On 29/08/2014 16:58, Eric Shubert wrote:
On 08/29/2014 07:12 AM, Tonix - Antonio Nati wrote:
I don't know if the variable you need is enabled in your
distribution/version.

Actually you could put in place this solution:

    Enable (uncomment) the following define in checkuser_settings.h and
    recompile.

         #define CHKUSER_DISABLE_VARIABLE "RELAYCLIENT"

    With such option, chkuser is disabled for every authenticated or
authorized sender which has RELAYCLIENT set (we recommend this option).

Unfortunately, I've missed this recommendation up to now, and this variable is not set. I'll see about getting this included in the next release of the qmail package.

I'm not sure all have the same needs, and it's a compiling option, so it might not be easy to make a solution for all.

Actually, we suggest enabling it on port 587 and on separate servers which act only as SMTP gateways.

Thinking about it more, there could be no reason not to use it on port 25 on a public MX; the percentage of people using it instead of dedicated servers would be very small.

Actually, here in Italy, there is a good reason to push customers to use port 587: some important mobile networks do not permit access to port 25 on external networks, so we suggest that our customers use port 587 on our dedicated gateways too.

So, dedicated SMTP gateways have this option on ports 25, 465 and 587.


Michele, are you running legacy (*-toaster) packages, or the new ones?

As alternative if you want to disable chkuser from a specific IP:

    Enable (uncomment) the following define in checkuser_settings.h and
    recompile.

         #define CHKUSER_DISABLE_VARIABLE "DISABLE_CHECKUSER"

    and put in your control file:

    xx.xx.xx.xx:allow,DISABLE_CHECKUSER="",RBLSMTPD=""


Actually, all controls related to too many wrong or existing recipients,
as well as non-existing domains or others like that, should be set only for
public MX frontends, not for SMTP relays serving only authenticated users.


This brings up an interesting point. It'll be easy enough to disable these controls on port 587. Is there a way though that chkuser can tell if authentication has taken place or not on port 25?

chkuser uses RELAYCLIENT to check if the sender is authorized to relay, regardless of port.

There is another option which will refuse any message if the sender is not authenticated (RELAYCLIENT not set):

CHKUSER_EXTRA_MUSTAUTH_VARIABLE

So I enable and set this option on port 587 and on servers which only act as SMTP gateways, and it will only accept messages from authorized senders.

Also, can you list the specific controls that you feel should be disabled for authenticated sessions?

Actually, I suggest disabling chkuser entirely for each authenticated session.
Only in this way can desktop clients manage complex errors and send messages anyway, receiving back from the SMTP server detailed negative answers for single failures.

In the case of a public MX frontend, instead, I'd exclude all formal controls, keeping tarpitting, DNS & MX checking on senders (on rcpt, DNS and MX controls could be useless, as the right domain should always exist in rcptcontrol), and full recipient checking, of course.


Cheers!

Tonino


--
------------------------------------------------------------
        Inter@zioni            Interazioni di Antonio Nati
   http://www.interazioni.it      to...@interazioni.it
------------------------------------------------------------
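The thread above describes three deployment choices for chkuser: CHKUSER_DISABLE_VARIABLE set to "RELAYCLIENT" (skip chkuser for anyone allowed to relay, including SMTP AUTH users), CHKUSER_DISABLE_VARIABLE set to "DISABLE_CHECKUSER" together with a per-IP tcprules entry, and CHKUSER_EXTRA_MUSTAUTH_VARIABLE on a submission gateway (refuse everything that has no RELAYCLIENT). The following is an added example, not chkuser's or the poster's code: it models those decisions for a given tcp.smtp file, a connecting IP and whether AUTH succeeded, so you can see which connections get recipient checking before you recompile. The tcp.smtp content is constructed, the tcprules syntax and the lookup order (exact address, then dotted prefixes, then the empty default) are simplifying assumptions, and the decision rules are written from the thread's description of the defines, not from the chkuser source.

```python
"""Model of the chkuser gating described in the thread.  Added example, not
chkuser's own code; tcprules syntax, lookup order and the decision rules
are simplifying assumptions written from the thread's description."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample tcp.smtp (tcprules syntax), not a real deployment.
SAMPLE_TCP_SMTP = """\
# trusted relay: skip chkuser and rblsmtpd, as suggested in the thread
192.0.2.10:allow,DISABLE_CHECKUSER="",RBLSMTPD=""
# internal LAN may relay without SMTP AUTH
10.1.:allow,RELAYCLIENT=""
203.0.113.7:deny
:allow
"""

Rule = Tuple[str, str, Dict[str, str]]


def parse_tcprules(text: str) -> List[Rule]:
    """Parse lines of the form address:allow|deny[,VAR="value"]...
    Assumption: every assignment has the VAR="value" form; comments and
    blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env: Dict[str, str] = {}
        for assignment in assignments:
            name, _, value = assignment.partition("=")
            env[name] = value.strip('"')
        rules.append((addr, action, env))
    return rules


def lookup(rules: List[Rule], ip: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Most specific match wins: the full address, then dotted prefixes
    ("10.1.2.", "10.1.", "10."), then the empty default address.
    Assumption: this approximates tcpserver's lookup order."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    table = {addr: (action, env) for addr, action, env in rules}
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None  # no matching rule and no default: connection refused


@dataclass
class ChkuserBuild:
    """Compile-time choices from chkuser_settings.h, as the thread describes them."""
    disable_variable: Optional[str] = None  # CHKUSER_DISABLE_VARIABLE name, if enabled
    mustauth: bool = False                  # CHKUSER_EXTRA_MUSTAUTH_VARIABLE enabled


def session_env(rule_env: Dict[str, str], authenticated: bool) -> Dict[str, str]:
    """Environment chkuser sees: the tcprules variables, plus RELAYCLIENT
    once SMTP AUTH has succeeded (the thread: authenticated senders have it set)."""
    env = dict(rule_env)
    if authenticated:
        env["RELAYCLIENT"] = ""
    return env


def chkuser_decision(build: ChkuserBuild, env: Dict[str, str]) -> str:
    """'reject_unauthenticated' if MUSTAUTH is on and RELAYCLIENT is absent,
    'skip' if the disable variable is present (any value, even empty),
    'check' otherwise (recipients are verified)."""
    if build.mustauth and "RELAYCLIENT" not in env:
        return "reject_unauthenticated"
    if build.disable_variable is not None and build.disable_variable in env:
        return "skip"
    return "check"


def decide(build: ChkuserBuild, rules: List[Rule], ip: str, authenticated: bool) -> str:
    """End-to-end outcome for one connection: tcprules first, then chkuser."""
    match = lookup(rules, ip)
    if match is None or match[0] != "allow":
        return "connection_refused"
    return chkuser_decision(build, session_env(match[1], authenticated))


# The three builds discussed in the thread.
PUBLIC_MX = ChkuserBuild(disable_variable="RELAYCLIENT")
SUBMISSION_GATEWAY = ChkuserBuild(disable_variable="RELAYCLIENT", mustauth=True)
PER_IP_EXEMPTION = ChkuserBuild(disable_variable="DISABLE_CHECKUSER")

if __name__ == "__main__":
    rules = parse_tcprules(SAMPLE_TCP_SMTP)
    for name, build in (("public MX", PUBLIC_MX), ("gateway", SUBMISSION_GATEWAY),
                        ("per-IP", PER_IP_EXEMPTION)):
        for ip in ("198.51.100.1", "192.0.2.10", "10.1.2.3", "203.0.113.7"):
            for auth in (False, True):
                print(f"{name:10} {ip:14} auth={auth!s:5} -> {decide(build, rules, ip, auth)}")
```

Note the point the thread makes about the PER_IP_EXEMPTION build: with CHKUSER_DISABLE_VARIABLE set to "DISABLE_CHECKUSER", an authenticated client is still checked, because RELAYCLIENT is not the variable chkuser looks at in that build; only the IP listed in tcp.smtp is exempted.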
