]
> >
> >
> >
> >> Below is how the server reacts when I try to send an email from my laptop
> >> connected at the same osmtpd server network to an outside email domain
> >> (redarmor.net):
> >>
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as NETADDR in table static:<anyhost> -> found
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: lookup: check "redarmor.net" as DOMAIN in table static:<anydestination> -> found
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: lookup: check "franc...@example.org" as MAILADDR in table static:indesirables -> 0
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as NETADDR in table static:<localhost> -> 0
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: lookup: check "192.168.0.1" as NETADDR in table static:<anyhost> -> found
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: lookup: check "redarmor.net" as DOMAIN in table static:<localnames> -> 0
> >> Dec 2 12:43:12 gabrielle smtpd[1459]: no rule matched
> >>
> >> And when I sent an email from an outside domain (redarmor.net) to my domain
> >> (example.org):
> >>
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as NETADDR in table static:<anyhost> -> found
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: lookup: check "example.org" as DOMAIN in table static:<anydestination> -> found
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: lookup: check "za...@redarmor.net" as MAILADDR in table static:indesirables -> 0
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as NETADDR in table static:<localhost> -> 0
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: lookup: check "217.70.183.201" as NETADDR in table static:<anyhost> -> found
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: lookup: check "example.org" as DOMAIN in table static:<localnames> -> 0
> >> Dec 2 12:47:02 gabrielle smtpd[1459]: no rule matched
> >>
> >> As explained in my first email, these two examples lead to the error
> >> message result="550 Invalid recipient".
> >>
> >> I will try a configuration which explicitly sets the source for the
> >> "relayer" action like this: action "relayer" relay src <sources>
> >> helo-src <helonames> with a table sources set with the local network.
> >>
> >> BR, François.
> >>
> >>
> >>
> >>
> >>> On 2 Dec 2018, at 12:26, Gilles Chehade <gil...@poolp.org> wrote:
> >>>
> >>> On Sun, Dec 02, 2018 at 11:46:45AM +0100, François wrote:
> >>>> Hello All
> >>>>
> >>>> I'm trying to move my email server, hosted at home, from Opensmtpd
> >>>> 6.0.2p1 to 6.4.0p2.
> >>>> I'm running Linux on Raspberry Pi.
> >>>>
> >>>> I didn't face any issue with the release 6.0.2. But after migrating the
> >>>> smtpd.conf file to the 6.4.0p2 format, I'm not able to send or receive
> >>>> emails properly through the smtp protocol.
> >>>>
> >>>
> >>> [...]
> >>>
> >>>>
> >>>> Here is an extract of my smtpd.conf:
> >>>>
> >>>> listen on 127.0.0.1
> >>>> listen on $lan_addr tls-require pki mail.example.org hostname mail.example.org
> >>>> listen on $lan_addr smtps pki mail.example.org auth hostname mail.example.org mask-src
> >>>> listen on $lan_addr port 587 tls-require pki mail.example.org auth hostname mail.example.org mask-src
> >>>>
> >>>> table aliases file:/etc/aliases
> >>>> table indesirables { "@qq.com" }
> >>>>
> >>>> action distribuer mbox alias <aliases>
> >>>> action relayer relay
> >>>>
> >>>> match from any mail-from <indesirables> for any reject
> >>>> match for local action distribuer
> >>>> match for any action relayer
> >>>>
> >>>> I don't understand my mistake. For information, I compiled the binaries
> >>>> from the sources, maybe I missed setting something in the Makefile.
> >>>> Thanks in advance for your support.
> >>>>
> >>>
> >>> The problem is that in 6.0.x authenticated users are considered as local
> >>> sessions and therefore match your last two rules, but this was not right,
> >>> it led to some configuration being impossible to express.
> >>>
> >>> Starting with 6.4.x, authenticated users are no longer considered local,
> >>> and rules must explicitly match them:
> >>>
> >>> match auth from any [...]
> >>>
> >>> The 'auth' criteria is no longer related to the locality, so you're able
> >>> to write rules that match differently the authenticated users which come
> >>> from your machine or from others:
> >>>
> >>> match auth from local [...]
> >>> match auth from any [...]
> >>>
> >>> Your new ruleset should have one or two additional match rules I guess.
> >>>
> >>> Also, while at it, it is now also possible to match non-network sessions
> >>> with:
> >>>
> >>> match from socket [...]
> >>>
> >>> This used to only be matched by from local but can now also be matched a
> >>> bit more precisely.
> >>>
> >>>
> >>> --
> >>> Gilles Chehade
> >>> @poolpOrg
> >>>
> >>> https://www.poolp.org tip me: https://paypal.me/poolpOrg
> >>>
> >>
> >
> > --
> > Gilles Chehade
> > @poolpOrg
> >
> > https://www.poolp.org tip me: https://paypal.me/poolpOrg
> >
>
--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
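
The rule matching discussed in this thread, as an added example that is not part of any poster's message and is not OpenSMTPD code: a simplified Python model of 6.4 evaluation (first matching rule wins, an omitted from/for means local, `auth` is independent of locality) run against the thread's rulesets. The `Rule`/`Envelope` names, the table contents, the sender addresses, the `elsewhere.test` domain and the `NO_AUTH` variant are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LOCALHOST = {"127.0.0.1", "::1"}         # assumed contents of <localhost>
LOCALNAMES = {"localhost", "gabrielle"}  # assumed <localnames>; the log shows example.org is absent

@dataclass(frozen=True)
class Rule:
    action: str
    auth: bool = False     # rule carries the "auth" criterion
    src: str = "local"     # omitted "from" implies "from local"
    dst: str = "local"     # omitted "for" implies "for local"
    mail_from: tuple = ()  # optional mail-from table entries

@dataclass(frozen=True)
class Envelope:
    ip: str
    authenticated: bool
    sender: str
    rcpt_domain: str

def matches(rule, env):
    if rule.auth and not env.authenticated:
        return False
    if rule.src == "local" and env.ip not in LOCALHOST:
        return False
    if rule.dst == "local" and env.rcpt_domain not in LOCALNAMES:
        return False
    if rule.dst.startswith("domain:") and env.rcpt_domain != rule.dst[len("domain:"):]:
        return False
    if rule.mail_from and not env.sender.endswith(rule.mail_from):
        return False
    return True

def evaluate(rules, env):
    """First matching rule wins; an envelope matching nothing is rejected."""
    return next((r.action for r in rules if matches(r, env)), "no rule matched")

# Rulesets from the thread, transcribed into the model.
INTERMEDIATE = [Rule("reject", src="any", dst="any", mail_from=("@qq.com",)),
                Rule("relayer", auth=True, src="local"),
                Rule("distribuer", auth=True, src="any")]
FINAL = [Rule("relayer", auth=True, src="any", dst="any"),
         Rule("distribuer", src="any", dst="domain:example.org")]
NO_AUTH = [Rule("relayer", src="any", dst="any")] + FINAL[1:]  # constructed weak variant

# Constructed envelopes; the IP addresses and two domains are those in the thread's logs.
laptop_out = Envelope("192.168.0.1", True, "user@example.org", "redarmor.net")
inbound = Envelope("217.70.183.201", False, "someone@redarmor.net", "example.org")
stranger = Envelope("217.70.183.201", False, "someone@redarmor.net", "elsewhere.test")

def is_open_relay(rules):
    """True when an unauthenticated outside client can relay to a third-party domain."""
    return evaluate(rules, stranger) == "relayer"
```

`evaluate(INTERMEDIATE, laptop_out)` and `evaluate(INTERMEDIATE, inbound)` both give "no rule matched", the outcome in the logs above, while `is_open_relay(FINAL)` is false and `is_open_relay(NO_AUTH)` is true.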