Jim,

Is this machine accessible via The Net, or is it behind a firewall?

If it's behind the firewall, you are set.  Just open the darned thing
up, and be done with it.

If this is available from The [evil] Net, and you don't want to relay
for the world, you can do two things.

Option 1
==============
Use a different port (port 444 instead of port 25), but have the
qmail-smtpd that runs on that port accept and relay any mail--this
falls into the security through obscurity ballgame, and will be frowned
upon by most qmail-list folks (and I wouldn't recommend, although you
could do this)....

So, you create this line in inetd.conf:

444    stream  tcp     nowait  root    /tmp/relay-kludge.sh    relay-kludge.sh

and create this file (/tmp/relay-kludge.sh) with 755 perms (or something
more restrictive):

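#!/bin/sh
#
# Setting RELAYCLIENT (even to the empty string) makes qmail-smtpd
# skip the rcpthosts check, so it relays for anyone who connects here.
#
export RELAYCLIENT=""

/var/qmail/bin/qmail-smtpd
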
And you tell your users to use that port (444) for all of their SMTP
sessions.

        or

Option 2
============
You can run ucspi, which has built-in support for IP-based selective
relaying.


Perhaps you wish not to "complicate" things by running ucspi, but I
believe quite strongly that it is the best solution in this regard. 
This will also allow you to have finely grained control over what other
IPs are allowed to relay through your machine, not only your users, but
also.....a friend who has a static IP, let's say....or maybe you are on
the road one day, and you need to allow yourself an "open relay"....you
could shell in and make the change, and then you have a relay....

It's really not a great deal more work to install the ucspi package,
and it works with qmail (and a dozen other programs) so very well, that
it's worth the effort to install and configure it.  (Frankly for me,
it's not about load/concurrency, but configurability....that's why I
prefer tcpserver--part of the ucspi package--so much.)

If you'd like some example lines, or an introduction to tcpserver,
respond to me off the list, and I'll give you a few pointers.

-Martin

-------
On  2 Dec, Jim Hall wrote:
  : My clients are trying to mail outside the LAN, and receiving a 553 error
  : "im sorry that domain isnt in my list of rcpthosts".
  : 
  : Is there any way to allow my clients to mail anyone outside my LAN without
  : running ucspi-tcp? I only have 6 clients, and do not have high loads, so I'm
  : sure inetd can handle the process.
  : 
  : Thanks in advance,
  : Jim
  : 

-- 
Martin A. Brown --- SecurePipe Communications --- [EMAIL PROTECTED]
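
Added example, not part of Martin's message: one way to produce the IP-based selective-relay rules from Option 2 as a tcprules source file for ucspi-tcp's tcpserver. The helper name relay_rules, the /etc/tcp.smtp paths and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Prints tcprules(1) source that
# sets RELAYCLIENT only for the listed clients; everyone else still gets the
# rcpthosts check (and the 553 error for outside domains).
#
# relay_rules ADDR...   ADDR is a full IPv4 address ("10.0.0.5") or a dotted
#                       prefix ending in "." ("192.168.1."), the tcprules way
#                       of naming a range. Returns 1 on anything else.
relay_rules() {
    out=""
    for p in "$@"; do
        bad=0
        case "$p" in
            # An empty address would become ':allow,RELAYCLIENT=""', i.e. the
            # default rule: an open relay for the whole Net. Refuse it.
            ""|*[!0-9.]*|.*|*..*) bad=1 ;;
        esac
        if [ "$bad" -eq 0 ]; then
            n=0; old_ifs=$IFS; IFS=.
            for octet in $p; do            # split on dots, check each octet
                n=$((n + 1))
                [ "$octet" -le 255 ] 2>/dev/null || bad=1
            done
            IFS=$old_ifs
            case "$p" in
                *.) [ "$n" -le 3 ] || bad=1 ;;   # prefix: 1-3 octets + "."
                *)  [ "$n" -eq 4 ] || bad=1 ;;   # host: exactly 4 octets
            esac
        fi
        if [ "$bad" -ne 0 ]; then
            echo "relay_rules: refusing address '$p'" >&2
            return 1
        fi
        out="$out$p:allow,RELAYCLIENT=\"\"
"
    done
    # Default rule: accept the connection, but do not set RELAYCLIENT.
    printf '%s:allow\n' "$out"
}

# Sample run with constructed addresses (a LAN prefix and one static IP):
relay_rules 192.168.1. 10.0.0.5

# Typical use (paths are assumptions):
#   relay_rules 192.168.1. 10.0.0.5 > /etc/tcp.smtp
#   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
#   tcpserver -x /etc/tcp.smtp.cdb -u "$(id -u qmaild)" -g "$(id -g qmaild)" \
#       0 smtp /var/qmail/bin/qmail-smtpd
```

tcpserver reads the compiled .cdb on each connection, so re-running tcprules is enough to add or drop a relay client without restarting anything.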
