Quoting Ken Hohhof ([EMAIL PROTECTED]):
> This has nothing to do with qpopper.  The relaying denied message 
> came from your SMTP daemon running on port 25. 

> A third approach which we use on some of our boxes is poprelayd (pop 
> before relay), this is a PERL script which collects IP addresses from 
> the qpopper log every 5 seconds and then caches those IP addresses in a 
> sleepycat database for a configurable time, e.g. an hour.  The idea is 
> that the user has identified themselves by checking their POP mailbox 
> with a valid username and password, so they are trusted and will be 
> allowed to relay for some reasonable length of time.  This last 
> approach does not make sense if your users are on your local LAN, in 
> that case you can easily restrict relaying by IP address. 

POP-b4-SMTP is risky at best and fails at worst.
Clients have planned to use it and have found great pain after
deploying dozens of laptops.  There are those who chose
it even after SMTP AUTH was available and clearly the "Right Answer"
to replace the hack that is POP-b4-SMTP.

Some ISPs, AOL notably among them, use proxies of some sort.
The POP request comes in, your script enables anyone coming
from that AOL host to relay freely for 20 minutes <shudder>
but your SMTP connection comes in via a different relay.  You
are denied.  Ooops.  But only sometimes, because you have no
control of which IP address your SMTP connection comes from.

SMTP-AUTH is almost always the right answer at this point.
Even for internal LAN mail (keeps some guy who got on your
802.11a line from spamming).  Most happy GUI mail clients
support it just fine.  The laptops use it when the owner is
on the LAN or at home on their external DSL line.  They never
notice.

> Of course you should not run an open relay unless you are behind a 
> firewall that disallows SMTP connections from outside the firewall, 
> even so there is probably no reason to configure your server as an open 
> relay. 

I've run promiscuous deep inside the LAN, many hops from the
firewall.  I still block non-resolvable IP addresses, which
just means that if you aren't in DNS, you are restricted.
This upsets those who run half-assed DHCP and DNS setups.
Usually upsets them into running DNS right.
