Oden Eriksson <[EMAIL PROTECTED]> writes on 24 April 1999 at 12:32:18 +0200
 > Hi there all,
 > 
 > My name is Oden and I'm new to this list and a Linux newbie, but 
 > I'm very enthusiastic!
 > 
 > I have run a small web hotel (more of a "private" solution) for 
 > months now using Linux Mandrake v5.3 (RedHat v5.2 + KDE v1.1) 
 > + Summersoft's "qmail-1.03-7.src.rpm" + "qmail-imap-4.5.beta-
 > 2.src.rpm". Everything's running just fine but... I have an open 
 > relay... I got an e-mail from "The Open Relay Behaviour-modification 
 > System <[EMAIL PROTECTED]>" telling me someone may have used 
 > my server for spamming or something... My server was added to 
 > the "ORBS database" (what in the hell ever that is...).

It's a database that many systems (mine, for example) check before
accepting an SMTP connection.  I don't accept email routed through
open relays.  This has cut down on my spam considerably, plus it
provides some additional incentive for the people operating open
relays to get them closed down.

Being listed in the ORBS means you and your users can't send email to
various places.  It *also* may mean that spammers looking for an open
relay to exploit can easily find you.  You think it's trouble to be in
ORBS -- wait till you see the mail you get if you're actually
exploited for a big spam!

 > I've seen many posts about the Open Relay thing, but I guess I'm 
 > just too stupid to understand... I just cannot figure out a way to let 
 > my users use the smtp server without being an "open relay".
 > 
 > My users are all having dial up connections with dynamic ip 
 > addresses. I have no dial in feature.
 > 
 > The solutions I've seen so far on this list (and in the archive) are 
 > either _very_ complex or they won't cut it in the long run. What to 
 > do ?
 > 
 > Why can't it just be like the pop thing..., you are required to pass a 
 > password to access the thing...

Well, the SMTP protocol as originally defined doesn't have any sort of
authentication in it.  If it did, how would two unrelated systems
ever manage to exchange email in the first place?  The problem really
is that it's being used by the pop clients for a purpose it was never
designed for -- injecting email from "local" users.

 > I have tried using the rcpthosts file but soon realized that I had to 
 > add every damn domain my users would send an e-mail to, to this 
 > file. This I will _never_ do..., it's too much work.

This shows you're misunderstanding it.  There are a bunch of
explanations out there, but here's the very short summary:

Things get confused if users you think of as "local" are actually
submitting their outbound mail from other systems using SMTP (as is
the case with nearly all POP clients).  If you're in this situation,
you need to enable relaying for the IP addresses that those
submissions come from.  You do this by using tcpserver to set an
environment variable based on the IP address.

What rcpthosts lists is systems that you accept mail for from real
remote users (not the funny case of local users submitting mail via
smtp, described above).  It's to control *inbound* mail, not
outbound. 

If the users you need to relay for are dynamic IP addresses at various
places, you're in trouble.  One solution is the "SMTP after POP"
solution, where after they authenticate using POP, relaying is turned
on for their IP address for a period of time.

The correct solution, however, is for dynamic IP users to use the
outbound mail server of the ISP they get their IP from.  The POP and
SMTP servers are configured separately in every popmail client I've
seen, so you can point your POP server at the system where your mail
actually resides, and the SMTP server at the nearest mailserver.  They
do not have to be the same.

Another solution would be to use SSH and have them tunnel the SMTP
connection through the net to your local system.  This is perhaps in
the category "complicated" for many users.
-- 
David Dyer-Bennet                                              [EMAIL PROTECTED]
http://www.ddb.com/~ddb (photos, sf) Minicon: http://www.mnstf.org/minicon
http://ouroboros.demesne.com/ The Ouroboros Bookworms
Join the 20th century before it's too late!
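
The relay decision described in the message above, as a simplified model added here (not part of the original message, and not qmail or tcpserver code): a tcpserver rules file sets the RELAYCLIENT environment variable for trusted client addresses, and rcpthosts is consulted only for everyone else. The rule entries, the 192.0.2. prefix, example.org and all function names are constructed for illustration.

```python
# Simplified model of the relay decision (added example, constructed data).
# Only IP-prefix tcprules entries are modelled, not hostname or user@ rules.
TCP_SMTP_RULES = '''
127.:allow,RELAYCLIENT=""
192.0.2.:allow,RELAYCLIENT=""
:allow
'''
RCPTHOSTS = ["example.org", ".example.org"]  # domains we accept mail FOR


def parse_rules(text):
    """Map address prefix -> env dict tcpserver would set (None = deny)."""
    rules = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        prefix, _, action = line.partition(":")
        verdict, *assignments = action.split(",")
        rules[prefix] = None if verdict == "deny" else {
            name: value.strip('"')
            for name, _, value in (a.partition("=") for a in assignments)}
    return rules


def env_for(ip, rules):
    """Most specific address rule wins: 1.2.3.4, 1.2.3., 1.2., 1., then ''."""
    octets = ip.split(".")
    for key in [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return {}  # assumption of this model: no matching rule changes nothing


def in_rcpthosts(domain, rcpthosts):
    """Exact match, or a leading-dot entry matching any subdomain."""
    domain = domain.lower()
    return any(domain == h.lower()
               or (h.startswith(".") and domain.endswith(h.lower()))
               for h in rcpthosts)


def rcpt_decision(client_ip, rcpt, rules, rcpthosts):
    env = env_for(client_ip, rules)
    if env is None:
        return "connection refused"
    if "RELAYCLIENT" in env:          # trusted submitter: rcpthosts skipped
        return "accept (relay client)"
    if "@" not in rcpt or in_rcpthosts(rcpt.rpartition("@")[2], rcpthosts):
        return "accept (inbound)"
    return "reject (not in rcpthosts)"
```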
